Getting ready for CASP+, but wondering if I should bother renewing my S+

Most of my certifications are olllld and grandfathered into the old "good forever" system. However, a little over three years ago I got my S+, but my career took a slightly different turn and I let it expire just because I was busy. That said, I've been running through some material and I'm pretty sure I could pass it again with minimal additional preparation. I've been studying in earnest for CASP and it seems my memory and CASP+ preparation may serve to get me by. So I guess these are my questions:

1) Is there any reason to have an S+ if one has the more advanced CASP+?

2) If I snag my S+ and get my CASP+ pretty quickly after (say within a month or two), is that OK? Does getting that credit so quickly after getting a new S+ mean I can still get an additional 3 years right off the bat? From what I've read, it seems like it but I just want somebody in the know to confirm my understanding.

3) I'm also curious for those that have CASP+, which as I understand it, is pretty knew: how has the certification been received for you? I've already paid for a voucher so this is happening but I'm curious what others' experiences have been so I can calibrate my expectations.

Finally, if anybody has any bright ideas for making the jump from experienced 10+ Sys Admin to a security-specific role, I'd be glad to hear them. I've been thinking of using targeted advertising (I can't post links yet because I'm a n00b here, but find the Decon lecture, "How to Social Engineer your way into your dream job").

Thanks!

- Richard

Find more posts tagged with

Comments

JDMurray

Security+ has a much better name recognition than CASP+. If someone is searching resumes by keyword they are much more likely to hit on "Security+" than "CASP".

The only reason to renew your Security+ is if your employer requires and will pay for it, otherwise nobody seems to care that your certs are in good standing--except the cert vendors, of course.

You will also automatically renew your plus certs by passing another plus exam. The years do not compound; that is, passing three plus cert quickly will not give you nine years to your next renewal period. Don't forget that you have to pay CE $$$ during each of those years too.

CASP was introduced in 2012-13 as the first of several mid-level certs CompTIA would be releasing as a new certification tier. CASP was re-branded "CASP+" for the CE program when CompTIA realized the plus certs were their best brand recognition. CASP has evolved considerably from when I took it in 2013. I'm not sure anymore how it compliments/overlaps the current Security+ and CySA+ cert objectives.

stryder144

As @JDMurray said, Security+ has more name recognition than CASP+, by a mile at least. If you think you can easily pass the Security+ exam, I say go for it. Don't get me wrong, the CASP+ is a great cert, very challenging, and I think it will potentially be a good intermediate cert to get before CISSP (I found the CASP+ to be a harder cert than the CISSP, but that could be because I did CASP+ first then CISSP). Also, if you go to the Black Hills Information Security channel on YouTube, Jason posted an update to his Social Engineering/Job video (both are very relevant, so use the info in both would be my recommendation).

yoba222

If I were you, once obtaining the CASP+, I'd leave Security+ on the resume for keyword recognition, even though it's expired.

RickyJo

So sorry for the delay friends, things got a little crazy the last few days.

_________________

This is all very helpful, thank you.

I'm looking forward to checking out the updated video on Black Hill's channel (thanks Stryder).

I do have a couple follow up questions for all of you--particularly JD--if it's no trouble:

> You first say how S+ has much better recognition, but go on to say that you wouldn't bother renewing it on your own dime--this will be my own dime. Should I take that as advocating Yoba's suggestion to mention the expired certification somehow on my resume? Perhaps instead of saying roughly "I have an S+" I can say, "passed S+ exam on [date]" (I would welcome advise on how to phrase this from Yoba as well, I don't want to run afoul of the rules).

> Secondly I'd like to clarify my question regarding renewal. Pretend I do bother getting my S+ first and my CASP+ a month later, do I end up with 3 years and 1 month before expiration, or 5 years and 11 months? I understand that I won't be able to stack beyond that, I'm sorry for being unclear initially.

AverageJoe

I'll add my 2 cents, though I don't have CASP (I took it once but didn't pass and have not re-visited).

I think if it doesn't cause hardship and you can knock it out, go ahead and take the Sec+ exam. If money is tight, this sure wouldn't out-prioritize groceries, gas, or kids' birthday presents, but I might skip some golf or buy less beer for a while in order to take the test.

My thinking is:

a) Sec+ really does have a lot more name recognition. Even once you have CASP, you may still want to have Sec+ on your resume. I have CISM and CISSP but I still list Sec+ on my resume.

b) Yes, quite a few list expired certs on their resume. If you do, you should indicate it's expired somehow because you definitely don't want anyone thinking you're pulling a fast one.

c) If you happen to fail (or delay) the CASP exam, at least you still have the Sec+. In this age of COVID-19 and riots, you just never know what's coming round the next bend. A bird in hand, and all that.

And yes, in the scenario you suggest, you'd have 3 years and 1 month before your Sec+ expires, and your CASP expires at the same time. When you pass Sec+ it's good for 3 years from the date you passed the exam. Then when you pass CASP it (and any certs it renews) are good for 3 years from the date you passed the CASP exam.

As always, YMMV. Good luck!

RickyJo

@AverageJoe, thanks for the follow-up! This is all very helpful and the clarity on the renewal timeframe is particularly useful.

RickyJo

Hey friends, this may be off-topic to the forum in general, but if it's no trouble and since it's related to my original post:

1) Are any of you in the security field with a non-military background?

2) Of those, how did you make the jump into security? I live in Colorado Springs and basically any security-centric job requires a clearance. From what I can observe, nobody really wants to sponsor a new hire for their clearance and I'm not getting one from where I'm at now. Any creative tips for getting a clearance or moving forward without one? Totally looking for big picture answers here. I'm thinking of looking for jobs in Minneapolis where healthcare/insurance is big and living is cheap. I'm pretty much a HIPAA-guru--well, I certainly try, anyway. That said, I honestly would rather not relocate if I can help it!

AverageJoe

Yep, military background with clearance is tough to compete with. Many will hire someone with an existing clearance rather than sponsoring a new clearance, especially if we're talking Top Secret clearance. That said, a Secret clearance is a lot less daunting, so I think there are more employers willing to sponsor if you're otherwise totally qualified and a great fit for the position. It may be worth it to take a substantially lower paying job that sponsors a clearance to be better set up for the future positions.

yoba222

The only shadiness I can think of in keeping an expired Security+ on the resume is when DoD requires it to be current. But if you already have CASP+, this requirement would be already satisfied. Possibly Cisco partnership CCIE type stuff also, but not the case here. I don't know maybe an expired CISSP possibly too?

JDMurray

yoba222 said:

The only shadiness I can think of in keeping an expired Security+ on the resume is when DoD requires it to be current.

The DoD itself only cares that you passed the cert exam and not that you've kept the cert itself renewed. As an example, the DoD's acceptance of the "Associate of the (ISC)2" designation means you never need to be fully CISSP-certified to be compliant under 8570.01. However, you may be working on a contract within a DoD program that stipulates specific certifications must be "held and in good standing." An example could be, "at least 30% of the IT people assigned to this project must have at least one current Cisco networking certifications."

xcopy

If you pass the CASP it will automatically renew your Security+. The CASP is CompTIA's highest certification, it may not be as popular as Sec+, it holds more weight in high end jobs in the DOD sector. Sec+ is more of an entry level cert, not to mention CASP is higher up in the DOD baseline certification matrix and according to the DOD equivalent to CISSP.

All CE (continuing education) certifications lower than CASP will be renewed with when passing the CASP.

https://www.comptia.org/continuing-education/learn/renewing-multiple-certifications

AverageJoe

JDMurray said:

The DoD itself only cares that you passed the cert exam and not that you've kept the cert itself renewed.

That's not quite correct. While DoD does give Associate credit as CISSP, 8570 does require certs be kept current. From DoD 8570.01-M, "Certification holders must adhere to all recertification policies set by their certification provider and ensure that their certifications stay active. Expired certifications must be renewed. Expired certifications are not to be considered in the workforce metrics."

I do think DoD made things confusing when they allowed Associate to count as CISSP, but I think the intent was to allow those who passed the exam to be considered qualified for that particular requirement (CISSP) even without the 5 years of experience. That doesn't mean most qualified, so it sure doesn't guarantee a person will get a job sans the CISSP.

In my opinion, I think it was more of a grandfathering clause to allow employees to retain a position later deemed to require that 8570-level. It's not uncommon for existing employees (and sometimes new hires in a probationary capacity) in DoD to be required to meet the newly required condition for their position within 6 months of it being imposed (or within 6 months of being assigned to the position). Impossible to do with CISSP without the background experience, so this makes it so you can pass the test and keep your job. I'm sure some probably interpret it more widely, but that's what I've seen.

AverageJoe

xcopy said:

If you pass the CASP it will automatically renew your Security+.

Yes, but only if your Security+ is still active.

Taking the CASP will not renew an expired Security+, so OP was asking if there was any reason to re-take Security+ before taking CASP.

JDMurray

AverageJoe said:

While DoD does give Associate credit as CISSP, 8570 does require certs be kept current.

Enforcement is per DoD program or contract. If a program does not enforce, or a contract does not require, cert renewal then it (likely) not budgeted to happen. This can be very inconvenient for someone who has expired cert(s) that wants to move to a program that requires certs in good standing, but there are provisions that can remedy this (e.g., you have one year to renew your CISSP).

AverageJoe

I don't get what you're saying. Certification is covered by DoD policy, and DoD's contracts (any that I've been involved in, anyway) do require certifications in accordance with that policy. I'd expect any contract missing that requirement initially would be caught in legal review, but if it really were missed, I think it would likely come to light during source selection or during competitors' contract protests (because defense contractors sure aren't going to let one another undercut costs like that). Could I see it EVER being missed? Sure, stuff happens, but definitely not as a general rule.

As to enforcement, I suspect lack of enforcement is probably either at a relatively low managerial level (probably ignorance not deceit, at least I'd like to think) or is administrative oversight, and not a deliberate attempt of the firm to fail to adhere to the contract. I can't picture firms deliberately risking current or future contracts for something as simple as requiring current certs.

On the individual level, I've seen contracted employees get told "fix it now." That's usually when folks figure out it would have been much easier to keep their Sec+ (or whatever) current. But they fix it or they don't come back. Luckily there's always someone else right around the corner with a current cert.

Frankly, though, I've very rarely seen this as a problem with contractors. Firms and contracted employees are generally (in my experience) very good about keeping up on certs.  Military and government civilians, however, seem much more prone to let their certs lapse. And believe me, that has never made any sense to me.

There are often provisions to allow 6 months to meet certification requirements for DoD civilians and military, but from what I've seen, contractors are usually expected to be full-up on day one.

RickyJo

Hey friends,

I passed the CASP. Thank you very much for your help.

AverageJoe

Awesome! Congrats!

xcopy

Congratulations!

RickyJo

Fun fact:

on my initial test taking, the proctors screwed up. There was a big to-do regarding if disabling my laptop screen and using a larger monitor instead counted as using only one monitor. The original proctor said it was OK, the next one disagreed and killed the test. I complained about the confusion and wound up with a replacement voucher for the test AND a voucher for any additional test.

I used my retake on my original voucher successfully and still had the two compensation vouchers left over. I then discovered that in fact BOTH vouchers worked for ANY test (including the one I thought was only for CASP). I went ahead and renewed my S+ for free (~850! YAY!) and figured, what the heck, and snagged Cloud Essentials (mostly because it doesn't expire and I figured I could pass it with minimal study). Kind of weird to use a ~$400 voucher on a ~$120 test (maybe I should have just sold it or knuckled down for Linux+), but both vouchers were free so I'm pleased as punch. Got three certifications for the price of one!

yoba222

@RickyJo, nice you were compensated so generously for CompTIA/Pearson's screw up. The idea of having to simply sit the exam again and "that's it" never sat well for me.

On a similar note, I often read about cert holders worrying about submitting worthy CEU evidence. It appears to me that when the cert body is often barely competent enough to give the exam, it's doubtful they will be auditing with a lawyer's level of scrutiny.

RickyJo

@yoba222: thanks! I also was very pleased. I was so frustrated at first, but I have to confess the resolution was more than fair.

At risk of straying slightly off-topic, I was wondering: I see you have both PenTest+ and CySA+. I'm feeling some momentum and was wondering if you think either of those would be worth pursuing even though I have a CASP now. I know CompTIA classifies CASP a little higher, but it seems like name recognition may be better with both CySA and Pentest.
Setting aside the name recognition for a moment, did you feel CySA was just S+ on hard mode or was there more to it? I'm guessing PenTest+ is tons of questions about tools. I dislike tests that focus largely on flags and switches--memorizing this feels like *mostly* a waste of time to me. Did you feel that way about the PenTest+? Was the time you spent studying for it valuable? Do you feel somebody that passed CASP and S+ recently would need to broaden their study much to pass CySA (I realize you haven't taken CASP, but it really did feel like a really, really hard extra-jorgony S+ exam)?

yoba222

RickyJo said:

@yoba222: thanks! I also was very pleased. I was so frustrated at first, but I have to confess the resolution was more than fair.

At risk of straying slightly off-topic, I was wondering: I see you have both PenTest+ and CySA+. I'm feeling some momentum and was wondering if you think either of those would be worth pursuing even though I have a CASP now. I know CompTIA classifies CASP a little higher, but it seems like name recognition may be better with both CySA and Pentest.
Setting aside the name recognition for a moment, did you feel CySA was just S+ on hard mode or was there more to it? I'm guessing PenTest+ is tons of questions about tools. I dislike tests that focus largely on flags and switches--memorizing this feels like *mostly* a waste of time to me. Did you feel that way about the PenTest+? Was the time you spent studying for it valuable? Do you feel somebody that passed CASP and S+ recently would need to broaden their study much to pass CySA (I realize you haven't taken CASP, but it really did feel like a really, really hard extra-jorgony S+ exam)?

I did CySA+, Pentest+, and Cisco Cyber Ops all within a few months of each other like 2 years ago so they've congealed together considerably in my mind.

For the CySA+: Extra-jargony Sec+? I think that jargony tool memorization + bad grammar + typos describes the CEH from what I've read, though I haven't taken that and don't intend to. No, more than that. I mean with CompTIA, since it's only the exams and it's really up to you on how you study for it, things really depend on how much a person puts into it.

For CySA+, I think I put about 80 study hours in and probably 25 of those were in a lab course I purchased. 80 hours was more than necessary, but I like to go slow and deep. It wasn't too bad as far as jargon memorization and probably less than for the Sec+. It was more about recognizing logs and outputs of things an analyst might use, like vulnerability scan results.

For PenTest+ I didn't memorize any tools because I didn't know what was on the exam. I took the v1 beta and there were no study materials. I winged it and passed solely on my past experience. I think being able to recognize the purpose of snippets of script coding, and then recognizing web application attack type things mainly is what really brought me across the finish line with a passing score. The non-memorization didn't slow me down, but v1 beta might be different than the current version.

Like you mentioned, I haven't (yet?) done CASP so can't say if doing CySA+ and PenTest+ on top would be redundant or not. Also harder for me to judge now is because I'm 300 hours into the PWK course studying for OSCP. I've learned far more in these 300 hours than I ever have for any other cert. I think that it's because I'm studying for a practical exam and not memorizing for a multiple choice test. But then I've never studied for one cert for so long, so maybe it's that. So while last year I might have said the CySA+ study experience was so great and I learned so much, now my memories are probably distorted because OSCP has kind of eclipsed it all. I do hear CCIE study time tends to be above 700 hours . . .