And the standards for getting into security vary, a lot. I've worked with extremely knowledgeable security researchers, and people who were promoted from helpdesk (typically in areas like compliance), with very little knowledge outside of some certificates. With the latter I often had to explain pretty basic stuff, like how digital signatures work and why the client needs to know the public key.