CompTIA "Advanced" Security Certification?

Comments

  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    GeeLo wrote: »
    LOL... now back to the creator of the thread..

    A few things..

    First, Security+ is not an entry level cert.. never has been and never will be, if you need Security+ for your job, you're not in an entry level IT position.

    I recall distinctly when I was studying for it CompTIA had a video with someone from the DoD talking about how it was encouraged for everyone from receptionists to network engineers. I personally consider it appropriate for jr. level sys and network admins.

    From CompTIA
    CompTIA certifications are internationally recognized and vendor-neutral. CompTIA A+, CompTIA Network+ and CompTIA Security+ are effective foundational-level certifications that pave the way to earning higher-level and vendor-specific certifications.

    I had already been prepping for the ISA, 291/293, and 298 exams from MS; but I literally did one or two weeks of prep for this test and passed with an 836.

    They say 2 years networking experience, but I don't buy it. It's security trivia. I don't mean entry level like I want to get my first job at the Geek Squad. I mean entry level net/sys admin. But just my opinion.
  • SephStorm Member Posts: 1,731 ■■■■■■■□□□
    I don't understand your reasoning. It's a new cert, it does not replace the Sec+, Sec+ does not go away. I will have my Sec+ for life and never take this exam because it offers no value to me. Sec+ did at the time. If I had the expiring Sec+ and worked for a place that required it be kept up-to-date, I would keep it up-to-date. That really has nothing to do with CompTIA creating a new cert.

    This is a professional level exam. Security+ is an entry level exam. It's like suggesting that the creation of the MCITP: Enterprise Admin was to force you to upgrade your MCP on Windows XP.

    If Security+ were being replaced, I might agree. But this exam is to follow it, not replace it. With a 10 year requirement of IT experience, I think this is a little harder than even the CISSP to attain. Sec+ to this is like CCENT to CCNP.


    With respect, I think this is bull. I think CompTIA got owned by people who have current certs, and had to figure out a way to continue bringing in new money. Because the vast amount of people who have CompTIA certs only need to validate those skills for a limited amount of time, until they get hired, or are going for a higher level cert (i.e. elective exams, ISC2 experience waivers) Now that MCSA and MCSE (Security) are on the way out, and there is no replacement for them, that's one less group of people who NEED a CompTIA cert. So what they are doing is trying to appeal to older, more experienced people, who probably have a CT cert, and no intention of certificating, to in a way, force them to come to CT.

    As for not getting hired on Sec+, I can say that I have seen it. I've seen it on LinkedIn, I've seen it in the military, I've experienced it. When I got to my current unit in the army, they said "Oh you have your Sec+?! Well, we were going to send the next guy we got in to another place, but we'll keep you." I also see it for CISSP. Guys doing a hands on job, requirements? Sec+ and CISSP.

    Mark my words, CompTIA is trying to muscle in on the market. 8570 is compiled of basically three providers, CompTIA, ISC2 and GIAC, with GIAC leading. EC-Council will undoubtedly make some moves in the next revision, if and when it comes. With the addition of "Sec+ Advanced", CompTIA can become a requirement for IAT III, IAM I-III, CND Manager, and all of the IASAE levels.
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    SephStorm wrote: »
    With respect, I think this is bull. I think CompTIA got owned by people who have current certs, and had to figure out a way to continue bringing in new money. Because the vast amount of people who have CompTIA certs only need to validate those skills for a limited amount of time, until they get hired, or are going for a higher level cert (i.e. elective exams, ISC2 experience waivers) Now that MCSA and MCSE (Security) are on the way out, and there is no replacement for them, that's one less group of people who NEED a CompTIA cert. So what they are doing is trying to appeal to older, more experienced people, who probably have a CT cert, and no intention of certificating, to in a way, force them to come to CT.

    As for not getting hired on Sec+, I can say that I have seen it. I've seen it on LinkedIn, I've seen it in the military, I've experienced it. When I got to my current unit in the army, they said "Oh you have your Sec+?! Well, we were going to send the next guy we got in to another place, but we'll keep you." I also see it for CISSP. Guys doing a hands on job, requirements? Sec+ and CISSP.

    Mark my words, CompTIA is trying to muscle in on the market. 8570 is compiled of basically three providers, CompTIA, ISC2 and GIAC, with GIAC leading. EC-Council will undoubtedly make some moves in the next revision, if and when it comes. With the addition of "Sec+ Advanced", CompTIA can become a requirement for IAT III, IAM I-III, CND Manager, and all of the IASAE levels.

    Considered with respect... But I don't see where you are disagreeing with me.

    As I said in other posts CompTIA *DOES* need this new cert to generate revenue and stay relevant in the cert market. When Sec+ is required for higher level jobs it's because of DoD requirements. It's not because the exam is some 1337 cert.
  • SephStorm Member Posts: 1,731 ■■■■■■■□□□
    :) I didn't get to read those later posts until after I posted the above.
  • erpadmin Member Posts: 4,165 ■■■■■■■■■■
    GeeLo wrote: »
    LOL... now back to the creator of the thread..

    A few things..

    First, Security+ is not an entry level cert.. never has been and never will be, if you need Security+ for your job, you're not in an entry level IT position.

    As someone who has all three CompTIA lifetime certs, I can tell you that I, and with total respect mind you, disagree with this wholeheartedly. A+ and Network+ are required for DoD jobs too. Does that mean they're not entry level certs? Put it this way, when kids pick up a book like Get Certified Get Ahead, study it, take the exam and pass it, it's not in the same league as something like a CISSP. A C level student can become Security+ certified with proper study. When folks told me how "hard" this exam was, I studied with the aforementioned book, plus bought Transcenders, plus used Labsim, plus used Learnkey and used the practice exams here and elsewhere. I expected a good 800-820 maybe even a 790....when I got 870 out of 900, I was really floored. The exam really was stupid easy but I thought it was going to be real difficult. I would not put this exam in the same league as a CISSP at all or any other exam that is mid to high level.
    GeeLo wrote: »
    Second, I do agree that CISSP (and a few other security certs) are way harder to obtain than Security+. But Security+ is not a walk in the park like some of you tend to say.

    See above.
    GeeLo wrote: »
    Third, CompTIA has always been a company that has provided long lasting "value" versus other certifications. Not just the overall cost of the certification, but the longevity or life-span of the certifications itself.

    I had mixed reactions when I heard about the "Re-certify every 3 years" plan that CompTIA was doing in regards to ISO and the DoD, but learning now about a possibility of phasing out certifications like Security+, is really very disappointing. If CompTIA keeps putting $$$money$$ before their customers / members, they will lose money in the long run. I think I'll contact a few high level CompTIA executives that I have corresponded with in the past, to see what they have to say.

    Now on this I'm with you 100% :D
  • Devilsbane Member Posts: 4,214 ■■■■■■■■□□
    I also found the Security+ to be very near a "walk in the park" yes it took a lot of studying, but nothing was too difficult.

    Nice link RK
    Decide what to be and go be it.
  • SephStorm Member Posts: 1,731 ■■■■■■■□□□
    So do you guys think the CISSP is more difficult because of the amount of information, the type of information, the length of the test, or what?

    (And before someone says mile wide...)
  • GeeLo Member Posts: 112 ■■■■□□□□□□
    Some of you guys are in the Army.. or were in the Army?
    Vendor Neutral Certified in IT Project Management, Security, Servers, Workstations, Software, Networking, Windows, Unix and Linux and.. Cloud. :-)
  • DoubleD Member Posts: 273 ■□□□□□□□□□
    Devilsbane wrote: »
    I also found the Security+ to be very near a "walk in the park" yes it took a lot of studying, but nothing was too difficult.

    What He Said
  • walterbyrd Member Posts: 40 ■■■□□□□□□□
    > Mark my words, CompTIA is trying to muscle in on the market. 8570 is compiled of basically three providers, CompTIA, ISC2 and GIAC, with GIAC leading

    I think that is about right. Except, maybe, about the part about GIAC leading.

    I have worked in a DoD 8570 environment. From my experience, it is all about the CISSP. And that should be no surprise, the CISSP is the one cert that covers practically everything, technical and managerial. Take a look:

    DoDD 8570

    From my experience, the Sec+ is essentially worthless in an 8570 environment, they want the CISSP, they are hardly even aware of the other security certs. I hold an a+, net+, sec+, lin+, and proj+, and in my experience all of those certs are complete jokes in the industry. The a+ will get you some low-level deployment work, or maybe even a helpdesk job. The rest of the certs are worthless.

    According to the article, that another poster cited, the Advanced Security cert will require:

    > "10 years IT experience, with at least five of those years dealing hands-on with security"

    So only 5 years in security. This is absolutely not a clear-cut requirement. What exactly constitutes "hands-on with security?" If I put AV software on a PC, does that qualify? Also, how will CompTIA verify this?

    I could never get a straight answer from ISC2 about what constitutes security experience. I don't know if CompTIA will be much better.
  • Devilsbane Member Posts: 4,214 ■■■■■■■■□□
    walterbyrd wrote: »
    So only 5 years in security. This is absolutely not a clear-cut requirement. What exactly constitutes "hands-on with security?" If I put AV software on a PC, does that qualify? Also, how will CompTIA verify this?

    I could never get a straight answer from ISC2 about what constitutes security experience. I don't know if CompTIA will be much better.

    They will probably verify the same way ISC2 does, have your manager write a letter vouching for this, maybe ask for a resume. But what happens when you have 5 years of experience split between 3 different companies? Do you have to go back to the first 2 and hope that they write letters too?
    Decide what to be and go be it.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    I really don't think this is going to be like this guys. I think it is going to be like Security++(maybe +++). I don't think CompTIA has the time or money to set up a major verification program by the time they release the certification (I've read here someone thinks it is coming out in January).
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    I really don't think this is going to be like this guys. I think it is going to be like Security++(maybe +++). I don't think CompTIA has the time or money to set up a major verification program by the time they release the certification (I've read here someone thinks it is coming out in January).

    I agree and that's why I said I think it is going to be considered more of a mid-level cert.

    That being said I think the Sec+'s real failing is the way the exam is set up. It is focused far more on facts and information than it is on actually thinking about and properly implementing the technologies. I suppose it is harder for a vendor neutral exam to test those types of scenarios because they are implementation centric.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    I agree and that's why I said I think it is going to be considered more of a mid-level cert.

    That being said I think the Sec+'s real failing is the way the exam is set up. It is focused far more on facts and information than it is on actually thinking about and properly implementing the technologies. I suppose it is harder for a vendor neutral exam to test those types of scenarios because they are implementation centric.

    I think that is very true. I guess I will see first hand in 6 days lol.

    Do you plan on taking the beta?
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    I think that is very true. I guess I will see first hand in 6 days lol.

    Do you plan on taking the beta?

    That's one of those exams I would like to take but honestly holds very little value for me. I will probably pass as I am mega busy with Silverlight and SQL BI stuff.
  • SephStorm Member Posts: 1,731 ■■■■■■■□□□
    walterbyrd wrote: »
    > Mark my words, CompTIA is trying to muscle in on the market. 8570 is compiled of basically three providers, CompTIA, ISC2 and GIAC, with GIAC leading

    I think that is about right. Except, maybe, about the part about GIAC leading.

    I meant as far as the number of 8570 certs. They have about 7 of their certs on the list compared to 5 with ISC2, 3 CompTIA, and 1 EC-Council
  • walterbyrd Member Posts: 40 ■■■□□□□□□□
    SephStorm wrote: »
    I meant as far as the number of 8570 certs. They have about 7 of their certs on the list compared to 5 with ISC2, 3 CompTIA, and 1 EC-Council

    Yes, but since the CISSP works for Tech III, that means it also works for Tech II, and Tech I. Also, since the CISSP works for Manager III, that means it also works for Manager II, and Manager I. And since the CISSP works for IAT Level III, it also works for IAT Level II, and IAT Level I. And since the CISSP works for IAM Level III, it also works for IAM Level II, and IAM Level I. The CISSP also works for IASAE II, and IASAE Level I.

    The CISSP is almost a clean sweep when it comes to DoD 8570. No other single cert comes anywhere close to filling the requirements for as many specializations. That is the reason that companies regulated by 8570 want the CISSP above all else. If you have the CISSP (or even CISSP associate) they can move you wherever they need you, without having to get you another cert.

    I suspect that CompTIA wants their cert to be on-par with the CISSP. Right now, the Sec+ is nowhere close to being as widely accepted as the CISSP.
  • jbutler9 Member Posts: 8 ■□□□□□□□□□
    I imagine that most of us have taken a look at the IT exam process these days and have come to the conclusion that getting a cert is no longer relevant.

    Hear me out first before you blast away...

    First off, the assumption that a certification means that a person actually knows what they are doing is pretty naive. I know more than a few people working on DoD contracts or are responsible for various forms of Enterprise Systems for the DoD that have tons of certifications, and in reality, they truly don't know what they are doing. I know this because I have had to unofficially step up and take over their responsibilities.

    Second, I hate the fact that when I am getting interviewed for a position I am not put to the test, either by an essay and/or a hands-on evaluation prior to me being offered the job. This tells me a great deal about a company and how much they sincerely respect my technical knowledge and expertise that I will bring to their organization.

    To all you recruiters out there, stop wasting your time and money by hiring non-experienced people thinking that they will save you money...why do you think you are getting them so cheap? You get what you pay for.

    Third, organizations that offer certifications should have nothing but hands-on exams, no more multiple choice. Anyone can read and memorize.

    Fourth, I would imagine that there will be a lot of companies out there that will be extremely upset since they require their personnel to have a specific certification, namely Sec+, and with the DoD requirement, I am sure that a lot of those people won't pass their exam.

    And finally, I realize that putting an exam out there will draw in revenue and if profits are the only thing driving technology standards then I question the validity of the standards at which we, as IT personnel, are being tested.

    Bottom line: True knowledge comes from experience, it is not something you can memorize.

    What is that saying......A knight knows that fighting a dragon unprepared is not wise, but a wise man would never try it. (something like that)

    So the next time you go on that job interview, demand that you be given a true test of your abilities, not only will you prove to them that you are worth every penny but you may just set the standard for that company because they will be hiring others at some point and they are the people you will have to work with.
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    jbutler9 wrote: »

    What is that saying......A knight knows that fighting a dragon unprepared is not wise, but a wise man would never try it. (something like that)
    Yes, and they also say one village's wise man is the village whose being eaten by the dragon's coward!

    But I agree with your post to a certain point. I don't believe certification is irrelevant. I believe people have incorrect assumptions about what it means and not all certs are created equal. Brain **** excluded, I think that many of the MCITP exams do a very good job at measuring a person's knowledge and ability to make good choices. In the SQL Server exams, for example there is a ton of emphasis placed on what you would do in certain situations. If you are incapable of understanding the theory, you could not answer the majority of the questions correctly.

    Other exams, such as Linux+ and Sec+ are far more information driven. This is why I call these exams entry level. It is what do you know vs. what do you do when something breaks in this way and you only have X,Y and Z to help you fix it.

    I also think that certification should be seen as a way to help you improve professionally from a skill perspective. It helps you learn a product or technology in greater detail than you can from on the job. Most people's jobs are very focused. They face similar issues each day. Certification, when practiced properly, helps ensure that you know what your stuff is capable of, even if you don't use it that way. It also gives you a good foundation in how the product actually works and is intended to be used. If you don't know that sort of information you will not know which rules can be bent and which can be safely broken. 13 years of experience doing the same bull everyday only means that you know bull. It does not mean that you are curious, smart, or able to "man up" when the chips are down. But neither does a certification. When I see a cert in an interview, I see an avenue for questioning. That's all.
  • walterbyrd Member Posts: 40 ■■■□□□□□□□
    I imagine that most of us have taken a look at the IT exam process these days and have come to the conclusion that getting a cert is no longer relevant.

    Hear me out first before you blast away...

    Heard you out. IMO: you are completely wrong. Since 8570, security certs are far more relevant than ever. Now they are an actual job requirement, not just a feather in your cap.

    First off, the assumption that a certification means that a person actually knows what they are doing is pretty naive.

    Okay, let's apply the same logic to every other type of credential. Does a driver's license prove the driver knows what he/she is doing? Clearly not, let's do away with all driver's licenses. I suppose we also do away with any kind of flight license. And we can also do away with all college degrees, by the same reasoning. For that matter, why have grade school, or high school, those diplomas do not prove anything. Also, MDs, JDs, CPAs, and so on do not prove anything, why have them? Let anybody be a doctor, or lawyer or anything else.
    I know more than a few people working on DoD contracts or are responsible for various forms of Enterprise Systems for the DoD that have tons of certifications, and in reality, they truly don't know what they are doing. I know this because I have had to unofficially step up and take over their responsibilities.

    Only experience matters. So nobody can be a doctor, until that person is already an experienced doctor. Doesn't that make perfect sense?
    Second, I hate the fact that when I am getting interviewed for a position I am not put to the test, either by an essay and/or a hands-on evaluation prior to me being offered the job. This tells me a great deal about a company and how much they sincerely respect my technical knowledge and expertise that I will bring to their organization.

    I feel just the opposite. I have been bushwhacked too many times by incompetent interviewers. Cert tests may be flawed, but the worst of them are usually better than the best interviewers. When you hire an accountant, or lawyer, or doctor, or when you get on an airplane; should you have to interview that person to make sure he/she knows his/her job? Would you be qualified to give such an interview?
    To all you recruiters out there, stop wasting your time and money by hiring non-experienced people

    Exactly, nobody should be a doctor until that person is already an experienced doctor.

    BTW: you do know that the advanced sec+, and the cissp, have experience requirements?
    Third, organizations that offer certifications should have nothing but hands-on exams, no more multiple choice. Anyone can read and memorize.

    On this point, I tend to agree. I think Red Hat, and Cisco, may have the right idea with the RHCE and the CCIE.
    Fourth, I would imagine that there will be a lot of companies out there that will be extremely upset since they require their personnel to have a specific certification, namely Sec+, and with the DoD requirement, I am sure that a lot of those people won't pass their exam.

    That does happen. But, I think the DoD gives plenty of time to get the certs. Maybe, if you are supposed to be a security professional, you should be able to pass the exams eventually?
    And finally, I realize that putting an exam out there will draw in revenue and if profits are the only thing driving technology standards then I question the validity of the standards at which we, as IT personnel, are being tested.

    How is this any different from every other formal credential in existence?
    Bottom line: True knowledge comes from experience, it is not something you can memorize.

    Right, so nobody can be a doctor until that person is already a very experienced doctor.
  • AD200 Member Posts: 59 ■■□□□□□□□□
    Will this exam be released next year? I'd probably still go for CISSP if I had to choose....