Hacker News

10+ year info sec veteran here. I think the first order of business is: do you want to be a specialist or a generalist? Application security is but one piece (albeit in many cases a very important piece). I chose generalist and I am happy to have done so. Today I am diving into Strict Transport Security, yes, but also working with HR and IT on our employee onboarding and off-boarding process, and reviewing vendor and customer contracts and federal compliance requirements. Privacy, regulations and law, compliance, IT and infrastructure security, corporate IT security, and yes, application security: every day I deal with all of the above and I love that. And as a great foundation for all the things a security person may do, I cannot recommend the CISSP enough: go for the CISSP (or, alternatively, CISA) certification.



The CISSP is a certification designed to give managers a high-level understanding of the different areas of security. For some stupid reason, HR people think it's the gold standard of technical certifications. Unless a person is an absolute beginner, they probably won't learn anything technical.


I literally can't think of a single person I talk to in security --- and I talk to lots of security people --- who will mount a defense of the CISSP certification. Most of the people I know see it as a plague on the industry.

(I'm 22+ years in the industry, for whatever that's worth.)


There's nothing wrong with the CISSP for what it is, a wide gamut glance into InfoSec, but a lot of hiring managers have been led to believe it holds high technical merit. A few years ago I took a job with my then shiny new CISSP and I was uncomfortably flattered a bit at how much awe it held with people who had no idea what it even was. They assumed I was a master hacker when neither my work nor my resume suggested any such thing.


What does it actually tell employers, and, for whatever that thing is, how likely is it that having a CISSP is a reliable indicator of that thing?


I think what it tells employers, who don't know better, is that the person is a Certified Information Systems Security Professional, and they might have heard that all government security employees must have one, so it must mean that the people are extremely skilled. On this I'm not qualified to say, but my hunch is: not very likely, based on a few non-technical people I know who passed the test successfully in the last few years.

What it should tell employers however is that the person is capable of critical thought and has a light familiarity with a wide range of security concepts.


Why should I have to pay a pretty significant amount of money at the start of my career to buy a piece of paper that suggests I'm capable of critical thought? In fact: isn't doing the exact opposite of that actually doing a better job of demonstrating critical thinking skills?


It's difficult for most companies to distinguish a skilled IT worker from a disaster.


So would you want to work for those companies?


10 years isn't enough for vet status. If you didn't live through the crypto wars of the 90s, if you never saw Sony's rootkit in action, you aren't a vet.


6 months in Iraq isn't enough for vet status. If you didn't live through the Vietnam War of the 70s, if you never saw the AK-47 in action, you aren't a vet.


Really? You seriously think I meant to comment about military vets? Words in context.


I believe grub5000 was using that example as an analogy to make the point that your assertion is fallacious.


Whoosh...

It was an analogy to get you to understand that what you are saying is silly.



