All Those Companies that Can't Afford Dedicated Security

  • After "what's the best new way I can find people who can write code fast and who will have a talent for finding security vulnerabilities", this is the issue that occupies all my cycles.

    Like most firms working in security, our bread is buttered by large companies, who are bidding very high numbers for (in our case) appsec testing.

    But by number, a conspicuously large fraction of our customers are mid-late stage startups, and taken as a whole, we talk to more startups than any other kind of business.

    Startups are particularly exposed to the security market problem. They have very little infrastructure and they are spending most of their cycles just trying to stay in business and find traction. At the same time, they've managed to outsource all of the technical requirements of their businesses except the part which bears the highest security risk, which is their custom code.

    What can we do about this? I talk to YC companies all the time, and it's frustrating. I am always good for a phone call and we'll even poke at startup apps pro-bono (we love working with startups) but that help has to get in line behind our paying clients, all of whom can be counted on to appear from behind a dark corner at any moment and swallow 2-3 weeks of our time whole.

    I am seriously all ears for ideas on how security people like iSEC and Matasano can help early-stage startups without invoicing half+ of those startups' last funding round.

  • Today, it's increasingly rare for organizations to have bespoke security, just as it's increasingly rare for them to have bespoke IT. It's only the larger organizations that can afford it.

    The rest of the article is based on this premise, which I can't agree with at all.

    It's the micro and small companies that are using off-the-shelf cloud software, not the mid-size companies. I know of two software vendors in my city alone that sell project management software to mid-size companies, both offer bespoke customization on top of a core product (one written in-house, one Dynamics CRM) and they are both doing a roaring trade in completely different markets.

    All of these off-the-shelf cloud systems offer only the most basic business functionality when you actually get down to it. Salesforce just manages sales. That's all. To get it to do more you need to do bespoke customization. And then you find out you can't just pay someone to build some software and let it just run; you need to be able to change it as your market and needs change.

    EDIT: My impression is that off-the-shelf cloud software is replacing shared excel spreadsheets and Access DBs. But this is all based on gut, I'd be interested to see any evidence supporting either me or Bruce.

  • The big hole here is that security in this day and age involves preventing phishing attacks. The only way that you can protect users from their own stupidity is to lock them down.

    Google Chrome and other walled gardens may win, because they come locked down by default. Corollary: Open Source may remain a thing for geeks only because of this.

  • I'm not in IT nor am I a software engineer. That said I'm tech proficient and was an amateur coder in a past life. Security seems like it has a solid future. What's the best way to train for a career (change) in IT security?