Do you know the phrase “a perfect storm?” It’s that situation where unrelated factors combine and amplify together, all to create something really spectacular. That’s what is going on right now with CompTIA’s Security+ certification. Factors such a long legacy, a strong reliance across the industry, and a sunset in the current exam version all form the perfect storm for anyone who doesn’t yet have this certification. And one more factor remains: an upcoming surge in credibility (more on that later). The bottom line is this: if you don’t have the Security+ certification yet, you should get it now. But before you do, read about each factor in detail below.
The CompTIA Security+ certification is nearing its tenth year. For some people, 10 years is not a long time, but it means Security+ came before YouTube and Facebook. The very first iPod was released 10 years ago, as was the first USB flash drive. In terms of security certifications, Security+ predates ISACA’s CISM and Red Hat’s Certified Security Specialist.
In the information security field, 10 years seems a much longer time. Information security has matured a great deal in only 10 years, seeing new focus on areas like identity management, risk management and governance. IT professionals familiar with keeping financial information secure will remember the Sarbanes-Oxley Act was enacted in July 2002 (heyalso less than 10 years old!). Indeed, a lot of ground was covered in only the past 10 years. And the Security+ certification has lived through it all.
Industry Respect for Security+
Just because something is older doesn’t make it better. But in this case, maybe it does. I find the Security+ increasingly becoming a baseline. Take, for example, how the Security+ certification gets used as a prerequisite toward a higher level certification. The most well-used case is in Microsoft’s Microsoft Certified System Engineer, where a person seeking their MCSE can use CompTIA’s Security+ as an elective. In fact, CompTIA is the only third-party option available to Microsoft MCSE certification seekers. For Microsoft’s security specialization, again, the CompTIA Security+ is an alternative to Microsoft’s own security courses. This kind of endorsement creates a considerable level of credibility for the Security+. This credibility comes unbiased, from both the private and public sectors.
The CompTIA Security+ certification is vendor-neutral. This means the certification is not biased, does not promote, nor heavily dependent on a strong familiarity of one vendor. This means when talking about identify management, for example, you are not going to miss a question because you aren’t overly familiar with implementing Cisco products. Nor are you bound to focus on one solution provider such as Microsoft.
Endorsement in the Public Sector
It’s not just private companies that leverage how popular the Security+ certification is. The public sector refers to it as well in defining job requirements and training. For example, the United States Department of Defense (DoD) has manual 8570.01M (last updated April 2010), which describes the training and certification requirements for all Information Assurance professionals within the DoD. That includes all the US military, the Pentagon, the NSA and the rest of the 3 million employees and service members.
The DoD manual describes the requirements of “IAT” or Information Assurance Technical personnel at particular levels within the DoD. In the manual’s words: “The IA workforce focuses on the operation and management of IA capabilities for DoD systems and networks.” Regarding Department of Defense information assurance technical and managerial personnel, there are three possible levels. The manual details experience and training requirements for all three levels. For example, an IAT Level 3 person is more qualified than an IAT Level 1 person.
But how does this manual (and DoD) regard the Security+ certification? According to the manual, an IAT Level 2 person “normally has at least 3 years in IA technology or a related area” to be considered qualified. However, if a person holds the Security+ certification, that person now meets the minimum requirements for IAT lLevel 2 work.
Yes, the Security+ certification qualifies a person for IAT Level 2 work, a position for someone assumedly having “at least 3 years” experience. Bear in mind that even CompTIA does not require but only recommends 2 years’ experience before taking the Security+ exam. This is because the Security+ is designated as a “DoD approved certification” for IAT Levels 1 and 2, and IAM (management) Level 1 positions.
All told, there are noticeable shifts in how the industryboth private and publicvaluate the Security+ certification. In every case, it seems to reflect a growing respect for the Security+, so I feel the investment spent in gaining the certification is bound to pay off.
Changeover in exam version
CompTIA is noticing that growing respect, too. Perhaps one response is their recent, complete makeover of the exam. Earlier this year, CompTIA released a new revision of the popular exam, the exam’s third version since its start in 2002. And the revision is timed with yet another “perfect storm” factor, to be explained later. It’s enough to say their timing was well-thought out. This can be good and bad news.
The good news, as we discussed above, is that CompTIA is continuing to improve upon the certification. The bad news, if you’re the kind of certification student that relies on notes and experience from past students, is that a new revision means new areas of study with completely new questions. Depending on the source, study guides could be edited and honed multiple times during one exam revision. In contract, a new exam revision means untested territory for study guide providers. In short, study guides of “today” are of little help for the exam of “tomorrow.”
If you are such a student, don’t worry there’s hope. According to CompTIA, the expiring exam revision of the Security+ exam will be available until December 31, 2011. That extends the value of study guides and such through the end of the year. But the end of the year is coming fast.
To be certain, we’re talking about the same exam revisions. The new revision is SY0-301 and has been available to exam takers since May 2011. However, the expiring exam revision is called SY0-201 and is available to you until the end of the year, as noted per the CompTIA website.
Remember in the introduction I added another important factor, an upcoming surge in credibility? Let me explain.
Last year, CompTIA announced they will remove the “open-ended” trait from their three foundation certifications, of which Security+ is the most senior. What does that mean? In the past, if you got a Security+ certification, you keep it for life, regardless of any effort to upkeep or exercise it. No more “free ride” now.
This means holders will need to demonstrate their ongoing practice by recording a number of activities such as teaching, publishing, or attending conferences. This should sound familiar to many certification holders who already have to record their Continuing Education Units or CEUs. Now, Security+ becomes one more certification where you can apply the same conference.
Why do I consider this a smart move? Simply put, much more credibility is given to certifications kept up-to-date compared to ones given “for life.” Five years from now, you can be sure those certified as Security+ are dedicated to their trade. And so will employers.
In SummaryA Perfect Storm
Remember I called this the “perfect storm”? A perfect storm is what this is because of the timing of multiple factors. The factors include its legacy and the certification’s growing respect, the waning availability of the older exam revision, and the removal of the certification’s “open-ended” quality. All told, the timing for getting this certification couldn’t be better. Waste no more time and secure a seat to take this certification.