Not all security folks need to be programmers but it can be beneficial depending on what you want to do. Check out the SANS list of cool infosec jobshttp://www.sans.org/20coolestcareers/
Many of these jobs will interface with code at some point, and some are very application focused but others really don't. I worked as an IT Security/DR Consultant/Administrator for the state for 6 years (and general IT work with servers, desktops and some IT Management for 9 years before that) and never once looked at a line of code. I managed all aspects of BCP/DR for IT, enterprise AV, incident handling, IT audit, VA, and basic firewall configs as well as loads of work defining and implementing configuration standards. None of it required code outside of some simple task automation using batch scripts and most of that was copy/paste off the internet with some minor tweaks for environmental stuff.
That being said, depending on your career goals you may reach a point where your lack of programming knowledge may limit you. This is where I currently am. That job at the state was a great way to break into infosec but I was somewhat limited since I wanted to focus on security testing and do more than just the configuration reviews and audits that were a core piece of our assessment process. Hard to think outside the box when you are checking boxes. At that point you have 3 choices.
1. Learn the code and apply the knowledge to what you already know (This is the route I'm currently undertaking and painfully slow I might add) This seems to be one of the biggest pitfalls I've seen and experienced firsthand with infosec careers. Trying to run before you can crawl. For me it was programming, for others it's network protocols or architecture, or methodology or critical security thinking or risk analysis or soft skills or any of a number of other components of a good security tester.
2. Go into management
3. Work in an area where you don't need to be a programmer. I know some really top notch incident handlers, firewall admins, IDS analysts (unless you count Snort rules which I don't) and others that can't write code.
What is it you are trying to achieve? Check out the SANS list above and think about the 3 jobs that sound the most interesting to you. What do they have in common? What would you need to do the jobs? That should get you started.
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP
WIP: Vendor WAF stuffhttp://sentinel24.com/blog