Say you need to get a penetration test for PCI compliance. There are literally hundreds of vendors that offer these services. Your CTO would like to use X vendor because he read a paper / saw their name at Defcon / recommended by a partner.
When the vendor comes to perform a penetration test, they launch a Nessus scan against the target ranges. They compile the results and manually validate the findings to ensure they are not false positives. The end product is a report that looks something like a checklist: SSLv1 in use, self-signed certificates internally, missing the latest third party software patch on a server.
According to the penetration testing firm, you are probably at a low / medium risk level. The tacit implication is that as long as you fix those issues, you should be good to go.
The problem is that first, a vulnerability scanner is an imperfect piece of software and does not test anything a real attacker would. A real attacker might try phishing, or guess "Password1" on a user account. Maybe the attacker would attempt a man in the middle attack or set up an evil hotspot. Once you have AD credentials, now you can find which users have local administrator access, which then you can see if there is a shared Administrator password across all workstations.
The other problem is that the first penetration test does nothing to address potentially systemic issues for why the security vulnerabilities occurred in the first place. The patches could have been missing because there is no formalized patch management program, or inaccurate change management, or an issue with their Puppet config.
Currently there's no way to separate the "good" (read: thorough) from the bad other than direct referral or looking at a sample report.
I am a professional penetration tester right now in the US. I got into the field from education, but once I got my OSCP I had multiple offers from different companies.
There are a ton of "boutique" firms in the space right now, but there are quite a few who seemed to be popular and then died off right away.
One of the big market gaps I see is the ability to provide really good tactical feedback but also package it in a way that it provides value to the actual decision-makers at the top. There are so many pentesting firms that are extremely talented at breaking in, but are really lacking at helping to actually implement cultural and program-level changes so that it doesn't happen again. There are also firms whose idea of a penetration test is just running Metasploit/Nessus/Acunetix and then packing it up without a lot of insight.
Compliance is a huge driver right now, meaning some companies just want to check the boxes and be done with it. However, just because you are PCI compliant doesn't mean you are actually secure. It takes a special set of "soft skills" to be able to help companies truly improve their posture.
Maybe I'm biased but I wish Computer Science was more of an integral standard of education instead of an afterthought.
With all this discussion about Common Core, we're still at the point in my state where MAYBE a Computer Science can be applied to the Math credit requirement for graduation.
I just feel like so many schools view it as an optional afterthought.
Source: Physics teacher who has been begging his administration to add this course. Right now I have over 40 kids who meet after school to learn programming and scripting, but can't find it to be added as part of the official offerings.
Generally a decent layman's explanation of the experiment, but they had to conflate quantum mechanics with magic by saying "the atom knew it was being watched..."
It's very hard to handle these misconceptions once they're already so widespread.
In regards to your point about the physical size being a thing:
I worked at an inner city school and one of the teachers that could get students in line like nobody else was a 6'5" 275 lb man who worked as a biker bar bouncer on weekends.
This was middle school, so maybe the effect was exaggerated, but he could stop fights like no other.
To your point about trying to gain the approval of students, the dynamic definitely makes a big difference. Teachers that tried to be the 'fun' teacher were taken advantage of time and time again. I wish this wasn't the case, but an authoritarian role was the best way to provide consistency, stability, and true opportunity for learning in these types of classrooms.