Over the last decade or so, IT security has exploded as a field, both in terms of the complexity and breadth of the subject matter, and the opportunities available to security-focused IT professionals. Security has become an inherent part of everything in IT, from network management to web, application and database development. But even with the increased focus on security, there is still much work to be done in the field, and opportunities for security-minded IT professionals aren’t likely to decrease any time soon.
For those who are already in the IT security field, or who want to move into it, there is a range of certifications and training options for learning IT security and demonstrating that knowledge to current and potential employers. However, many of the more advanced security certifications require a level of knowledge, experience and commitment that is out of reach for newer IT professionals.
A good certification for demonstrating foundational security knowledge is the CompTIA Security+. Unlike certifications such as the CISSP or the CISM, the Security+ has no mandatory experience requirement or prerequisites, although CompTIA recommends that candidates have at least two years of hands-on experience, with networking in general and security in particular. CompTIA also suggests that Security+ candidates hold the CompTIA Network+ certification first, but does not require it.
Even though the Security+ is more of an entry-level certification than the others mentioned, it is still valuable in its own right. The Security+ is one of the baseline certifications approved for US Department of Defense information assurance roles under DoD Directive 8570, and it is accredited by the American National Standards Institute (ANSI) against the ISO/IEC 17024 standard for personnel certification programs. Another benefit of the Security+ is that it is vendor-neutral: it covers security topics and technologies in general rather than any one vendor's products and approach.
Topics Covered by the Security+ Examination
The Security+ is a generalist certification, meaning that it evaluates a candidate's knowledge across a range of knowledge domains rather than focusing on any one area of IT. So, instead of concentrating on application security only, say, the questions on the Security+ cover a broader range of topics, organized according to the six primary knowledge domains defined by CompTIA (the percentage next to each domain indicates its share of the exam questions):
- Network Security (21%)
- Compliance and Operational Security (18%)
- Threats and Vulnerabilities (21%)
- Application, Data, and Host Security (16%)
- Access Control and Identity Management (13%)
- Cryptography (11%)
The exam draws questions from all of the domains above, although it is weighted to give more emphasis to some areas than others: you can expect nearly twice as many questions on network security as on cryptography, for example. That said, you should not focus your studying on any one area, especially if doing so leads you to neglect the others. A good, broad knowledge of all of the domains listed above remains the best way to prepare for the test.
Only one exam is required to earn the Security+ certification. That exam (SY0-301) consists of 100 questions and is given over a 90-minute period. Scores are reported on a scale from 100 to 900, with a passing score of 750. Note that this is a scaled score, not a percentage of correct answers: 750 out of 900 works out to roughly 83%, but the number of questions you must answer correctly to reach it depends on the difficulty of the questions on your particular exam form, and CompTIA adjusts the scaling over time.
In addition to the Security+, CompTIA offers a more advanced certification, the CompTIA Advanced Security Practitioner (CASP), providing a progressive certification path for those who want to continue their security career and studies. Like the Security+, the CASP covers security knowledge across a number of knowledge domains, but the depth and complexity of the questions asked on the CASP exam exceed those of the Security+.
CompTIA also offers certifications in other areas of IT, including networking, project management and systems administration. And if security is your chosen field, you might consider other certifications such as the CISSP or the CEH, or a vendor-specific certification such as the Cisco CCNA Security or the Check Point Certified Security Administrator (CCSA), to extend and deepen your knowledge of security.