I would say the lawsuit example isn't great, lawyer is a specialized profession unto itself. Management has it's own vagaries, but I think it's easier for the right kind of engineer to get into management rather than a lifelong manager to gain competence in engineering and that was the original point. Having someone with no background in engineering running a department is suspect.
There's still a disconnect here. Infosec is a specialized profession unto itself, too. A CISO is not just "an engineer that's gone into management". My original point is that security is so far removed from "engineering" that it's incorrect to equate the two (even though it's done all the time).
>I think it's easier for the right kind of engineer to get into management rather than a lifelong manager to gain competence in engineering
IME, it's the opposite. It depends on your specific goal (are we trying to train someone to be CISO or are we training them to be a SOC team leader?), but it's ridiculously easier (and more effective) to take a person with existing management abilities and teach them about security than it is to take an engineer and teach them security management skills.
>Having someone with no background in engineering running a department is suspect.
It's really not, because again, engineering != security. It's no more suspect than the CFO not having a background in engineering.
