The obvious place to start is to look at the resume. After that, we can just Google and review LinkedIn to see discrepancies and especially any omissions. If it’s an organization or a person coming to you to offer services, you should be able to find information about them pretty readily on the internet as far as whether or not they’ve done good business.
It helps if you ask for a previous pen-test report. For example, if you are looking to have a penetration test done, say, “Hey! I would like to see a couple of sanitized penetration test reports that you’ve done for other organizations.” They should be able to provide that. That should show some of the maturity, because that’s just one of the things, if not the first thing, people in the industry ask for.
Companies want to know you are technical and you are good at hacking. In addition, they want to know whether you are able to deliver a report that’s going to allow them to make sound investment decisions and sound security decisions based on what that report says. Some of the best technical people out there have a really hard time relaying that information in a written form that people who aren’t technical can understand.
I’ve been fortunate to have what I guess you could say is a gift, because that’s one of the areas where I get a lot of traction and excel business-wise: being able to sit in the trenches and do the attack. I not only demonstrate the attacks but explain what’s going on to someone who may not be technical at the same time. When they look at ROI and what they need to invest in, they will have a clear picture.
Cybersecurity can be a vague term, and many processes are done just because we think they need to be done. The key thing in hiring is not just the ability to do the test but whether they can transform those findings into enabling the decision makers to make the right security decisions.