  1. Junior Member
    Join Date
    Oct 2017
    Posts
    24
    #1

    Value of InfoSec certs? Why pile up certs?

    I keep hearing that there is a serious shortage of security personnel. It is a no-brainer that there is certainly demand for security professionals nowadays. But what I don't get is the reason why so many experienced infosec guys and gals keep on piling up security certifications. Is it for significant raises? For promotion to become boss of bosses? For jumping into a different security stream? Or is it because there is a glut of infosec professionals and one needs to stand shoulders taller than others?
    Like, for example, after gaining CISSP why struggle for CISA or CISM?
    Please enlighten (and encourage) me.

  3. Senior Member
    Join Date
    Apr 2013
    Posts
    1,920
    #2
    Quote Originally Posted by Snooper
    Is it for significant raises? For promotion to become boss of boss? For jumping into a different security stream? or is it because there is a glut of infosec professionals and one needs to stand shoulders taller than others?
    Like for example after gaining CISSP why struggle for CISA or CISM?
    Yes, any and all of those reasons. It's a field where you have to like learning new things, and many times a new cert is a focus for learning new things. If it's something like SANS, the training is great, and you usually do a cert with it, so why not?

    For your example, the CISSP is general, and lots of HR folks mistakenly think it's the gold standard of technical security. The CISA is audit focused, the CISM is management focused. So you might get another, or more, to focus on a different area of the field. Infosec is really wide; there aren't a lot of security certs that cover everything, and if they did they wouldn't do it well, because there is too much spread from something like audit all the way to reverse code engineers.
    Last edited by Danielm7; 11-09-2017 at 12:27 AM.

  4. Senior Member kMastaFlash's Avatar
    Join Date
    Aug 2012
    Posts
    897

    Certifications
    A+, Network+,Security+, EMCISA v2, MCP, MTAx2 , CCENT, CCNA R&S,C|EH,C|HFI,Linux+,LPIC-1,E|CSS,E|CES,GPEN,OSWP,Server+,LPT,GCIH,E|CIH
    #3
    Why people do security certifications is very simple. Security is always changing and you need to adapt with it. Many jobs now require certifications of some level to establish a baseline of knowledge with employees. Certain DoD jobs require IT certifications as part of the 8570 requirement. They also show you are dedicated to continuing your education outside of work. Plus, who doesn't like to stroke their own ego a bit!
    2017:E|CSA E|CSP,eLearnSecurity Courses 2018: C|ND,ICND2,CCSK,CISSP,CCNA-Security,CSA+,GWAPT 2019: CWNA 2020: LPIC-2

  5. They are watching you NetworkNewb's Avatar
    Join Date
    Feb 2015
    Location
    Off the grid
    Posts
    2,619

    Certifications
    A+/Net+/Sec+, CCENT, CCNA:Sec, CCSK, GCIH
    #4
    Quote Originally Posted by Snooper
    Like for example after gaining CISSP why struggle for CISA or CISM?
    Because companies ask for these certifications in their job ads and people like to make more money...

  6. Junior Member
    Join Date
    May 2007
    Location
    Europe
    Posts
    10

    Certifications
    OPSA,CCNA(4x),eJPT
    #5
    And certification vendors also like to make money....

  7. Senior Member E Double U's Avatar
    Join Date
    Apr 2014
    Location
    The Netherlands
    Posts
    1,158

    Certifications
    CISSP, CISM, GCIA, GCIH, C|EH, and more.
    #6
    I do it for sh%ts and giggles. When I have an employer that pays for training and exam attempts, why not take advantage?
    "You tried your best and you failed miserably. The lesson is, never try." - Homer Simpson

  8. Senior Member
    Join Date
    Apr 2013
    Posts
    1,920
    #7
    Quote Originally Posted by E Double U
    I do it for sh%ts and giggles. When I have an employer that pays for training and exam attempts, why not take advantage?
    Exactly! Like, I don't NEED a master's degree, but I have tuition reimbursement now, so I'd feel stupid just letting it sit on the table.

  9. Senior Member
    Join Date
    Dec 2007
    Location
    Grand Rapids, Michigan
    Posts
    1,857

    Certifications
    Network+ : A+ : Security+ : eJPT : Life+
    #8
    I'm working on making the jump into a straight infosec job. I have a little three years (FTE) of helpdesk experience so far, and I'm working on getting into my second year with this one-guy JOAT show.

    Certifications lead to knowledge, which leads to things for me to do at the organization I'm at now, where they're not really doing anything. I have to bring information security into the organization, because some of these things are important and apply directly to us. I feel like a certification gives you the blanket information that's needed at a certain level, and then you go off into different things.
    Booya!!
    ------------------------------------------------------------------------------------------
    WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
    *****You can fail a test a bunch of times but what matters is that if you fail to give up or not*****

  10. Junior Member
    Join Date
    May 2007
    Location
    Europe
    Posts
    10

    Certifications
    OPSA,CCNA(4x),eJPT
    #9
    I have mixed feelings about security certifications (even if I have some of them).

    Nowadays everybody has, or will have, a CISSP (for example). HR people see it as a holy grail (rightly or not), so from my POV this cert is becoming like the CompTIA A+/Net+/Sec+: an entry-level cert to pass the HR filter. If you have the minimum years of experience, just go with a CISSP, and then learn and pass "technical security" certs like OSCP/OSCE/ELS/CCIE or others while you work; you will save a lot of time and money.

    For me, security certs are "valuable" if:

    - the number of people who manage to get it (without cheating) is small;
    - the final exams/practicals are not exposed to the public;
    - the renewal process is not just about money (I don't see the "value" of CPEs if you have to pay fees to maintain your cert);
    - marketing is not 80% of the cert, and so on.

    About experience: everyone can call herself/himself a "security" consultant/vendor/technician, whatever you want, but the lack of real-world experience (for some [many] of them) is driving this field down. Security is a multiform field, and nobody can be "good" in every security aspect.

    There is always a fight between experience and certifications. I have seen on many forums "which security cert should I pursue, or which one is the best"... I think this is the wrong way. I personally see a certification as an ending point: if I want to leave or progress inside a company, then I learn the cert that validates my current experience and then move on to the next step.

  11. Junior Member
    Join Date
    Jul 2017
    Posts
    23
    #10
    Why not?
    1. In this information age it's the best equalizer for growing skills in multiple areas without having to get a bachelor's, master's or PhD, and still make a decent (at least) living.
    2. Sticking with only one cert is not the best way to "insure" your knowledge, skills and abilities (KSA) now and for the future.
    3. It holds back the early onset of Parkinson's, Alzheimer's, etc.
    4. You're able to compress learning and baseline skills acquisition from many years to a few weeks or months.
    5. At least you become literate and confident in the InfoSec areas, and when it's time for proposal writing it can be leveraged.
    I could go on... but will let others chime in too.
    And oh, BTW, why worry? It may be a hobby for some folks!!!
    Compared to how other folks use time we can never get back (watching TV, gossip, etc.), I'd rather be piling up certifications!!!

  12. Member
    Join Date
    Nov 2016
    Location
    Iowa
    Posts
    67

    Certifications
    OSCP, CISSP, Sec+
    #11
    Two main reasons: Getting past HR screens and gaining actual knowledge. Early in a career for sure, it's useful to get certs to get past initial HR screens and move hiring manager interview conversations beyond the "do you even know anything I need?" phase. For learning, it's about picking up courses and training to improve knowledge and skills, and often taking the cert exam is a small step after learning the material.

    Infosec has a shortage overall, but that's largely because infosec is not usually an entry level area of IT. And once you get in, there are a good 8-9 very different slices of it. And that shortage is not universal to all markets. In my market, for instance, there are a few architect and analyst positions open, but more specialized positions like app security don't get filled quickly at all. But if you want to move into it, you need more than an IT background and enthusiasm for learning. You usually need to have learned something already, and certs or job experience + title are the easiest ways to demonstrate that to technical and non-technical people alike.

    It also helps you network with peers if you do on-site studying, and can be a conversation starter when rubbing shoulders at cons or meet-ups as well. For some specialized stuff, it could even lead to local talks to get under your belt. In other words, it'll help you network sometimes.

    But for most, I think, it's about learning more so we can solve more puzzles and mysteries.
    -------------------------------------------------------
    Security Engineer/Analyst/Geek, Pen Testing

  13. Senior Member cyberguypr's Avatar
    Join Date
    May 2007
    Location
    Chicago, IL
    Posts
    5,818

    Certifications
    GCFE, GCED, GCIH, CISSP, CCSP, and others that should never be mentioned
    #12
    Quote Originally Posted by E Double U
    I do it for sh%ts and giggles.
    This is one of the reasons why I keep getting certs I don't need. I'm at a point in my career where my accomplishments speak for themselves, and I really don't need more certs. I do it because I enjoy it a lot. The other aspect is what others mention above: HR gating. I would hate to lose a job because I don't have a given cert. As much as we want to pull the "if they don't recognize my value and the fact that X cert means nothing, then I don't belong there" card, the reality is that companies have their processes, and if I see a great role I'm not going to let it go because I don't have the one cert they value. Well, except if it's from EC-Council; then I tell them to go pound sand.

  14. Junior Member
    Join Date
    Jul 2017
    Posts
    7
    #13
    Quote Originally Posted by Snooper
    I keep hearing that there is a serious shortage of security personnel. It is a no-brainer that there is certainly demand for security professionals nowadays. But what I don't get is the reason why so many experienced infosec guys and gals keep on piling up security certifications. Is it for significant raises? For promotion to become boss of bosses? For jumping into a different security stream? Or is it because there is a glut of infosec professionals and one needs to stand shoulders taller than others?
    Like, for example, after gaining CISSP why struggle for CISA or CISM?
    Please enlighten (and encourage) me.
    CISSP and CISM are related, but are more like cousins than brother/sister. They are also viewed differently depending on the industry you're in (government, financial, private sector, et al.).

    Also, technology is a million miles wide. It's good to pick up more certs so you can validate different down-lines (application security versus GRC, as an overly simplified example).

  15. Achieve excellence daily
    Join Date
    May 2012
    Location
    Washington State
    Posts
    1,363

    Certifications
    CISSP
    #14
    A certification is a great goal because the steps to achieve it are easily definable, success is easily definable, and it is validated by a third party. In addition, setting a date for the exam can help ensure commitment to study on your defined schedule.
    When you go the extra mile, there's no traffic.

  16. Senior Member 636-555-3226's Avatar
    Join Date
    Jul 2015
    Posts
    874

    Certifications
    Lots of security certifications, yet the more I learn, the further I have to go...
    #15
    Another thing to consider is that certs can be like bank accounts. Even though you don't necessarily need your money right now, you can put it in the bank for when you need it in the future. Same thing with certs. You may not necessarily need it now, but if you're ever laid off or looking for a job, it's great to have that cert in the bank ready for withdrawal rather than scrambling around trying to study & pass a test in the week or two that that particular job posting is open for resumes.

  17. Senior Member
    Join Date
    Mar 2008
    Location
    Denver
    Posts
    119

    Certifications
    GXPN, GPEN, GCIH, CISSP, C|EH, CCNA, MCSE:S, MCSA, MCP, A+/N+/S+/L+/P+
    #16
    Quote Originally Posted by Snooper
    Like for example after gaining CISSP why struggle for CISA or CISM?
    GRC and management types do this, but I wonder if people in established technical security roles do. There is literally no chance I would ever pursue CISA or CISM. CISSP is more than enough.

    As for reasons to have multiple technical certifications, I think that was answered pretty well by others in this thread. The most important for me is to be continuously developing knowledge and skills that can better equip me to protect the organizations I work for.

  18. Senior Member
    Join Date
    Mar 2011
    Location
    Chicago
    Posts
    1,312

    Certifications
    CISSP-ISSAP, HCISPP GPEN, GSEC, GSNA, GCIH, E|CH, ECSA, Security+
    #17
    I do, or will as the easy certs fall off or I don't renew them. I have done this many times since the 90s. No big deal. Outside of making me learn a few things I otherwise wouldn't learn, I really don't see much added value in having too many certs, and I have become a bit infamous in some circles for saying so. If you're carrying 30+ certs and practicing in only a couple of domains, what does that really say? To me, volumes, but it always rings hollow as well. If you're not currently practicing in a domain, it's just a history paper of some lost glory.

    The other problem I see with people and too many certs is the overall lack of ability. Hey, it's great that you have 40 certificates of varying degrees, but do you know how to implement or troubleshoot any of this? Likely not. I see this all the time within security. People can tell me volumes of opinion but cannot read basic syslog output or tell whether there is or isn't a problem.

    Take your pick. There is good and bad to the whole situation.

    - b/eads

  19. Are we having fun yet? UnixGuy's Avatar
    Join Date
    Mar 2008
    Posts
    3,355

    Certifications
    GCFA, eJPT, RHCE, Solaris 10, SNIA SCSP, Security+, Server+, ITILv3, CCNA (Expired)
    #18
    You learn A LOT when you do the certifications. It's not about passing an exam, but about doing the training course that gives you the skills to pass the exam.

    It's also a road map for you to learn certain topics.


    Plus the expectations are SO HIGH on InfoSec professionals.
    Goal: GCFA (DONE), GPEN

  20. Senior Member
    Join Date
    Sep 2016
    Location
    VA
    Posts
    420

    Certifications
    CISSP, PMP, CCNP, FITSP-M
    #19
    If you aren't moving forward, you're moving backward. People chase certifications because they want to learn new things and show they have achieved a certain level of competency. People also do it because IT isn't like many jobs where you don't have to keep learning; they want to be ready in case they need to look for another job. Show me two candidates, one that has six-year-old certs and nothing recent, and one who has earned 2-3 more in that time, and I know who I'll select for the job.
    2017: CCNP (done), FITSI-M (done) CCIE Written
    2018: CCIE R/S
    2019: VCP (DCV/NV), OSCP
    2020-1: MBA

  21. Senior Member
    Join Date
    May 2006
    Posts
    1,939

    Certifications
    CISSP, CCSP, eJPT, ITIL,PA ACE,Qualys Certified Specialist, A+
    #20
    Quote Originally Posted by ITHokie
    GRC and management types do this, but I wonder if people in established technical security roles do. There is literally no chance I would ever pursue CISA or CISM. CISSP is more than enough.

    As for reasons to have multiple technical certifications, I think that was answered pretty well by others in this thread. The most important for me is to be continuously developing knowledge and skills that can better equip me to protect the organizations I work for.
    I considered doing this; I'm somewhat in between, though, with technical and non-technical compliance tasks and projects. I have the CISM book and want to get the DB, because the book is unreadable.

  22. Member
    Join Date
    Jun 2016
    Location
    Illinois
    Posts
    35

    Certifications
    MSIS (Information Systems Security), CASP, CEHV9, CCENT, Security +, Network +
    #21
    What everybody else said plus the need for CPEs.

  23. Junior Member
    Join Date
    Oct 2017
    Posts
    24
    #22
    Wow. You guys are phenomenal. Amazing replies. I never expected to see so many points listed; indeed, it is very encouraging to see what motivates and moves the go-getters. Thank you all for replying, and keep it up.

  24. Member Hornswoggler's Avatar
    Join Date
    Jun 2017
    Posts
    52

    Certifications
    A+, MCSE NT 4.0, CCNA, MCSE Win2k, CISSP, GCIH, CCSK, GPEN, OSCP
    #23
    Some thoughts:


    1. It's a blast
    2. InfoSec tends to be the "best of the best" and a motivated bunch
    3. We need to understand other IT roles so we can advise and consult
    4. We wear many hats: from "thinking like a manager" to "thinking like a hacker"
    5. Collecting CPE credits once part of this circus..
    6. Helps build confidence, competence, and respect at work
    7. Certs are good but the knowledge gained and being able to apply it is the prize
    8. It separates those who truly belong here from the bandwagon jumpers
    9. With these skills/certs, I'll never go hungry
    2018: Linux+, eWPT/GWAPT

  25. Senior Member
    Join Date
    Mar 2011
    Location
    Chicago
    Posts
    1,312

    Certifications
    CISSP-ISSAP, HCISPP GPEN, GSEC, GSNA, GCIH, E|CH, ECSA, Security+
    #24
    Quote Originally Posted by Hornswoggler
    Some thoughts:


    1. It's a blast
    2. InfoSec tends to be the "best of the best" and a motivated bunch
    3. We need to understand other IT roles so we can advise and consult
    4. We wear many hats: from "thinking like a manager" to "thinking like a hacker"
    5. Collecting CPE credits once part of this circus..
    6. Helps build confidence, competence, and respect at work
    7. Certs are good but the knowledge gained and being able to apply it is the prize
    8. It separates those who truly belong here from the bandwagon jumpers
    9. With these skills/certs, I'll never go hungry
    10. You can never be too "good" at reading endless logs and explaining the 18 elements of HIPAA for the 6th time in a day.

    The rest I agree with, at least to some degree of confidence. I know more about how the network actually works than the architects and SMEs from other areas, allowing me the privilege of reading my normal security logs somewhere between 11:30 AM and 1:30 PM most days. Walking in the door usually means someone is waiting for me at 8:00 AM with something "critical".

    What does this have to do with certs? Not much. I will learn the things appropriate for my position on my own. After a point it's just a paper chase for CPEs and a renewal game. Too many certs, or too broad, and I get extremely suspicious. There is a rather impolite phrase that relates, but I will keep it clean here.

    You get all the certs you want.

    - b/eads