Security Certifications from CompTIA
Have you thought about taking your security training to the next level? We interviewed Carol Balkcom, director of product management at CompTIA, to learn more about CompTIA's security certifications and how they can help IT pros run a tighter ship.
Techopedia: Many know CompTIA for its A+ certification. Tell us about your other security offerings.
Carol Balkcom: CompTIA Security+ is our first exam devoted entirely to security, and it was originally launched in 2002. All of our exams are "vendor neutral", meaning that they aren’t tied to any one vendor’s products - and Security+ is no exception.
CompTIA A+ and Network+ also have security components in them, because of course today’s support technicians and network administrators must also be knowledgeable about security. As an aside, all three of these exams (A+, Network+, Security+) are on the U.S. Department of Defense Directive 8570 that requires certification for information assurance personnel. As a result, a large number of professionals have taken these certifications over the last few years.
To get back to our security offerings, earlier this year we formally launched the first in CompTIA’s "Mastery" series of exams, our CompTIA Advanced Security Practitioner (CASP).
Techopedia: Tell us more about Security+. What major subject areas are covered and who is the primary audience?
Carol Balkcom: The primary audience for Security+ is IT professionals with two or more years of hands-on, technical information security experience. There are Security+ certified professionals in all types of organizations, from the U.S. Navy to General Mills to the Archdiocese of Philadelphia.
As to the subject areas in Security+, the broad knowledge "domains" are network security, compliance and operational security, threats and vulnerabilities, application, data and host security, access control and identity management, and cryptography.
Techopedia: What about CASP? Can you tell us more about the designation?
Carol Balkcom: For the CompTIA Advanced Security Practitioner (CASP), we recommend at least 10 years in IT and five years of hands-on technical security experience. It is intended for the security architect working in a large, multi-location organization. The CASP also looks at the security implications of business decisions, such as the acquisition of one company by another, as an example.
Techopedia: What was the rationale for developing the CASP?
Carol Balkcom: The idea for the CASP originated with discussions with the U.S. Department of Defense several years ago. We were told that they wanted a more technical exam for the "IA Technical Level III" job role in Directive 8570. The directive mandates certification of all personnel engaged in information assurance activities. The tech level III is basically the person who specifies and oversees enterprise (a multi-location networked environment, which the military calls "enclave") security. This person is required to have deep technical security skills.
But before CompTIA develops any certification, we look for industry validation of the need for it in the broader industry. So in one of our annual security surveys, we asked about whether there was an industry need for an advanced security certification that was technical in nature. The survey responses confirmed that we should continue with development.
Techopedia: Not to highlight your competition, but many professionals are familiar with the CISSP. How does CASP differ from that certification?
Carol Balkcom: There were several subject matter experts involved in CASP development who are also CISSPs. The intent was not to develop an exam to compete with the CISSP, but to provide an advanced certification that is technical in nature. The CISSP has long been the gold standard for security professionals who make policy and are involved in security management. The CASP is intended to, as an example, measure the ability of a person to execute and implement risk mitigation strategies, including classifying information types into levels of CIA (confidentiality, integrity and availability) based on the organization or industry, and implementing the right kind of security controls.
Another significant difference between the CISSP and the CASP at this point in time is that the CASP contains some performance-based questions that must be answered by carrying out a task in connection with a given scenario using a software platform that requires the exam taker to make specific choices. The focus is on technical knowledge of the job and how to carry it out.
Techopedia: At an organization like CompTIA you must be on top of trends in the job market and what is hot in IT. Have you seen more demand in this area over the past years?
Carol Balkcom: This won’t surprise anyone, but the answer is yes. Partly driven by the U.S. government and by the need for government contractors (of whom there are many) to be certified in order to get work, IT certification has been on the rise. Corporate use of certification in hiring and employee incentive programs remains strong. Finally, we are seeing growth in developing regions such as Malaysia, the Middle East, Europe and Africa as governments provide funding for training and certification to address growing IT skills needs.
Techopedia: The age-old question is the value of a certification versus experience. Where do you weigh in?
Carol Balkcom: Certification is an indicator, not proof of the ability to perform. (Although the new performance-based questions that I mentioned earlier are a definite step in the direction of measuring actual skill.) Certification is an indicator that someone took the time and made the effort to learn what was needed to take and pass an exam. But certainly hands-on experience - even if the experience is only in labs during courses - is always preferred over certification alone.
Want to read more about IT certification? Check out Techopedia's IT Careers section.
For more info direct from CompTIA, see the official pages for Security+ and CASP.