What is Security+?

Security+ is widely treated as a fundamental step in a current or future I.T. career. That is generally true, and I am going to explain why, as well as what exactly Security+ is. The Security+ exam is a proctored exam, taken either online (at home) or in person, covering concepts relevant to I.T. security and systems. The current price of the exam is $404, and within a year of purchase the exam can be rescheduled as many times as needed.

The actual test consists of performance-based (interactive), multiple-choice, and multiple-select questions. You will get a maximum of 90 questions over 90 minutes. The test and the credential are maintained by CompTIA. The current exam number and topics are publicly available (the actual questions are not). The test covers a wide variety of topics, but everything that can be covered is outlined in the exam objectives document (see below):

 

When you take and pass this test, the certification is considered "Active" for 3 years and satisfies certain DoD IAT baseline requirements. You have those 3 years to complete one of the following to reset the 3-year timer:

  • earn enough continuing education units (CEUs) under CompTIA's continuing education program
  • pass the current version of the Security+ exam again
  • pass a higher-level CompTIA certification (Linux+, Cloud+, CySA+, PenTest+, CASP+); here is a useful diagram showing certification relevancy
  • pay the annual continuing education fee ($), which is required in addition to (not instead of) one of the activities above
If you don't complete one of these activities within the 3-year window, the certification lapses and you HAVE to pass the Security+ exam again to become officially Security+ certified and have that certification considered "active" again.

Now, let's cover what is actually tested in the exam. There are 5 domains, and each domain has a weight that determines how much it contributes to your final score. Below I listed all the domains, their weights, and the objectives each one covers (from the current SY0-701 objectives document). The passing score for the exam is 750 on a scaled score that runs from 100 to 900, so it is not a raw percentage of correct answers.

1.0 General Security Concepts (12%)
  • Compare and contrast various types of security controls.
  • Summarize fundamental security concepts.
  • Explain the importance of change management processes and the impact to security.
  • Explain the importance of using appropriate cryptographic solutions.
2.0 Threats, Vulnerabilities, and Mitigations (22%)
  • Compare and contrast common threat actors and motivations.
  • Explain common threat vectors and attack surfaces.
  • Explain various types of vulnerabilities.
  • Given a scenario, analyze indicators of malicious activity.
  • Explain the purpose of mitigation techniques used to secure the enterprise.
3.0 Security Architecture (18%)
  • Compare and contrast security implications of different architecture models.
  • Given a scenario, apply security principles to secure enterprise infrastructure.
  • Compare and contrast concepts and strategies to protect data.
  • Explain the importance of resilience and recovery in security architecture.
4.0 Security Operations (28%)
  • Given a scenario, apply common security techniques to computing resources.
  • Explain the security implications of proper hardware, software, and data asset management.
  • Explain various activities associated with vulnerability management.
  • Explain security alerting and monitoring concepts and tools.
  • Given a scenario, modify enterprise capabilities to enhance security.
  • Given a scenario, implement and maintain identity and access management.
  • Explain the importance of automation and orchestration related to secure operations.
  • Explain appropriate incident response activities.
  • Given a scenario, use data sources to support an investigation.
5.0 Security Program Management and Oversight (20%)
  • Summarize elements of effective security governance.
  • Explain elements of the risk management process.
  • Explain the processes associated with third-party risk assessment and management.
  • Summarize elements of effective security compliance.
  • Explain types and purposes of audits and assessments.
  • Given a scenario, implement security awareness practices.

Compensation

Now, let's cover the WHY: why would you want to take all this time to learn this material, pay all that money to pass the test, and do ongoing work and studying to keep the certification active? According to this article from ZipRecruiter (July 2024), the average salary of a person who is Security+ certified is ~$71,000 annually. Take that number with a grain of salt, because an average is not a guarantee. That value doesn't account for other certifications, experience, schooling, portfolio projects, or any other factor that directly affects compensation. This is not meant to deter you, but to inform you that getting this certification doesn't immediately make you worth $71,000 a year to a company.

Another thing to note is that the range is very wide and there are many different sources for this information. Reported salaries for Security+ holders range from roughly $50,000 to $120,000.

 

Opportunities

A very similar disclaimer applies here: getting this certification does not on its own guarantee you employment at X dollars. It does, however, give you a tangible milestone showing that you have taken the initiative to learn the formal fundamentals and the industry-standard technologies and concepts.

That being said, the number of jobs you can get with a Security+ certification, some side projects, and good soft skills is pretty impressive. Here's a list from CompTIA of "Jobs You Can Land With CompTIA Security+":

  • Cloud Penetration Tester
  • Penetration Tester
  • Web App Penetration tester
  • Network Security Analyst
  • Security Architect 

Now, that is a pretty ambitious list. It does come directly from the vendor of the certification, so it makes sense that they would put big titles forward as possibilities. I prefer a more realistic view of the job opportunities available to people with this certification, so I went to LinkedIn Jobs and searched just the word "cybersecurity"; there were just short of 60,000 results. On the front page I was seeing jobs like:

  • Network Security Engineer
  • Cloud Security Engineer
  • Cyber Security Engineer
  • Systems Administrator

There is also a newer publication from the Department of Defense, DoD Manual 8140.03 (part of the DoD 8140 series); here is a link to some info on it. It supersedes the older DoD 8570.01-M. These documents set standards and requirements for government and government-adjacent information technology positions (including civilian contractors), so that there is a baseline level of competency and understanding. Here is a link from CompTIA showing job roles relevant to this directive and the certifications that satisfy them.

Learning Materials

Because of the large number of opportunities tied to this certification, many people seek it, even if only to check a box for compliance. That in turn means there are a lot of people trying to provide learning material. I have a few go-to resources I point people to. I am not sponsored by or affiliated with any of them; these are purely my preferences and what I consider my go-to resources.

  • Professor Messer: he provides a full curriculum of exam prep and also hosts monthly live calls.
  • YouTube: I only go here for specific concepts I want clarification on. For example, I wouldn't search "Security+ training course free" on YouTube, but I would search "TACACS explained" or "what is a buffer overflow attack".
  • Udemy: there are a bunch of good courses on here, but I used Mike Meyers when I first got my certification, and I liked his training a lot.
  • Books: a little old-fashioned, I know, but I did read through the McGraw Hill published book; here it is on Amazon.

At the End of the Day.

Your career, progress, and route through the world of Information Technology are up to you and totally on your terms. It's good to be critical of what you are learning or trying to accomplish. If you try to do everything, you end up not being very skilled at anything; if you focus on only one topic, you end up siloed and legacy if or when technology changes to no longer need your specific thing. The point is, getting certifications is never a bad thing in itself, but if you have all these certifications and can't change the display settings on your desktop, then you have a problem. Stay well rounded, get certifications that apply to you and prove you know what you're talking about, or learn some new things that don't apply to you now but will help you change course toward the career or positions you want. Either way, invest in yourself and keep learning.