Value of InfoSec certs? Why pile up certs?

Snooper Member Posts: 29
I keep hearing that there is a serious shortage of security personnel. It is a no-brainer that there is certainly demand for security professionals nowadays. But what I don't get is the reason why so many experienced infosec guys and gals keep on piling up security certifications. Is it for significant raises? For promotion to become boss of bosses? :) For jumping into a different security stream? Or is it because there is a glut of infosec professionals and one needs to stand head and shoulders above the others?
Like, for example, after gaining the CISSP, why struggle for the CISA or CISM?
Please enlighten (and encourage) me.

Comments

  • Danielm7 Member Posts: 2,310
    Snooper wrote: »
    Is it for significant raises? For promotion to become boss of bosses? :) For jumping into a different security stream? Or is it because there is a glut of infosec professionals and one needs to stand head and shoulders above the others?
    Like, for example, after gaining the CISSP, why struggle for the CISA or CISM?
    Yes, any and all of those reasons. It's a field where you have to like learning new things, and many times a new cert is a focus for learning new things. If it's something like SANS, the training is great, and you usually do a cert with it, so why not?

    For your example, the CISSP is general, and lots of HR folks mistakenly think it's the gold standard of technical security. The CISA is audit focused, the CISM is management focused. So you might get another, or more, to focus on a different area of the field. Infosec is really wide; there aren't a lot of security certs that cover everything, and if they did they wouldn't do it well, because there is too much spread from something like audit all the way to reverse code engineers.
  • [Deleted User] Senior Member Posts: 0
    Why people do security certifications is very simple. Security is always changing and you need to adapt with it. Many jobs now require certifications of some level to establish a baseline of knowledge with employees. Certain DoD jobs require IT certifications as part of the 8570 requirement. They also show you are dedicated to continuing your education outside of work. Plus, who doesn't like to stroke their own ego a bit! ;)
  • NetworkNewb Member Posts: 3,298
    Snooper wrote: »
    Like, for example, after gaining the CISSP, why struggle for the CISA or CISM?

    Because companies ask for these certifications in their job ads and people like to make more money...
  • whiterg Member Posts: 20
    And certification vendors also like to make money...
  • E Double U Member Posts: 2,233
    I do it for sh%ts and giggles. When I have an employer that pays for training and exam attempts, why not take advantage?
    Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS
  • Danielm7 Member Posts: 2,310
    E Double U wrote: »
    I do it for sh%ts and giggles. When I have an employer that pays for training and exam attempts, why not take advantage?
    Exactly! Like, I don't NEED a master's degree, but I have tuition reimbursement now, so I feel stupid just letting it sit on the table.
  • jamesleecoleman Member Posts: 1,899
    I'm working on making the jump into a straight infosec job. I have a little three years (FTE) of helpdesk experience so far, and I'm working on getting into my second year with this one-guy JOAT show.

    Certifications lead to knowledge, which leads to things for me to do at the organization that I'm at now, where they're not really doing anything. I have to bring information security into the organization because some of these things are important and need to apply directly to us. I feel like a certification gives you the blanket information that's needed at a certain level, and then you go off into different things.
    Booya!!
    WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
    *****You can fail a test a bunch of times, but what matters is whether you fail to give up or not*****
  • whiterg Member Posts: 20
    I have mixed feelings about security certifications (even if I have some of them).

    Nowadays everybody has, or will have, a CISSP (for example). HR people see it as a holy grail (rightly or not), so from my POV this cert is becoming like
    the CompTIA A+/Net+/Sec+, an entry-level cert to pass the HR filter. If you have the minimum years of experience, just go with a CISSP and then learn and pass "technical security" certs like OSCP/OSCE/ELS/CCIE or others while you work; you will save a lot of time and money.

    For me, security certs are "valuable" if:

    - the number of people who manage to get it (without cheating) is small.
    - the final exams/practicals are not exposed to the public.
    - the renewal process is not just about money (I don't see the "value" of CPEs if you have to pay fees to maintain your cert).
    - marketing is not 80% of the cert, and so on...

    About experience: everyone can call themselves a "Security" consultant/vendor/technician, whatever you want, but the lack of real-world experience (for some [many] of them) is driving this field down. Security is a multiform field and nobody can be "good" at every security aspect.

    There is always a fight between experience and certifications. I have seen on many forums "which security cert should I pursue, or which
    one is the best"... I think this is the wrong way. I personally see certification as an ending point: if I want to leave or progress
    inside a company, then I learn the cert that validates my current experience and then move on to the next step.
  • katawia Member Posts: 27
    Why not?
    1. In this information age it's the best equalizer for learning to grow skills in multiple areas without having to get a bachelor's, master's or PhD, and still MAKE a decent living (at least).
    2. Sticking with only one cert is not the best way to "insure" your knowledge, skills, and abilities (KSA) now and for the future.
    3. It holds back the early onset of Parkinson's, Alzheimer's, etc...
    4. You're able to compress learning and baseline skills acquisition from many years to a few weeks or months.
    5. At least you become literate and confident in the InfoSec areas, and when it's time for proposal writing it can be leveraged.
    I could go on... but will let others chime in too.
    And oh, BTW, why worry? It may be a hobby for some folks!!!
    Compared to how other folks use time we can never get back (watching TV, gossip, etc...), I'd rather be piling up certifications!!!
  • LonerVamp Member Posts: 518
    Two main reasons: getting past HR screens and gaining actual knowledge. Early in a career, for sure, it's useful to get certs to get past initial HR screens and move hiring manager interview conversations beyond the "do you even know anything I need?" phase. For learning, it's about picking up courses and training to improve knowledge and skills, and often taking the cert exam is a small step after learning the material.

    Infosec has a shortage overall, but that's largely because infosec is not usually an entry-level area of IT. And once you get in, there are a good 8-9 very different slices of it. And that shortage is not universal to all markets. In my market, for instance, there are a few architect and analyst positions open, but more specialized positions like app security don't get filled quickly at all. But if you want to move into it, you need more than an IT background and enthusiasm for learning. You usually need to have learned something already, and certs or job experience + title are the easiest ways to demonstrate that to technical and non-technical people alike.

    It also helps you network with peers if you do on-site studying, and can be a conversation starter when rubbing shoulders at cons or meet-ups as well. For some specialized stuff, it could even lead to local talks to get under your belt. In other words, it'll help you network sometimes.

    But for most, I think, it's about learning more so we can solve more puzzles and mysteries.

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
    2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
  • cyberguypr Mod Posts: 6,928 Mod
    E Double U wrote: »
    I do it for sh%ts and giggles.
    This is one of the reasons why I keep getting certs I don't need. I'm at a point in my career where my accomplishments speak for themselves and I really don't need more certs. I do it because I enjoy it a lot. The other aspect is what others mention above: HR gating. I would hate to lose a job because I don't have a given cert. As much as we want to pull the "if they don't recognize my value and the fact that X cert means nothing, then I don't belong there" card, the reality is that companies have their processes, and if I see a great role I'm not going to let it go because I don't have the one cert they value. Well, except if it's from EC-Council; then I tell them to go pound sand.
  • sunto Member Posts: 29
    Snooper wrote: »
    I keep hearing that there is a serious shortage of security personnel. It is a no-brainer that there is certainly demand for security professionals nowadays. But what I don't get is the reason why so many experienced infosec guys and gals keep on piling up security certifications. Is it for significant raises? For promotion to become boss of bosses? :) For jumping into a different security stream? Or is it because there is a glut of infosec professionals and one needs to stand head and shoulders above the others?
    Like, for example, after gaining the CISSP, why struggle for the CISA or CISM?
    Please enlighten (and encourage) me.

    CISSP and CISM are related, but are more like cousins than brother/sister. They are also viewed differently depending on the industry you're in (Government, Financial, Private-Sector, et al.).

    Also, technology is a million-miles wide. It's good to pick up more certs so you can validate different down-lines (application security versus GRC, as an overly-simplified example).
  • NotHackingYou Member Posts: 1,460
    A certification is a great goal because the steps to achieve it are easily definable, success is easily definable, and it is validated by a third party. In addition, setting a date for the exam can help ensure commitment to studying on your defined schedule.
    When you go the extra mile, there's no traffic.
  • 636-555-3226 Member Posts: 975
    Another thing to consider is that certs can be like bank accounts. Even though you don't necessarily need your money right now, you can put it in the bank for when you need it in the future. Same thing with certs. You may not necessarily need it now, but if you're ever laid off or looking for a job, it's great to have that cert in the bank ready for withdrawal rather than scrambling around trying to study & pass a test in the week or two that that particular job posting is open for resumes.
  • ITHokie Member Posts: 158
    Snooper wrote: »
    Like, for example, after gaining the CISSP, why struggle for the CISA or CISM?

    GRC and management types do this, but I wonder if people in established technical security roles do. There is literally no chance I would ever pursue CISA or CISM. CISSP is more than enough.

    As for reasons to have multiple technical certifications, I think that was answered pretty well by others in this thread. The most important for me is to be continuously developing knowledge and skills that can better equip me to protect the organizations I work for.
  • beads Member Posts: 1,533
    I do, or will, as the easy certs fall off or I do not renew them. I have done this many times since the 90s. No big deal. Outside of making me learn a few things I otherwise wouldn't learn, I really don't see much added value in having too many certs, and I have become a bit infamous in some circles for saying so. If you're carrying 30+ certs and practicing in only a couple of domains, what does that really say? To me, volumes, but it always rings hollow as well. If you're not currently practicing in a domain, it's just a history paper of some lost glory.

    The other problem I see with people and too many certs is the overall lack of ability. Hey, it's great that you have 40 certificates of varying degrees, but do you know how to implement or troubleshoot any of this? Likely not. I see this all the time within security. People can tell me volumes of opinion but cannot read a basic SYSLOG output or tell whether there is or isn't a problem.

    Take your pick. There is good and bad to the whole situation.

    - b/eads
  • UnixGuy Mod Posts: 4,570 Mod
    You learn A LOT when you do the certifications. It's not about passing an exam, but doing the training course that gives you the skills to pass the exam.

    It's also a road map for you to learn certain topics.

    Plus the expectations are SO HIGH on InfoSec professionals.
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • EANx Member Posts: 1,077
    If you aren't moving forward, you're moving backward. People chase certifications because they want to learn new things and show they have achieved a certain level of competency. People also do it because IT isn't like many jobs where you don't have to keep learning; they want to be ready in case they need to look for another job. Show me two candidates, one that has six-year-old certs and nothing recent, or someone who has 2-3 more in that time, and I know who I'll select for the job.
  • TheFORCE Member Posts: 2,297
    ITHokie wrote: »
    GRC and management types do this, but I wonder if people in established technical security roles do. There is literally no chance I would ever pursue CISA or CISM. CISSP is more than enough.

    As for reasons to have multiple technical certifications, I think that was answered pretty well by others in this thread. The most important for me is to be continuously developing knowledge and skills that can better equip me to protect the organizations I work for.

    I considered doing this. I'm somewhat in between, though, with technical and non-technical compliance tasks and projects. I have the CISM book; I want to get the DB because the book is unreadable.
  • Jaydel.Leach Member Posts: 43
    What everybody else said, plus the need for CPEs.
  • Snooper Member Posts: 29
    Wow. You guys are phenomenal. Amazing replies. I never expected to see so many points listed; indeed, it is very encouraging to see what motivates and moves the go-getters. Thank you all for replying, and keep it up.
  • Hornswoggler Member Posts: 63
    Some thoughts:

    1. It's a blast
    2. InfoSec tends to be the "best of the best" and a motivated bunch
    3. We need to understand other IT roles so we can advise and consult
    4. We wear many hats: from "thinking like a manager" to "thinking like a hacker"
    5. Collecting CPE credits once you're part of this circus...
    6. Helps build confidence, competence, and respect at work
    7. Certs are good but the knowledge gained and being able to apply it is the prize
    8. It separates those who truly belong here from the bandwagon jumpers
    9. With these skills/certs, I'll never go hungry
    2018: Linux+, eWPT/GWAPT
  • beads Member Posts: 1,533
    Some thoughts:

    1. It's a blast
    2. InfoSec tends to be the "best of the best" and a motivated bunch
    3. We need to understand other IT roles so we can advise and consult
    4. We wear many hats: from "thinking like a manager" to "thinking like a hacker"
    5. Collecting CPE credits once you're part of this circus...
    6. Helps build confidence, competence, and respect at work
    7. Certs are good but the knowledge gained and being able to apply it is the prize
    8. It separates those who truly belong here from the bandwagon jumpers
    9. With these skills/certs, I'll never go hungry

    10. You can never be too "good" at reading endless logs and explaining the 18 elements of HIPAA for the 6th time a day.

    The rest I agree with, at least to some degree of confidence. I know more about how the network actually works than the architects and SMEs from other areas, allowing me the privilege of reading my normal security logs somewhere between 11:30AM and 1:30PM most days. Walking in the door usually means someone is waiting for me at 8:00AM with something "critical".

    What does this have to do with certs? Not much. I will learn the things appropriate for my position on my own. After a point it's just a paper chase for CPEs and a renewal game. Too many certs, or too broad, and I get extremely suspicious. There is a rather impolite phrase that relates, but I will keep it clean here.

    You get all the certs you want.

    - b/eads
  • JDMurray Admin Posts: 13,094 Admin
    Always be improving your knowledge and skills. Certifications are a great way to do that. You are your best investment in your own future.
  • N7Valiant Member Posts: 363
    Regarding this, I'm a bit curious, being very early into the IT field, but does anyone ever feel that maybe chasing down certs all the time might break the work/life balance? I ask because studying up for the A+, Net+, and now my Security+ feels pretty similar to full-time school, and I'd imagine it would be pretty similar to taking night classes when you're working full time.

    I don't know if it ever becomes particularly stressful to accumulate all those certs and then have to renew every 3 years.
    OSCP
    MCSE: Core Infrastructure
    MCSA: Windows Server 2016
    CompTIA A+ | Network+ | Security+ CE
  • TheFORCE Member Posts: 2,297
    N7Valiant wrote: »
    Regarding this, I'm a bit curious, being very early into the IT field, but does anyone ever feel that maybe chasing down certs all the time might break the work/life balance? I ask because studying up for the A+, Net+, and now my Security+ feels pretty similar to full-time school, and I'd imagine it would be pretty similar to taking night classes when you're working full time.

    I don't know if it ever becomes particularly stressful to accumulate all those certs and then have to renew every 3 years.

    Take 1 cert per year and you will not feel burned out. The cert will also count towards the CPEs. CPEs shouldn't be a problem, though; there are too many things out there that can qualify for CPEs. For example, instead of reading a newspaper I read an article that can give me CPEs, or attend a vendor presentation that can give me CPEs.

    If I had known that early on in my career I'd have 10 certs by now. Instead it's in the past 2.5 years that I got most of my certs.