CompTIA Security+ Certification : Preparation and Tips

Background

I am currently working full time in a SOC environment. Although I have obtained a few certifications like ISO 27001 LA, ISC2 CC, ITIL, AWS CCP and Azure AZ-900 & SC-900, this was my first time attempting an exam from the CompTIA family of certificates. Today I have finally managed to knock down the Security+ SY0-601 certification with a score of 789/900.

Also, since I am preparing for CISSP, I had already completed much of the reading exercise, but lacked the confidence to give it a go. Hence I resorted to Security+ as a stepping stone before aiming for the big one. Since I have been getting a lot of queries from my network, I wish to document my Security+ journey for the benefit of everyone.

Comparison with ISC2 CC and CISSP:

Currently, Certified in Cybersecurity (CC) from ISC2 is the entry-level certification in the CyberSecurity realm, most suitable for beginners with minimal work experience. In my experience, the Security+ exam has much more coverage in domains and higher difficulty compared to CC. Hence it may be pursued by people having at least some experience working in IT and a basic understanding of security concepts.

Security+ is often compared to the ISC2 Certified Information Systems Security Professional (CISSP) certification, being one of the most sought-after and recognized certifications in the CyberSecurity realm. I would say that the language of Security+ is very different from CISSP, which is aimed at senior management folks. The CISSP exam seldom focuses on solving problems; rather, it tests us on the best way forward for the organization, "thinking like a Manager". Security+ is a problem-solution kind of exam, where you are presented with a problem and are required to fix it like an analyst or engineer. Thus, Security+ is more suited for analysts/operations personnel to validate their knowledge in a vendor-neutral manner.

Prerequisites:

CompTIA recommends 2 years of IT experience along with the A+ and Network+ certifications before moving on to Security+. However, it is very much possible to pass Security+ even without them, just as in my case.

About the Exam:

The exam format is up to 90 multiple choice questions (typically ranging from 70 to 90 questions) and the maximum time allotted for the test is 90 minutes. Out of these questions, 4-6 are performance-based questions (PBQs), which are interactive in nature (such as solving real-world problems in networking or threat analysis). The passing score is 750 out of 900, but the scoring method remains a secret. Have a look at the official exam objectives for the Security+ SY0-601 certification.

Study Resources:

I have used mostly video content for my preparation, using freely available resources, and didn't sign up for any paid courses. I really have to appreciate the people who make such quality content available for free.

  1. I have used Professor Messer's video series on YouTube as my primary study material. It helped to paint a picture as to which topics are covered in the exam. It was easy to consume these bite-sized videos, each of which lasts 5-10 mins, whenever I got some spare time between work. I must appreciate the proper coverage of exam objectives in this series.
  2. I used Peter Zerger's exam cram video in the final days of my preparation to further reinforce the topics. This is a 10+ hour video session divided into chapters and domains useful for final revision.
  3. PBQ questions of Security+ are indeed a nightmare for the aspirants. Cyberkraft has posted detailed walk-throughs of different types of PBQs expected in Security+ and they are available for free. This has been instrumental in building my confidence to crack such questions.

Test Banks and Apps:

Even if you have completely covered the exam objectives by reading or through a video course, the preparation is only half-way until you have done some practice tests. It really helps to bring out the CompTIA mindset, picking out keywords from the question and eliminating wrong answers from the options. You can even find out your weak topics and focus your learning efforts on those topics by utilizing additional resources.

  1. CompTIA Security+ Prep (by LearnZapp) - This is a mobile app which leaves a vast question bank always available at your fingertips for casual quizzing as well as timed exams. There is a free trial of 14 days which you can fully utilize if you are determined enough. It helps in the learning process as well by providing ample explanation for the answers.
  2. Jason Dion's Practice tests: A set of six timed full-length practice tests. It says that you need to score at least 90% to be considered ready for the exam. However, I could only score 82-86% in these tests. I feel that it is somewhat more difficult than the actual exam questions. Therefore if you score over 90%, congratulations! You are guaranteed to pass the actual test! Here also they have provided ample explanation for the answers, which reinforces the learning.

Apart from these, there are several YouTube videos that feature walk-throughs of questions from the CompTIA official practice tests. It is true that you will never feel 100% ready. But taking practice questions is the best way to get accustomed to the style of the test.

Note for Beginners

I could manage to pass without reading any books as I had prior experience in SOC and IT Administration. However, I understand that many of those attempting this certification do not come from a strong Cybersecurity background. Since there is no experience requirement for Security+, even a beginner in the field can take up this test with dedicated effort. I would like to list out some resources which are helpful for such aspirants.

Books:

There are a lot of good books available which would help beginners to grasp the topics easily. The two books mentioned below are concise and short (500-600 pages only) compared to the rest of the books, increasing your chances of passing the exam on the first attempt:

  1. Security+ Certification Guide from Ian Neil (Packt Publishing)
  2. Security+ Study Guide by Mike Chapple (Sybex/Wiley)

Also, these books provide sample questions at the end of each section, which give a glance into the kind of questions expected in the exam and help to retain the information after reading.

Paid Courses:

Some of us are not comfortable reading up on a lot of information but prefer video content, which is engaging and makes it easier to retain information. Although I don't have first-hand experience, I have been getting good feedback from my colleagues and friends regarding some courses which help you prepare for Security+.

  1. Google CyberSecurity Certification Course: This doesn't need any introduction. It is a well-crafted, self-paced online course from Google made available through Coursera. It helps to lay the foundations of security through online classes and reinforce that knowledge through assignments and hands-on labs. This course is aligned with the objectives of Security+ and any beginner can join it if they wish to embark on the Cybersecurity journey.
  2. Dion Training Sec+ Course Labs, & Practice Exams: This is by far the most comprehensive online course available for Security+ by popular trainer Jason Dion. Since the bundle includes course labs and one practice exam, it is more economical than purchasing everything separately.

Committing yourself to achieving Security+ is like investing in yourself to unlock an amazing career path in the ever evolving CyberSecurity domain. I wish good luck to all of you in your certification journey!

Luana Andrade

Cybersecurity | Linux | Python | Preparing for CompTIA Security+.

1 month

Congrats, and thanks a lot, I intend to take this exam next year

Binu Varkey

ISC2 Certified Cyber Security Professional-CC, CISSP, CCSP, CompTIA Security+

10 months

Congratulations, Jyothis.

Alex Babu

Team Lead at Happiest Minds | React Native - Developer | iOS - Developer | MacOS - Developer

10 months

Congrats

Congratulations on your achievement with the CompTIA Security+ certification, Jyothis! It's great to hear that the Security+ app by LearnZapp was a valuable part of your preparation. Your documentation of the journey is an excellent resource for others embarking on the same path. Best of luck in your future endeavors in cybersecurity!
