I’m head of cybersecurity for a $2B tech company that makes networking equipment. Cybersecurity is a mostly crappy career, even today. (I would say totally crappy, but I can easily find work, only to basically go nowhere and constantly fight people to even do a mediocre job.) Why is it so crappy?
Several reasons:
1) If you do a good job, nobody notices or cares. Nothing happens, you just spend money and delay things. You’re not generating new products, income, etc.
2) It’s DEAD LAST in priority and budget is hard to come by. Because of #1.
3) It’s so complicated, people don’t know the difference between good security and shit. Thus people focus on doing as little as possible to look good to management, who knows even less about it.
4) The timeframe between doing a shitty job and the consequences is long enough that it’s easy to claim ignorance and point fingers.
5) Regulatory compliance is not sufficient to be secure, but it is sufficient to appear secure enough for management to declare both victory and ignorance.
The rare cases where I see companies do a decent job are:
1) They have been burned really badly in the past due to security failures and senior management was directly and personally affected.
2) They are a very large company, and security directly impacts their bottom line. For example Apple, or a bank. But caveat: a credit card bank will only protect themselves against risk that they are liable for (vs risk owned by a merchant or middle-man bank).
So why do I work in this business? Because very few understand it and I can make a lot of money working very few hours and working remote anywhere in the world, being the person I want to be. I can use my free time to do something important that people appreciate, like live music and discussing gender issues. And it wouldn’t matter if I worked any harder. People will do as little as possible to be secure - I spend most of my time calling people on their bullshit and making them redo things and then escalating if they don’t. (I.e. I don’t have to do much work analyzing things because the vast majority of people are so bad at security, the mistakes are painfully obvious to any decent security professional. I have to FORCE people to do even simple things and often yell at and threaten them to get them to do almost anything, and I do this in front of senior management and TO senior management all the time. Otherwise people will NOT listen or do even the most basic things properly.)
And I’ve worked with insurance companies and UL on cyber programs and lobbying Congress on reform. The problem we run into is that the people buying insurance know even less about it, and the market does not seem to have much of a place for those who price insurance well. If an insurance company charges more for customers who have a lousy cyber profile, the customer will just buy insurance from another company who is dumb enough to not know the difference. Hopefully this is improving.