Hacker News
by hazmazlaz 2771 days ago
Certifications are a way to bypass HR filters, and allow you to negotiate higher salaries. I agree that in terms of imparting actual skills and knowledge they are of minimal value. Being mentored by your peers, being involved in the community, and learning by doing are by far the best ways to learn Security. Certificates are relatively easy to earn and have high ROI in terms of salary and negotiating power in my experience.

This is what everyone who voluntarily paid for a certificate tells themselves. As a hiring manager (for ~10 years now) in software security who talks to a lot of other hiring managers, I am pretty confident that the supposed ROI for certification is not there. Also: if you're dealing directly with HR filters when trying to get a job somewhere, you're already playing to lose. A much higher ROI would be gained by learning how to seriously pursue a targeted role.
Thank you for sharing your experience. I think there is a lot of truth in what you said. It is probably very situation dependent - in my case getting that first cert and paying out of pocket is how I broke in from IT Ops and got my first security consulting gig. The resulting pay bump paid for the cost of the cert in 6 months. For all certs thereafter I've had my employers pay for it as part of a benefits package. Obviously this is only a single data point, but many of my colleagues have similar stories so I feel like it can't be completely unique to me. YMMV.
The value of a (good) certification is that Rumsfeld’s Law applies: you don’t know what you don’t know. Even if you never finish the programme you will at least pick up an idea of what you need to learn, the common vocabulary etc.
If you want to pay for a forcing function, that's fine, but be clear with yourself that that's all you're really paying for.

Certainly I would push back hard on the idea that a certification of any sort is something you need to obtain a first job in the field.