Certification? When does it end?

roninkai Senior Member San Diego Member Posts: 305 ■■■■□□□□□□
I was just thinking about this this year as I wrote down a list of certs that I wanted to work on. I was just wondering at what point does all the effort to study, practice, exam, pay annual fees, end and stop producing an ROI? I enjoy the challenge of tackling a new cert, but as I get older I still wonder "is it all worth it?". I know it probably depends on the person and the objective, but I'm finding more and more people at the top in my organization and field w/o certs who you'd think would have them. And I'll also read about people making CIO or CISO without a single cert to their name. Granted they may have some IT management experience, but I just find it funny that certs are pushed so hard on the IT and cyber community, yet it's not really the bar to measure yourself by if you're looking to make it to those higher levels. Anyway, just spatting out loud as I look at my ambitious cert list thinking "do I really need to go this route, another year of hardcore study and time away from my family?".
浪人 MSISA:WGU
ICP-FDO ▪ CISSP ▪ ECES ▪ CHFI ▪ CNDA ▪ CEH ▪ MCSA/MCITP ▪ MCTS ▪ S+
2020 Level Up Goals: (1) DevSecOps Learning Path (2) OSCP

Comments

  • bigdogz Member Posts: 873 ■■■■■■■■□□
    This is just a geek tax that we pay for in time and money! LOL

    Seriously, I think it either ends or slows when we become C level and may keep the management certifications to look legitimate.
  • chrisone Senior Member Member Posts: 2,141 ■■■■■■■■■□
    edited January 17
    It obviously varies for everyone. Certs can accomplish many goals, below is a short unofficial list.

    Salary
    Position/Title
    Skill improvement 
    Accolades of accomplishing a tough goal
    The journey itself
    A project

    I suppose if you hit most of these from a career and personal desire I could see someone losing interest in certs. I am starting to get to that point myself, where I’m a little older now and am getting tired of certs. I honestly feel I have until 2021-2022 when I just call it quits and maintain the certs I have going forward. I am also targeting certs that don’t expire going forward.

    I also want to look into owning a business, franchise, real estate, building an app, whatever it takes to be financially independent. Being in the information technology industry as an employee has its limits, the market has dictated what a junior or executive management should be earning a certain amount regardless of how hard you work.

    I digress, the topic of certs and stopping has been on my mind lately lol

    rant over
    Certs: CISSP, OSCP, CRTP, eCPPT, eCIR, LFCS, CEH, AZ-900, VHL:Advanced+, Retired Cisco CCNP/SP/DP
    2020 Goals:
    Courses: VHL (completed), CQURE: Windows Security Crash Course (completed), BlackHills InfoSec: Breaching the Cloud (completed), eLearnSecurity: WAPTv3 (completed), IHRP (completed), THPv2 (completed), PTXv2 (completed)
    Certs: VHL: Advanced+ (completed), OSCP (completed), AZ-500 (failed 1st attempt), eWPT (failed 2x, no further attempts), eCIR (complete), eCTHPv2 (report: awaiting results), eCPTXv2 (Dec)
    2021: AZ-500, AZ-104, AZ-204, AZ-303, AZ-304, MS-500
  • roninkai Senior Member San Diego Member Posts: 305 ■■■■□□□□□□
    edited January 17
    Exactly. I feel my mental efforts are probably better served to stop thinking like an employee and instead create an asset of value that could become a business. Alas, I did this years ago and exited the rat race for about 8 years. So I've seen the promised land of making money while you sleep, unlimited earning potential, etc. But online marketing ain't a walk in the park and if you aren't building a real business and just have something that makes a few extra bucks, it can be short lived and you're onto the next thing. I'm going to push more for on the job study for certs as I continue on my last few before I call it quits....I no longer want to spend all my free time up late reading the driest of IT materials, unsure if it really is going to take me any further than just being kick ass at the job could.
    浪人 MSISA:WGU
    ICP-FDO ▪ CISSP ▪ ECES ▪ CHFI ▪ CNDA ▪ CEH ▪ MCSA/MCITP ▪ MCTS ▪ S+
    2020 Level Up Goals: (1) DevSecOps Learning Path (2) OSCP
  • Danielm7 Member Posts: 2,298 ■■■■■■■■□□
    I'm as guilty of it as anyone, I'm 20 years in, just passed an Azure cert and have a SANS course scheduled in a month or so. I've had the same question in my head a bit, I can prune old stuff up, but at some point just stacking them doesn't give a huge ROI. I look at my own company, the CIO just had many years of director/C level roles, no certs, I don't think he even has an MBA, and no one cares. My CISO has a CISSP, some old long expired certs. My risk/security director has an old CISSP, nothing else other than a BS 30 years ago.

    I do certs mostly to keep myself focused for specific topics otherwise I'll bounce all around all the time, and to learn new things that might help me transition to a new job focus. At my level there is almost no chance that, outside of a few specific ones, most companies will hire or not hire only based on certifications.

    I think the idea that specific certs, outside of maybe the CISSP just as a baseline gatekeeper thing, would matter for you getting a director or CISO level job is very unlikely. 

    For example, @dragonsden
    2020 Level Up Goals: (1) CISSP-ISSAP (2) CAP (3) PMP (4) OSCP
    These are all over the place. Architecture, pentesting and project management. There is a point where you're just beating yourself up and spreading yourself too thin but the ROI won't make sense. 


  • LonerVamp OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK Member Posts: 515 ■■■■■■■■□□
    I think this is a great question, and should be matched by also asking yourself what you want to do with your career. What do you want to do as a job day by day for the next 3, 5, 10+ years? And are those certs getting you there? Maybe (like me) the goal has been fuzzy due to liking many things and thus have a scattering of various certs and studying activities. For example, I have GCFA which is a forensics cert. I can't say I'm doing (technically) heavy forensics activities on a day to day basis, nor am I looking at that as my job title/duty. Was that a mistake? Personally, I don't think so, but others may absolutely say so.

    Also, eventually you can stop learning enough new things for a cert which makes that ROI drop quite a bit. For instance take the OSCP. Are there other certs "above" it to pursue or go down? Honestly, not really. There are classes and such, but honestly it's all about personal projects, activities, and job experience at that point.

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
    2020 goals: AWS Security Specialty, maybe AWAE or SLAE, CISSP-ISSAP?
  • SteveLavoie Member Posts: 893 ■■■■■■■■□□
    50 % of my motivation to do certs is to build myself a career and for my personal enjoyment. If money, "fame" is achieved, good for me.. but that's not the main objective. That way, I feel that certifications don't have to be a good ROI.

    Finally, it helps me to measure what I am learning by myself, and it is a way to achieve something with time that could be seen as lost.
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,933 Admin
    I must admit to having difficulty studying for any type of exam whose subject(s) I do not find interesting. This leads me to only taking cert exams in areas that I do find interesting, which may not be the best cert for my current or future career path. Therefore, there is a certain challenge in motivating myself to study for the drier and boring stuff (e.g., management certs) that will likely give me the best ROI in the future.
  • mikey88 CISSP, CySA+, Security+, Network+ and others Member Posts: 494 ■■■■■■□□□□
    There has to be ROI in mind as well as taking a particular career path? I acquired CISSP last year, but haven't really advanced in the field yet... so the goal for this year is to get that bread lol
    Certs: CISSP, CySA+, Security+, Network+ and others | 2019 Goals: Cloud Sec/Scripting/Linux

  • LordQarlyn Member Posts: 650 ■■■■■■□□□□
    For me, it will probably end when I retire. Even if I make it to C-level, I will probably pursue certs.
  • matt333 Senior Member Bay Area Member Posts: 259 ■■■■□□□□□□
    edited January 17
    Personally I just do it for the sake of learning new things. I like the structured learning of a certification and I find it a better use of time than watching TV. 
    Studying: Automating Everything, network API's, Python etc.. 
    Certifications: CCNP, CCDP, JNCIP-DC, JNCIS-DevOps, JNCIS-ENT
  • TechGromit GSEC, GCIH, GREM, Ontario, NY Member Posts: 2,000 ■■■■■■■■□□
    edited January 17
    I was just thinking about this this year as I wrote down a list of certs that I wanted to work on. I was just wondering at what point does all the effort to study, practice, exam, pay annual fees, end and stop producing an ROI?

    At retirement? Or maybe a few years before. I don't know if even making the CIO position gives you a free pass to let your skills degrade. Even CIOs can get fired for incompetence, security breaches, project failures, disaster recovery failures, the company going under. So long as you need to stay relevant in your position to get hired elsewhere, education and certifications will be important. You don't necessarily have to be always improving your skillset, but you need to keep up enough to stay relevant at your current career level.
    Danielm7 said:
    I look at my own company, the CIO just had many years of director/C level roles, no certs, I don't think he even has an MBA, and no one cares. My CISO has a CISSP, some old long expired certs. My risk/security director has an old CISSP, nothing else other than a BS 30 years ago.


    The same could be said of any one of us, getting comfortable in our current position, just doing enough to keep up with your current role. Then BAM! Huge Security Breach, company suffers millions in lost revenue and damaged reputation. We need someone to blame, I know we'll fire the CISO and Security director. Problem solved. Now they are out on the open job market with expired security certs, or worse yet no certifications. Maybe they are lucky to get let go during a boom economy, and get another position fairly easily. Or they are not, let go during a deep recession, unemployed for months, even years. "I used to be a big important CIO once, would you like fries with that Happy meal sir?"


    That's why certifications are important, they are insurance against the unexpected. I once had a nice cushy government contractor job, no certifications, making good money, decent health benefits, company paid travel, life was good, till it wasn't, laid off due to government cuts, it was a humbling experience. I got lucky and eventually landed something better, but easily could have ended up stuck in a series of short term contract roles, with no health insurance and no real future.

    Still searching for the corner in a round room.
  • roninkai Senior Member San Diego Member Posts: 305 ■■■■□□□□□□
    Danielm7 said:
    I'm as guilty of it as anyone, I'm 20 years in, just passed an Azure cert and have a SANS course scheduled in a month or so. I've had the same question in my head a bit, I can prune old stuff up, but at some point just stacking them doesn't give a huge ROI. I look at my own company, the CIO just had many years of director/C level roles, no certs, I don't think he even has an MBA, and no one cares. My CISO has a CISSP, some old long expired certs. My risk/security director has an old CISSP, nothing else other than a BS 30 years ago.

    I do certs mostly to keep myself focused for specific topics otherwise I'll bounce all around all the time, and to learn new things that might help me transition to a new job focus. At my level there is almost no chance that, outside of a few specific ones, most companies will hire or not hire only based on certifications.

    I think the idea that specific certs, outside of maybe the CISSP just as a baseline gatekeeper thing, would matter for you getting a director or CISO level job is very unlikely. 

    For example, @dragonsden
    2020 Level Up Goals: (1) CISSP-ISSAP (2) CAP (3) PMP (4) OSCP
    These are all over the place. Architecture, pentesting and project management. There is a point where you're just beating yourself up and spreading yourself too thin but the ROI won't make sense. 


    Well, the logic behind my cert choices this year is as follows:
    - CISSP-ISSAP: been working an architecture heavy role for 2 years, and studied on/off for two years. I just need a quick refresher through the CBK and I think I'm ready. 
    - CAP: I've worked RMF for 4+ years. I think all I need to pass this is a re-read through 800-37 and maybe 800-53 to be ready. 

    ISSAP/CAP were the low hanging fruits just to cert out for experience that I already have.

    - OSCP/PMP: these are the big boys for the year. Yes, totally different focus and goals and could be entirely unrealistic. I studied for OSCP last year, but wasn't ready to cert out. I guess I want this more for the challenge than anything. A notch in the belt up the cyber pathway. I don't see myself working a pentest role since they pay considerably less than I am making now. Perhaps leading a red-team though, this could be beneficial.

    But yes, these are simply shiny marketing letters that may trigger a new job opportunity, or get you noticed within your current company for a special role. 
    浪人 MSISA:WGU
    ICP-FDO ▪ CISSP ▪ ECES ▪ CHFI ▪ CNDA ▪ CEH ▪ MCSA/MCITP ▪ MCTS ▪ S+
    2020 Level Up Goals: (1) DevSecOps Learning Path (2) OSCP
  • DFTK13 Member Posts: 176 ■■■■□□□□□□
    I don’t anticipate ever not trying for a new cert, probably after I retire though. I’m looking at it like this, I’ll become knowledgeable enough in the areas that I specialize in that the cert taking process is a breeze, with only minimal study to keep up with new technologies, while I tackle more difficult certs in unfamiliar areas. Quite frankly, IT is continually changing, so the required validation of knowledge is also continual. 
    Certs: CCNA(200-301), Network+, A+, LPI Linux Essentials
    Goals: CCNP Enterprise(ENCOR + ENARSI), AWS CSA - Associate, Azure AZ-104, Become better at python, learn docker and kubernetes

    Degree: A.S. Network Administration
    Pursuing: B.S. in I.T. Web and Mobile Development Concentration
  • LonerVamp OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK Member Posts: 515 ■■■■■■■■□□
    For me, it will probably end when I retire. Even if I make it to C-level, I will probably pursue certs.
    Interesting perspective. :) For me, I imagine at some level on the managerial or strategic leadership track I'd expect to have no real further use for technical certs or studying. I'd have other people likely doing that for me to some degree. I suppose I would still be informed enough to make leadership decisions, but...I dunno. Since I'm not the most social person, I'd have to spend quite a bit of energy in that department every day/week at that level.

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
    2020 goals: AWS Security Specialty, maybe AWAE or SLAE, CISSP-ISSAP?
  • bigdogz Member Posts: 873 ■■■■■■■■□□
    A great deal of time we get the vendor certifications because we get the customer, preferential treatment, or to stand out as having x number of people certified so they can obtain some higher status on the provider chain to draw in more customers.
  • LordQarlyn Member Posts: 650 ■■■■■■□□□□
    LonerVamp said:
    Interesting perspective. :) For me, I imagine at some level on the managerial or strategic leadership track I'd expect to have no real further use for technical certs or studying. I'd have other people likely doing that for me to some degree. I suppose I would still be informed enough to make leadership decisions, but...I dunno. Since I'm not the most social person, I'd have to spend quite a bit of energy in that department every day/week at that level.

    Yeah, I probably would not pursue technological certs, i.e., Cisco, Microsoft, AWS, etc., rather I would pursue managerial certs, or training. Of course any manager or above in tech needs to have a strong foundational tech knowledge to make good decisions, whether it's choosing a specific vendor platform or deciding to move the entire IT system to the cloud.
  • DatabaseHead Teradata Assc 16, CSM, MS Access 2016, 2019 Member Posts: 2,586 ■■■■■■■■■□
    yoba222 said:
    I think less about ROI and more like paying for insurance in case I lose a job or need to bail out of a toxic work environment.
    Spoken like someone who is wise in their years.....
  • Info_Sec_Wannabe Senior Member Member Posts: 400 ■■■□□□□□□□
    I agree with OP. I'm at a crossroads on certifications myself although I've been eyeing OSCP for a while now. I'm not sure if it's simply mental fatigue, lack of career focus or what not. So I'll be on a certification hiatus for the time being.
    Three year plan: (2018) CISSP [X] and eJPT [ ]; (2019) eCPPT [ ]; (2020) OSCP [ ]
  • LonerVamp OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK Member Posts: 515 ■■■■■■■■□□
    yoba222 said:
    I think less about ROI and more like paying for insurance in case I lose a job or need to bail out of a toxic work environment.
    Being thrust unexpectedly in situations like that is the absolute worst time to find oneself lacking in certifications and badges. +1 for career insurance.

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
    2020 goals: AWS Security Specialty, maybe AWAE or SLAE, CISSP-ISSAP?
  • LonerVamp OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK Member Posts: 515 ■■■■■■■■□□
    I agree with OP. I'm at a crossroads on certifications myself although I've been eyeing OSCP for a while now. I'm not sure if it's simply mental fatigue, lack of career focus or what not. So I'll be on a certification hiatus for the time being.

    I will always say go for it if you see some measure of benefit (financial or learning) and it's something your heart kinda wants. Unless you go into pentesting, there will be few places you get into by way of having the OSCP. That said, once you get in the door, it's a huge conversation piece.

    For me, I started mine in 2008, I think it was. And then life/work balance exploded and I promptly had to drop it with very little effort applied to it. I came back and earned it 9 years later. It was always just this unfinished goal I had, and I knew I had to get back to it someday. That said, situations changed and I found more value in getting it again, too.

    So, in the end, you do you. Figure out some goals, figure out some roads to get to those goals, and rededicate yourself to them. And...be sure to do things that make you happy. Pursuing the OSCP actually made me pretty happy, so it was time well spent for me.

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
    2020 goals: AWS Security Specialty, maybe AWAE or SLAE, CISSP-ISSAP?
  • H-bomb Member Posts: 128 ■■■□□□□□□□
    yoba222 said:
    I think less about ROI and more like paying for insurance in case I lose a job or need to bail out of a toxic work environment.
    This is what I've always said. It's self-insurance and peace of mind.


  • averageguy72 Senior Member Member Posts: 320 ■■■■□□□□□□
    To me, it depends on your goals and what you expect to get out of certification.  I like to learn.  The things that I primarily care about are security and architecture.  If something that I want to learn about has a certification, why not go for it if I can see it providing value down the road? 

    Speaking industry specific, one thing that I've seen in the SaaS industry is that over the last ~5 years customers expect certified security staff.  And I think security requirements will expand as their vendor management programs continue to mature.  I see security certifications, based on frameworks or non-vendor specific methodology, as worthwhile.

    I also agree with @yoba222 and @TechGromit, part of the value can be an insurance policy in bad times.  But based on recent experiences I believe there could be a ceiling.  The top tier companies in technology don't seem to care about them, at least not their own.  They're just now getting around to requiring their own employees to pass them.

    As someone who has been the hiring manager in the past, I primarily cared about what you could do.  But I will say, that if I had two resumes that were relatively similar, I would have been more inclined to first reach out to the candidate that had the certifications to go with the experience.  As with most things opinion-based, YMMV.
    CISSP / CCSP / CCSK / CRISC / CISM / CISA / CASP / Security+ / Network+ / A+ / CEH / eNDP / AWS Certified Advanced Networking - Specialty / AWS Certified Security - Specialty / AWS Certified DevOps Engineer - Professional / AWS Certified Solutions Architect - Professional / AWS Certified SysOps Administrator - Associate / AWS Certified Solutions Architect - Associate / AWS Certified Developer - Associate / AWS Cloud Practitioner
  • E Double U Member Posts: 1,785 ■■■■■■■■■□
    Seems never ending for me because each year I feel like there are no more that I want and then something comes up at work that puts me right back on the cert path. I felt I was done with SANS last year, but then SEC530 was created plus my employer had budget so I took it. I thought I was done with vendor specific certs and then my employer says it is mandatory for everyone to do Azure stuff. I don't really mind because there is no strong impact on my work-life balance since my employer allows for studying during work hours. 
    Alphabet soup: CISSP, CCSP, CISM, CISA, GDSA, GPEN, GCIA, GCIH, GCCC, CEH, Azure Fundamentals, Azure Security Engineer Associate, ITIL 4 Foundation, and more.

    2020 goals: AZ-900, AZ-500, GDSA, ITILv4

    "You tried your best and you failed miserably. The lesson is, never try." - Homer Simpson
  • DFTK13 Member Posts: 176 ■■■■□□□□□□
    Seems never ending for me because each year I feel like there are no more that I want and then something comes up at work that puts me right back on the cert path. I felt I was done with SANS last year, but then SEC530 was created plus my employer had budget so I took it. I thought I was done with vendor specific certs and then my employer says it is mandatory for everyone to do Azure stuff. I don't really mind because there is no strong impact on my work-life balance since my employer allows for studying during work hours. 
    I wish I could study during work hours, I can only do so during my lunch break but I’m paid hourly so it’s not a long break. 
    Certs: CCNA(200-301), Network+, A+, LPI Linux Essentials
    Goals: CCNP Enterprise(ENCOR + ENARSI), AWS CSA - Associate, Azure AZ-104, Become better at python, learn docker and kubernetes

    Degree: A.S. Network Administration
    Pursuing: B.S. in I.T. Web and Mobile Development Concentration
  • TechGromit GSEC, GCIH, GREM, Ontario, NY Member Posts: 2,000 ■■■■■■■■□□
    edited January 28
    DFTK13 said:
    I wish I could study during work hours, I can only do so during my lunch break but I’m paid hourly so it’s not a long break. 
    It's feast or famine with me, some days there aren't enough hours in the day to complete the work, others it's why do they pay me to sit here.
    Still searching for the corner in a round room.