Sign up for free at http://convocourses.com for deeper dives.
Many more videos on https://www.youtube.com/convocourses
short videos at https://www.tiktok.com/@convocourses?lang=en
Podcast version of the content:
The Comptia Security+ IT certification is a very good certification for IT professionals getting into IT security and for IT security professional that have been doing cyber security for a while. If you already have a high-level security certification (i.e. CISSP, CISM,CISA,CASP) I would say the Security+ is not necessary, because those certs already cover everything in the Security+ and more. But if you don’t have any general security certs then you should definitely get it.
What are the benefits:
It is a well known certification that lets employers know that you are more than familiar with security best practice.
Having the Security+ alone is enough to get a job or a raise in some situations.
If you are unfamiliar with all the security best practices it is a great start in getting to know an important body of knowledge.
It is 8570/8140 compliant.
For more information on the Security+: https://certification.comptia.org/certifications/security
|Launch Date||May 1, 2014|
|Exam Description||CompTIA Security+ certification covers network security, compliance and operation security, threats and vulnerabilities as well as application, data and host security. Also included are access control, identity management, and cryptography.|
|Number of Questions||Maximum of 90 questions|
|Type of Questions||Multiple choice and performance-based|
|Length of Test||90 Minutes|
|Passing Score||750 (on a scale of 100-900)|
|Recommended Experience||CompTIA Network+ and two years of experience in IT administration with a security focus|
|Languages||English, Japanese and Portuguese|
|Retirement||TBD – Usually three years after launch.|
|Price||$311.00 USD (See all pricing)|
I will give a quick, down and dirty look at these certification from the perspective of someone in the industry. This is my personal opinion based on my experience. I have the CISSP and CAP. I know many doing IT/security/Risk Management work with one or more of the listed certifications and have direct experience hiring and teaching for organization looking for risk management professionals.
What is the TOP risk management certification?
The choice of “best” or “top” risk management certification depends on the industry.
Financial industries are very much into the CISA. The ISACA CISA and CISM are certs that came from the financial industry. I was surprised to learn that a friend of mine who worked for Ernst & Young as a corporate tax/finance auditor was working on taking the CISA. When I asked him why, he said that other accountants/financial auditors take that test. Banks and other financial organizations look highly upon the CISA and CISM.
US Federal organizations heavily favor the CISSP for risk management work. Within the government, its the gold standard for risk management and Information Security jobs. So much so that they think that someone with a CISSP can do ANY security job. It’s very broad in content so its a misconception that a CISSP can perform any security or risk management job. Its best if the CISSP is accompanied by actual experience with a given subject matter and/or a specific certification that might give indication of knowledge on a subject matter that is not so general. All of that said, the CISSP is a GREAT certification if you want to get paid well.
The ISC2 CAP, is a great certification for risk management. It is the most relevant for risk management. The CAP focuses on the NIST risk management framework. It breaks the entire process down. CISSP is really all over the place covering way too many security points. By contrast, the CISA is all about auditing systems. The CISM is all about Information Management. The CAP is a solid certification that goes 6 feet deep into pure risk management. If you are serious about learning risk management for IT, then the ISC2 CAP is for you.
The ISSEP is a step up from the CISSP and the CAP. Its like a SUPER CAP. Its an actual concentration of the CISSP. I noticed that high level risk management positions in the US federal space sometimes ask for it. It is definitely and Alpha Predator of risk management certifications. You cannot go higher than this for RMF outside of getting a Masters or PHD in Information Assurance/Information Security or the like.
The problem that I see with the ISSEP (CISSP concentration) is that its a LOT of work for very little extra marketability. I mean, with an ISSEP you are a 1% in the RMF space but only .01% of the jobs in RMF/C&A category actually require an ISSEP. What I mean to say is that not many people are looking for the ISSEP. Its a hard certification because you must first achieve the CISSP. The ISSEP material is hard, boring and very comprehensive.
Over all the CAP, CISSP and CISA/CISM are the best certifications for a professional in doing Risk Management Framework for IT.