On the #infosec #jobs front, something I have literally zero useful data on is how long you should spend in a role. Not once have any of the interviewees I've seen this year been impacted by being in a job too long/not long enough.
Even in my sketchy notes, I have zero mentions.

The general wisdom is that people who spend short (18 months or less) in roles are skittish and likely to move on soon, or might have "issues" which make it hard for them to settle in.

I have nothing to counter this with so I am open to suggestions. It feels right, but old...

I never made any notes about people's length of service in the interviews I've done but I don't remember if that was because it didn't matter or because they were all 2-3 years, which feels "normal" now. In one interview, one of the panel asked why a candidate wanted to move

after six years with their current org, but that's the only reference I can find.

Checking with people I've worked with, the vast majority spend about 2-3 years in any one place, but there is a huge selection bias in my data.

The current agile/devops type world does seem to make things move "faster" in every sense.

In lots of orgs, 3 years is a lifetime in IT and I can see that people would reach a point where change was needed.

In SOC/IR, 3 years is likely to be exhausting - and the constant effort of CI in security means a change is really the break you need.

But how does that impact people hiring? Some orgs have major change in a few months, so 6 months gives a mountain of experience.

conversely, you could be at a very conservative retail-environment where it takes 5 years to complete a project and anything less really is just flighty...

Does it matter at the paper sift? Would it just be something to confirm at interview?