I saw some tweets in my TL about infosec burnout and such, so let's chat about that. I believe the core of burnout is not getting any traction for your efforts, so all effort and emotional energy is ultimately wasted. So why do so many infosec people and roles end up here? A 🧵:
In all of my roles, I've gotten the most traction improving security with teams where I had a high amount of influence. How did I gain that influence? Primarily by learning about what they do, why they do it, what makes it awesome, and taking an interest in its long-term success.
Improving security by the right amount and ways is all about ensuring the long-term success of a thing. Suffocate it with security restrictions, and it won't have long-term success. Accumulating too much security debt for too long also doesn't bode well for long-term success.
If you have a high influence relationship with a team based on understanding their work, frequent communication, high trust interactions, common context, and shared goal of long-term success, determining the right security improvements and alignment on them tends to be very easy.
Most importantly: you don't get any of that through any amount of work occurring completely within your own security team(s). I think the most incorrect idea in infosec is that anything can be accomplished from afar vs. through a rich network of high influence relationships.
Why do we try to secure from afar? I think there is also an idea that being independent is preferable to being invested (having skin in the game). I can personally say that my (independent) consulting recommendations were much worse than mine working inside a company (invested).
What I look for to understand how seriously a company takes security is not any amount of reports produced by consultants, but instead how many security folks they have invested in the company's growth and long-term success and how respected they are outside of security team(s).
You can follow @dinodaizovi.