Real-world anecdata on how one big company (medical equipment) got OK at security:
At some time they decided that security was more important now. Their in-house guy (dev → dev management → "congrats, you are now our chief security guy") got to hire more consultants for their projects, went to trainings and, crucially, went to cons (e.g. DEF CON). He was a pretty nice guy, and after some years he became fluent in hacker culture. In short, he became capable of judging consultants' work and hiring real security people. And he made some friends on the way. I think this is the best path to acquire institutional knowledge: take a smart person loyal to the company, immerse them in the knowledgeable subculture (spending money on failures on the way), and use the acquired knowledge to hire real professionals (really hire, or hire as consultants for projects, or hire to give trainings).
Different big company (not software related), same thing. After some years their security guys became fed up with their lack of internal political capital, quit and switched career to “real” security.
Note that this approach gets hacked if everyone uses it at once, which means you should never attempt to immerse your experts after hearing another company is doing it, because all the newbies will end up talking to each other (see how things like LinkedIn work for 99% of people as some kind of weird networking simulator).