More important than certification is knowledge acquisition and experience. The 3 year requirement for CISSP is not unreasonable considering the breadth of information that is required.