undefined | Better HN

0 pointsdvtrn4y ago0 comments

You may have missed the point being made

I feel quite certain that I haven't, I just think the point is poorly made and I've spoken specifically to why I think that to be the case. You can get all the recommendations and referrals you want for an infosec professional; nothing stops that person from holding themselves out to be such a professional, quality of work or competency performing it notwithstanding.

You can absolutely suck as a pentester, but still legally hold yourself out to be one and advertise yourself as one to anyone who will hire you.

You can NOT do the same, holding yourself as an attorney or a doctor without very real risk of legal action if you are in fact-not licensed to do either. There are bar associations and medical boards governing various aspects of their work, and how their work is conducted, performs ethics and competency investigations on license holders, and can take away their license to continue working in such capacity if said investigations deem fit. No such governing board or ethical board exists for infosec professionals.

That is a pretty important difference that shouldn't be ignored just to make a petty point about how easy is is to ask for a referral.

Just because there are consequences doesn't mean it doesn't happen.

Which is only supplemental to all of this. My entire point is that it happens, and the prudent do the diligence to make sure it doesn't.

0 comments

_jal4y ago

> I feel quite certain

People who are wrong usually do.

> You can get all the recommendations and referrals you want for an infosec professional; nothing stops that person from holding themselves out

Here is where you missed the point.

You are correct that we do not license, say, pen testers the same way we license doctors. You are incorrect in thinking that this matters.

The point is that in both cases, reputation is the best general-purpose measure of who you want. That's all.

My mentioning certs may have steered you wrong, and that was a bit of a distraction. My point there was that certs tell us something, usually not much, but are still better indicators than their self-advertising.

dvtrnOP4y ago

Let's dispense with the "right or wrong" aspect of this, because I don't think it's helpful towards moving the needle on this, and instead evaluate this as a matter of complementary perspectives.

Does reputation matter? Yes. This I will openly concede. Do I think credentials are meaningless? No.

Where we disagree is "thinking that this matters". I still think it absolutely does, and think the analogy is a poor one. You clearly think it doesn't, that's fine, but I don't think it makes either one of us less or more wrong. Perhaps that's all there is at play here, a difference of opinion in how an organization prosecutes the search for a qualified expert in security, medicine or law; and I think it's revealingly disingenuous to frame such organizational decision making and risk tolerances when seeking professional services with rigid and inflexible absolutes of "right way" or "wrong way" or whether or not method A matters whereas method B doesn't.

j / k navigate · click thread line to collapse