[amckenna]

I think the point is more that security certifications CAN be worthless and you don't NEED them, but that doesn't make them inherently bad/worthless. I think the author's argument should be that the industry has begun to rely on them too heavily for vetting. That makes sense though because it can be very difficult to vet the skills of a client. The hiring process is very time consuming so if you see two candidates and one has "proven" they at least have some baseline skill in an area then they will lean on that for decision making in the same way they look at education or self reported experience.

Experience on a resume is self reported so that is an even worse indicator of skill than a cert. At least one of those two involved external validation by a 3rd party.

I think there are a few good ones out there and getting them ensure the person has at least a baseline knowledge of some subject. I have worked in the industry for years as a pentester, but I still went and got my OSCP and OSCE for fun. A lot of it was review, but it was nice to fill in some gaps and practice things I hadn't had as much experience with.

Certs are like college degrees, you can get by without them, but it can be easier if you have them. You will probably learn some things along the way and the provide a foundation for later studying or pursuit. You don't NEED them, but you don't need a lot of things in life, that doesn't make them worthless.