CompTIA just released a new version of the CompTIA Security+ exam, a tool used by IT professionals in information security. Could you explain the changes to the exam? Will the changes potentially make the exam easier or more difficult, or make the credential more or less valuable?
The Security+ certification was designed to introduce people with some existing technical knowledge and two years of experience in IT administration to the world of information security. Although no job in information security can really be classified as entry level, this certification has become the starting point for a career in this highly technical field.
The U.S. Department of Defense includes Security+ as one of the mandatory security training requirements for government employees to meet under directive 8570. This directive, combined with the low minimum requirement for previous experience, has driven this certification to become one of the most popular choices for candidates looking to enter the information security field.
Technology is rapidly evolving and CompTIA, the creator of Security+, made changes to keep the certification relevant amid all of these advancements. The new exam covers technologies including virtualization, cloud services, encryption and authentication. There is additional focus on identifying both technical and social engineering attacks. The potential risks of social networking are examined, as well as logical network segmentation and writing effective access control lists. IPv6 is also touched on, and there is a lot of attention around understanding public key cryptography.
CompTIA maintains that the new exam is not meant to be any more difficult than the previous exam. The goal of updating it is to stay current with technology and not increase difficulty. However, there have been some changes to the types of questions included on the exam. There is still a maximum of 90 questions, but some of them are now performance-based instead of the traditional multiple choice. Performance-based questions were first introduced in the higher-level CASP (CompTIA Advanced Security Practitioner) certification exam and now have found their way into Security+. These questions present the candidate with various scenarios where they must solve a problem in a simulated environment. This adds a higher level of validity to the certification, but could also increase difficulty for those without hands-on experience.
The changes that CompTIA has made to Security+ should keep it relevant as an entry-level information security certification for the next several years. The updated exam offers an overview of security risks inherent in many of the newer technologies that weren't as prevalent when the exam was last revised. The addition of the performance-based questions also adds more legitimacy to the certification in the eyes of current information security practitioners. This opinion is somewhat offset by the previous experience requirement of only two years, but is appropriate for entry-level positions. Overall, Security+ is valuable to anyone looking to learn more about the field or get started in an information security career.