Security isn't just "people can't get inside our servers", it's a much broader topic than that — anything that looks like "people didn't something that, in hindsight, we'd rather they couldn't have" falls under that purview, really. I'd certainly qualify working on preventing the next Cambridge Analytica, or preventing the next micro-targeted political propaganda campaign, as "security work" without even blinking.