Small Business IT - Certs worth it?

So here's the dilemma, I wanted to go get my C|EH, but there's this nagging in my head saying it's just not worth it.

A little background.

I work for a family owned business - we provide IT solutions to small businesses. We're pretty buttoned up; cloud backups, email, web dev, TV and media installs, infrastructure, networking, server and workstation installs and support - your basic all-in IT provider.

I've been a basement hacker for a few years, I've got a decent little VM-based hack lab set up.

We've hired on guys that have NO Net+, Sec+ or A+, as most of the candidates we spoke to had no front-line customer service skills to back up the theoretical.

I've been wanting to 'add' security to our list of services to provide. I know that in the enterprise world, we wouldn't even be considered for a placement because none of us are certified. We all have years of real experience - our response to crisis situations is documented and positive.

Is it possible through self study to attain the knowledge to really call yourself a security guy, without the certs?

Not looking for flames here, just some honest advice.

For experience, if you get a good teacher, then yes, if they are hands-on and you can take something away from it. Most of the time, it just gets your foot in the door to have it on your resume for an interview. Experience always trumps the number of certs, but some places require certain ones, such as ones with top clearance or government-based ones; they have ISO certs, a bit different from things like, say, a CompTIA A+, Cisco, or MCSE certification.

Education, though, from anywhere, is always a plus, so long as you apply yourself and use it on a regular basis, or you end up forgetting most of it if you don't get a job doing what you got trained for. I myself carry a number of certs that are of no use to me today, since most of it is lost; since I don't do it for a living, I forget all of my Cisco and Microsoft stuff for the most part, but know other things I never learned in class that have no relevance to what I do now, which is web and graphic design.

Well said - it's pretty much the way I feel now. My dad has built an IT company that employs 8 people based on _only_ experience. He started small and now manages 100 or so offices.

I think I'm going to approach infosec much in the same way... as I have been.

