Is CompTIA's InfoSec Push a Positive for IT?

Information security is an industry mouthful that refers to all of the below:

? A thriving IT job category
? A professional discipline that combines tech savvy with an advanced understanding of human behavior
? An ongoing concern that currently dominates every conversation about computing and information systems

It's no wonder that InfoSec-related vendors and industry organizations have seen a generous uptick of interest in their training and certification programs in recent years.

CompTIA has been particularly active in this area, having created Security+ and its Advanced Security Practitioner (CASP) certifications. Now CompTIA has released a new InfoSec certification, and has another one in the works.

The Social Media Security Professional (SMSP) credential is actually a joint effort between CompTIA and the Ultimate Knowledge Institute (UKI), an IT training company based in California. UKI offers certification training for numerous IT vendor and industry association programs, including certifications from Microsoft, Cisco, EC Council, ISACA, and Red Hat.

UKI is currently developing two other social media security certifications to exist alongside the SMSP. These two new certifications are the Social Media Engineering & Forensics Professional (SMEFP), and Social Media Management & Governance Professional (SMMGP) credentials. For now, it appears that the SMSP is the only certification that UKI and CompTIA will be partnered on.

The SMSP certification is clearly aimed at corporations and governments who have had to embrace the use of social media sites and apps in order to stay relevant to modern clients and customers. When Facebook and Twitter hacks occur, while they are often more embarrassing than compromising, they receive the same level of media coverage as far more severe cybercrimes. This level of scrutiny has made social media security a priority for corporations, celebrities, and all levels of government.

That said, is having an IT industry credential based entirely on social media security actually necessary? The subject is certainly worthy of coverage in a larger information security training program, for example. Aside from the unique audience interactions and use incidents specific to social media sites and apps, however, the case could be made that social media security should be encompassed by any worthwhile InfoSec certification program.

To earn the SMSP certification, candidates can take Ultimate Knowledge Institute's official SMSP training course and then pass the related exam. Or an individual can challenge the exam without the official training, provided he or she can show proof of at least one year of professional experience.

It will take time to see if the CompTIA/UKI partnership on the SMSP credential will gain traction in the increasingly crowded InfoSec certification marketplace.

CompTIA isn't just sitting around and waiting for that news to come in, however — the group already has another security-related certification under development: the Cybersecurity Analyst+ credential. The beta exam period for this certification began on June 30, and the launch of the official exam is expected to hit during the first quarter of 2017.

As with the Security+ and CASP exams, candidates attempting the Cybersecurity Analyst+ exam must be prepared to perform hands-on simulations which CompTIA refers to as "performance-based" questions. The analysis of the Cybersecurity Analyst+ beta exam results will be used to refine the final exam objectives and question pool for the production version of the exam.

Leaving aside the SMSP, the launch of Cybersecurity Analyst+ will give CompTIA three dedicated InfoSec certifications. A fair question for candidates to ask is: what differentiates these three certifications from each other?

CompTIA offers something of an answer on the Cybersecurity Analyst+ certification web page, where the three certifications are placed in the following path based on the recommended number of years of professional InfoSec experience:

Security+ (2 years) > Cybersecurity Analyst+ (2-3 years) > CASP (5-10 years)

This summary of CompTIA's perceived difficulty level for these three InfoSec credentials does give candidates a partial baseline for selecting the certification most relevant to them. Is this really enough, however, to make an educated choice?

Looking at the top-level exam objective categories for each certification offers a more helpful comparison:

Viewing the three certifications in this manner provides a better understanding of the differences between them. For example, while Security+ requires knowledge of security threats and vulnerabilities, Cybersecurity Analyst+ advances up to threat and vulnerability management.

Given the high priority of security in today's enterprise, it makes sense that CompTIA would want to offer a number of different InfoSec certifications that fill in the gaps it sees in the IT industry.

There are two problems, however, with this type of diversification. First, CompTIA runs the risk of cannibalizing its own program, especially if it continues to introduce more granular InfoSec certifications. As it stands, candidates with less than five years of work experience will have to decide whether Security+ or Cybersecurity Analyst+ will best serve them — it's unlikely they will choose to earn both credentials.

Second, CompTIA is going to have to work on educating employers and the rest of the industry on the differences between its present and future InfoSec credentials. Security+ already has a well established reputation in the industry; CASP slightly less so, as it is still relatively new. Cybersecurity Analyst+ will not make its official debut until early next year, which gives CompTIA some time in which to bolster its new credential.

Certifications act as a form of merit badge, demonstrating ability in a given discipline. But, in order for a credential to have a positive impact on an IT pro's career, it must be recognized and valued by employers and managers in the industry.

This is something CompTIA will want to consider if it continues to expand its InfoSec certification program. To this point, they have maintained simple and distinct identities for their industry credentials: Network+, Server+, Security+ and so forth. These designations are easy for employers to understand and classify accordingly.

Likewise, CompTIA should be cautious about creating new certifications which are based on subsets of its existing certifications. The Social Media Security Professional credential definitely addresses a valid industry issue, but the question remains whether social media security is so far removed from the greater InfoSec body of knowledge, that it requires its own credential.

CompTIA's overall goal of providing vendor-neutral training and certifications that cover the industry's most relevant disciplines is laudable, and provides great value to employers and IT professionals. As long as this goal is used to guide the introduction of new certifications, CompTIA will remain a trusted source of IT credentials for years to come.