CompTIA touts its Security+ as the first security certification a candidate should earn. This entry-level certification is commonly pursued by people who have little cybersecurity experience, are working in another area of IT and looking to move to security, or simply want to expand their infosec knowledge. It is a certification where the person can read the book, watch the video course and go take the test, said Mike Chapple, professor at the University of Notre Dame’s Mendoza College of Business and co-author of CompTIA Security+ Study Guide Exam SY0-601, Eighth Edition, published by Wiley.
“People use it as a steppingstone to get a little bit of knowledge under their belts and be able to prove to a potential employer they have that broad sense of knowledge and are ready to go for their first big cybersecurity role,” Chapple added.
Before taking the plunge, Chapple and study guide co-author David Seidl, vice president of IT and CIO at Miami University in Oxford, Ohio, have some advice for certification hopefuls. Here, they discuss what to expect before, during and after the exam, including study tips, career paths, post-certification tasks and more.
While there are no formal prerequisites to take the Security+ exam, do you have any recommendations for what should be completed prior?
David Seidl: People who have their Network+ certification have a little bit of a leg up in terms of networking technologies and concepts, and we frequently recommend both Security+ and Network+ for your security career. But it’s definitely not required; it’s just one of those nice-to-haves in some cases.
Are there any topics on the Security+ exam you find more difficult for test-takers?
Seidl: People often get themselves wound up on the test itself. You can rule out two of the answers for the multiple-choice questions, in most cases. There are also scenarios where CompTIA is testing out new questions and responses — you’ll see something completely unfamiliar, and that may throw you off. Those can usually be ruled out, too.
My advice is to go through each section of the study guide and take the practice tests. If you’re getting 80% to 85% on a section, you’re doing really well. If you’re getting 40% on a section, you know where you need to study more.
Most of the people I’ve talked to have weak spots unique to them — it’s not a consistent weak spot for the exam.
Mike Chapple: The challenge with an exam like this is it covers a lot of ground. There’s no way anybody has experience in all these things. No matter what your background and experience, there are going to be things on the exam that you haven’t encountered in the workplace before. Realizing that and taking a broad approach to focus on areas where you don’t have the background from your work experience is super important.
When it comes to things that commonly trip people up, they often get worked up about the cryptography content. It’s a little intimidating, but we try to explain it in plain English as much as we can in the book. We focus on the fundamental concepts: knowing what encryption and decryption are, the difference between symmetric and asymmetric cryptography, and which keys are used in different scenarios. There’s also understanding which cryptography protocols are secure and which are outdated. Encryption is just one of those things you have to buckle down and learn.
Are there any other resources available to help prepare for the Security+ exam?
Chapple: On my website, CertMike.com, I put together study plans for Security+ and other major security certifications. These plans tie together our books, video courses and practice tests in a week-by-week, coherent approach to help students prepare for the exam.
What advice do you have for taking the exam?
Chapple: One of the great things about Security+ is you can move back and forth through the exam. I recommend people take one pass through the exam fairly quickly — read the questions, mark down where you know the right answers. This will make you comfortable with what’s ahead. Plus, just reading some questions might prompt you with a little information that’s helpful on another answer.
After that first pass, go back to the beginning, and go through again more slowly. Think about it more carefully, and check your answers. There’s a ‘mark question’ option in the software where you can mark questions you’re not certain about. Then, if you have time left, you can make a third pass through and focus only on those marked questions.
There are some performance-based questions on the exam, where you’re asked to manipulate something or do some matching or place network components, for example. Those are somewhat intimidating and time-consuming. I encourage people to skip past those and do them later. Answer all the multiple-choice questions first because that’s the bulk of the questions and the bulk of the points. Go back, and look at those performance-based questions later.
Seidl: The same thing applies in Security+ as in all CompTIA exams: Don’t second-guess yourself. Spending an hour going back and changing your answers can really mess you up. Don’t overthink things. You’re going to miss a few questions — and that’s OK. It’s, ‘OK, I’ve agonized over this. I’m down to two. I’m going to flip the coin and move on.’ It is more important to finish the exam than to get that one question right.
One of the nice things about an entry-level certification like Security+ is that it can help you get a little taste of each of those components and find the ones most appealing to you.
What certification(s) come after Security+?
Chapple: There are two common paths people follow. One is to specialize in different areas of cybersecurity — there’s a whole set of specific certifications, for example, CompTIA Cybersecurity Analyst+ or PenTest+. Such certifications steer you toward a specific field that you can grow and develop expertise in. The other path is the security generalist path, where you want to become a senior security person but not focused on one particular area. The normal path for that is to get the CISSP and other security leadership certifications, such as the Certified Information Security Manager.
Seidl: One of the nice things about an entry-level certification like Security+ is that it can help you get a little taste of each of those components and find the ones most appealing to you. You can get some guidance as to what you might want to do next once you’ve got that foundation built.
Where will the Security+ certification lead in terms of a career path?
Seidl: A lot of the time, it’s an entry-level security job — it may get you into an entry-level security operations center job, entry-level vulnerability management or maybe some early incident response. You also see people who are in a security role already coming back and getting the certification as part of a chain to move them along their career path.
A lot of folks we see are looking for a career hop — a help desk person who wants to move into security or a sys admin who wants a change. They’ll try this certification to make sure it’s what they want to do. It also gets them the credentials to say, ‘Look, I do this other thing as my day job. But I would now like to switch. I’ve committed to doing this amount of training and this amount of certification.’
Chapple: People often wind up approaching a certification because somebody is forcing them to do it. This particularly happens in the military and defense space, where there are requirements around what certifications people who either work directly for the Department of Defense or are DoD contractors have to hold. Often, people are in a job already and then find, because of the way their job is being reclassified, that they need a certification within a certain amount of time.
What should certification holders be aware of post-exam?
Chapple: You don’t have to recertify as long as you maintain your continuing professional education [CPE] hours.
Seidl: But there’s a bit of a CPE treadmill to be aware of. If you don’t keep walking, you suddenly have to run really fast — and it can be hard to do that. Not having to take the test again is an ideal circumstance. Spend time thinking about maintenance. People who work directly in a security job are going to acquire CPEs just because they’re doing their job. Others have to be more intentional, especially if you are security-adjacent, as opposed to directly in security.
Any other advice to help people with Security+ certification and their security careers in general?
Chapple: The most important advice I can offer people is to just get started. If you’re thinking about pursuing Security+ or any other certification, know that it does take the commitment of time and energy. But get the book. Sign up for a course. The only way to get from point A to point B is to begin that journey and make some progress.
Seidl: I tell people that this is an enjoyable career because there’s something new all the time. If you are a person who is naturally inquisitive about how things work, if you like to solve problems, if you are interested in how things break — all of those are reasons to get into security and have a really rewarding career. Plus, there are a bunch of different flavors of security. Once you get into it, you’ll find out that it’s not just doing forensics, firewalls or incident response. You can do a wide range of things. I’m a CIO who was a security analyst when he started his career. Security is a path that can lead you to all kinds of interesting jobs.