How I Passed CompTIA Security+

Simon Grant
Version 1
Mar 31, 2022

I picked security as one of my CPD KPIs for Q1 2022 and started formulating an exam plan to follow a security-related learning path. I am not a dedicated security person; I manage a team of Azure cloud consultants and administrators. So I’m not going to be a blue or red team person anytime soon - but just like all things, it’s not enough to say security is entirely down to the security team — everyone needs a security focus. Now more than ever.

I selected three exams that are relevant to my day-to-day work:

CompTIA Security+ (SY0-601)

Microsoft Security Operations Analyst Associate (SC-200)

Microsoft Identity and Access Administrator (SC-300)

Like all exams, they are now available online to be taken at home or from a test centre. I am old school, so a Pearson Vue test centre it was.

The CompTIA exam is an entry-level, security fundamentals exam and is a very good place to start even if you have a long history of working in IT. Many times concepts and terminology change over time and although we think we know a lot — doing an up-to-date certification helps to sharpen our skills and correct any misconceptions we’ve picked up over the years. There are two versions of the exam leading to the same qualification. I chose the newer of the two exams — Exam Code SY0-601. I found a good blog comparing the differences between the two exams, which helped my choice.

The exam is described on the CompTIA homepage and covers 5 main security domains:

Attacks, Threats and Vulnerabilities

Architecture and Design

Implementation

Operations and Incident Response

Governance, Risk and Compliance

I have subscriptions to two learning platforms, O’Reilly Media and PluralSight. Both had excellent training courses for the CompTIA exam, with O’Reilly having a live training evening, over two days, during the time I was studying for the exam. I found Sari Greene’s video course to be excellent, and it is included with the O’Reilly subscription that I have. This was the foundation of my training.

What’s Hard?

The exam is broad. This makes it a challenge to cover all areas. It's also a little bit ‘US centric’. There are several questions on standards and policies that apply only within the US, such as the type of access card the US Military use! If you’re in the US, these may be more natural to you — I’m not, so these items were not things I had encountered before.

What’s Easy?

Overall, this is not a difficult exam if you work in IT or have applied yourself to the material. A lot of the material is conceptual and therefore intuitive, so focus on the nonintuitive hard facts: security standards, common ports, attack types.

Types of Question

Most of the questions are straightforward, multiple-choice. I didn’t find any questions that were especially tricky or that I felt were unfair.

The exam started with a few scenario questions. I was presented with just one scenario; I am sure this can vary by exam. The question presented a security policy as mandated by an organisation’s security department and then some suggested actions to achieve this policy. Like a lot of exams, the scenario was a separate section and once completed, you couldn’t return to it.

The exam is 90 minutes and I needed all the time — it is quite a full exam, with 90 questions on average, so a question a minute is a challenging pace!

CompTIA’s CPD philosophy.

CompTIA’s certifications don’t expire as such, providing you complete 150 CE credits within 3 years of passing the exam. Once you keep doing this, you will maintain the certification. The caveat is that the Continuing Education Units (CEUs) cost USD 50 per annum — so a total of USD 150 to roll forward the certification after 3 years. Each of us would have to assess the value of this, but there is one good point: if you take other CompTIA exams then “CE Fees need only be paid at the highest certification level held” (A+, Network+, Security+, Linux+, Cloud+, PenTest+, CySA+ or CASP+). CE Fees apply towards the renewal of all CompTIA certifications. Separate payments for each certification are not necessary.

How long did it take?

I like to take 1 month for an exam. I book the exam 4 weeks away and then start the study programme using all materials available to me. You’ll each have your own learning methods and different quantities of time available to dedicate to study. Just make sure you have covered all of the exam objectives and get to the point where the concepts are second nature in your brain. The O’Reilly subscription had a practice test available, which gave me a high level of confidence going into the exam — but it was not as in-depth as the exam, so beware.

Was it worth it?

You can read CompTIA’s take on if it's worth it here. If you’re out to prove yourself, then it is definitely worth it and can help achieve a new job or promotion. For me, the exam didn’t cover anything I wouldn’t be expected to know anyway, but it was still a good stepping stone to the next, more product-specific exams I am taking. However, I still don’t have a view on the paid-for Continuing Education elements.

Caveats

All of the products, people or companies mentioned are just those that I used or referenced as part of my training journey. These are not endorsements beyond saying that I personally found them helpful. We all have our individual training styles and should choose materials that suit our personal learning. Lastly, I have no connection to any of the products mentioned, other than as a customer and no freebies or inducements have been solicited or received. Happy learning!

About the Author:

Simon Grant is a Service Delivery Manager here at Version 1.
