Passing the CompTIA Security+ exam

Some thoughts about the preparation and the exam and some tips for future test-takers


In July 2020 I obtained the CompTIA Security+ certification. In this post, I try to answer some questions that interested readers may have.

What is the CompTIA Security+ certification?

The CompTIA Security+ certification is an exam that assesses whether you have the basic skills in six core domains of Information Security:
  • Threats, Attacks and Vulnerabilities
  • Technologies and Tools
  • Architecture and Design
  • Identity and Access Management
  • Risk Management
  • Cryptography and PKI
It is a vendor-neutral certification. This means that, apart from some basic Linux or Windows commands, you won't need to learn commands or actions specific to a given vendor. This is good, because the exam is sufficiently abstract to give you a global vision of Information Security. You will be asked, for instance, what the role of a firewall is, and maybe you will find a question during the exam that asks you to set proper rules in its Access Control List, but this only validates that you know the ideas and which operations you have to carry out. You will never be asked the exact command or syntax to add a rule on a Cisco or a Palo Alto device, and so on.
So the first key point of this exam is abstraction. The second is extension. If you take a look at the exam objectives, you will see a very long list. This means that, in order to pass the exam, you must know a lot of concepts and tools related to information security. However, you are not required to know any of these concepts thoroughly. This may be a difficulty, because having to know a lot of things without digging much under the surface of each concept may lead to confusion, and it may be quite easy, for example, to mistake one encryption scheme for another. What helps here is already having working experience in the field. Or having studied well.

How much time do I need to prepare for the exam?

The CompTIA Security+ certification is a quite general Information Security certification that covers the core domains of Information Security. This is the reason why people suggest taking this certification at the beginning of a cyber security career. However, entry-level certification does not mean easy certification. The area covered by the exam is wide and you need to know several topics to pass. As an example, when I started to study for the exam my background was the following: a bachelor's degree in Computer Engineering, a master's degree in Computer Science and Networking, 18 months of experience as an HVAC/IT technician and almost one year of experience in the R&D of a Cyber Security startup. I didn't know all the topics covered in the CompTIA Security+ exam, so studying the things that I did not study during my University years and did not practice at work has been undoubtedly useful. On the other hand, there were exam objectives that I had already studied in depth, so the requirements of CompTIA seemed a joke to me. I studied after work, trying to do a few things per day but constantly, and it took me some months to feel comfortable enough to take the exam. I passed on the first try, but as I mentioned the exam is not a joke, so you have to prepare seriously. Taking simulation tests may be useful, but I liked neither the unofficial app that you can find on Google Play nor the printed book of 'practice tests', because in my opinion their answers were not always correct. Instead, I really appreciated the questions in Darril Gibson's book. I suggest that, after you have studied, you take the Glossary of Darril Gibson's Security+ book and, without reading the descriptions, check whether you know the items. When you know all the items in the glossary you are ready for the exam!

Is the CompTIA Security+ certification useful?

I think that usefulness depends on your goal. If you want to find a job in Cybersecurity, or advance your career in this field, then for you usefulness is related to how much this certification is taken into account by recruiters. If, instead, you are interested in this certification for its topics, then for you usefulness is related to how much you have learnt once you have passed the exam. In the former case, I think that how much this certification is taken into account depends on your background and on each specific company. For instance, if you have no previous working experience in this field but you have the CompTIA Security+ certification, then overall your CV has a certain weight. Instead, if you already have experience in some of the information security fields and then you get this (and maybe even other) certification, then overall your CV will have a bigger weight, I guess. As an example, if you look on forums like Quora, Reddit or Facebook groups, there are people who say that they started with a CompTIA A+ certification or similar, got a job in helpdesk, and then took other certifications while working in the field and managed to advance their career. Then it depends on the company. Gayle Laakmann McDowell, author of Cracking the Coding Interview, affirms that it is even better to remove any certification from your CV when applying to big tech companies like Google, Amazon, Microsoft and so on. So, it seems that people have different ideas regarding whether or not taking certifications with the goal of getting a (better) job is a good idea. So let's pass to the latter, and in my opinion more interesting, goal of a certification: getting knowledge. I think that every time you put in the effort to learn something new you are doing good. A certification is no different. Personally, I wouldn't take a certification which covers topics that I already know perfectly, just to add a badge to my LinkedIn resume.
And when talking about the topics of Information Security I like to discuss the concepts, not the certifications. I think that just showing certifications is a bureaucratic attitude, while a good technician could possess certifications, obviously, but would enthusiastically speak about technology.

Which study material should I get?

I will list the study material that I used for my exam, with a brief review of each item.
  • Mike Meyers' CompTIA Security+: Thomas Stearns Eliot wrote The Waste Land in 1922. Well, this instead is Wasted Time in 2020. Let me explain better. Mike Meyers will give you a well formatted book, with a CD-ROM and access to some of his videos where he tries to be as interactive as possible. Well, the content of the book is poor. The topics are covered really superficially (too much so even for the CompTIA Security+ exam!). Some parts are pure cut-and-paste of other parts. It does not highlight the important parts. Reading it won't hurt, but I would not recommend it.
  • CompTIA Security+ Practice Tests: Exam SY0-501: I took this book and did almost half of the tests inside, but finally I gave it up because in my opinion a lot of questions are ambiguous, and some answers are even wrong. As a side note: during the exam, no question was as ambiguous as the questions in this book. I do not recommend it, but maybe I could be wrong.
  • CompTIA Security+ questions on Google Play: Ok, you do not have to pay to use this app, so maybe you can give it a try. But some questions are REALLY similar to the questions in printed books, making me wonder if it was even plagiarism.
  • Academic/Working Experience: This never hurts. If you have it, use it!
  • Darril Gibson's Get Certified Get Ahead: If you only pick one book, pick this one! The theory is explained really well, he knows how much CompTIA is going to ask you about each topic, and it has very good practice questions too!