The InfoSec Blog

Requirements for conducting VA & PT – Take 2

Posted by Anton Aylward

Some people are under the mistaken impression that a Pen Test simulates a hacker's actions.  We get ridiculous statements in RFPs such as:

The tests shall be conducted in a broader way like a hacker will do.

LOL! If a real hacker is doing it then it's not a test 🙂

Seriously: what a hacker does might involve a lot more: far more background research, some social engineering and other things. It might involve "borrowing" the laptop or smartphone of one of your salesmen or executives.

Further, a real hacker is not going to be polite, is not going to care about what collateral damage he does while penetrating your systems, or whose lives he may harm in any number of ways.

And a real hacker is not going to record the results and present them in a nicely formatted Powerpoint presentation to management along with recommendations for remediation.

Career Insights from Stephen Northcutt, CEO of SANS

Posted by Anton Aylward

http://www.bankinfosecurity.com/articles.php?art_id=2914

Fascinating.

I get a lot of enquiries from wannabes who, as they put it, want to "break into security". I presume they see it as more interesting than the work they are doing.

They come in all varieties, from high-school kids asking about what degree they should take to people with no actual work experience asking if they should take a CISSP or CISM.

The luminaries of our profession, be they CISSPs or people like Marcus Ranum and Bruce Schneier who lack such certifications, all came up the same way that Stephen Northcutt did and many of us here did - the long way. And they gained the practical experience and understanding of the issues along the way.