Security is obviously a primary concern for all administrators, but many question the need for a new security certification. Responses to our recent article on the subject of CompTIA’s new Security+ certification were decidedly mixed. A number of readers readily embraced the certification, acknowledging it as a welcome new accreditation, while others said that it's yet another unnecessary addition to the already burdensome jumble of certification alphabet soup.
Although the industry is witnessing a growing need for security expertise, many argue that the necessary certifications already exist and that CompTIA’s addition will offer little more than another scrap in a long paper trail unless it includes some testing of practical skills.
A number of members said that the biggest challenge CompTIA will face with this certification is in making it relevant and valuable to IT professionals. Enterprise architect Jim Huggy, for example, believes that the exam should be structured like the Cisco Certified Internetworking Expert (CCIE).
“Make part of the test a practical exam,” Huggy wrote. “If they make the test hard with practical skills—bang—[it provides] value to the market.”
Huggy is concerned that if the certification is like many others, it won’t test for the skills that are really needed and will be just a meaningless piece of paper.
Another member agreed that testing of practical skill was necessary. "There’s tons of theory, but until you work with the stuff, you don’t have a clue.”
The value of certification
While most members agreed that experience is important—perhaps more important than certifications—others acknowledged that certifications have their place and that the Security+ would fill a particular need. Ideally, certification in network security should demonstrate that an IT professional has knowledge of security issues and concepts, as well as an understanding of general networking concepts and principles.
System administrator Angelique Armstrong pointed to the value of certification when you hire staff members. Since new employees who hold certifications should at least have a grasp of the fundamentals, "you don’t have to go all the way to square one in training them to do their job.”
Another member suggested that the Security+ cert would help provide some focus on what’s important, as admins sift through all the security concepts and offerings.
“I find the security area so broad that the biggest problem I’ve had is deciding what to read,” the member wrote.
The Security+ cert might also help by providing a midrange certification below the GIAC. “Hopefully,” wrote one member, “this will be a midlevel cert that has a practical use in the job force.”
In filling these various needs, the Security+ has the potential to be a valuable tool for validating the security skills of networking professionals. Still many question whether such a tool is really needed.
Do we really need another certification?
Among those who are critical of CompTIA’s new offering is Rcartright of Innovative Care, who questioned whether this certification is necessary.
“CompTIA keeps churning the certs out, don’t they?” Rcartright wrote. “Does any company…require this certification? Or is this just another way to get me to fork over my $199 for testing?”
This statement reflects the biggest concern about not only this certification in particular, but all certifications: Is it necessary and relevant?
Another member said, “A Security+ cert just seems like one more in the never-ending list of certs that we as professionals have to have.”
The driving question is, What will CompTIA do to distinguish the Security+ to make it a useful means of measuring security knowledge?
Network security analyst Kate Wakefield, of Costco Wholesale, pointed out that the field already has an internationally recognized vendor-neutral security certification in the Certified Information Systems Security Professional (CISSP).
“This certification is held by 8,600 individuals worldwide and is rapidly gaining ground as a way to test comprehensive knowledge of information security.”
Wakefield makes a good point: Why do we need the Security+ if a vendor-neutral security certification already exists—one that is widely recognized? Unless it offers something to differentiate it from other certifications, CompTIA’s cert may add even more confusion to the already puzzling certification mix.
As one member pointed out, however, the Security+ may serve as a midlevel security certification that can be a stepping-stone to advanced certifications such as GIAC and CISSP. This could also prove valuable to network administrators who want to augment their strong networking expertise with a security certification but who have no desire to specialize in security or pursue the GIAC or CISSP certs.
Keys to delivering value
While members disagree about the need for another network certification, some see potential value in CompTIA’s Security+. It’s up to CompTIA to make the certification valuable to professionals in the field, but members suggested that the certification can fill key needs by serving as:
- A midlevel security certification.
- A vendor-neutral security certification.
- A certification based on practical skills and knowledge and not just theory.
- A certification that narrows the wide range of security topics to those most applicable for admins.
If CompTIA can fill these needs with the Security+, it seems likely that many IT pros will welcome this certification.