Not saying IT security cannot be admins, sounds like you are bringing a theoretical viewpoint. I already have some years of experience and certifications in the field - so it is hard to surprise me.
I am pointing out that in most places there is separation of duties, so you don't give a "red teamer" or "pentester" access to any databases when they are in an offensive role.
Then most likely administrators (who can have formal education on paper called cybersecurity), who have loads of work, so 90% is configuring and keeping all configuration proper, will have requirements like background checks, and you are not going to hire "mischievous people" for that role.
Security is a broad spectrum, but still offensive testing is maybe 1-2% of the work that needs to be done; all those systems need people to configure them. With good security, 90% of the work is waking up, updating software and keeping configurations of systems documented and in a proper state. If some company doesn't have its security posture basics fixed, there is no point in doing a "red team assessment" or a "pentest" with them; that would be a waste of time.