At the end of August, CompTIA announced that its Security+ certification had passed a significant milestone, as the total count of credentials granted topped the 50,000 mark. Over the past six years since this certification made its initial debut in December, 2002, Security+ has slowly gained increasing acceptance and adoption as one of a small number of entry-level information security certifications worth pursuing.
That said, Security+ has played to mixed reviews from information security and certification experts, including yours truly. At various times, it’s been suggested that the exam has gotten a bit stale, wandered off-topic, and failed to cover important topics. With an average three-year update cycle (do the math) most of these observations tend to occur beyond the half-way point between exam refreshes. It’s possible that the CompTIA methodology and timing is more responsible for the occasional gaffes and gripes that get reported about its exams, including Security+.
That said, there’s a lot to like about the latest upcoming version of Security+, slated for release in Q4 2008, as a quick review of its draft objectives (in PDF format) will attest. As it has always done, the latest Security+ incarnation seeks to validate that individuals have at least 2 years experience in network administration with a security focus, including day-in, day-out security activity, along with broad basic knowledge of “security concerns and implementation.”
The original 5 domains in the exam’s body of knowledge have acquired another domain: assessments and audits (4), along with Systems Security (1), Network Infrastructure (2), Access Control (3), Cryptography (5) and Organizational Security (6, formerly known as “Operational Security”). These objectives have also been completely refreshed and overhauled, and deliver reasonably complete and comprehensive coverage of the information security landscape as we know it today.
In my last blog, I provided a list of certifications that the DoD has mandated for IT professionals whose responsibilities at various levels touch on information security. As I read over that list, I’d wondered about the suitability of Security+ in the Level 2 Technical Worker category. Now that I’ve revisited the requirements and objectives for this exam, I wonder no longer: Security+ is definitely worth further investigation and possiible pursuit, especially for those looking for a stepping stone to the CISSP. Just be sure to wait for the 2008 version to go live, and use preparation materials (books, practice tests, flash cards, and so forth) to match!