CompTIA Security+ SY0-601 update: Everything you need to know
CompTIA’s Security+, the most popular cybersecurity certification in the world, is getting an overhaul for 2021! The updated exam (from SY0-501 to SY0-601) re-aligns the certification to match the most in-demand entry-level cybersecurity skills and trends of 2021.
On today’s episode, you’ll get insights into the changes directly from the source, Patrick Lane, Director of Products at CompTIA, as he explains how Security+ is evolving to remain the “go-to” certification for anyone trying to break into cybersecurity.
– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast
- 0:00 - Intro
- 4:10 - What is the CompTIA Security+ certification?
- 5:05 - Security+ baseline technical skills
- 16:00 - Security+ helps solve an industry problem
- 21:35 - Security+ job roles
- 31:45 - Job role skills and exam release
- 37:35 - CompTIA Cybersecurity Career Pathway
- 47:27 - SY0-601 vs SY0-501: 6 big changes
- 52:10 - Security+ exam details
- 56:48 - Live Q&A
- 1:02:13 - Outro
[00:00:00] CS: Welcome to another episode of the Cyber Work with Infosec podcast. On the show we discuss cybersecurity trends and the way those trends affect the work of infosec professionals. Today's podcast episode is a webinar we hosted that was entitled CompTIA Security+: Everything you need to know about the 601 Update, and features Patrick Lane, director of products at CompTIA. Join us today to learn how the Security+ certification is evolving so that it remains the go-to certification for anyone trying to break into cybersecurity. You'll learn about evolving Security+ domain areas and job skills, common job roles for Security+ holders, 501 and 601 exam timelines, tips to pass the updated Security+ exam, plus we take Security+ questions from live viewers at the webinar.
After this episode has been finished, I hope you're also considering checking out Cyber Work Applied, a new series of hands-on training modules. Expert infosec instructors can help you learn new cybersecurity skills and show you how those skills apply to real-world scenarios. You can find Cyber Work Applied at infosecinstitute.com/learn.
And now let's head over to Patrick and moderator Camille Raymond for today's presentation, CompTIA Security+: Everything you need to know about the 601 update.
[00:01:20] CR: Hello, everybody, and thank you for joining us on today's webinar, CompTIA Security+: Everything you need to know about the 601 update. My name is Camille Raymond and I'll be moderating today's webinar. I'll go ahead and introduce Patrick in just a few moments, but first would like to explain a few tips to make this a more interactive and engaging experience for everyone today. So as listeners, you are all on listen only mode. This does mean that you're muted, but you're more than welcome to ask questions at any time by typing them in using the control panel's question feature. We'll save some time at the end to have Patrick answer the questions. Lastly, I'm excited to share that after the Q&A at the end of the webinar we will be picking a winner for our free one-year subscription to Infosec Skills. And also I wanted to share that everyone who is watching today can get seven days of free training by signing up for Infosec Skills, and I'll share more details about that a little bit later.
So with that, we are excited to have Patrick Lane today. Patrick is the director of products at CompTIA. And we've done a few webinars with him in the past. He always does a great job providing us updates on CompTIA's certifications. So excited to have you back, Patrick. A little bit about his background. He directs the IT workforce skills certifications for CompTIA including Security+, PenTest+, CySA+ and CASP+. He assisted the U.S. National Cybersecurity Alliance, also known as the NCSA, to create the Lockdown Your Login Campaign to promote multi-factor authentication nationwide. He's also implemented a wide variety of IT projects including an Internet and help desk for 11,000 end users. Patrick is an Armed Forces Communications and Electronics Association lifetime member. Born and raised on U.S. Military bases and has authored and co-authored multiple books including Hack Proofing Linux: A Guide to Open Source Security.
So a fantastic guest with us today. I'm excited to pass it off to Patrick here in just a moment after we review the agenda. So today we will touch on what is Security+. Patrick will talk about kind of the baseline cybersecurity skills, the job roles and growth indicators. We'll talk about the differences between SY0-601 versus the 501 and kind of some of the updates there. We'll talk about the exam details. And then as mentioned, I will pass it off to Patrick for questions. So feel free to submit those questions using the Q&A panel at any time.
So with that, I'm going to go ahead and give the control over to Patrick here to get us started.
[00:04:08] PL: Thank you everyone. My name is Patrick Lane. Thank you for introducing me. I'm the product manager for CompTIA Cybersecurity Certifications. As a director, I work a lot with the industry and within CompTIA to ensure that our exams are meeting the needs of the industry. Security+ is one of our largest certifications of all at CompTIA. In fact, it's our number one certification. And so one of the reasons why people are coming to Security+ is because of the skills that it offers and the fact that employers are hiring people who have Security+. So Security+ will help you get a job in IT and cybersecurity.
So when we look at the certification, we have to remember that Security+ is an entry-level certification exam. It was released in 2002 and it's updated every three years. It assesses the baseline or core technical skills required to secure networks, software, hardware devices. Essentially, it teaches you the basics to securing anything that's attached to a network or the Internet. It's a broad range of cyber security skills as you can imagine. And these skills are used for high-performance on the job. So people are coming to take Security+ because it proves that they can do the job and employers will know that they can get the job done. So the IT certification in general is very valuable.
Also, Security+ appears in nearly 10% of all job ads in the United States. And right now 16% of the entire workforce has Security+, and we have millions of people who have taken our CompTIA exams around the globe. In the last three years there have been a lot of changes in cybersecurity as you're probably all aware of. The industry continues to grow. There continue to be more jobs available. There continue to be not enough people to fill those jobs. And in fact, in some cases, employers are looking to IT certifications. Employers are looking to IT certifications in lieu of a college degree for jobs that are hard to hire for. They would rather hire someone with a bachelor degree and a cert if they could. But in this day and age, we're in a phenomenal time of human history. You can actually get a job with an IT certification and show that you have the knowledge, skills and ability to do that job role. And then you can come in to the job and then gain experience. That's why this is an entry-level certification. You need experience when you're out there in the field. We'll be talking about that later when we talk about the cybersecurity career pathway. We'll talk about where Security+ fits in that, because believe it or not, this is around the two-year level. So typically, someone taking Security+ would be a security administrator or a systems administrator. However, there's a lot more job roles coming to Security+ because they need baseline cybersecurity skills, and we'll talk about that later too when I talk about all the job titles that are advertising Security+ in job ads.
So four big changes that occurred in the last three years since the last time we updated Security+. We found out there's more threats attacks and vulnerabilities. In fact, there's 68% more of them according to the surveys we've observed. And so all of the industry, as we have begun work on Security+, have come to tell us there are simply more of them and we need to protect ourselves from them. So we need to educate our workforce on these ever-changing attacks. Also, we're finding there's been a huge migration to the cloud in the last three years and our workforce doesn't necessarily know how to work in the cloud.
And so Security+ has to cover both on-premises and on cloud solutions, because according to our survey of all of the Security+ graduates out in the world, believe it or not, 87% of them are working in hybrid environments. That means 87% of all Security+ graduates are working either on-premises, which would be our traditional server room that we've worked in for decades, but then also the cloud. And so as you're performing your security administration, systems administration tasks, you're working pretty much in a hybrid environment all the time, and the hybrid is ones on-premises and on ground. On-premises, I should say, and in the cloud. Some people say on cloud as well. And so just know that, that you're always going to be able to work in both environments. And it's different when you work in both environments. Probably 70% is the same, but 30% of it is very, very different.
Next, there's an emphasis on entry-level incident response. In the past, entry level, or I should say incident response, was really left to analysts, people at the three to four year level of their career. You’d typically find security analysts, SoC analysts, those working in a – That are performing continuous security monitoring. You would expect them to be involved with incident response traditionally. However, incident response is becoming a team sport. Because there's more threats attacks and vulnerability, we're finding now we have to train incident response skills lower in the career ladder.
So incident response skills in the last three years have gone from just being something you might have found with security analysts, the three to four-year level, coming down to the two-year level. And so that means systems administrators, security administrators need to be knowledgeable about incidents so they can report them if they see them, because most organizations with over a thousand people will have some kind of IT ticketing system usually. Otherwise it would probably be through an MSP. But regardless, they need to understand, “Aha! I have seen anomalies that could indicate bad behavior. I need to report this.”
For example, it could be something as simple as looking at a Word file and seeing who the owner is. And if it's an owner that's not anybody in your company, then you could raise a flag. There are so many indicators of what could indicate bad behavior. It could be even just getting a phishing email, for example, and then reporting that. But we find people at help desks that are now discovering threats, because the help desk is often the first line of defense. Oftentimes, our breaches come in from customers. So if you're at a help desk, you may have a customer report something and you'd be able to say, “Oh, that may be some kind of an incident that I need to report.” And so these skills are coming down. And now at the Security+ level, this entry level cybersecurity cert, you're expected to be able to identify threats and be able to respond to them. And so just the basics of that, but this is a great change.
Next, governance risk and compliance, GRC. We have found that last year approximately 55% of our Security+ students were under some kind of governance risk and compliance. Those are some of the examples you see here, such as PCI DSS, and that's the payment card industry data security standard. You also have GDPR, which is a privacy standard in Europe. That means basically you have to store any data from European customers in Europe. Big change. There's also a lot more like that too. The California Privacy Act has come out, California Consumer Privacy Act that's similar. Any data of – So people in California has to remain in California. Maybe we'll see other states doing that too, but it's a great privacy measure, and we'll see who else decides to adopt it.
Also, with governance risk and compliance, we're finding that everyone has to be involved. And so we've no longer at a point where systems administrators and security administrators can ignore governance, can ignore risk, can ignore compliance, because 55% of them, of our base, was working with GRC last year. This year, initial reports, up to 70%. You see what that shows? Even with the rule of – With a range of errors with the data, we're still looking at probably a five to ten percent increase year over year in compliance with our Security+ students. And that's a large increase. Not entirely unexpected.
NIST also is jumping into the game. They have the NIST RMF. If any of you are familiar with the NIST 853 publication. It's a special publication and it's called the risk management framework. That lists all the controls, the security controls, that would be used for most regulations. And so the idea that a security administrator or a systems administrator would need to understand GRC, would be they need to understand the connection of how they are responsible for complying to security controls for any given regulation that their company is responsible for.
So if you are a security administrator, your company was under PCI DSS, it might be your responsibility to make sure that all the data at rest is encrypted. That would be part of your role. Also at Security+, maybe you're involved with continuous security monitoring, which is one of the largest security controls in all of RMF 853, continuous security monitoring. And so you need to be able to pick up and understand where there's anomalies and things that you would need to troubleshoot and just understand that it's an anomaly that would need to be reported. So that's just becoming more and more important. So I just wanted to make note of it, because GRC is not rocket science. But now as cybersecurity professionals, we have to embrace it. We can no longer hide from compliance. We now have to embrace it and understand it's our responsibility of cybersecurity professionals to ensure that we are paying an active part in making sure that security controls are implemented. So Security+ helps solve an industry problem.
CompTIA is a non-profit organization. We're a non-profit. We're doing this because we are trying to find problems in the industry and fix them. I just mentioned four problems that we're seeing in the industry, right? Lack of GRC, more incident response, just a few things, more threats. So that's what CompTIA does. And so Security+ is helping solve those problems that I just showed you, right? So we are – As these attacks increase that I told you, there's probably 68% more attacks this year than last year. A lot of people believe it's from COVID-19. But I can also tell you it's due to the bad actors just continuing to get smarter, continue to proliferate in numbers. So as these cyber security attacks increase, more job roles are tasked with bridging the gap between improving baseline security readiness and incident response to address today's threats.
I need to say something about security readiness and security posture. These are two – I suppose you could say there they're two trends, but they're really very, very important and they should be not trends, but they should be core to a business. Security readiness is really are you able to tell anyone how secure your business is on a scale from zero to ten? In other words, is there any kind of metric you can use? Well, there're a lot of things that are called maturity models that are coming out. And there's a very large one in the defense industry, and it's essentially the cybersecurity maturity model certification. It would require any defense contractor to be able to go to the Department of Defense and say, “We have a CMMC score of 10 out of 10,” just to put it very simply.
So if you were the army, you would say, “Oh! A 10 out of 10 according to the CMMC. Wow! That means you are ready for top secret information.” But if they come and the army is looking at a company who may provide services to them and their CMMC score is only a seven, well, then seven out of ten would indicate that they are not as cyber ready or their security posture is not as high as the other. And so that would allow decisions to be made. And there's even something I've heard that insurance company using a FICO score to actually determine the security readiness of a company. Expect to see more of this as we move forward.
So what it means is that all the companies out there have to be more secure if they want to continue to do business with the government. We expect this also to take place with corporate. And so we're seeing more and more of these metrics, and pretty much any regulation, whether it’d be PCI DSS, the NIST frameworks, SOC2. I mean, there are so many. Would you – You'd have to ask your company, “Are we using one of this and do we have a metric to determine overall what our company security posture is?” You probably don't. And you probably need it. So this is something that's very important. And I think as an industry, we're all going to be moving towards this. All workers, okay?
And so basically the updates to Security+ reflect the skills that are relevant to these job roles. And so we're trying to basically prepare the industry to handle those problems that we just talked about. So essentially let's just look at this case study, the problem, cyber security attacks have increased dramatically up to 68%, right? This is requiring more job roles both in cybersecurity and related roles to take responsibility for baseline readiness and incident response.
So as a solution, if employers can train and certify their workforce, or if you as an employee gets this certification, this exam would validate that you have the latest skills relevant to security job roles and related job roles and it would mean that you're prepared to be more proactive in preventing the next attack. So a benefit to organizations and why they would want to hire you if you have Security+ is because if they hire you it will help the organization have talent with the latest skills and competencies needed to improve that baseline cybersecurity readiness I was telling you about and incident response by applying today's current best practices for preventing and addressing these latest attacks, threats and vulnerabilities. So as an organization, this is the main mission of CompTIA, to find an industry problem and fix it.
Next slide. So let's look at the job roles covered in Security+ 601. More job roles are using Security+ than ever before. However, there's two main job roles that 40% of the audience is, and that is security administrator and systems administrators. Typically, 40% of the audience for Security+ are these administrator job roles. Administration is level three of Bloom's taxonomy. That means it's about implementation. It is about hands-on skills. It's about getting the job done. That's what Security+ does. Gets you employees who get the job done. And employers really, really like that.
So if we look at those two main job roles, security administrator, systems administrator, these are administrative roles that would typically be responsible for ensuring you have a baseline cybersecurity skillset on your team and ensure that you have a baseline number of your best practices, tools and techniques that you're using to keep your company secure. This would be things like as a security administrator you would be responsible for assigning role-based access control, for example. And that would be essentially adding permissions to files. Ensuring that all of your files are encrypted and that they have some kind of minimum level of cybersecurity controls. You would want hopefully that you're using at least privileged access. And so anyone who has access to a resource, you have to say, “Do they need access to that resource?” There should be a policy that says roles have access to specific resources. If those roles aren't access, aren't supposed to access a resource, they should be denied access to that resource. So it's fairly simple. It's a matter of creating access lists and deny lists for network resources. This is one of the basic tasks of a security administrator. Also to ensure that there is encryption on the files at rest, for example, and what type of encryption would that be. And does it fit within the overall guidelines of the company's encryption policies, for example? Or access control policies. So these are all things you'd have to be very good at. And if you've done administration, you know exactly what I'm talking about.
But there are other job roles that are coming to Security+. Now these are the minority. However, these job roles are coming at a faster and faster rate and there're reasons for it. It tells an amazing story. Even though the majority of IT pros coming to Security+ are for the administrator job roles, we find a lot of other people coming to take it, because they need to learn how to secure a network. If they understand how a network is secured, they can do all types of things with their jobs. They could build software that ran securely over a network, because they understand the concepts.
Let me go through a few examples. Let's look at some of these secondary job roles that are coming to take Security+ and think about why. First is help desk managers and analysts. This makes great sense, because help desk is the front line. We usually find out about major security breaches through the help desk, because it's a customer that may have indicated it. You'll often hear that there may be someone lurking on your network for over 100 days before you locate them. Oftentimes it's a customer who may say, “Hey, there's something weird going on with my account. There are some numbers that have changed or something.” They might then alert you and then you could go in and do some research and see, “Oh! There had been a privilege escalation. Someone got into our Active Directory, if that's what we're using, and was able to go and upgrade a regular user to an administrator and then access folders and files that they shouldn't have been able to access.”
Well, if you're monitoring your network, you would find that person poking around. You would have been alerted of the privilege escalation and could have reviewed it. So those are some extra things. But when we look at these secondary jobs, you've got to think help desk managers, analysts, they're going to be on the front lines and so they're going to be taking in a lot of this information. They've got to be able to identify that, “Oh, that is a security threat on our network. It's serious. I need to write a ticket.” So it will go to the cybersecurity team.
Network and cloud engineers, they have to learn how to secure a network. So everyone in infrastructure would need Security+ because it would be a two-year baseline skill, and typically infrastructure would actually go beyond that three, four, five, six years. People that want to stay in tech all their lives. These are the cloud engineers. These are the Linux engineers. There're a lot of people that are working in infrastructure that are actually keeping the company running and possibly the ones in charge of the product that your company is creating.
And so the network and cloud engineers absolutely have to understand this. It's almost a prerequisite skill for network and cloud engineers. Also, IT auditors. They're coming to Security+ because they're auditing networks. Auditing networks to ensure they are secure usually in the name of PCI DSS, HIPAA, NIST, SOC2, the list goes on and on. They're going to be the ones that have to audit to make sure that your company is complying to the security controls.
So an IT auditor may see the security control of continuous security monitoring. Well, if they know how a network works and they know how a network is monitored because they took Security+, they would know what to look for. And so we find a large number of IT auditors coming to take Security+ because it makes them better at their job. They understand what they're supposed to be looking for to verify that the network is as secure as all of the employees of the company are saying it is. So an auditor is really all about proving that you really are secure. So you can imagine that background would be very helpful.
Also, we find people who go into governance, security officers, security managers. Even IT project managers are coming to take it, because if they know how the network works, they know the regulations that could be applied to secure that network. Also, the last category is fascinating. Nearly 10% of all people coming to CompTIA+ are from DevOps teams and software developers. Software developers has a very broad range of programming and coding skills. If you look at the software developer occupation with the Bureau of Labor Statistics, you can see it's very broad. Software developer includes software engineers. It includes Java programmers, Python programmers, C++. I think I already said Java, C#, you name it. Huge number of people are coming to Security+. And the reason is it's because software developers have to create code that will run securely on a network. If they know how to secure a network, they will know how to write software that can run securely on that network. So this very basic principle applies in a grand fashion when we look at the audience coming to Security+.
So it seems very simple, and apparently that is why they're coming to Security+. And so that is one of the reasons why we see the growth of Security+ as these skills have just become more applicable to more and more job roles across the world. And you can see here at Security+, it sets IT pros up for success in intermediate and advanced cybersecurity jobs too. It's really a springboard into advanced level jobs. Like for instance, we see a lot of people from Security+ springboard into analysis level jobs. So you're really jumping from Bloom's level three jobs to Bloom's level four jobs where you're dealing with analysis. And the analysis level, which is at the three to four-year level of someone's career typically, would cover these more advanced jobs such as security analyst, penetration tester, security engineer, forensics analyst and security architect. These are all jobs that Security+ is a recommended prerequisite for. Because if you have these core baseline cybersecurity skills found in Security+, then you have that knowledge to move on with your career and to build on top of that knowledge with analysis skills, design and creating skills. So you can just keep going up and getting higher and higher paying jobs as your cognitive abilities are utilized more.
Next slide please. Okay. So we may ask ourselves what are these baseline cybersecurity skills that I've been talking about? What are they? Well, there're actually five of them. These are the five baseline cybersecurity skills that all of these job roles are coming for. So let's go over them. Most of them are in direct response to the industry problems. First, identify, analyze and respond to cyber security events and incidents. Mentioned, 68% more attacks. We need to all be able to identify, analyze and respond to cybersecurity events and incidents.
Next, we need to be able to monitor and secure hybrid environments, which operate on-premises and in the cloud. We need to operate with an awareness of applicable laws and policies. This is related to GRC, which as I said is quickly grabbing a hold of all of our occupations in cybersecurity. Also, assess the cybersecurity posture of an enterprise environment using various tools and techniques. Mentioned, organizational security is extremely important. In the past, we've had fragmented organizational security where you have one team using a different encryption standard than another team. You may even have your marketing team using a different encryption or some kind of third-party tools that the IT department isn't aware of, shadow IT.
So you need to be able to assess the cybersecurity posture of an enterprise environment using various tools and techniques so that you know the truth, you know what's really happening. Also, recommend and implement appropriate cybersecurity solutions, very important. There are a certain number of analyzed questions used for troubleshooting. One thing, you have to know either what the problem is or who you can talk to to fix it. And so you have to be able to recommend and implement appropriate cybersecurity solutions, and that way there are some level four analysis objectives as well on the exam to assist with troubleshooting skills.
So I've been talking a lot about Security+. The new version that's coming out that will have the updates I'm talking about right now is called SY0-601, and it's going to be available in mid-November of 2020. Now, that's just next month. We're shooting tentative date November 12th, but we'll know later this month, because we have to go through a psychometrician process. And so we're actually going to have that fixed up at the end of this week. But tentative date, November 12th for the release for 601. I hope you are interested and wish to take it.
I mentioned the new exam code SY0-601. You can take it online or on ground at a Pearson VUE Testing Center. We just put all of our exams online in April when COVID-19 hit. Because, you're right, when COVID-19 hit, no one took our CompTIA exams. It was a scary month. But we were able to move all the exams online with Pearson VUE. And so now we're actually back in business and it's really wonderful to see CompTIA having completely transformed its business to online. Not surprising that we did, but I think that was a really neat thing and I’m happy for CompTIA to have adapted to continue to survive in this new business climate that we all see.
Fortunately, as you know, cybersecurity jobs, they are still being hired. Cybersecurity professionals are still getting raises for getting IT certifications. Our jobs have not become reduced. They have increased. And so if you're in cybersecurity, know now that you need to continue to learn as much as you can for as long as possible. Because if you're going to be successful in this field, you have to be curious and you have to want to learn new things because this industry changes every day unlike a lot of other businesses. And so you've got to be prepared to learn. If you don't like to learn, if you aren't curious about something and you really want to find out why, if you're a person that might get stuck on an IT problem configuring a server and you work on that problem for three and a half days because you can't get it out of your mind and you have to figure it out, that might mean you're going to be absolutely excellent at cybersecurity. So that's just a quick note.
Last thing, if you've taken the current SY0-501 or if you are going to take the exam, the existing SY0-501, that's going to retire at the end of the school year on July 31st, 2021, at least northern hemisphere school years. So the existing SY0-501 exam is going to retire July 31st, 2021. That means both exams, 601 and 501, are going to be available from mid-November 2020 to July 31st, 2021. So you'll be able to choose whichever one you want to take.
Next slide please. Here is the CompTIA cybersecurity career pathway. Well, that actually shows the infrastructure pathway too, but I'm going to focus on the cybersecurity pathway. So if you look at this CompTIA pathway document, you're actually looking at 10 years of knowledge skills and abilities and tasks that a cybersecurity professional or IT professional would be able to do at a certain time in their career. All of our certifications are based on job roles except for ITF+. Why? Well if you look to the far left under core skills certifications, ITF+, well, that's the first cert we recommend for anybody who wants to go into cybersecurity as a career, whether you're a student or just out of high school or whether you’re somebody who's already working in the industry and just wants to change jobs. I think the ITF is even taught in some junior highs and high schools to kind of give students an idea of what they want to do.
The reason that really works is because it shows you some programming skills, right? It shows you some cybersecurity skills. It shows you some infrastructure skills. It shows you some help desk skills. And it really allows you to decide what you like to do, because it's all so different. I mean, it really is in many ways. And so I think people's mindset becomes fixated on certain technologies. It's like you will naturally go into one of the areas. Like I naturally went into networking and TCP/IP and naturally went into cybersecurity. There are many who naturally will go towards scripting and programming. And there's almost a personality type or difference in the types of job roles that people want to go to in our industry. And so I think it's important to make sure that you're doing what you like to do, because if you don't like cybersecurity, you're probably not going to be very happy in it. But if you like cybersecurity, you're going to be a kid in the candy store for the rest of your life. And that's the best part of it all.
Okay. So we have ITF+, right? That will let you know where you want to go. Thanks. But then we can go into the core skills certifications. And so at this point we're really looking at the basics. In fact, the first job role certification we have is A+, and A+ covers nine months of knowledge skills and abilities and tasks in someone's IT career. People typically go into help desk jobs because they're available and they're a great place to start. It's an excellent learning place, because you're going to be talking to customers all the time. You're going to learn all the little ins and outs of working essentially with devices and supporting people. So you're going to be supporting people and devices on a network. And this is a lower level skill, but it's really how do you support all the devices that are hooked up to the network? Help desk, support desk is what this is covering.
Then you get to an 18-month point. At that point many are ready to learn the network administration skills. This is how a network works. What is TCP/IP? What is the TCP/IP suite? What are the seven layers of the OSI reference model? And you need to know what's occurring at each one of those. Because the TCP/IP suite and that stack is maybe ultimately what the hackers are manipulating. In many cases, just by manipulating the packets using a packet conditioner is one example. But if you understand the TCP/IP stack and OSIRM and how everything's supposed to work, then you're like, “Boom! There's a spoof. Boom! There's somebody duping my MAC address. Boom! There's somebody that's clouding up my IP header. Boom! There's somebody who’s switched a flag in one of my packets and they're hijacking the session.” I mean, it's like you learn the encyclopedia of the Internet. You learn how everything works. If you have networking fundamentals down, you could do anything, software, IT, cybersecurity. You can go into infrastructure because you understand the plate on which the Internet sits. Very helpful, and I can't emphasize that enough.
Then you get to the two-year level. Then you begin to learn some cybersecurity skills. Notice, cybersecurity skills are not the first skills you learn in IT. You need to learn the basics of it before you learn cybersecurity. Many people will say, “You can't secure a network unless you know how the network works.” And so that is why when you get to Security+ at this two-year level – So all of you out there right now, if you're thinking about taking Security+, you've got to make sure you understand networking basics, networking fundamentals. So make sure that's something in your education as you proceed in networking, or I should say in cybersecurity, in IT. I'm talking very broad. You need to learn a little bit more how the engine works before you start speeding off on the Internet.
All right. And then after Security+ then, we're at the two-year level. This is where I was saying you can then advance into intermediate and advanced level jobs. So at this point, you're ready to go with Security+. You're on the diving board. You're on the springboard. Where do you want to bounce to? At this point, many people will say, “I want to go into cybersecurity.” And so they will then go into red team, blue team, which is PenTest+, which is attacking systems legally to find the vulnerabilities in them before the enemies find them for you. Then CYSA+, which is security analyst. This is blue team. This is defense. Both of these are at the three to four-year level and these are skills that go beyond Security+. And we'll often find pen testers are the attackers. Security analysts and CYSA+ are the defenders. So the security analysts are usually in a security operations center using tools, behavioral analytic tools, to try to find the attacks that come in from the pen testers who are basically legal hackers. That's at the three to four-year level.
Then we can go to the advanced level in cybersecurity. When we get to the advanced level, we're talking like five years plus of knowledge skills, abilities and tasks. And at this level is when we're going to see people like security architects and security engineers. There're probably a lot of you that are security engineers. That is a super exciting job for the ultimate, for the kinesthetic hands-on learners. I mean, I don't think – That is probably one of the coolest jobs in cybersecurity for me, for my opinion, is a security engineer probably gives you the most differences in your day and the most excitement, but that's just my personal opinion and great variety from year-to-year in your job.
So CASP+, security engineer, security architect, digital forensics analyst. Forensics is becoming bigger and bigger. CASP+ is covering that. Then you also have network enterprise architecture. In CASP+ at this point, you were able to be hired by an organization to find problems with the entire organizational security, cybersecurity, and fix it, and that requires a big brain and a lot of experience. So CASP+ is really a capstone course for those of you that have been out there working for five plus years. I'd recommend, if you're on the certification track right now to get training, I'd go up Security+. Do PenTest+, CYSA+, then get some experience and then come back and take CASP+.
Regarding CASP+, it's becoming extremely popular right now. It's just become one of the top 10 highest paying certifications in the IT industry. That's incredible. That was just last month. And we're seeing it really move out beyond the Department of Defense who's been using the certification for eight years. And we're seeing it being adopted by corporations, because now corporations are aware of it because of the wonders that it's done within the Department of Defense. So we're really happy about that, and I just wanted to share that good news with you.
Okay, next slide, and I got to do a time check.
[00:46:48] CR: Sure. Yeah, we are getting close to the end here and we'll want to save a little bit of time for questions. So I just wanted to remind everyone, if we don't get to all the questions today, and we likely will not because there's a lot of great questions being submitted, we will go ahead and follow up for the ones we don't get to.
[00:47:06] PL: Okay. Well, let me finish this one slide and tackle questions. How about that?
[00:47:11] CR: Sure, yeah. We have a few more that we can send out the slides in the recording for people to take a look at too if we don't get to them all.
[00:47:19] PL: Okay, perfect. All right. So just six changes to Security+. I've really already stated most of these. So I can go over this quickly. The 501 exam is the exam that was released three years ago. We have to update every three years for our continuing education requirement that we helped set with ISO, ANSI globally. Part of 17024 ISO ANSI regulation. And so that states continuing education. Every three years, it has to be updated, because the industry is changing so fast. If we didn't, these certifications would not be worthwhile to you. You need to have that continuing education unit or these certs don't work, all right?
So with Security+ 601, remember, newer skills, more threats attacks, more entry level incident response, more governance risk and compliance. Also, believe it or not, because the IT industry has been maturing, it is maturing. It is finally learning job roles. It's finally creating organizational structure that's been morphing over the last 10 years. There's actually fewer domains in the new version. So you may have said, “Pat, all the stuff you've been talking about, that must be one heck of a big exam.” It's actually got fewer domains than the last version, because we're becoming more defined as an industry. And CompTIA is also maturing and becoming more defined as an industry supporter.
So we have five domains instead of six. There are fewer objectives in the new one. There're 35 instead of 27. So two less objectives. However, we have more examples. So under the objective stem, we list examples, but there are more examples because there are more products out there as you know. There're more techniques being developed. For example, I was just working with penetration testers before this meeting that we're having, before this session, and what they were really focusing on was all the new applications that have arisen. Because now like in Security+, you have to think about the cloud, right? But you also have to think on-premises. How is that going to be different? And so they're really taking the case with that. And they also even look at wireless devices as something different. So we're becoming even specialized in the environments in which we work in.
Also, we – Oh, yeah. We reordered and renamed some of the exam domains for instructional design improvements. For example, the old technologies and tools domain in the new version. The technologies and tools are placed within the domains where they are applied, which is excellent instructional design. And as far as Bloom's taxonomy goes, it indicates more application of skills getting the job done and slightly less analysis overall. So analysis skills, if you want to learn a lot more of those, you need to go up the food chain to security analysts, CYSA+. It’s a three to four-year level. In there, you can apply skills that you've learned as an administrator and configuring. But now that you've administered and configured those systems, you can now observe the traffic and then analyze and make changes as needed.
And so that really covers everything that I wanted to cover. Oh! Well, look, the salary. It's getting close to 100,000, and it’s scheduled to – As you can see these jobs, we expect that these jobs are going to continue to grow. So what did you have as questions?
[00:51:09] CR: Sure. So Patrick, I will skip over some of these a little bit. We'll leave them up here and maybe just kind of discuss during the questions. I know some of them are related to what is Security+ and why it's different. Again, we'll send out the slide deck after the presentation here to remind some folks on what we are going to kind of forsake in the effort of time here a little bit. But if there's anything that anyone has questions on, we will get to that in just a second.
Again, here's some of the comparisons for some of the different certifications, which we can take a look at. And then if you want to go over this one real quickly, Patrick, I know this is something that a lot of people do have questions on. So I'd like to cover this slide.
[00:52:03] PL: Great. Okay. The exam code, as I mentioned, is going to be SY0-601. The launch date is going to be mid-November 2020, but I can tell this group exclusively, November 12th is the tentative date. Then the availability, it's going to be worldwide and it's going to be located on ground and online. So you can go and take it at Pearson VUE. And so just go to pearsonvue.com. And then when you register, you actually select – If you want to be taking it at a center located near you or if you want to take it online.
The question types. This is one of the key differentiators, because Security+ is the only certification at the two-year level of cybersecurity that has performance-based questions and multiple choice questions. So there's actually hands-on simulations of security administration and systems administrator tasks on the exam. And so not only do you have to learn the knowledge, but you have to be able to perform the skills, the abilities, the tasks. You need the abilities to perform those skills and tasks.
And so that is why we have performance-based questions, and we're the only core entry-level cybersecurity certification that has performance-based hands-on questions in technology on our exam. Also, there's going to be a maximum of 90 questions. You've got 90 minutes to do it. Passing score is going to be 750 out of 900, which I believe is a typical passing score for most of our exams. It's going to be released in English only at the beginning. And then we're looking at Japanese and Portuguese possible translations six months after.
Recommended experience, CompTIA Network+. Remember, I told you, you have to know how the network works before you can secure the network. So you need to have either CompTIA Network+ or those networking fundamentals under your belt already before you take Security+. Highly recommended.
[00:54:16] CR: Perfect.
[00:54:18] PL: And then because I mentioned, it's basic – Okay, got it. Good. Anyway, it's basically showing two years of experience in IT administration with a security focus. That is what we're mirroring is that two-year level of experience in IT security administration. Then I mentioned before the exam retirement, 501 will retire July 31st, 2021. But if you have a Security+ voucher right now, it'll be valid for either exam. So your Security+ voucher, if you already bought one, you can just use it and reschedule and select 601 with Pearson VUE. Because Pearson VUE, the Security+ voucher will work for any version of the exam. So that's important to know.
[00:55:06] CR: Good to know. Cool. Well, as we wrap up here, Patrick, I didn't know if you wanted to touch on any organizations that assisted in development or just kind of show them here. Otherwise, we can jump ahead to the questions.
[00:55:18] PL: Oh! Well, yeah, just one quick note. You noticed we've got some really great organizations that helped us from multiple industries. And so I just want you to be aware that we had academic, we had finance, we had – Well, as you can see here, military. We had healthcare and we had really smart people from the Applied Physics Laboratory at Johns Hopkins that even helped. We also had Splunk, which many of you know is the number one SIEM provider in the world according to Gartner. They are ranked number one and they provided an incredible knowledge to our team. And Netflix as well. We had the threat hunter from Netflix, lead threat hunter, help us with the development of Security+ and CASP and PenTest+ as well. And so we're very proud of the groups that have helped us, the top companies in the world helped us create Security+.
[00:56:19] CR: Fantastic. Well, Patrick, thank you so much. You have so much great information to share and we really appreciate that. There're so many folks that are interested in Security+, which is awesome. So let's go ahead and get to some of the questions that came through. And if we have a moment, we might stick around for just a minute or two after.
[00:56:42] PL: Okay.
[00:56:42] CR: So the question that I'd like to start with is from Anthony, is, “I have the SY-501 from 2019. Does CompTIA offer recertification or will I need to take the 601?”
[00:56:58] PL: Oh, we do offer recertification. And you can renew either way. Essentially, if you took the exam in 2019, you either can renew by retaking the 601 exam. Or, I mean, by taking the 601 exam when it's released. Or you can do continuing education units. And so that means for Security+ you have to, every year, participate in a certain number of conferences, read books, perhaps do research yourself. But constantly learn and document as you've learned about cybersecurity topics. If, for example, I went to RSA this last year in San Francisco. It was like as we were closing RSA, the nation was shutting down. It was crazy. But anyway, so we were at RSA, and I was able to submit my attendance to RSA and I think I got like 10 units of credit. So those are the types of things that you can do. But look how much I learned from going to RSA this year. I mean, wow! And so I was able to show them proof, show proof that I'd been to RSA and therefore I get the continuing education units. But you can also retake it, but I tend to like to take the education path where every year I do perhaps 20 continuing education units towards the 50 that I need to get total to renew Security+. So that's the way I like to do it, is join the continuing education unit program. And you can just look at CompTIA – Search for CompTIA CEU, CEUs, and you'll go right to the link.
[00:58:37] CR: Sure. And to build off of that, actually, everyone today who's watching will receive an automatic certificate of attendance that you may be eligible to submit depending on what your certifying body counts as education credits. So I wanted to point that out. So a couple of more questions before we wrap up here. I think this is, again, related to if someone has already passed the 501, they do not have to upgrade to the 601. They will still be Security+ holders, correct, as long as they continue to renew their certification.
[00:59:18] PL: Exactly. Because when you get certified, it doesn't label you as a certified 501 or a certified 601. It's just your Security+.
[00:59:27] CR: Perfect. Thanks for clarifying that, and that was a question from, I think, Nate. So hopefully that helps you out there. We did have a question on the Security+ voucher, and Patrick did mention that that will work for either exam. And we have a good question here that I think we'd like to end with, and this is from Massoud. He said, “Can we directly start from Security+ without having IT Fundamentals+, A+ and Network+ certifications? Or are those prerequisites?”
[01:00:05] PL: There are no required prerequisites to CompTIA exams. We only have recommended prerequisites. Therefore, you can take Security+, but you might fail it. It is recommended that you have networking fundamentals background before taking Security+. It will provide you much better learning experience and you'll be better at your job and you'll have an easier time passing the exam most likely. That's my recommendation. And many from CompTIA who've taken our certs would say the same.
[01:00:38] CS: I hope you enjoyed today's webinar with Patrick Lane and feel ready now to jump into the new version of Security+. Just as a reminder, our Infosec instructors and Infosec skills authors are prominently featured on our all new interactive learning series titled Cyber Work Applied. It features hands-on tutorials to teach you new cybersecurity skills and apply those skills to your career. Best of all, it's always free. To learn about Cyber Work Applied, just go to infosecinstitute.com/learn and get started today.
Thank you once again to Patrick Lane, and thank you all for listening and watching. We will speak to you next week.