[rdl]

If you're in the military, you're basically required to get it, and it's not much more of a waste of your time than other things you could be doing there...

I personally got it just so that no one else in my company would ever need to do so; there are stupid companies which won't buy a product without integration, and where they have artificial requirements for integrators being certified. Given that it is only 1% of useless pain to enable 99% useful rewarding stuff, I found the sacrifice worthwhile.

[tptacek]

This comment is a great example of why I'm training myself to be less factional and defensive about people who hold the certificate. The military thing hadn't ever occurred to me.

But to be clear: I believe pretty firmly that for technical / software security, the CISSP is useless.

[rdl]

CCIE Security is probably useful, although that's more CCIE + Security than some abstract security cert, too, and specifically for network security, and specifically the kind of network you get in a corporate environment, not a startup/saas.

I'm not sure how I feel about SANS/GIAC. Absurdly expensive IMO, but potentially actually has some value for sysadmins doing system security. I can't think of what CISSP is actually good for, except maybe trivial pursuit - crappy consultant edition.

[suresk]

Somewhat related - about 2 years ago, my employer had a bunch of us go through the SANS/GIAC GSSP training & certification. Some of the material was pretty boring and of questionable utility, but we had a good instructor and some of the hands-on parts where we were finding vulnerabilities was actually really fun.

I'm under no illusions about the certification's marketplace value and I doubt I would have ever paid for the course/cert on my own, but it felt like one of the better formal trainings I've been through in my professional career (which, granted, isn't saying a whole lot by itself).

Also, the certificate comes mounted on a comically oversized plaque, which provides some entertainment value.