
Is it worthwhile keeping my ISACA certifications?

steve.taylor Member Posts: 14 ■□□□□□□□□□
Okay, so the situation: I have CISM, CISA, and CRISC.

Personally I don't value the certifications that much. I did CISM and CISA years ago to help me get a better job, and I did CRISC last year because my previous employer asked me to take the exam. With 10+ years' experience, I'm questioning why I pay money to ISACA for certifications that I don't value and for which I have little respect.

I won't bore everybody with the details of why I think this, because I want to focus on the following questions:
1) Has anybody given up any of their certifications and lived to regret it?
2) Are there any downsides to changing my CV to something such as "Previously held CISM/CISA/CRISC certifications"? I don't see much difference, but I wonder what the HR/recruitment drones would think.

I'm particularly interested in any experience from anyone in New Zealand/Australia. I don't think that employers in both countries value certifications that much but rather what you can do.

Comments

  • TheFORCE Member Posts: 2,297 ■■■■■■■■□□
    Okay, so the situation: I have CISM, CISA, and CRISC.

    Personally I don't value the certifications that much. I did CISM and CISA years ago to help me get a better job, and I did CRISC last year because my previous employer asked me to take the exam. With 10+ years' experience, I'm questioning why I pay money to ISACA for certifications that I don't value and for which I have little respect.

    I won't bore everybody with the details of why I think this, because I want to focus on the following questions:
    ...
    I'm particularly interested in any experience from anyone in New Zealand/Australia. I don't think that employers in both countries value certifications that much but rather what you can do.

    I think you should provide the details as to why you think this. A lot of current members here are debating whether they should attempt the certificates or not, me included. So you will be doing us a favor by providing us with your opinion on this matter, since there are very few who believe that ISACA holds no value; the opposite actually, the majority of people think ISACA certifications hold a certain prestige to them.
  • OctalDump Member Posts: 1,722
    So you are paying, what, $100-120/year to keep these? And probably at least 1 hour a year to keep on top of the paperwork? It's a pretty small cost, so you'd need to be fairly confident that it wouldn't be worthwhile keeping. If you did give them up, and then needed them again, it's going to be at least a day of study and probably half a day lost for doing the exam plus whatever the exam fee is.

    I think probably keep them, unless you are sure that you won't need them. I think one value for employers is that they can provide an assurance that the person they are trusting is skilled, but if you had some other assurance, e.g. degrees, professional associations, then maybe that box is ticked.

    I am guessing that you are probably mid career, based on your 10+ years' experience. There is a danger for people mid career, in that they have progressed well into their career and are pretty confident in what they do. Often that can be overconfidence, hubris. It's something to be careful about.

    So if you get rid of them, make sure you have a better replacement.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • 636-555-3226 Member Posts: 975 ■■■■■□□□□□
    If you don't get any value out of them then ditch them. Not to go all ISACA on you, but doing a cost/benefit analysis appears to indicate a high cost and little benefit, so the endeavor is not worth pursuing further.

    Personally I disagree with you re: ISACA, but we live in a democratic society after all. If everybody always agreed with me I'd be the last guy in the universe surrounded by tons of female hotties having a permanent pool party where I get to live like a rock star!
  • steve.taylor Member Posts: 14 ■□□□□□□□□□
    TheFORCE wrote: »
    I think you should provide the details as to why you think this. A lot of current members here are debating whether they should attempt the certificates or not, me included. So you will be doing us a favor by providing us with your opinion on this matter, since there are very few who believe that ISACA holds no value; the opposite actually, the majority of people think ISACA certifications hold a certain prestige to them.

    Since you asked:

    The CISM exam was simply too easy. I walked out of it wondering if I had got a single question wrong. This isn't because of my individual brilliance -- I found the CISSP exam very difficult, for example -- and hence I don't see a lot of value in it from a learning perspective. I think that the "prestige" that you mentioned is because they're well known in the industry and asked for by many HR/recruiters. It's not an "ohhhh, look, they passed that exam" prestige.

    The topics covered by CISM are very, very high level. I don't think that it shows any great mastery of infosec management.

    I've also mentored a few ex-workmates in both CISM and CRISC. They had little in the way of infosec experience or training, and all of them passed without any problems. (Granted, a few will have to wait until they meet the experience requirements.) I have a problem with certifications that relative novices are able to pass so easily. Could these people run an infosec/risk programme? Nope.

    For CRISC, I skimmed through it for a month and then read the book the day before the exam and passed... not amazingly well but a pass nonetheless. Again, it's so ridiculously high level. I struggle to respect something that is so theoretical.

    CISA... well, I just did it when I was starting out and didn't have enough experience to do CISM or CISSP. I found the exam difficult, but I have no interest whatsoever in audit. Therefore, for me personally, it's not really something that I value. I have nothing against the exam.
  • steve.taylor Member Posts: 14 ■□□□□□□□□□
    OctalDump wrote: »
    So you are paying, what, $100-120/year to keep these? And probably at least 1 hour a year to keep on top of the paperwork? It's a pretty small cost, so you'd need to be fairly confident that it wouldn't be worthwhile keeping. If you did give them up, and then needed them again, it's going to be at least a day of study and probably half a day lost for doing the exam plus whatever the exam fee is.

    Thanks. Just to clarify, it's not about the money or the fact that I need to do a few CPEs. It's more about keeping things that I don't respect.
    OctalDump wrote: »
    I think probably keep them, unless you are sure that you won't need them. I think one value for employers is that they can provide an assurance that the person they are trusting is skilled, but if you had some other assurance, e.g. degrees, professional associations, then maybe that box is ticked.

    This is more my concern... that they're seen by the HR drones (or anyone in infosec) as a level of dedication to the art/science, that I'm somewhat skilled (after some coffee). I'd keep my CISSP because I have respect for that certification despite what a lot of people say.
    OctalDump wrote: »
    I am guessing that you are probably mid career, based on your 10+ years' experience. There is a danger for people mid career, in that they have progressed well into their career and are pretty confident in what they do. Often that can be overconfidence, hubris. It's something to be careful about.

    Bang on, mid career. I'm trying to become a full-time security architect right now. A slight change from what I've been doing in the last few years, but not something that I haven't done before on a part-time basis.
  • steve.taylor Member Posts: 14 ■□□□□□□□□□
    And... I personally don't see the difference in changing my CV to, "Previously held CISA, CISM, CRISC certifications". It still shows that I (at some point, anyway) had some dedication, skills.
  • OctalDump Member Posts: 1,722
    Thanks. Just to clarify, it's not about the money or the fact that I need to do a few CPEs. It's more about keeping things that I don't respect.

    That's easy then. Drop them, and put "Previously Held" and be ready for the conversation. I think at this level some professional thought would be respected, being able to articulate in job interview why you think they aren't very good is probably more useful than saying "Oh yes. I have those. Next question".
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • zxbane Member Posts: 740 ■■■■□□□□□□
    steve,

    I have to agree, I feel this way in a sense. I pursued the CISM a couple of years ago and it has honestly had no impact on my employment efforts. I now work as a federal civilian in the DoD and I can say that most of my INFOSEC peers have hardly heard of CISM, let alone ISACA. Compare that against CISSP, which most view as the gold standard (not saying it compares in skills to something like OSCP etc., simply that it garners the respect or recognition).

    I'll maintain it for the heck of it but I won't pursue the CRISC or any other ISACA certifications as I previously planned to. I just don't see the ROI for the time or money.

    I'd much rather pursue a CISSP specialization or possibly the CCSP, additional SANS certs, something along those lines. ISC2 and SANS seem to have more recognition.
  • dustervoice Member Posts: 877 ■■■■□□□□□□
    If you are at the stage in your career where certifications such as the ones ISACA offers have no value, then get rid of them. I currently work for a company that worships every cert and publication from ISACA, so I have no choice but to use ISACA's terminology, pass their tests, pay AMF etc. I plan on only keeping the ones I have until I get my next role, then I'll let them expire. I will keep CISSP as everyone makes a big deal about it and I'd rather not waste my time in a conversation explaining "why I don't have it".
  • kanecain Member Posts: 186 ■■■□□□□□□□
    With your certs and experience, you could easily make well over six figures here in the states. Your problems may be due to your country's job market.
    WGU - Bachelors of Science - Information Security
    Start Date: Jan. 1st, 2012
    Courses:
    Done!!!
  • Remedymp Member Posts: 834 ■■■■□□□□□□
    While I understand the reasoning, I just can't see working that hard on exams and letting them expire. Even if they provide no immediate benefit, they're credentials next to your name for a small price.
  • Raystafarian Member Posts: 87 ■■■□□□□□□□
    If I was a hiring manager (or HR drone) I'd skip right over "previously held" - I would assume you lost it due to misconduct. Would you want to risk that? If so, drop them.
    Hit me up on LinkedIn - just mention you're from techexams.
  • mokaz Member Posts: 172
    Well, personally I think that ISACA stuff in general is way too much closed circuitry. There are no 3rd parties involved and it's in the end just like religion: either you fully agree to it and don't question it, or if you start questioning it then you might bump into answers that'll be unpleasant to say the least.

    On a personal level, I've passed the CISM exam but never applied for certification and don't really know if I'll ever do.
    And unless obligated to do so I'll never sit another ISACA exam again.

    Concerning your CV, I wouldn't start the phrasing with "Previously held" but rather go for something like CISM/CISA/CRISC (expired by choice).

    Finally, for me the ISACA experience has been the most costly cert I ever did and probably the one I'm least respecting indeed.

    regards,
    m.
  • steve.taylor Member Posts: 14 ■□□□□□□□□□
    kanecain wrote: »
    With your certs and experience, you could easily make well over six figures here in the states. Your problems may be due to your country's job market.

    We're not discussing the New Zealand/Australian job market.
  • steve.taylor Member Posts: 14 ■□□□□□□□□□
    If I was a hiring manager (or HR drone) I'd skip right over "previously held" - I would assume you lost it due to misconduct. Would you want to risk that? If so, drop them.

    Hrmmm, I hadn't considered that perspective. I'm not too sure that people would jump to that conclusion, though.
  • steve.taylor Member Posts: 14 ■□□□□□□□□□
    mokaz wrote: »
    Concerning your CV, I wouldn't start the phrasing with "Previously held" but rather go for something like CISM/CISA/CRISC (expired by choice).

    regards,
    m.

    I really like this idea. My certs are up for renewal in December. I think that this is the way that I'll go.

    Thank you everybody for your input!
  • cyberguypr Mod Posts: 6,928 Mod
    @Raystafarian, where does that logic come from? It's extremely normal to see people list expired certs in resumes, mainly because they decided not to renew them. Why would you default to that?
  • beads Member Posts: 1,531 ■■■■■■■■■□
    Keeping the cert boils down to one thing and one single thing only. Does the certification provide you with an opportunity otherwise not available to you? Would the cert bring in more money, a promotion, or some intangible recognition outside of burning some additional pixels? If that's the case then hey, you're golden. If not then feel free to drop the cert(s). Any cert that isn't directly making you money or directly related to what your position indicates only leads to peers questioning your motives. Think of the guy listing 35 acronyms after his name. Really?

    Where belonging to ISACA helps. Seriously! Belonging to ISACA in a major metropolitan area is golden. The up-to-date training and meet-ups are well worth the effort and I highly encourage showing up to the occasional monthly meeting. In Chicago the annual cruise and learn day where you're "stuck" on a boat for 8 hours combined with two learning sessions equals enough CPEs to make it worthwhile. In essence there is your payback for keeping the cert active.

    I know this is supposed to be a pro-certification board but obviously not all certs are created equal.

    - b/eads
  • Raystafarian Member Posts: 87 ■■■□□□□□□□
    cyberguypr wrote: »
    @Raystafarian, where does that logic come from? It's extremely normal to see people list expired certs in resumes, mainly because they decided not to renew them. Why would you default to that?

    My arena (finance), I guess. Nobody really lets a CPA run out and then still list it, same for the other certs I'm surrounded by. There aren't very many "minor" certifications that can be surpassed by something that's better e.g. SSCP --> CISSP.

    I probably overstated "misconduct" - I should have also mentioned the other major reason, which is lack of CPE - an indicator that you lag behind current information.

    I'm looking for an auditor and I have tons of CISA and CIA candidates, a "previously held" CISA wouldn't stick around. You're right though, that's probably not the norm for most of the other technology arenas.
    Hit me up on LinkedIn - just mention you're from techexams.