
CompTIA Security+: Prerequisites, objectives, and cost

Learn how CompTIA Security+ certification will impact your job and salary and how to decide if this cert is right for you.


CompTIA Security+ is a security certification offered by the Computing Technology Industry Association (CompTIA), a U.S.-based trade and industry nonprofit. Security+ is one of a suite of certifications that CompTIA offers across multiple IT disciplines; it's focused on entry-level security professionals and is one of the most popular.

Like any well-regarded certification, CompTIA Security+ can help boost your career and your earning power. We'll dig into the details of this cert's potential impact for you later in this article; first, let's look at who should aim for this certification and get some practical information on the CompTIA Security+ exam, the test that anyone seeking this cert needs to pass.

Is CompTIA Security+ for beginners?

In a word, yes: CompTIA Security+ is meant for people relatively new to the field who plan to pursue a career in cybersecurity.

CompTIA describes the Security+ certification as "the first security certification a candidate should earn. It establishes the core knowledge required of any cybersecurity role and provides a springboard to intermediate-level cybersecurity jobs." The specific big-picture skills candidates need to be certified are the ability to:

  • Assess the security posture of an enterprise environment and recommend and implement appropriate security solutions
  • Monitor and secure hybrid environments, including cloud, mobile, and IoT
  • Operate with an awareness of applicable laws and policies, including principles of governance, risk, and compliance
  • Identify, analyze, and respond to security events and incidents

CompTIA Security+ prerequisites

Unlike certifications such as the CISSP, which require several years of industry work experience, the only formal requirement for Security+ is that you pass the exam.

That said, the exam is not something you can go into blind: CompTIA recommends it for people who already have at least two years of industry experience. Even with that background, you will probably be better versed in some areas the exam covers than in others. So, while there are no formal prerequisites for taking the exam, plan to prepare and study before you sit it.

How long is the CompTIA Security+ exam?

The Security+ exam is, in CompTIA's words, no more than 90 questions long, and you'll answer them on a computer.

There are three types of questions on the exam: multiple-choice questions, some of which have more than one correct response; drag-and-drop questions, in which you drag labels onto the correct components of a diagram; and performance-based questions, in which you solve a problem in a simulated environment. CompTIA publishes a non-interactive sample of a drag-and-drop question and an interactive sample of a performance-based question. (Both samples are actually from one of CompTIA's networking cert exams, but they give you a sense of what the format is like.)

You have a maximum of 90 minutes to complete the exam. That clock does not include checking in at the test center, so make sure you arrive well before your scheduled appointment. CompTIA says that most of the multiple-choice questions, which take less time to answer than the other types, come toward the end of the test, so budget your time with that in mind.

CompTIA Security+ exam cost and location

Taking the CompTIA Security+ exam costs $370 in the United States and is priced comparably in other countries; CompTIA publishes a table of prices by country. For residents of lower-income "emerging market" countries, a reduced rate of US$207 is available.

The test is administered by Pearson VUE. You can take it at one of Pearson VUE's test centers worldwide, or online from your home computer; in the latter case a proctor monitors you via your webcam to ensure that you're not cheating.

CompTIA Security+ objectives

In CompTIA lingo, objectives are things that someone seeking certification should be able to do—tasks they should be able to perform, or knowledge they should be able to demonstrate. For CompTIA Security+, objectives include things like "Compare and contrast different types of social engineering techniques" and "Given a scenario, implement host or application security solutions." Exam questions are tailored to make you prove you can meet one or more of these objectives.

CompTIA groups certification objectives into topic areas called domains. For the CompTIA Security+ 601 exam (SY0-601), these are the domains, along with the weight each carries on the exam:

  1. Attacks, Threats, and Vulnerabilities: 24%
  2. Architecture and Design: 21%
  3. Implementation: 25%
  4. Operations and Incident Response: 16%
  5. Governance, Risk, and Compliance: 14%

Each objective is slotted under one of those domains (e.g., "Compare and contrast different types of social engineering techniques" is in the "Attacks, Threats, and Vulnerabilities" domain.)

CompTIA makes a comprehensive list of all the objectives and their corresponding domains for the Security+ 601 exam public for anyone who's interested. This document includes a list of example elements that might factor into each objective. For instance, for "Given a scenario, analyze potential indicators to determine the type of attack," it lists malware, password attacks, physical attacks, adversarial AI, supply-chain attacks, cloud-based vs. on-premises attacks, and cryptographic attacks, but it also notes that "these content examples are meant to clarify the test objectives and should not be construed as a comprehensive listing of all the content of this examination."

CompTIA Security+ jobs and salary

CompTIA Security+ is, as mentioned, aimed at security pros in the early stages of their careers. CompTIA lists a number of specific job titles whose duties are covered by the domains tested on the Security+ exam (salary figures below are Glassdoor's national averages):

  • Systems administrator: $75,000
  • Security administrator: $86,000
  • Security specialist: $64,000
  • Security engineer: $110,000
  • Network administrator: $69,000
  • Junior IT auditor/penetration tester: $84,000
  • Security consultant: $121,000

Of course, keep in mind that a CompTIA Security+ certification alone isn't enough to land one of these jobs, and plenty of people who hold those titles aren't Security+ certified. And since CompTIA Security+ is meant for people at the start of their security careers, certified candidates' salaries may sit toward the lower end of the range for each role.

Is CompTIA Security+ worth it?

The truth is that no certification guarantees a particular job or a particular salary. It would be great if we could point to a guaranteed bump in income that comes with a cert, but that's simply not possible. The question is usually approached the way the Newtrix blog breaks it down: look at the typical salaries earned in the job titles the certification qualifies you for (ranging from $55,000 to $148,000 for Security+), and note that, in many surveys, hiring managers for these jobs say certifications are among the things they look for in a candidate. That isn't an absolute rule guaranteeing that if you invest the time and money in a CompTIA Security+ certification you'll earn a salary in that band, but there is a strong correlation, particularly if you're trying to stand out on a list of potential hires.

One specific employer for whom a Security+ certification is very helpful is the U.S. Department of Defense. DoD Directive 8570 lists the certifications accepted for certain roles within the department, and Security+ is on the list.

CompTIA Security+ study guides and training

CompTIA offers a number of training courses and study guides, many available in "bundles" with the test itself for less money than buying each individual component separately.

If you're interested in third-party training and study resources, Career Karma has a good roundup. In particular, they point to training courses from PluralSight, Learning Tree, and Knowledge Hut as highly rated and well-respected. When it comes to study guides, two of the best are the CompTIA Security+ All-in-One Exam Guide, and Sybex's CompTIA Security+ Certification Kit. 

CompTIA Security+ practice test

If you want to buckle down and run through some practice tests yourself, you can get some direct from CompTIA itself, as well as a set offered through Udemy.

Please note, though, that while these tests are meant to show you what the real exam is like, you won't see questions taken verbatim from real tests. Without too much Googling, you'll probably stumble on what are labeled "brain dumps": crowdsourced documents in which people who have just taken the exam list as many questions as they can remember. CompTIA considers using these to be cheating, and it also points out that memorizing rote answers defeats the purpose of certification: you should be expanding your skill set so that you know the answers and can perform on the job, rather than memorizing which response goes with which prompt.

Renewing your CompTIA Security+ certification

The Security+ exam is refreshed every three years, and your certification is on the same cycle: it expires three years after you earn it. You can recertify by completing continuing education activities, earning a higher-level certification, or passing a recertification exam. CompTIA has more details.

Copyright © 2021 IDG Communications, Inc.
