Certs in our industry are a funny thing. In fact, you mention OSCP or a SANS cert, and I rarely hear a bad word. On the other hand, you hear CISSP, CEH, Security+, and many others and you get mixed reviews. Never mind that sometimes the job wants you to get one of these “paper” or “not worth the time” type certifications. There are reasons, and yes, while one could hack their way into getting one of these certs without having actual experience (even with the 5-year requirement for the CISSP), the upper levels of management in many companies, and HR in a lot of companies, want to see some of these certs.
I go off on this because I just set up a date to take my CISSP cert. I know a bunch of infosec people, and many of them have told me not to do it, until they hear it is part of my bonus objectives for the year, and then it is, “Well I guess that is a good reason to.” Personally, I am nervous as all getup about it. I haven’t taken an exam in many years, and haven’t passed one in almost 10 years. Reality is that means I have not been good at taking exams, or memorization. Heck, we have Google, DuckDuckGo, and other search engines, books in paper and digital format, and social media to ask questions and get answers from in real time. I’m getting older and the memory is not always what it once was. The fact that some of them feel my skills are well beyond this exam means a lot, but still it is something to toss out there. Something to get me a better raise, force more money maybe, but really it might shut some people up that I do not know what I am talking about. Mind you those people are not in the infosec world, and in a bunch of cases not in the IT field at all.
A self-made man is what I am. I have learned from others and from books. I have experimented on my own equipment. I have no degree from a college. I know what I know and I don’t know so much more it is amazing. So much to learn. So why get down on a simple cert, that if you actually study for it, someone can learn something? I mean, isn’t that one of the things that makes infosec great, the constant learning?