20 tweets, 4 min read
I've been thinking - what actual value do companies see from having a skilled, knowledgeable, capable infosec team? I am a bit worried that, on reflection, the answer seems to be "not a lot."
Don't agree? Read on and I will try to explain.
First - backstory. About 5 years ago I was engaged with a company who had a genuinely top-notch [IT|info|Cyber] security department. For an org of ~7000 end users, they had ~20 security professionals who covered a range of disciplines, all motivated, experienced and hardworking.
Over the next five years, a combination of frankly INSANE management decisions obliterated this great team. It wasn't a security management issue, it was an organisational fit of madness where most Director-level staff didn't stay long enough to have a forced password change.
During this time, gradually the "best" staff left, often replaced by people who would, in other circumstances, be unemployable. None of this slowed down the management madness which started to consume executives and dismantled entire structures.
Fast forward to around six months ago. The team is a shadow of its former glory. It still has people who care, but they are a minority. From once having experts using Cobalt Strike to run continuous red team, it struggles to get output from Any Dot Run.
From having people who were actively struggling to improve things, to resolve issues, to prevent future problems, it is *largely* people who are content to wait and see what comes up and if nothing happens they don't have to do anything.
SIDEBAR - this is not a subtweet. Some of the people there are good friends of mine and I don't mean this to say they are all inept. /SIDEBAR
On a personal level, I've learned that things I put massive amounts of effort into getting working have largely been left to wither and die. Things I got stressed about making sure happen, now simply don't happen.

And no one cares.
The point of this is that I am, currently, unconvinced that anyone should care.
They have had zero increase in incidents. They have had zero increase in "security issues" (a lot of this is because they don't see them any more) and there is zero incentive to make anything better.
This is not an isolated case. When I reflect on organisations I have been part of in the last decade, this pattern repeats itself. A multinational I worked at went from spending three years building a superb internal CSIRT/investigation function to dismantling it, almost overnight and then outsourcing enough of it to claim it still existed without missing a heartbeat. And not one exec was held to task even when BadThings eventually happened. It was the "How could we have ever known" response. And everyone was ok with this.
So, realistically, while we work hard, put in all those extra hours to make things awesome, how much of it is actually needed for it to survive when [you|me|us|them] decide to move on? I suspect this is a lot less than people think.
My personal conclusions: mediocrity is perfectly acceptable by organisations, they don't want to pay for skills/ability and generally don't need it. If you want to be good and do good things, this is great but realise you are doing it for yourself (which is enough reason), not work.
Even in 2020, most companies don't care about security. They give it the minimum they can get away with, which is almost certainly less than you, a sane person, thinks is acceptable. *If* they get breached, lambs will be sacrificed and things will carry on as normal.
Your skills, knowledge and ability matter more to yourself and your peers than they will ever matter to a company that pays for your work. This *is* close to my heart because I am obsessive about trying to learn more. But I am fully aware most people who pay for my work don't give more than a small toss about what I can (or can't) do.
If you ever suffer from impostor syndrome, rather than compare yourself to the rockstars, compare yourself to the majority of people doing Infosec in non-security companies. When you talk to "Security Consultants" who don't realise Linux logs login events, and they have zero shame in this lack of knowledge; when you see Security Operations managers who don't know how a SIEM works, you realise there is a wide range of "skills" in this industry.
In 65% of [Info|IT|Cyber] roles, all the company wants is someone who will sign off on designs or prepare pointless documents for a regulator/auditor.
If you have a role with a good team where people actually care about your abilities, cherish this and realise you probably work for a minority of private sector industries.
Which brings me back to the main point. If companies can go from High Skilled / High Performing teams to mediocrity without caring, is there any real, tangible, value in paying extra for the skills?
IMHO the answer should be *yes* because that genuinely feels right. We should strive to be better because it is the right thing to do. We should be proud if we excel.
But few companies do this & it's not clear they should. Being good costs money. Is it a justified expense?
Thread by Taz Wake