by fragmede 920 days ago
If you task your fully staffed SRE division to have some people doing cybersecurity full-time, what's the difference between having that and an actual cyber security team? And if you have that, why wouldn't you want to hire experts in that field instead of cross-training or finding generalists?

hiring security experts is expensive and very few companies are able to afford and retain them.

ask yourself what is cheaper: hiring and retaining Cloud Operations admins in an SRE org plus hiring and retaining Cloud security experts in a cybersecurity org -- vs hiring one cloud security guru and tasking him with overseeing, maintaining, and securing $platform_name?

very few companies are able to hire and retain SRE-Kubernetes operators and Kubernetes security architects, so it kinda makes sense to merge and hire one good expert

Now you're just haggling over price. Ask yourself, what's more expensive, a good security team, or getting hacked? For LastPass, it's existential.

It just depends on the size of the respective orgs. If engineering is 5 people, a dedicated security person doesn't make sense. At 500 you might be able to get away with one. At 5,000 engineers though, you really do need more than one good security expert.