The IT Certification Resource Center


CompTIA's Security Cert Ladder and the 'Future' of Cybersecurity

CompTIA has a vision of the future of cybersecurity certification. This month (October 2017), CompTIA has updated its Security+ exam to version SY0-501. This latest iteration of the exam includes performance-based questions that, in the words of the afore-cited blog post, “emphasizes the hands-on practical skills used by junior IT auditor/penetration testers, systems administrators, network administrators and security administrators.”


The idea is to make sure that those who take and pass Security+ can handle basic job tasks and activities associated with those various kinds of IT positions, all of which include some security responsibilities (if not being exclusively security-focused). CSA+ ups the ante with coverage of “tools such as packet sniffers, intrusion detection systems (IDS) and security information and event management (SIEM) systems.”


CompTIA claims with some degree of assurance that the job role of security analyst, which the CSA targets directly, is gaining importance and increasing presence among companies and organizations of all sizes and scopes. The ladder culminates with the CASP, which aims at cyber security professionals with 5-to-10 years of relevant, on-the-job experience.


The practitioner focus speaks to its primary target audience: “(T)hose who wish to remain immersed in hands-on enterprise security, incident response and architecture ... as opposed to management of cybersecurity policy and frameworks.”


That last little snippet about policy and frameworks is why I don’t fully buy into the notion that this ladder means “the future of cybersecurity is here.” There is still plenty of room for those who address cybersecurity policy and frameworks — such as the CISSP and CISM, to name just two important and popular cybersecurity certs that fill this niche.


Then there’s the intersection with risk assessment and management, and of corporate or organizational governance, ably addressed by certifications like the CRISC and CGEIT, among others.


I guess if CompTIA had been less partisan, and positioned their ladder as “A Future for CyberSecurity” rather than “THE Future of” it, then I might have endorsed it without reservation. Having now made that distinction, I think what they have to offer is pretty significant, both in terms of coverage and value.



Ed Tittel is a 30-plus-year computer industry veteran who's worked as a software developer, technical marketer, consultant, author, and researcher. Author of many books and articles, Ed blogs on certification topics for Tom’s IT Pro, and on Windows desktop OS topics for TechTarget. Check out his website at