
That is not my argument on the other link. My argument on the link is that they are worth nothing.


It seems like you got into computer security a fair bit ago, and have a lot of experience on the appsec side.

That background paired with “certs are worth nothing” points out two blind spots to me:

- the value-add certs have exists in non-appsec areas, putting aside CISSP and promotion paths. CySA is going to help you be a better SOC analyst, but ya it’s not getting you into NCC Group anytime soon. A CS degree or knowledge in that direction matters a lot more/only. SWE<>Sec exists in a totally different part of the field, in a way.

- early days security folks have a very different view on how to get into the industry. Back then, it was pre-certs, and even really pre-compsec jobs. Things are a bit different now.

You may not realize that where you stand depends on where you sit, but you’re pretty far from new talent pipelines these days it sounds like.

If single sentence platitudes are how you want to engage, then I’m done as well.


It’s kind of amusing to tell somebody whose prior ventures were “how do we do tech hiring better” and “being the interim security team for small companies, and then helping hire their replacements” that they seem pretty far removed from new talent pipelines.


FWIW: the interim security team company is still going strong; I'm just not there anymore (I'm at Fly.io).


Not sure what to tell you, I’m pretty close to the same hiring pipelines and outcomes tracking as well.

There is huge nuance to the cert topic, but it’s silly to hold a binary “they’re worth nothing” view.


The most I’ll concede is that certs are very useful in identifying job opportunities: if a tech job uses certs to assess a candidate/employee’s skills or value, it’s a good indicator to not take that job.

There’s not huge nuance here.



