I always loved the quote/saying

"A student who graduates med school with a C average is still a doctor" or something of that effect. 

Certs help hiring managers and HR feel warm and fuzzy.  It documents that someone is SUPPOSE to adhere to an ethical code in some cases (ISC2, GIAC, etc...).  I agree they are great for helping you get in the door.  I also agree that they help prove that you have taken the time to invest in your career.  After all we should be doing this because we love it not because it makes us good money.  I always like to say that the money is a perk for doing something I love. 

I don't agree with companies forcing their staff to obtain certs just to say our staff is certified.  The only exception are vendor partners.  Many vendors require their partners to hold a certain level of certifications.  If a conulting company is a Microsoft Gold partner, then they need to have a certain amount of MCITPs, MCSEs, MCPs etc...  Now what I don't agree with is making the current employees flip the bill themselves for certification exams and training, reimbursement is fine, but offering to pay for training up front is better.  This shows the company wants to invest in you and your abilities as much as you do. 

My last job the CIO or CEO (not sure who made the ultimate call in the end) decided that they would take the advice of a hack consulting firm who recommended that they have fully certified staff for their internal tech support.  This prompted a full review of the current operations of the technical support department and eventually lead to the decision to outsource our duties to contractors.  They began by bringing in a number of consultants to "help" with planning our enterprise projects.  It consisted of project manager with a CISSP but no relevant experience related to the projects and another person who again had no real experience.  But hey they are certified so all is well right?  Then they began bringing in consultants to help fill the help desk seats.  Again no relevant experience but they were certified.  Supposedly they had someone coming in experienced with our Patch management system, alas, that was a myth.  Neither of the consultants even heard of it.  2 days later after I resigned, I got a call to work a 2 week contract in the city for the exact system.  I had to chuckle.  So they brought in all these consultants to replace the 8 fully qualified full timers, user issues are falling by the wayside, nothing is getting done and overall moral is crap.  But hey, its ok, they are all certified. 

Ok one more good one, they didn't even vet these consultants, one was coming in stinking like alcohol every day, he was eventually let go.

Certs are important, I enjoy going for the ones that will benefit my knowledge rather than fill a quota.  When I finally did take my first SANS course, I thought it was excellent!  For one it forced me to study, otherwise I get distracted when I try to self study and for two, I got to learn some things I didn't know.  Its also nice to gauge my success and even better utilize what I learned.  Just wish the SANS classes would have some form of student loan program, you are not always lucky to find an employer who will dole out 3500 for a 6 day course.  I also agree that certs do not make the individual.

Let's face it. Humans are not geared for making rational and intelligent decisions about risk. We are notoriously bad at it. It comes down to risk management of your human resources.

A certified person is a somewhat known entity. There is still the possibility that they may be incompetent, but they were at least validated against the set of requirements that earned them the cert. When trying to build mature processes, it helps to have as many known quantities as possible. Variance is the enemy of maturity. Using "qualified" employees also provides some level of defensibility (is that even a word?) when things go wrong.

The uncertified person may well be more capable, and often is but how do you validate that? What do you tell management when you choose an uncertified person over the vastly more qualified candidate (on paper) and then he proceeds to delete your AD domain?

The intelligent choices will factor in multiple criteria including problem solving skills, experience, available resources, certifications, education, etc., but auditors often like to see those credentials because they indicate uniformity and maturity and that's how they structure their reports. I really don't think anyone is wrong, but we don't live in a world of absolutes and there's a lot of gray area here.

Oh and I'm a CISA only so I know how to deal with auditors. I'm not an auditor. I do security testing, not blind checkbox compliance (except when it's the only way to pay for security control X)

I think certifications are very powerful when used correctly. Much like Masters Degrees, I feel people need to gain experience first then use the Cert/Degrees to augment their development. I hate it when i see "newbs" come into our company with a M.S. straight of or College and No experience. It is often much less effective because you don't have experience to reflect your learning's off of in your masters degree. Thats why it is called a Masters... you are mastering your field. you can master something without being involved. There is no such thing as a Boxer with no hands.

I'm going to continue with everyone, yes certs will get you an interview..but once you sit down for the interview and the questions start coming out..they will know if you're legit.

I remember going in for my first networking interview..I had the Network+ and CCNA ( home lab experience) and to be honest..I thought I was going to kick ass. BAM all hell broke lose.

We started talking about my education and certs, then technical questions started. I think I might of answered 2 out 10 questions right. Yeah I have certs and decent knowledge of networking but I was put in place and realized I need actual experience not just certs.

Do you have any IT experience? and have you had any interviews?

Yuck,

Very little.  I do tech support at my job for 4 yrs.  Very little actual computer work.  I volunteer at a Computer Forensics lab but it's only after hrs and after my FT job.  I can't go down there every day as they are testifying, or go home.  So its maybe once a week.

If I had no bills I would not be in this situation.  I could quit my FT job and go down there every day like the owner wants me too.

I have had a few interviews.  The most recent was a DoD job in FT Huccuica.  It's that base in AZ.  They said they didn't like my personality and that's the reason I didn't get the job....Really WTF...

There is a Jr computer Forensics position that I am being recruited for in VA but they need to hire a senior Forensics director and they will interview me.

So the only thing I can do is get certs, prove that I can learn and learn quickly and then hopefully find a person that was in my position until he got hired and then hopefully will hire me.

But in the mean time I keep plugging away one day at a time.

Yes they said they didn't like my personality.  That's the only reason.  The interview went great. I was friendly and answer all of the questions.  I was astonished that they said that to me.  Yes I am willing to move all over the world.  Looking at some jobs in Afgan/Kuwait now.

I will take anything anywhere.

Ya I figure having a Master's degree can't hurt.