Totally agree - it still cracks me up in my particular industry. “There’s a shortage of security engineers and architects” is a common trope. No, there isn’t - you just aren’t paying more than SWE and other dev salaries. People would consider switching if the money was there.
But I started out by finding software engineers that were interested in security and were willing to learn and turned them into higher-paid security folks.
absolutely this. most solid security people were devs with an interest who were given the opportunity to flip. the problem is employers want to pay below market prices, for someone who already has all of the skills they want. that just doesn't happen: those people command a lot more money. your approach is MUCH more practical (hire or transfer good interested devs internally, and train them up).
The bad companies, though, don't tend to offer more money than average. IME, they offer less. When a company is deaf to what developers care about in one department, they're usually deaf to what developers want in other departments, too.