Certifications? Why?

So the market is forcing me to get one of the security certifications, like the CISSP. It doesn’t matter that I have more than 16 years of experience in the field, and pretty much saw firsthand each case those certifications cover. Sure, I can pass the exam, but I don’t see the point. Besides, they charge you an enormity for it and you need to maintain it each year by paying more money.

It’s all about the money. Nothing more.

You have people that are certified and are worth crap. For example, I once had to help someone with a risk assessment; he had three, not one, three certifications. However, during the assessment he failed to see the most obvious of vulnerabilities, even after I pointed it out to him. Why? He was caught up preparing his checklists, methodology, tables, report formats, standards, etc., etc., etc. He was following what the certifications told him was the correct way of doing things. Not real life. He failed to see the MOST obvious vulnerability, right in front of his freaking face.

But he is certified.

When I showed him how things work in real life, he was out of his element. He didn't have a checklist for this.

I hate this. Anyone can pass a freaking exam. However, it takes more than just a piece of paper to think like a hacker, like an adversary, like a security expert.