
Spending money

jamesleecoleman Member Posts: 1,899
I'm a little frustrated with pretty much debating with myself on spending money for certification materials/training.
I have a path that I want to follow to get into InfoSec (coming from helpdesk) but not knowing if what I do will help me out or not is the biggest thing to me. So how do you all figure out what will work out for you and what to spend the money on?

Not knowing the answers is pretty much what is holding me back. Say for example if I earned the Associate to ISC2 and I took the CISSP, would it help me out a lot more or not or if I got the CEH...

I just don't want to spend the money and end up still stuck.
Booya!!
WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
*****You can fail a test a bunch of times but what matters is that if you fail to give up or not*****

Comments

  • thomas_ Member Posts: 1,012
    I have this debate when I'm applying for jobs and get an offer. I always debate do I take this offer or hold out for another offer.

    Ultimately, you are never going to know the "correct" answer. You just have to make a decision and go with it. I don't think there really is a "correct" choice. With certs I think you're not really losing out to take one cert over the other because you can always circle back and get the other cert that you didn't get at first. Even if you decide the cert you initially got wasn't as good as you initially thought, it's not a waste. At the very least you will have added to your knowledge and have another cert on your resume.
  • dave330i Member Posts: 2,091
    Do a job search for a security position/title you're interested in (the next step, not the long term dream job). See what types of certs those job postings require.
    2018 Certification Goals: Maybe VMware Sales Cert
    "Simplify, then add lightness" -Colin Chapman
  • Essendon Member Posts: 4,546
    ^ Pretty much what I've done too.
    NSX, NSX, more NSX..

    Blog >> http://virtual10.com
  • DatabaseHead Member Posts: 2,753
    Some great concerns, for me it's more about time though.

    Like some have mentioned looking up the jobs on Indeed is a decent way to baseline the certification. Also reaching out to people on LinkedIn and asking if they felt the certification has helped them. I like personal testimony, personally.

    I would apply with the resume you have right now.
  • Sheiko37 Member Posts: 214
    Call up the companies, reach out to people on Linkedin, ask them what they want in a candidate. Don't just guess.
  • 636-555-3226 Member Posts: 975
    Security+ costs a book on Amazon. You can afford it. Good way to get your feet wet, and includes a cert many job postings ask for.
  • dave330i Member Posts: 2,091
    Sheiko37 wrote: »
    Call up the companies, reach out to people on Linkedin, ask them what they want in a candidate. Don't just guess.

    And they'll tell you to go check their company's job postings.
    2018 Certification Goals: Maybe VMware Sales Cert
    "Simplify, then add lightness" -Colin Chapman
  • topandreuser Registered Users Posts: 5
    jamesleecoleman wrote: »
    I'm a little frustrated with pretty much debating with myself on spending money for certification materials/training.
    I have a path that I want to follow to get into InfoSec (coming from helpdesk) but not knowing if what I do will help me out or not is the biggest thing to me. So how do you all figure out what will work out for you and what to spend the money on?

    Not knowing the answers is pretty much what is holding me back. Say for example if I earned the Associate to ISC2 and I took the CISSP, would it help me out a lot more or not or if I got the CEH...

    I just don't want to spend the money and end up still stuck.

    Spending money on all of these IT certifications is a scam in my opinion. This article on the CISSP asks if it's even worth getting. Some jobs say it's required, and some don't. What gets me is that, let's say you have a bachelor's and master's degree. Some Job seekers won't look at your resume unless it says CISSP on it. It's just too expensive and too much time to get. I wish there was a better system and fewer hoops to jump through when getting a tech job, so I feel your pain, man!
  • gorebrush Member Posts: 2,743
    It's not spending money for the sake of it though. It is investing in your career.

    I paid out into the thousands for my training over the years and whilst I've managed to get most of it back through my employers, I spent it expecting not to get it back immediately... If you are serious about yourself, you'll do the same.
  • danny069 Member Posts: 1,025
    I have paid my own money for books/study material, transportation to the exam center, exam costs, not to mention my own time because I don't wait for anyone, especially my job to pay for me. I work hard and earn it because I am investing in myself. You have to be proactive no matter what or else you'll find yourself in a situation where you aren't going anywhere. So you gotta do what you gotta do to get ahead. For example, getting another job, saving pennies, fixing computers for cash, etc. It will make that certification ten times more valuable to you because of what you had to do to get it. Do I think these certs and training are expensive? Sure I do, but don't let anyone or anything hold you down for achieving your goals. Don't let these people laugh at you drinking two thousand dollar bottles of wine from those luxurious suites. Use these certs as stepping stones, get a good return on your investment, and take it from them.
    I am a Jack of all trades, Master of None
  • UnixGuy Mod Posts: 4,564
    Whatever cert you paid for and invested in, put the time and effort and study it - it doesn't go to waste. It will open your eyes to possibilities and more advanced. Don't get distracted with thinking of too many certs at the same time. Do one cert at a time, focus intensely on it, and don't think of anything else while you're doing it. Once you finish it, then think of the next step.
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • YFZblu Member Posts: 1,462
    The very fact that you're lamenting the decision of investing in either the CISSP or CEH tracks, to me, indicates that you don't know what type of security-related work you want to do. There are many sub-fields in the security industry.

    Figure out exactly what type of work you want to do and the correct path will make itself clear.
  • jamesleecoleman Member Posts: 1,899
    Everyone that responded, thank you so much for the great information. It's opened my eyes a lot more so I can start planning a lot more carefully. I'm thinking that focusing on one certification at a time will help me out with being patient with things. It seems like a race at times to compete with other people to have the right certification while know what will work or not.


    The CEH and CISSP were just examples for the post.
    Booya!!
    WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
    *****You can fail a test a bunch of times but what matters is that if you fail to give up or not*****
  • Danielm7 Member Posts: 2,310
    YFZblu wrote: »
    The very fact that you're lamenting the decision of investing in either the CISSP or CEH tracks, to me, indicates that you don't know what type of security-related work you want to do. There are many sub-fields in the security industry.

    Figure out exactly what type of work you want to do and the correct path will make itself clear.


    Take this one to heart, it's something I bring up in a lot of threads that ask how to get into security. "Security" is a very wide field, learn what interests you, then mold your training path to get there. You want to be a penetration tester? Then yes, a CISSP is going to be mostly useless to getting you a job, etc. I think so many people trying to enter the field don't really know what they'll be doing or why they are trying to get in other than it sounds cool or they heard there are lots of jobs, don't be that applicant, figure out what you want and go for it.
  • Danielm7 Member Posts: 2,310
    topandreuser wrote: »
    Spending money on all of these IT certifications is a scam in my opinion. This article on the CISSP asks if it's even worth getting. Some jobs say it's required, and some don't. What gets me is that, let's say you have a bachelor's and master's degree. Some Job seekers won't look at your resume unless it says CISSP on it. It's just too expensive and too much time to get. I wish there was a better system and fewer hoops to jump through when getting a tech job, so I feel your pain, man!


    The better system you are referring to is mostly work experience, the issue is that a lot of people don't have that so they try to fill in with certs then complain that they can't get a higher level job straight off the line. If you have a BS and an MS, plus actual work experience, it would be very rare for a company not to hire you over a specific cert unless their HR people are clueless (note, this is accurate often enough to be annoying). There is an ROI on different certs depending on what you do with it. A Security+ might not get you the job you want, but if it comes down between two equal candidates and I see one took the time and effort to get it, I'm likely to give them preference knowing they have the interest and drive to pursue it.

    You're always going to find people that trash talk certs, same with degrees, typically by people who don't have them, it doesn't matter. Know why you are getting it then be proud you achieved something afterwards. FWIW I picked up the CISSP before my last job transition from contract to perm and that alone was the sticking point to move me up significantly in both salary and title, I was already doing the job but the people higher up respected the certification and felt it meant a lot. I spent a few months and maybe $700 total in fees and study material and made it back many times over.
  • kiki162 Member Posts: 635
    Follow the path into infosec by going into a network admin or sys admin role first. This will give you the years of exp needed for the CISSP, and any other certs you may get in the future. Getting yourself into a "base" or core background will help you out, while exposing yourself as much as possible to other areas of IT. Unfortunately, you will have to spend money to make money, and I think your fear is that you won't get a good ROI out of it. Like many of us here, I was at the same place as you once. Another thing to note is what type of jobs do you have in your area, do you have a lot of roles that require say a MCSE, Linux experience, CCNA, or a CISSP? In some areas of the country that is the case, so it's something to consider in case you have to move to get into a better job market.

    I don't think CISSP or CEH is going to help you out right now, as having only help desk experience won't make you marketable. Having a solid background as a SA or an NA would make that a little more ideal. There are plenty of boot camps out that will put you in an environment to get say an MCSE, or CCNA, but it's what YOU do with it afterwards that makes the difference. You need to invest that time to continuously educate yourself and keep moving forward.
  • jamesleecoleman Member Posts: 1,899
    I know what I would like to be a Security Analyst or work with finding vulnerabilities within the network. The path is confusing because I think that I need to know a lot to be able to fill the role. On top of that, it's crazy how the same title will have completely different responsibilities so that is part of what I'm concerned about it that deals with money. I check out LinkedIn profiles of people who are Security Analysts and it's like some only do Risk Management/Policy stuff while others do more.
    Booya!!
    WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
    *****You can fail a test a bunch of times but what matters is that if you fail to give up or not*****
  • beads Member Posts: 1,531
    "...finding vulnerabilities in the network." Not entirely sure what you are getting at here because the statement is so broad it's hard for me to narrow down an answer. In order to know what is wrong with the system you need to thoroughly understand both what the network (system) is doing right and what is currently vulnerable to attack and exploitation. We use a number of tools to get there from Metasploit (CE) to Qualys to CoreImpact. Metasploit is free to use in a non-commercial setting, i.e. home lab but not at work for money. Qualys has constant free course education and certification with their products. Expensive private label brands like CoreImpact are out of most everyone's personal price range but are fun as all get out to play with.

    Kiki162 is right on the money here. Learn enough skill to move up the next rung of the ladder to Systems or Network administrator and hone those skills. I mean just because you have a drawer full of tools doesn't necessarily make you a mechanic, either - does it.

    Security is what you do after you've had a career in IT: Infrastructure, Development or DBA. Most come from the infrastructure and administration side. The best hackers come from the dev and dba sides. Few people are successful coming in from the outside or stay very long before being punted.

    - b/eads
  • jcundiff Member Posts: 486
    jamesleecoleman wrote: »
    I know what I would like to be a Security Analyst or work with finding vulnerabilities within the network. The path is confusing because I think that I need to know a lot to be able to fill the role. On top of that, it's crazy how the same title will have completely different responsibilities so that is part of what I'm concerned about it that deals with money. I check out LinkedIn profiles of people who are Security Analysts and it's like some only do Risk Management/Policy stuff while others do more.

    Information Security Operations (SOC Analysts vs Engineers, etc)
    GRC & Vendor/Third Party Risk Management
    BC/DR
    IAM
    Attack Surface Management
    Threat Intelligence
    Red Team / Blue Team

    Are all different specializations within the Information Security realm... sounds to me like you would like to work into a penetration testing/red team/hunt team role?

    My current role is Lead Threat Intelligence Analyst, but my official job title is Senior Information Security Analyst... on paper with my company, job titles are Associate Analyst, Analyst, Analyst II, Senior Analyst, Principal Analyst... the specialization could be in any of the areas I listed above... the open req that says Information Security Analyst depends on which area is hiring.
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
  • thatguy67 Member Posts: 344
    My company will pay for any exam I pass and they do offer training but they won't go overboard. They typically pay 100% for training/certs for any vendor with whom they are heavily partnered. I am going to pay for my own training up to the CCNP level and then have them pay for a CCIE bootcamp probably. I know they will pay for the travel costs/hotel for me to go to San Jose so that's already a bunch of money I don't have to spend most likely.

    I finally bit the bullet today and paid for an INE membership and got a bunch of books off Amazon. My main thing I like about paying out of pocket (at least for CCNP) is that I can keep the materials for myself because I know I will reference it later. That plus the tax write-offs. I'm in a situation right now where I don't have any other expenses other than certs and gas/car so it's a bit of a relief.

    In the end, the money you spend in training yourself is insignificant compared to the payoff. I know I will be in a better position for a raise/promotion after I get the certs I'm gunning for and the cert will stay with me even if I leave the company. The biggest sacrifice I've found is time and they do say time is money lol.
    2017 Goals: []PCNSE7 []CCNP:Security []CCNP:R&S []LCDE []WCNA
  • TechGromit Member Posts: 2,156
    jamesleecoleman wrote: »
    I'm a little frustrated with pretty much debating with myself on spending money for certification materials/training.
    I have a path that I want to follow to get into InfoSec (coming from helpdesk) but not knowing if what I do will help me out or not is the biggest thing to me. So how do you all figure out what will work out for you and what to spend the money on?

    The same could be said should I spend 100k on a 4 year college? Will I have a job that will earn me enough to pay off all those college loans? It's a good question to ask before spending lots of your hard earned money, will you get a return on your investment? Far too many young adults do not ask themselves these kinds of questions and end up with a very expensive and very worthless four year degree in Theater Arts or Fashion design. That said, you pretty much can't go wrong buying good technical books, read, study them and pay for and pass a certification exam. You could spend $3,000+ to get a boot camp course to pass your A+, or you can pick up less than $100 in books, apply yourself and get the same results. Will passing your A+ get you more money? Or a better job? I can't answer that for you, but doing nothing yields you nothing. Personally in my case it did. New Management took over and dictated that salary would be based on the number of certifications you held. Having none, I picked up A+ and Network+ books, took a week off of work, read and studied them both and passed both certifications within a month, which yielded an immediate return of a $3,000 raise. Not all certifications will get you an immediate and measurable return on your investment, but I'll say it again, doing nothing yields you nothing, actually if you do not improve your skill set eventually you will be replaced with someone that does.
    Still searching for the corner in a round room.
  • Kreken Member Posts: 284
    TechGromit wrote: »
    very worthless four year degree in Theater Arts or Fashion design.

    You forgot gender studies. LOL.

    On the topic, I generally don't spend any money on the classes but I purchase my own study material. I read, I lab, I watch videos. Costs much less than in person class and can be done at your own pace.
  • LionelTeo Member Posts: 526
    You've got to ask yourself what's the ROI to justify the spending?

    Let's say you spent about 7k on a course + certification; because of that certification, you changed job and got a 10k annual increment. The ROI from getting the certification will be 3k. However, this is unlikely, as 1 infosec certification without infosec experience may not land you the job and you may end up making a 7k loss.

    If the risk is too high or the cost related to the risk is high, try bringing down the cost related to the risk to get a better ROI; self study for certification without going for the courses. This means that the certification would only cost 500 USD to 1k (depending on vendor). By bringing down the cost from 7k to a few hundred dollars, the ROI gain will be much higher and easier to justify. If the certification does not help in getting the desired job, the loss will be minimized. Best if the company would reimburse the certification cost to even further reduce the cost related to the risk.

    The next thing to consider is the current liquidity of your cash flow. If you have constant opportunities or upcoming plans that involve cash, this may be important. For example, you may have taken out the money for a certification, only to find out that the money should have been used for something else. Then you may want to take this into consideration when justifying the ROI for courses/certifications.
  • Kinet1c Member Posts: 604
    Spending money on books + certification (for example book + exam = ~$300) should see a good return on your investment. Spending money on bootcamps(~$000s), I'm not so sure. Time, topic relevance (to your career and industry demand) and knowledge retention should be your areas of concern. I've done week long courses with Microsoft (client and server based) and they were just boring and walked through course manuals.

    Only by covering different topics will you learn what you have an interest in. If you've to spend $100 on various books to discover you like a particular topic then I'd say that's well spent money. However, if you spend $000s on bootcamps initially without knowing this, then I'd say you may as well burn the money.

    The stuff I'm covering in my day to day job are skills that don't have certs available, with the exception of AWS. So topics such as python, chef, nagios, sensu, graphite etc., whilst I don't have a particular certification syllabus to cover, I will read books/blogs on these to learn new things and I consider the time and money (approx cost of a book ~$40) to be an investment in my career over both short and long term. If I can get through 5-6 books a year then I consider it to be a productive 12 months.
    2018 Goals - Learn all the Hashicorp products

    Luck is what happens when preparation meets opportunity
  • jamesleecoleman Member Posts: 1,899
    I really appreciate everyone's input with the discussion. The input has opened my eyes more and it's given me more motivation.
    Booya!!
    WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
    *****You can fail a test a bunch of times but what matters is that if you fail to give up or not*****
  • Clm Member Posts: 444
    First you need to figure out what you want out of your career. I have CISSP and I'm studying for CEH now, and they have some crossover information, but they are different exams and for different roles. The ROI for me with CISSP was great: when I passed I applied for only 5 jobs, got interviews for all 5, and picked the best fit for me. This job wasn't the highest paying one but it suited me best, plus it was a promotion and a 28k pay increase.
    I find your lack of Cloud Security Disturbing!!!!!!!!!
    Connect with me on LinkedIn https://www.linkedin.com/in/myerscraig
