Most engineers, particularly people who work on infrastructure, are extremely wary of companies that make security promises. This is because the vast majority of security offerings are definitely security theater.
If you intend to do something in the realm of security theater, please don't; the harm is real. The harm is to your mother or your grandparents, your non-technical friends. Please never engage in anything that does not actually improve security in a meaningful way, no matter how profitable it is, and it is most definitely profitable. There is a lot of snake oil in the industry.
The process of security is probably pretty close to:
- Identify what needs to be secured
- Identify the cost of poor security (so you can beg leadership for resources)
- Identify ways it can be attacked
- Identify the cost of prevention
- Prevent the things that need to be secured from being attacked successfully via technical measures
- Set up systems to find Indicators of Compromise (IOCs) to verify you haven't been attacked
- Set up systems such that when a compromise is indicated, the extent and method of penetration can be fully understood
- Set up defense in depth such that you assume one system is completely compromised and defend the other systems from it
- Sanity check your security posture via pen testing or bug bounty programs
There is also abuse:
- Identify how your systems might be abused by bad faith actors
- Set up systems to understand bad faith use of your systems
- Create and implement prevention and remediation of bad faith use of your systems
- Set up systems to audit employee usage of systems
- Gather evidence and prepare it for law enforcement
- Interact with law enforcement in regards to bad faith uses
There is also the sad side of security, compliance:
- Identify the compliances that you need
- Identify acceptable solutions for those compliances (which are frequently bad faith)
- Implement the solution to compliance requirements
- Handle the business <> legal <> technical compliance relationship
- Apply for and certify the compliance.
So:
- Understand
- Prevent/Harden
- Build/Monitor
- Verify
is kind of the process.

Most of the security folks I know talk to each other, follow security people on Twitter, or follow people like Krebs. There are many mailing lists for notification of major security problems; many are invite only. Hacker News is probably good enough for seeing industry-shaping stories. If you want to do research, mining the CVE database can tell you a lot about exploits. Security folks frequent conferences. DEF CON is probably the most popularized, but I don't think it's industry shaping.
I think the industry overall is often shaped by major public exploits. For a while SCADA systems were the big thing. Heartbleed showed us that many of the libraries we depend on are poor quality or neglected. left-pad showed us that many systems we implicitly trust aren't trustable. Spectre showed us that both hardware and OS are not guaranteed secure and that part of security means understanding your hardware might become 20% less efficient overnight. SolarWinds showed us that supply chain security is much more important than we thought. Russia's invasion of Ukraine has put a little bit of focus back on nation state actors and securing critical infrastructure systems (like power stations and cell towers). Pegasus showed us that zero days are absolutely abused by powerful entities and your CEO's communications may well be compromised. Colonial Pipeline was a big thing.
Frankly, if I were an investor, I would not trust a product dev who went from product right into making security solutions. I would expect a person creating security solutions to have worked in a security-based role and then had a desire to generalize solutions or to solve a painful problem faced in that role that all companies face.