Every time I log onto Reddit or LinkedIn I am guaranteed to stumble across a conversation about IT certification. It's something I've given a lot of thought to. About ten years ago I created my own personal roadmap. So here is my perspective and a bit about my journey. I'm going to focus mostly on security certifications, but a lot of what I say can be extrapolated to IT certs in general.
First, what is a certification? Most certifications are essentially an attestation from a professional organization that you know a specific domain of knowledge or technology. You give time and money to a professional organization or certification body, usually by taking an exam, and if you meet their threshold, they certify you as a subject matter expert. For example, Cisco offers certifications on its own technology lines. In exchange for money and a passing exam score, Cisco will give you a piece of paper that says you know Cisco equipment and how a network operates. You can then show that to potential employers to help you get a job, or to your current employer to help you get a raise. Another example is the International Information System Security Certification Consortium, or ISC2. They are a nonprofit. Unlike Cisco, they certify that you have a professional level of knowledge in a specific security domain rather than in a specific vendor's technology or equipment. That is what is called "vendor neutral".
I like to think about certifications as investments. It's a way to invest in my career advancement. No one will care as much about your career as you will, so take time to think about how you want to chart a course. Make a plan for your career; a 2-5 year plan is a good horizon. How do certifications fit into that plan? I started keeping a professional development plan document several years ago. I use it to create and track my career goals, and then identify and align certifications with those goals. The time and money I spend is my investment in achieving them. But here is the thing about investments: you want to choose wisely so they have a net positive return. Return on Investment, or ROI, is a way to look at certifications from the perspective of "Will I get more back than what I put into this?" For example, say it will cost $2000 for training material plus at least 80 hours of study time to get your desired certification. Can you project how much of a pay increase having the certification will get you? Knowing that will help you determine the ROI. Could you find the training material at a lower cost? What is the opportunity cost of those 80 hours? Are you giving up sleep or time with family? Those are all items you must factor in.
Another ROI item is re-certification. Most technology and security certifications are good for a certain amount of time after you pass the exam. Then they expire. The length of time varies from one organization to another. ISC2 certifications are good for three years. On the other hand, Microsoft's current role-based certifications expire after a single year. There are still a few certifications out there that never expire; TCM Security has several pen-testing related certifications that never expire. The expiration period is usually driven by updates to vendor technology or by US Department of Defense workforce requirements (DoD 8570, now 8140), which many certifications are used to satisfy for certain types of employment roles. Where the ROI comes in is determining the amount of effort required to maintain the certification and keep it from expiring. Many certifications will now let you use continuing education credits to satisfy the re-certification requirements, but some will require you to re-take the latest exam. Do your research and decide for yourself what fits your individual career plan. For myself, I avoid certifications that won't allow me to use continuing education credits. One of the huge upsides of using them is that you can count them towards multiple certifications. I hold three separate security certifications, so if I take a single course that counts as 40 credits I can apply those 40 against all three of them. That's great bang for the buck and good ROI. Do check each body's continuing education policy, though; they differ on which activities count and some cap the number of credits allowed per category.
Which certification is the right certification? When I started mapping out career objectives and aligning them to certifications, I took the approach of looking for the jobs I wanted and then seeing which certifications were listed. When you look at online job listings, they will almost always list some required or preferred certifications. If you want an entry level IT job, most of the time you'll see the A+ and Network+ certifications listed. But what if you want to be a Cloud Security Engineer? The easiest thing to do is find multiple listings for that title and aggregate the most common certifications. Another great resource, at least for security certifications, is Paul Jerimy's website. It does an amazing job of mapping certifications from beginner to expert level across a broad range of security domains, from Governance, Risk and Compliance to pen-testing and more. You can find the site here: https://pauljerimy.com/security-certification-roadmap/
I think I will have more posts about my own certification experience in the near future. Right now I am studying for the Certified Secure Software Lifecycle Professional (CSSLP), which is offered by ISC2. It has some overlap with CISSP and CCSP, so I already have some of the knowledge I need. But it's also an exam that doesn't have very current study material, so I am on a bit of an adventure as I gather material.
One more good resource for most certifications is Reddit. Just about every technology and security certification has its own subreddit. They are great starting places for researching and gathering study material.
That’s all for now! Good luck and happy studying!