[akerl_]

Any company that values certs in InfoSec is not a company you want to work for. There are specific government roles that require certs, and thus there exist good companies that make a token nod to paying for their folks to get certified, but the CISSP isn’t going to teach useful skills and any company that says otherwise is a huge red flag.

Best route depends on what band of security you want to get into. Pentesting? Building systems? Incident response? It’s a big field. But essentially, would recommend getting your hands dirty, go poke at some bug bounty programs to get your feet wet. That’ll help you narrow down what you want to do and get a sense of what attacks look like in the modern era, which are the 2 really useful outcomes.

[samstave]

Palo Alto Networks. Government Clients....

[akerl_]

It’s not clear to me what you’re trying to say? I specifically mentioned that there are roles that require certs due to government regulations, and at companies worth working for, you get hired as you are and they pay for you to hit whatever checkbox certs the role needs on paper.

[samstave]

We are on the same page. I mentioned CISSP as a goal to seek out.... not "start out the gate at CISSP"

The guy said he was a full stack SWdev for ~10 years... I am sure he is technical enough to understand the path...

[akerl_]

We aren’t on the same page. CISSP is not a goal. For security jobs, there’s 3 possible states with regards to certifications (CISSP, SEC+, etc):

1. Your employer doesn’t care about certs, and their customers don’t care about certs, and so you don’t need to worry about certs.

2. Your employer doesn’t care about certs, but they have customers (like the government) who believe erroneously that certs are desirable. So your employer pays for you to go get the fancy piece of paper so their customers will pay them. This is no different than any other checkbox requirement from the customer.

3. Your employer cares about security certs. This is a sign that you don’t want to work there.