I've been working as an information security specialist for a year now (doing SOC work, pentests and developing tools to improve the first two) at a major energy producer in Europe. I've been a hacker and following what's going on in this field for some time longer.
I haven't done consulting but what I've heard from colleagues about some consulting companies (even internationally recognized ones) we've hired in the past matches what you've highlighted - utter disappointment.
Even though I haven't approached the field from a consulting direction, I'd also recommend instead to start hacking yourself and applying the recommendations highlighted by Hans.
I would like to push back on a couple of things - certification and norms.
There are some certificates that really take a no-bullshit stance and completing them does require extensive knowledge and abilities, so seeing that someone has an OSCE certificate shows me that they are capable of doing penetration tests. I've heard other experts in the field expressing that certificates aren't that important for getting a job and what matters more is what you can do and what you are enthusiastic about doing.
Your wording on the usage of norms, I feel, is too broad. I agree that some norms, especially if they are thrown around without specifications or are implemented without background knowledge, are stupid (well explained by LiveOverFlow https://youtu.be/fKuqYQdqRIs ).
But as you said, they can be a good source of inspiration and ideas. For example, going through the MITRE ATT&CK framework recommendations does force you to think about all the aspects in which a system can fail, and the things highlighted there and in other standards are most often based on lessons learned from experiences where things have gone wrong.
I would also like to add to the Dos list:
Getting a good understanding of the fundamentals of IT, software development and networking