In the world of IT, and especially IT security, opinions on certifications differ significantly. Some people see them as a useful way to confirm structured knowledge, while others treat them as a weak signal or an unnecessary distraction. I understand both sides, or at least it seems to me that I do.
Critics of certifications do not always take into account that many RFP means Request for Proposal. It is typically used when an organization asks vendors to submit a proposed solution and commercial offer. Wikipedia and RFI means Request for Information. It is usually used earlier to gather information about available capabilities, approaches, or potential vendors. Wikipedia processes explicitly list them as one of the factors considered when evaluating an offer, alongside aspects such as scope, references, team composition, or price. For that reason alone, having them is often justified from a purely business perspective.
I also do not treat certifications as a substitute for practical experience. Real projects, like penetration tests, problem-solving, and responsibility for the final result teach things that no exam can fully capture. A certificate can confirm that I spent time studying a particular area and passed a given verification process, but it does not replace day-to-day engineering or consulting work. In my view, both elements are useful, but they serve different purposes.
For me, courses and the certificates associated with them are primarily a way to stay motivated and continue developing in a structured manner. They help me choose the next topic, keep a clear pace of learning, and work according to a concrete plan instead of jumping randomly between areas. A good syllabus forces me to revisit foundations, fill gaps, and cover topics systematically. In that sense, certificates are not a goal in themselves, but a practical framework for continuous learning.