I worked in IT Security with some spooky dudes, including some who were quite famous. Even though pretty much every company has someone with IT Security in their title or job description, the fact of the matter is that the vast majority of the "security professionals" in the US today are woefully undertrained and lack useful experience. If you really want to find out how good someone is, ask if they have done 1) a physical security assessment of their company (i.e., they know how someone can physically compromise building security); 2) managed an external threat assessment (i.e., hired a company to see if they can break in and how they did it); 3) have an active response team, and have participated in Red Team/Blue Team exercises (Red Team employees pose as hackers and try to breach the company systems while Blue Team employees monitor for attacks and actively work to foil them). Finally, what do they do to train non-security staff in how to minimize exposure through security training? If you get blank looks on any of these, find another candidate.
re: your 1) - I worked at a company about a decade ago where our office security could be compromised with a manila folder. I proved it to some of my coworkers one afternoon and they decided not to leave anything of personal value at the office after that.
I am in total agreement. I work as a cyber security architect and can't tell you how many executives and senior-level titles I run into that have NO CLUE about cyber security. Sadly, the majority of our customers are banks.