There are many different kinds of security roles such as risk, compliance and security reviews (very little programming), penetration testing (programming and scripting to various degrees depending on the work) and security software development (full-time programming).

How good one is at programming would of course usually depend on the individual. In the rest of the software industry, there are all kinds of roles (some of which involve programming and some do not) and the ones that do involve programming have programmers of all kinds and calibre. It is no different in computer security.

I have over 12 years of experience in this field now in various positions where my various colleagues and I have written large security products in C, C++ and Java, as well as smaller security solutions in Python and Go. Most of the times programming is just a means to an end which is true for many other fields as well. It is usually math, algorithms, crypto, protocols, etc. that are more interesting and that we need to be well versed with along with being skilled at programming. Also, I would like to share two of my earlier posts around this subject:

- https://news.ycombinator.com/item?id=14873475 (about demand and job prospects in security software development)

- https://news.ycombinator.com/item?id=12545851 (about math and software development in the computer security field)