It's such a farce. You got a 70% on a multiple choice test and now you are "certified" in information security, nevermind that you don't know how to actually produce anything (neither a "dev" nor an "op"). But hey, the c-suite who hired you can only read pie charts and bar graphs, and is paid top dollar to make sure those boxes get checked, not to know how anything actually works.
So you buy a bunch of automated scanning tools, pester the sysadmins to install multiple root-kits on all the servers, generate a bunch of PDF reports, and email them to those same sysadmins. You know, to help out the people who have been _achieving_ security (not just talking about it) for years. You rely on them to implement or document everything for you, but it never occurs that they could teach you a thing or two because they are not "certified". What they would consider their nuanced opinion tempered by years of experience comes across to you and your c-suite boss as complacent and change-resistant excuse-making.
So you buy a bunch of automated scanning tools, pester the sysadmins to install multiple root-kits on all the servers, generate a bunch of PDF reports, and email them to those same sysadmins. You know, to help out the people who have been _achieving_ security (not just talking about it) for years. You rely on them to implement or document everything for you, but it never occurs that they could teach you a thing or two because they are not "certified". What they would consider their nuanced opinion tempered by years of experience comes across to you and your c-suite boss as complacent and change-resistant excuse-making.