hammackk - Thursday, January 12, 2017 9:24 AM
Sounds like a very badly run organisation. Developers should be briefed on security preferably by security people, not by DBAs (who often think they know more about security than they actually do) and in particular on any particular aspects of security that are specific to the company rather than being general stuff. And if developers are not held accountable for security flaws in their systems the management has got it all wrong: it should ensure that its developers understand security and are trained to design and implement things that meet security requirements (either by recruiting only people with that knowledge or by training them) and are given what they need to provide security (so that they can take responsibility for it).
Having professional security people to ensure developers (and DBAs) understand the issues and have the necessary knowledge is a good idea provided the management hiring them are bright enough to distinguish real security people from people with a pretty uniform and a truncheon (who are often called "security guards"). But if the organization is as poor at professional development as is suggested by the idea that the team doesn't even know what it doesn't know and can see substantial barriers to having professional development actually work the management is probably not that bright and the team might do well to start job hunting.
Tom