Competitive Pay and Sponsored Certification
InfoSec resources definitely come from a wide variety of backgrounds. I've worked with ex-cops, ex-lawyers, ex-history professors, and so on. My background is, professionally at least, in software as a build, release, and test engineer. While I'm currently a security lead embedded in an app development team, even now security isn't my primary role. In fact, I've had opportunities to get out of my software dev role and focus on security, but the pay and benefits didn't outweigh those of my current gig.
Now, I'm sure it's surprising to some I work with to learn I have pentesting skills, can build Tor servers and nodes, have a deep practical understanding of cryptocurrency, and have researched everything from undetectable honeypots to a distributed computing-driven traceroute infrastructure for generating real-time network topology snapshots. But none of this is interesting when you consider that 50 hours of my work week are focused on everyday development lifecycles for standard app features. My preference would be to put my technical skills toward something I love and find endlessly fascinating, but when you compare the InfoSec work week to its pay scale (and I mean practical engineers who program tools on the fly, track intrusions in real time, and patch in response to exploits) you often find a huge gap.
One of the things that keeps me in my current role is the combination of industry competitive pay, benefits and the regular opportunity to get certified on the company's tab. Working somewhere that gets the value you bring, understands the hours needed to do quality work and provides opportunities for work/life balance is hard to measure. And for many of the smaller InfoSec groups that have reached out, this just didn't seem to be the case. Frankly, I suspect a large number of hiring managers don't understand the day-to-day activities of an InfoSec tech. The 24/7 availability requirement is only one aspect of this reality. There needs to be a resource balance to allow relaxation, but also flexibility to allow techs with families to work after hours when needed, the tools to pull out a mobile device and work when in line at Disneyland on the weekend, and the pay scale to make all of it attractive.
Until the pay is more competitive, the tools provided are the best available for maximum computing power and mobility, and access to company-sponsored certifications becomes the norm, I don't think as many people with the skills companies really want to hire are going to be lining up. This may be just a small factor in the equation, but for me it was the primary one. And I work alongside lots of far more talented hackers who also settled for the next-best role for the same reasons. Maybe it's good, though. That means embedded InfoSec junkies like me can help add a layer of security responsibility that might not have been there before since... well, since companies aren't hiring teams of us.