CompTIA's Security Cert Ladder and the 'Future' of Cybersecurity

I'm not 100 percent behind the premise that "The Future of Cybersecurity is Here," but I do agree that CompTIA makes a pretty good case for a reasonably comprehensive cybersecurity certification ladder in the infographic I snipped to accompany this blog post:


CompTIA has a vision of the future of cybersecurity certification.

Source: CompTIA Image Library


I was at the Logical Operations conference in Baltimore last week (LO-CON17), where I appeared as an invited speaker on the subject of DoD 8570-recognized certifications. CompTIA was there, too, and I had a chance to chat with their representative, who reminded me about the Sept. 27 IT Career News blog post that featured this handy-dandy certification ladder.


And while we're on the subject of the DoD Approved 8570 Baseline Certifications, it's worth observing in this context that all of the items in the CompTIA ladder shown in the infographic, except for IT Fundamentals, appear in one or more of the cells in the table that recites all the approved certs by job role or designation.


Of the six certifications in the ladder, three have relatively little security focus and coverage — namely, IT Fundamentals, A+, and Network+.


That said, the level and amount of security coverage in each of those three increases step-wise, though it does not exceed 20 percent (18 percent, actually) even on the Network+ exam objectives. That changes dramatically for the next three rungs on this ladder, because Security+, CSA+, and CASP are all 100 percent focused on security topics, tools, and technologies, as well as the skills and knowledge that they demand.


Increasingly, CompTIA exams are heading toward performance-based testing, too, with even A+ and Network+ now including some performance-based questions, and the top three rungs of this cybersecurity ladder including substantial performance-based testing elements and coverage.


I see that as a very good thing, because cybersecurity professionals and the organizations that employ them are unanimous in agreeing that what certified cyber security professionals can DO with their skills and knowledge is the most important outcome from obtaining certification in the first place.

This month (October 2017), CompTIA has updated its Security+ exam to version SY0-501. This latest iteration of the exam includes performance-based questions that, in the words of the afore-cited blog post, "emphasizes the hands-on practical skills used by junior IT auditor/penetration testers, systems administrators, network administrators and security administrators."


The idea is to make sure that those who take and pass Security+ can handle basic job tasks and activities associated with those various kinds of IT positions, all of which include some security responsibilities (if not being exclusively security-focused). CSA+ ups the ante with coverage of "tools such as packet sniffers, intrusion detection systems (IDS) and security information and event management (SIEM) systems."


CompTIA claims with some degree of assurance that the job role of security analyst, which the CSA+ targets directly, is gaining importance and increasing presence among companies and organizations of all sizes and scopes. The ladder culminates with the CASP, which aims at cybersecurity professionals with 5 to 10 years of relevant, on-the-job experience.


The practitioner focus speaks to its primary target audience: "(T)hose who wish to remain immersed in hands-on enterprise security, incident response and architecture ... as opposed to management of cybersecurity policy and frameworks."


That last little snippet about policy and frameworks is why I don't fully buy into the notion that this ladder means "the future of cybersecurity is here." There is still plenty of room for those who address cybersecurity policy and frameworks — such as the CISSP and CISM, to name just two important and popular cybersecurity certs that fill this niche.


Then there's the intersection with risk assessment and management, and of corporate or organizational governance, ably addressed by certifications like the CRISC and CGEIT, among others.


I guess if CompTIA had been less partisan, and positioned their ladder as "A Future for CyberSecurity" rather than "THE Future of" it, then I might have endorsed it without reservation. Having now made that distinction, I think what they have to offer is pretty significant, both in terms of coverage and value.


About the Author

Ed Tittel is a 30-plus-year computer industry veteran who's worked as a software developer, technical marketer, consultant, author, and researcher. Author of many books and articles, Ed also writes on certification topics for Tech Target, ComputerWorld and Win10.Guru. Check out his website at, where he also blogs daily on Windows 10 and 11 topics.