I supervise people, but I’ve maintained hands-on involvement, just like many others I know. In my experience, I’m often the one the CISSP or CISM call on to do the heavy lifting, even though we work on the same floor and are seen as part of the top-level IT/cybersecurity chain, where managerial duties are typically expected. We’re clearly coming from different perspectives, and that’s normal—no two IT professionals take the same path. Regardless of how many letters are after my name, I’m on the side that knows how to do the work and actually gets it done.
It's not required that managers be able to do the work. If they're doing the work, they're not managing. It's two different skill sets. The further a person goes up the management chain, the less technical they have to be. Most CISOs are completely non-technical and would be a liability in a production environment. CISSPs/CISMs very rarely touch the technology hands-on because they're managing people who do.
I've done the hands-on work. I was doing BC/DR during the lead-up to Y2K. I've built relational databases from scratch. I've built and maintained network infrastructures. I've built websites and maintained web servers. I've deployed software and done patching. I've configured various servers. And now I teach others how to do it. While helpful, none of those skills are required for management. Management requires skills to manage the people and the work. Project management, service management frameworks, time management, budgeting, forecasting, conflict resolution, collaboration with stakeholders, and communication become much more important than scripting in Bash.
To pass CySA+, a solid understanding of Linux+ is crucial. Once again, you're focusing on the test-taking aspect, which some people on platforms like YouTube claim they can pass in just two weeks without any prior experience, relying on memorization rather than actual knowledge even though CompTIA says the test is for a 10 year old veteran. And if they pass it they can use the credential because you don't have to prove those 10 years of experience. My point is simple: if you're genuinely working in IT on a 9-5, any additional knowledge you acquire and validate through certification should be recognized, regardless of the certification level, as it complements your practical experience. The CompTIA model is good, but there is always room for improvement.
A solid understanding of Linux is only required if you're using Linux hands-on in your on-premise environment on a regular basis. If you're not, then you don't have to know anything about Linux. Same with Cisco. Same with Palo Alto. Same with VMWare. Same with Splunk. Same with every other vendor-specific technology.
The great thing about CompTIA is that it is vendor-neutral or vendor-agnostic. You don't have to know any vendor's technology. You get a deep and broad fundamental understanding of how the technology works and how it relates to other technologies. Knowing a specific command line tool or knowing a specific configuration setting on a router is not the focus. Knowing how things work is relevant. If you want to know the specifics of a single vendor tool or service, get that training as well. The different vendors do not cover the fundamental theory of how anything works even remotely as well as CompTIA does. Microsoft gives an extremely rushed and abridged explanation of cloud computing concepts in their MS Azure course, and then they do nothing but focus on specific technical skills with their technology.
