think of it as a journey ...
In March of 2001 I started on a mission: to get a CISSP certification. "Easy", I thought, do some studying, sit an exam, pass with flying colours, then sit back and wait for the job offers to come rolling in. I was wrong. Really wrong.
Myth #1: A CISSP certification is easy.
Well, some people may think that it is easy. Most people find it hard work: you need to have at least 3 years in IT security before you can even apply for the exam. You need to cover an extremely broad landscape of IT security, including many areas, such as physical security, in which few people will have any experience. And you'll need to do a fair bit of reading and studying to get through that exam: 250 questions to answer in 6 hours isn't much fun.
Myth #2: Once you get it, just sit back and relax.
No. Once you pass the exam you need to earn CPE credits in order to keep your certification. If you don't, then you'll need to resit the exam after 3 years to keep the certification. Getting CPEs is fairly straightforward: if you publish papers, attend seminars, do some presentations, and basically remain active in the IT security arena, then you should have no problem here. But it takes a little work: this isn't a get-it-and-forget-it sort of certification.
Myth #3: You'll get more money/better job/more recognition.
In actual fact, you probably won't. I've found (at least here in New Zealand) that many employers and even employment agencies have no idea what a CISSP is. They tend to think in terms of the product certifications; you know, the Cisco CCNA and Checkpoint CCSE sort of thing. They have no idea that you need 3 years of experience to get a CISSP, and they have no idea that it is an ongoing professional-level certification like a CPA (Certified Public Accountant). Ergo, you probably won't get a better job or more money from waving your CISSP certificate around.