The reasoning behind that practice is due to the fact the client may not feel too comfortable having an ex hacker snooping around on his network. They want a security firm, not hackers.
I ask a question in class, "How can a white hat hacker really be effective if he has never been a black hat?" Just trying to think like the enemy is not enough. Where does experience come in? Book smarts or real world experience? Which would you prefer?
I would like to get your opinions on this.
Just a note to all the black hats that read this forum, "If you think you are going to get certified and then be accepted by the corporate world, think again. You better not ever breathe a word that you were ever a black hat. The only way that will happen is if they made a movie about you."