> I've met lots of security consultants who did not have backgrounds in math or compsci.
My experience both working at and with higher end consultancies is that there is no correlation whatsoever between those degrees and any particular consultant’s competency. Some of the best people I’ve worked alongside have been college dropouts and Religion majors.
Likewise, I've never found any correlation between those degrees and security improvements delivered by consultants. Honestly, the best security consultants I know of are essentially con men (and women!) who have devoted their amateur psychological instincts to good. You can apply all the best tech but without organizational change it won't last. On the flip side if you bring organizational change to adopt security in depth as a value then even substandard tech can serve the purpose. In that vein, the best security consultants (meaning someone hired temporarily for their expertise – not a long term employee hired by renewable contract) are those who can imbue leadership with the vision of their organization as one that benefits financially from security as a cultural value. I'm not sure who did this for Apple but they are a good example of a company that has benefited from a reputation earned by truly valuing security instead of trying to merely make sure everything is secure.