cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Rayz
Newcomer I

Should I stop certifying? How many certificates is too many?

In the past 15 months, I successfully passed the following exams: gisf, cap, cissp, cisa, gstrt, cism, crisc, ccsp
Now I am preparing for cisa and cgeit after.
In my opinion, the piece of paper is very motivational and it keeps me reading and studying.
Do you think it would be beneficial for career to continue with certifications, or I should stop and take it easy since this is just weird 🙂
10 Replies
Dada19
Newcomer I

Hi Rayz

 

It's great you are going through the list but if you are not complementing those certs with practical knowledge/in your day-to-day work, it's better to stop.

 

 

BR

 

Dave

rslade
Influencer II

> Rayz (Newcomer I) posted a new topic in Career on 02-01-2019 04:29 PM in the

> In the past 15 months, I successfully passed the following exams: gisf, cap,
> cissp, cisa, gstrt, cism, crisc, ccsp Now I am preparing for cisa and cgeit
> after. In my opinion, the piece of paper is very motivational and it keeps me
> reading and studying. Do you think it would be beneficial for my career to
> continue with certifications, or I should stop and take it easy since this is
> just weird

I suspect that doing some actual work might help your career ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Death is a very dull, dreary affair, and my advice to you is to
have nothing whatever to do with it. - Somerset Maugham
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
AlecTrevelyan
Community Champion

I believe that certifications should be used to validate knowledge and experience.

 

However, there is nothing wrong with studying for certifications as a way of gaining knowledge. A couple of hours studying each night for 6-8 weeks is often enough to pass many of these exams, especially if you have practical experience in the subject - that's not exactly onerous, and is more productive than many other pastimes.

 

Additionally, in terms of maintaining the certifications, CPEs can often be applied to multiple certifications including those from across multiple certification bodies, so again it's not so onerous.

 

Although, in terms of career benefit, there is probably a saturation point which I suspect you've long since passed as your certs are all InfoSec related.

 

Depending on what your career aspirations are maybe look at studying things which will round out your skill set accordingly.

 

Caute_cautim
Community Champion

You should carry on doing certifications on a regular basis.  My suggestion is just keep on learning and developing and keeping abreast of the many issues facing us, which if you do so, will keep your CPE's in good shape.  One suggestion is digital badges, short and direct courses, which help you keep aware of different issues, soft skills, technology, which are digestible and relevant.

 

The principles taught within CISSP for instance, provides a baseline approach to tackling issues, you can apply those same principles to the majority of environments, but you do need to keep aware of different technologies and techniques: 

 

Suggestion:

https://upskillcreate.com/my-badges-challenge/

 

Keep maintaining your existing certifications, but you will need to supplement them, as the world is moving so far, it could take a number of years, before the true implications are known - use these opportunities for CPE's and self development.

 

Regards

 

Caute_cautim

 

 

 

CISOScott
Community Champion

Consider this point of view from a hiring manager's perspective. If all you have is certs with very little work experience to back it up, then I am going to question your ability to actually perform the work. If you have 10+ years of experience with these certs then that thought doesn't (usually) cross my mind. Now if you were doing these to get a degree (offered by some cert/degree providers) it also wouldn't be that bad of a thing.

Also a bunch of certs acquired in a very short amount of time MAY scream "I am good at test taking" and not "I am good in my field". The exception to this would be certs that build on each other. I used to recommend people take Security + and Network + before attempting CISSP. You might even have tried CEH before the CISSP. Those beginning certs help build your foundational knowledge towards the more advanced certs.

 

What is your purpose for taking so many certs? Is it to find job opportunities? To further your career where you are?

Caute_cautim
Community Champion

@CISOScottI think you picked up the wrong impression - let me state my argument again.  I work in an environment, in which digital transformation, Data Analytics, Cloud - Hybrid, Mutlicloud, Private, Dedicated, etc; Containers, Kubernetes; IoT/OT; Identity and Access; Mobile; and the expectation is to apply security architecture and principles to each and every business problem, in other words, it is ever changing, dynamically progressing and ever challenging in terms of complexity.   Yes, the base certifications are required for my employment, but in order to keep up with the evolution, one requires constant self development, I am expected to at least ensure I have 40 hours of "self development", per annum - this does not sound much at all.  However, in order to become an Expert Architect level - one has to do about 120 hours of effort in order to put together the necessary certification package, and attend the mandatory courses associated with it.  

 

Yes, one can sit on one's backside, if you wish and only maintain ones original certifications, but as far as I am encouraged, and the expectation is to continually develop myself to keep my skills up in terms of technology, processes and soft skills to stay relevant in an ever changing environment and from a security and privacy perspective ensure that "things" are not bypassed, forgotten to reduce the risk of an incident occurring further down the line.   Therefore, yes, certifications are important depending on the role, and level you are progressing towards, but in a modern day environment - which is constantly evolving, innovating, it is a challenge - which requires self motivation to ensure you are relevant.   Therefore to keep up, it is important to use such development systems such as "digital badges" stretching from 2 to 20 hours courses, to maintain and ensure one is still relevant.   Even my Architecture certification with the Open Group and within the organisation requires one to re-certify every three years - because things change.  You need certification to ensure you have the baselines, principles and proven skills - but above and beyond this, one needs to keep relevant in terms developing ones skills and to take any opportunities, which are available to do so.  

 

Take another example:  One might complete a PhD on a given specialist subject, which may be very narrow and not relevant - but the act of doing a degree, higher degree or research is all about teaching one to think, collate, research and obtain the appropriate skills to apply them to other circumstances and situations.     These are base skills, and ones does need to keep learning, developing and staying relevant - or one may marked for "transformation", certainly this is my experience from the "private" sector, having spent half my working days in the "public" sector as well.  

 

Yes, I agree you can do too many certifications - which is both costly and possibly not appropriate for the roles one is employed.   However, the days of done that, have gone, and things are rapidly developing, new innovations, new environments are being created both in a macro and micro sense - so in order to stay relevant, it is important to keep developing.  Certifications can be rather slow and cumbersome, whereas digital badges can assist keep one relevant in a dynamically changing, increasingly complex world.

 

Regards

 

Caute_cautim 

denbesten
Community Champion


@Caute_cautim wrote:

... in order to keep up with the evolution, one requires constant self development, I am expected to at least ensure I have 40 hours of "self development", per annum ...


131,800 of us demonstrate compliance with that expectation simply by keeping 5 letters ("CISSP") behind our name.

 

@CISOScott make an important point that a "quality resume" is more about all the pieces fitting together well and presenting a consistent story.   The link you presented includes an extreme example of opposite --"quantity over quality". Oliver Bodemer earned 250 IBM badges in about 15 months.  That does not paint a very good picture in two ways.  First,  I would hesitate to hire Oliver out of concern about his focus is on chasing badges, whereas I want someone that focuses on bringing value to my company.  Second, knowing one can earn an IBM badge every business day devalues the badges themselves.

Shannon
Community Champion

 


@Rayz wrote:

Do you think it would be beneficial for career to continue with certifications, or I should stop and take it easy since this is just weird 🙂

 

If you've got experience in IT Security, GRC, etc. & your career benefits from the certifications, they'll definitely contribute. As @Caute_cautim said, it's important to keep yourself updated in all of this.  With IT evolving at an ever-increasing pace, you have to keep up or get left behind.

 

Then again, ensuring your knowledge is up-to-date doesn't demand that you be certified, unless you want to prove that to an employer, in which case --- as @CISOScott pointed out --- certifications won't matter without a background in the field. (An exception would be organizations mandating certifications even for employees whose job responsibilities aren't related)

 

A lot of certifications under your belt may not hold your 'career' pants up if you lack the weight of experience.

 

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
CISOScott
Community Champion

True, @Caute_cautim,  I understand the need to keep up certifications and I take into consideration keeping up with the times when considering applicants for positions. If I feel they are too book heavy or are industry "word smart" I will ask questions that pertain to their experience and give them the chance to explain their experience.

 

I once had an applicant tell me they had "installed" over 132 servers at their current position. They spoke well and used correct terminology and on the surface seemed like a qualified candidate. Once I probed deeper like "What make and model were the servers?" they had no answer. They replied "I don't remember." I was looking for a server admin at the time and did not choose that candidate. This person had certifications but no real experience.

 

I have a dislike for applicants that sit on their backside and do not try to keep up with the trends in their industry. I have seen applicants complain that it took them 20 years to move up 5 levels when they were in a location that I did it in 4 years. I am a big believer in constant education. I constantly provide links to FREE training and improvement opportunities and sadly few of the ones I offer it too take me up on it. Yet they usually are the loudest complainers when they get passed over for promotion.

 

My response to the OP (Original Poster for those who don't know) was that not to get caught up in certifications just for the process of obtaining them, but to expand your knowledge in them. If you take the auditing cert then after you are done, review your company's audit process. Is it good, great or poor? What can you do to help improve it? Once you learn the audit process, how does it correlate to the security processes.

 

The best candidates (and subsequently great employees) I have hired usually have found a problem where they work, came up with a plan or took action to fix it, documented the improved process or procedures, taught others how to do it, and then went on to find other areas they could improve on and repeated this cycle. The ones who have just followed orders for 15 years and never "worked outside of their position description" (a.k.a "Not my job!) usually do not make great employees. They may be adequate employees, but I want rock stars. I provide the tools to become rock stars, but not the motivation.

 

My favorite line from your post is this: "- so in order to stay relevant, it is important to keep developing. "and I couldn't agree more.