The problem with the security industry is that there's no way for non-experts to reliably assess "I'm an expert, trust me!" from a practitioner.
I'm not really sure what the best fix is; there are many possible ones. I've seen total clowns pushing decades-old nonsense be taken seriously by competent businesses simply because they thought "hiring an expert" was enough, like they're a plumber or something.
It is no different than doctors or mechanics or lawyers. Reputation is your best guide. In security-land, there are some certifications that are fairly rigorous; some of those can serve as a distant second.
Doctors and lawyers are professions that are regulated by licensure, of which unauthorized practice comes with actual real and not made up legal consequences. Where is the similar licensure that tech security professionals are regulated by?
You may have missed the point being made. You find a good security professional the same way you find a good lawyer or doctor. Ask around for a reference for a good one. Then check their credentials (e.g., what certifications they have).
I believe there was an article on HN recently about a startup that used a "lawyer" that wasn't because they didn't check their credentials after getting a great reference. Just because there are consequences doesn't mean it doesn't happen.
I feel quite certain that I haven't, I just think the point is poorly made and I've spoken specifically to why I think that to be the case. You can get all the recommendations and referrals you want for an infosec professional; nothing stops that person from holding themselves out to be such a professional, quality of work or competency performing it notwithstanding.
You can absolutely suck as a pentester, but still legally hold yourself out to be one and advertise yourself as one to anyone who will hire you.
You can NOT do the same, holding yourself as an attorney or a doctor without very real risk of legal action if you are in fact-not licensed to do either. There are bar associations and medical boards governing various aspects of their work, and how their work is conducted, performs ethics and competency investigations on license holders, and can take away their license to continue working in such capacity if said investigations deem fit. No such governing board or ethical board exists for infosec professionals.
That is a pretty important difference that shouldn't be ignored just to make a petty point about how easy is is to ask for a referral.
Just because there are consequences doesn't mean it doesn't happen.
Which is only supplemental to all of this. My entire point is that it happens, and the prudent do the diligence to make sure it doesn't.
> You can get all the recommendations and referrals you want for an infosec professional; nothing stops that person from holding themselves out
Here is where you missed the point.
You are correct that we do not license, say, pen testers the same way we license doctors. You are incorrect in thinking that this matters.
The point is that in both cases, reputation is the best general-purpose measure of who you want. That's all.
My mentioning certs may have steered you wrong, and that was a bit of a distraction. My point there was that certs tell us something, usually not much, but are still better indicators than their self-advertising.
Let's dispense with the "right or wrong" aspect of this, because I don't think it's helpful towards moving the needle on this, and instead evaluate this as a matter of complementary perspectives.
Does reputation matter? Yes. This I will openly concede. Do I think credentials are meaningless? No.
Where we disagree is "thinking that this matters". I still think it absolutely does, and think the analogy is a poor one. You clearly think it doesn't, that's fine, but I don't think it makes either one of us less or more wrong. Perhaps that's all there is at play here, a difference of opinion in how an organization prosecutes the search for a qualified expert in security, medicine or law; and I think it's revealingly disingenuous to frame such organizational decision making and risk tolerances when seeking professional services with rigid and inflexible absolutes of "right way" or "wrong way" or whether or not method A matters whereas method B doesn't.
I'm not really sure what the best fix is; there are many possible ones. I've seen total clowns pushing decades-old nonsense be taken seriously by competent businesses simply because they thought "hiring an expert" was enough, like they're a plumber or something.