We have been hiring a lot of people recently, and it reopened a long-standing debate. How important are long years of hands-on experience when recruiting a security tester?
There is value in recruiting a security tester who has real-world experience in the field:
The ramp up time for the person to skill up is minimized.
He/she has developed the discipline required for testing.
The tester is familiar with a number of platforms already.
Having seen the practical problems testers face, the person has clearer expectations from the job. [It's not "just hacking"!]
But long years of experience is less important in security testing than in several other fields. In areas where change is relatively slow, 10 years of experience is vastly better than one. In security testing, new techniques and tools are being added so rapidly that even the experienced tester is constantly learning new things to keep abreast.
In such a situation, it is better to look for the ability to learn and apply new knowledge than to count the years of experience during recruitment.