Certification? When does it end?

I was just thinking about this this year as I wrote down a list of certs that I wanted to work on. I was just wondering at what point does all the effort to study, practice, exam, pay annual fees, end and stop producing an ROI? I enjoy the challenge of tackling a new cert, but as I get older I still wonder "is it all worth it?". I know it probably depends on the person and the objective, but I'm finding more and more people at the top in my organization and field w/o certs who you'd think would have them. And I'll also read about people making CIO or CISO without a single cert to their name. Granted they may have some IT management experience, but I just find it funny that certs are pushed so hard on the IT and cyber community, yet its not really the bar to measure yourself by if you're looking to make it to those higher levels. Anyway, just spatting out loud as I look at my ambitious cert list thinking "do I really need to go this route, another year of hardcore study and time away from my family?".

Find more posts tagged with

CERTIFICATION

Comments

bigdogz

This is just a geek tax that we pay for in time and money! LOL

Seriously, I think it either ends or slows when we become C level and may keep the management certifications to look legitimate.

chrisone

It obviously varies for everyone. Certs can accomplish many goals, below is a short unofficial list.

Salary
Position/Title
Skill improvement
Accolades of accomplishing a tough goal
The journey itself
A project

I suppose if you hit most of these from a career and personal desire I could see someone losing interest in certs. I am starting to get to that point myself, where I’m a little older now and am getting tired of certs. I honestly feel I have until 2021-2022 when I just call it quits and maintain the certs I have going forward. I am also targeting certs that don’t expire going forward.

I also want to look into owning a business, franchise, real estate, building an app, whatever it takes to be financially independent. Being in the information technology industry as an employee has its limits, the market has dictated what a junior or executive management should be earning a certain amount regardless of how hard you Work.

I digress, the topic of certs and stopping has been on my mind lately lol

rant over

roninkai

Exactly. I feel my mental efforts are probably better served to stop thinking like an employee and instead create an asset of value that could become a business. Alas, I did this years ago and exited the rat race for about 8 years. So I've seen the promised land of making money while you sleep, unlimited earning potential, etc. But online marketing aint a walk in the park and if you aren't building a real business and just have something that makes a few extra bucks, it can be short lived and you're onto the next thing. I'm going to push more for on the job study for certs as I continue on my last few before I call it quits....I no longer want to spend all my free time up late reading the driest of IT materials, unsure if it really is going to take me any further than just being kick ass at the job could.

Danielm7

I'm as guilty of it as anyone, I'm 20 years in, just passed an Azure cert and have a SANS course scheduled on a month or so. I've had the same question in a head a bit, I can prune old stuff up, but at some point just stacking them doesn't give a huge ROI. I look at my own company, the CIO just had many years of director/C level roles, no certs, I don't think he even has an MBA, and no one cares. My CISO has a CISSP, some old long expired certs. My risk/security director has an old CISSP, nothing else other than a BS 30 years ago.

I do certs mostly to keep myself focused for specific topics otherwise I'll bounce all around all the time, and to learn new things that might help me transition to a new job focus. At my level there is almost no chance that, outside of a few specific ones, most companies will hire or not hire only based on certifications.

I think the idea that specific certs, outside of maybe the CISSP just as a baseline gatekeeper thing, would matter for you getting a director or CISO level job is very unlikely.

For example, @dragonsden
2020 Level Up Goals: (1) CISSP-ISSAP (2) CAP (3) PMP (4) OSCP
These are all over the place. Architecture, pentesting and project management. There is a point where you're just beating yourself up and spreading yourself too thin but the ROI won't make sense.

LonerVamp

I think this is a great question, and should be matched by also asking yourself what you want to do with your career. What do you want to do as a job day by day for the next 3,5, 10+ years? And are those certs getting you there? Maybe (like me) the goal has been fuzzy due to liking many things and thus have a scattering of various certs and studying activities. For example, I have GCFA which is a forensics cert. I can't say I'm doing (technically) heavy forensics activities on a day to day basis, not am I looking at that as my job title/duty. Was that a mistake? Personally, I don't think so, but others may absolutely say so.

Also, eventually you can stop learning enough new things for a cert which makes that ROI drop quite a bit. For instance take the OSCP. Are there other certs "above" it to pursue or go down? Honestly, not really. There are classes and such, but honestly it's all about personal projects, activities, and job experience at that point.

SteveLavoie

50 % of my motivation to do certs if to build myself a career and for my personal enjoyement. If money, "fame" is achieved, good for me.. but that's not the main objectives. That way, I feel that certification don't have to be a good ROI.

Finally, it help me to measure what I learning by myself, and it is a way to achieve something with time that could be seen as lost.

JDMurray

I must admit to having difficulty studying for any type of exam whose subject(s) I do not find interesting. This leads me to only taking cert exams in areas that I do find interesting, which may not be the best cert for my current or future career path. Therefore, there is a certain challenge in motivating myself to study for the drier and borning stuff (e.g., management certs) that will likely give me the best ROI in the future.

mikey88

There has to be ROI in mind as well as taking a particular career path? I acquired CISSP last year, but haven't really advanced in the field yet... so the goal for this year to to get that bread lol

LordQarlyn

For me, it will probably end when I retire. Even if I make it to C-level, I will probably pursue certs.

matt333

Personally I just do it for the sake of learning new things. I like the structured learning of a certification and I find it a better use of time than watching TV.

TechGromit

dragonsden said:

I was just thinking about this this year as I wrote down a list of certs that I wanted to work on. I was just wondering at what point does all the effort to study, practice, exam, pay annual fees, end and stop producing an ROI?.

At retirement? Or maybe a few years before. I don't know if even making the CIO position gives you a free pass to let your skills degrade. Even CIO's can get fired for incompetence, security breaches, project failures, disaster recovery failures, the company going under. So long as you need to stay relevant in your position to get hired elsewhere, education and certifications will be important. You don't necessarily have to be always improving your skillset, but you need to keep up enough to stay relevant at your current career level.

Danielm7 said:

I look at my own company, the CIO just had many years of director/C level roles, no certs, I don't think he even has an MBA, and no one cares. My CISO has a CISSP, some old long expired certs. My risk/security director has an old CISSP, nothing else other than a BS 30 years ago. .

The same could be said of anyone of us, getting comfortable in our current position, just do enough to keeping up with you current role. Than BAM! Huge Security Breach, company suffers millions in lost revenue and damaged reputation. We need someone to blame, I know we'll fire the CISO and Security director. Problem solved. Now they are out on the open job market with expired security certs, or worse yet no certifications. Maybe they are lucky to get let go during a boom economy, and get another position fairly easily. Or they are not, let go during a deep recession, unemployed for months, even years. "I used to be a big important CIO once, would you like fires with that Happy meal sir?"

That's what Certifications are important, they are insurance against the unexpected. I once had a nice cushy government contractor job, no certifications, making good money, decent health benefits, company paid travel, life was good, till it wasn't, laid off due to government cuts, it was a humbling experience. I got lucky and eventually landed something better, but easily could have ended up stuck in a series of short term contract roles, with no health insurance and no real future.

roninkai

Danielm7 said:

I'm as guilty of it as anyone, I'm 20 years in, just passed an Azure cert and have a SANS course scheduled on a month or so. I've had the same question in a head a bit, I can prune old stuff up, but at some point just stacking them doesn't give a huge ROI. I look at my own company, the CIO just had many years of director/C level roles, no certs, I don't think he even has an MBA, and no one cares. My CISO has a CISSP, some old long expired certs. My risk/security director has an old CISSP, nothing else other than a BS 30 years ago.

I do certs mostly to keep myself focused for specific topics otherwise I'll bounce all around all the time, and to learn new things that might help me transition to a new job focus. At my level there is almost no chance that, outside of a few specific ones, most companies will hire or not hire only based on certifications.

I think the idea that specific certs, outside of maybe the CISSP just as a baseline gatekeeper thing, would matter for you getting a director or CISO level job is very unlikely.

For example, @dragonsden
2020 Level Up Goals: (1) CISSP-ISSAP (2) CAP (3) PMP (4) OSCP
These are all over the place. Architecture, pentesting and project management. There is a point where you're just beating yourself up and spreading yourself too thin but the ROI won't make sense.

Well, the logic behind my cert choices this year are as follows:
- CISSP-ISSAP: been working an architecture heavy role for 2 years, and studied on/off for two years. I just need a quick refresher through the CBK and I think I'm ready.
- CAP: I've worked RMF for 4+ years. I think all I need to pass this is a re-read through 800-37 and maybe 800-53 to be ready.

ISSAP/CAP were the low hanging fruits just to cert out for experience that I already have.

- OSCP/PMP: these are the big boys for the year. Yes, totally different focus and goals and could be entirely unrealistic. I studied for OSCP last year, but wasnt ready to cert out. I guess I want this more for the challenge than anything. a notch in the belt up the cyber pathway. I dont see myself working a pentest role since they pay considerably less than i am making now. Perhaps leading a red-team though, this could be beneficial.

But yes, these are simply shiny marketing letters that may trigger a new job opportunity, or get you noticed within your current company for a special role.

DFTK13

I don’t anticipate ever not trying for a new cert, probably after I retire though. I’m looking at it like this, I’ll become knowledgeable enough in the areas that I specialize in that the cert taking process is a breeze, with only minimal study to keep up with new technologies, while I tackle more difficult certs in unfamiliar areas. Quite frankly, IT is continually changing, so the required validation of knowledge is also continual.

LonerVamp

LordQarlyn said:

For me, it will probably end when I retire. Even if I make it to C-level, I will probably pursue certs.

Interesting perspective.

For me, I imagine at some level on the managerial or strategic leadership track I'd expect to have no real further use for technical certs or studying. I'd have other people likely doing that for me to some degree. I suppose I would still be informed enough to make leadership decisions, but...I dunno. Since I'm not the most social person, I'd have to spend quite a bit of energy in that department every day/week at that level.

bigdogz

A great deal of time we get the vendor certifications because we get the customer, preferential treatment, or to stand out as having x number of people certified so they can obtain some higher status on the provider chain to draw in more customers.

yoba222

I think less about ROI and more like paying for insurance in case I lose a job or need to bail out of a toxic work environment.

LordQarlyn

LonerVamp said:

Interesting perspective. For me, I imagine at some level on the managerial or strategic leadership track I'd expect to have no real further use for technical certs or studying. I'd have other people likely doing that for me to some degree. I suppose I would still be informed enough to make leadership decisions, but...I dunno. Since I'm not the most social person, I'd have to spend quite a bit of energy in that department every day/week at that level.

Yeah, I probably would not pursue technological certs, i.e., Cisco, Microsoft, AWS, etc., rather I would pursue managerial certs, or training. Of course any manager or above in tech needs to have a strong foundational tech knowledge to make good decisions, whether it's choosing a specific vendor platform or deciding to move the entire IT system to the cloud.

DatabaseHead

yoba222 said:

I think less about ROI and more like paying for insurance in case I lose a job or need to bail out of a toxic work environment.

Spoken like someone who is wise in their years.....

Info_Sec_Wannabe

I agree with OP. I'm at a crossroads on certifications myself although I've been eyeing OSCP for a while now. I'm not sure if its simply mental fatigue, lack of career focus or what not. So I'll be on a certification hiatus for the time being.

LonerVamp

yoba222 said:

I think less about ROI and more like paying for insurance in case I lose a job or need to bail out of a toxic work environment.

Being thrust unexpectedly in situations like that is the absolute worst time to find oneself lacking in certifications and badges. +1 for career insurance.

LonerVamp

Info_Sec_Wannabe said:

I agree with OP. I'm at a crossroads on certifications myself although I've been eyeing OSCP for a while now. I'm not sure if its simply mental fatigue, lack of career focus or what not. So I'll be on a certification hiatus for the time being.

I will always say go for it if you see some measure of benefit (financial or learning) and it's something your heart kinda wants. Unless you go into pentesting, there will be few places you get into by way of having the OSCP. That said, once you get in the door, it's a huge conversation piece.

For me, I started mine in 2008, I think it was. And then life/work balance exploded and I promptly had to drop it with very little effort applied to it. I came back and earned it 9 years later. It was always just this unfinished goal I had, and I knew I had to get back to it someday. That said, situations changed and I found more value in getting it again, too.

So, in the end, you do you. Figure out some goals, figure out some roads to get to those goals, and rededicate yourself to them. And...be sure to do things that make you happy. Pursuing the OSCP actually made me pretty happy, so it was time well spent for me.

H-bomb

yoba222 said:

I think less about ROI and more like paying for insurance in case I lose a job or need to bail out of a toxic work environment.

This is what I've always said. Its self-insurance and peace of mind.

averageguy72

To me, it depends on your goals and what you expect to get out of certification. I like to learn. The things that I primarily care about are security and architecture. If something that I want to learn about has a certification, why not go for it if I can see it providing value down the road?

Speaking industry specific, one thing that I've seen in the SaaS industry is that over the last ~5 years customers expect certified security staff. And I think security requirements will expand as their vendor management programs continues to mature. I see security certifications, based on frameworks or non-vendor specific methodolgy, as worthwhile.

I also agree with @yoba222 and @TechGromit, part of the value can be an insurance policy in bad times. But based on recent experiences I believe there could be a ceiling. The top tier companies in technology don't seem to care about them, at least not their own. They're just now getting around to requiring their own employees to pass them.

As someone who has been the hiring manager in the past, I primarily cared about what you could do. But I will to say, that if I had two resumes that were relatively the similar, I would have been more inclined to first reach out to the candidate that had the certifications to go with the experience. As with most things opinion-based, YMMV.

E Double U

Seems never ending for me because each year I feel like there are no more that I want and then something comes up at work that puts me right back on the cert path. I felt I was done with SANS last year, but then SEC530 was created plus my employer had budget so I took it. I thought I was done with vendor specific certs and then my employer says it is mandatory for everyone to do Azure stuff. I don't really mind because there is no strong impact on my work-life balance since my employer allows for studying during work hours.

DFTK13

E Double U said:

Seems never ending for me because each year I feel like there are no more that I want and then something comes up at work that puts me right back on the cert path. I felt I was done with SANS last year, but then SEC530 was created plus my employer had budget so I took it. I thought I was done with vendor specific certs and then my employer says it is mandatory for everyone to do Azure stuff. I don't really mind because there is no strong impact on my work-life balance since my employer allows for studying during work hours.

I wish I could study during work hours, I can only do so during my lunch break but I’m paid hourly so it’s not a long break.

TechGromit

DFTK13 said:

I wish I could study during work hours, I can only do so during my lunch break but I’m paid hourly so it’s not a long break.

It's feast or famine with me, some days there isn't enough hours in the day to complete the work, others it's why do they pay me to sit here.