The problem with the information security industry is the lack of accountability combined with the lack of technical know-how. More specifically, software companies need to be held accountable for their shitty products and those that are working to "protect organizations" need to be held to higher technical standards.
Over the last couple of years, some of my friends have found their way into the field and while I'm not one to harp on the success of others, it reminds me of why companies and private networks are insecure in the first place. Having a couple of certifications doesn't mean you know how to protect a network, or that you can identify an IoC when it's necessary. Granted, they have to start somewhere, but the truth is, they're not in it for the craft, they're in it for the cash.
I really can't stand hearing, "I can't code" or "I'm not about that life" when it comes to coding, pentesting, or the intricacies of DFIR. I tell some of my friends that to be good (and to be taken seriously) you really have to live and love it. It's not a 9-5 job, it's 24/7. It's late nights, it's devouring books, watching a lot of videos; a lot of note taking, testing, setting up VMs, programs, and exploits, and maintaining an organized model to work with it all. Programming is the same way, but programming differs from security in that the time dedicated to a build more often than not has a positive output. In security, time worked/invested != progress. Often, security work is like beating your head against your keyboard until something happens. Programming/dev is like being a writer: you just have to sit down and do it. Security isn't like that. It's wide, deep, and requires a top-down approach to learn anything new and worthwhile.
I know a lot of "security pros" who seriously cannot code, and it drives me nuts because all I can think about is the fact that vulnerabilities are based on software flaws. In security, the age-old adage is "Think bad, do good", which is basically an excuse to cash in on the growing demand for offensive skills. In security, the hacks are taught before anything else, in hopes that a practitioner will understand how to detect/defend having learned the attack. Well, where is this mentality when it comes to security software engineering?
I've been saying it for years: a security software engineering sub-field will be in high demand in the coming years, because companies are going to want security professionals that can break AND build. Unfortunately, the inevitability of the field is the fact that automation WILL eliminate most of the well-paying, in-demand jobs of today. By 2020, pentesting will be completely automated, as well as detection and prevention software that learns and adapts to network traffic and behavior. This is just a natural progression of the industry and it's going to leave a lot of "security pros" behind. Sure, one can rack up the security certifications, but what does that really mean? I know a nice collection of security pros that have a laundry list of certifications, but couldn't write a simple HTTP fuzzer if their life depended on it.
Security had a good run over the last 10 years as a young industry that had a lot of growing up to do. For a while there, anyone could get in, make a good living, and cash in on the growing demand for security skills. Fortunately, the industry is growing up and the real engineers are stepping in to make some significant changes to our established expectations.