After 3 solid months of study, I passed the CompTIA Security+ exam on my first attempt earlier this week. I came into this without any prior experience, so everything I learned was new and unfamiliar to me. However, with consistent effort, I am proud to have accomplished my first IT security certification.
I’m writing this blog post for various reasons. Firstly, it is my own personal way of reflecting on these past 3 months while also being a resource for future Security+ exam takers, or for those interested in taking the exam. It is also a good starting point for what happens to be my first of many posts on this blog!
How I studied
During the week, I spent 1 hour studying every day after work, and around 3 or 4 hours on Saturdays and Sundays.
This means I spent approximately 130 – 150 hours in total studying for the exam – far more than what I had initially thought I would need! It’s worth noting that having had no prior experience, I needed more time to fully understand some of the concepts, the technical networking aspects in particular. Others who take this exam may need less time, and some may require more. It’s important to only take the exam when you personally feel ready, so the hours I spent should be an indicative outline only. CompTIA officially recommends candidates obtain the Network+ certification or have 2 years’ work experience, and it is not hard to see why. However, I am an example of someone who passed the exam without either of these proposed prerequisites, so it is absolutely possible to pass the exam without them!
The first resource I used was the CompTIA Security+ Certification Study Guide, Third Edition (Exam SY0-501) by Glen E. Clarke. This book is an extremely comprehensive study guide, sitting at 980 pages in total. I spent my time reading through this book from cover to cover, completing all the review questions at the end of each section to ensure I had a good understanding of the chapter I had just read. This book was helpful for someone like me who had no prior knowledge, as it provided easy to understand explanations of all the technical details required, with plenty of examples and diagrams throughout.
I personally think a study guide such as this one is imperative when studying for the Security+ exam. It contains all the knowledge necessary, as well as practice questions to test your knowledge of the various topics. Darril Gibson’s study guide is also often recommended by others, but I can’t speak for that one personally.
From here, I decided I would need to cement my learning from the book with another medium: video. Professor Messer’s Security+ series on YouTube was without a doubt the best resource I used during my study – with the added bonus of it being completely free! I watched every video in his series and took basic notes while doing so to reinforce the content learned from the book. The best thing about his series is that he has tailored the videos specifically to the official CompTIA exam objectives, so if you understand everything in his videos you are guaranteed to be covered for everything in the exam.
I also recommend purchasing a copy of his notes; they are reasonably priced and very helpful. After finishing his video series, I went over his course notes twice to really complete my learning of the content.
The final stage of my exam prep was to complete as many practice questions as possible. I used the CompTIA Security+ Certification Practice Exams, Third Edition (Exam SY0-501) also by Glen E. Clarke. Going through the practice questions, I made sure to understand the questions I got wrong, and identify what my weaker areas were. This is a necessary step as it is your only way of testing your knowledge before the real exam. There were multiple cases where I didn’t understand a concept as well as I thought I did, and these were exposed as I completed the practice questions, allowing me to go back and brush up on those areas specifically.
The exam itself was much tougher than I expected it would be. The biggest reason was the sheer number of questions you must answer in the given time. My exam consisted of 3 Performance Based Questions and 80 Multiple-Choice Questions, with 90 minutes of time to complete them. I found the Performance Based Questions much easier than I had anticipated, and was able to finish these relatively quickly. However, the following Multiple-Choice Questions were an absolute grind to get through. Each question requires a thorough reading to understand the specific nature of what it is asking, before you are presented with a range of options, of which multiple may be viable answers.
Around ¾ of the way through I found myself starting to burn out, and I really had to push myself through the last 20 or so questions. It also didn’t help that the small room I was taking the exam in was uncomfortably hot and stuffy! Thankfully I was able to finish all the questions with a few minutes to spare. I would highly recommend being in good condition before the exam; you’ll need it to maintain the level of intensity required throughout.
I only had time to review a handful of questions before time ran out, despite having many more flagged. I was extremely nervous to see the score of my exam as the time ran out. Expecting the worst, I was overjoyed to see I was successful! It was an amazing feeling to see that all the hard work paid off 😊
I have heard conflicting opinions about the Security+ certification, or even the CompTIA certifications in general. Veterans in the Information Security industry seem to place little value in the Security+, claiming that being able to pass an exam doesn’t prove anything about your actual ability or knowledge about the subject matter.
In a sense, I agree. Having gained the Security+ certification, I understand that I am not magically an Information Security expert. There is still a huge number of things I do not know. I lack depth, breadth and most importantly experience and the Security+ certification does not mean much on its own.
In saying that, I think the Security+ exam does a good job as an entry level certification. I was able to learn about a range of different Information Security concepts in a structured manner that would have otherwise been incredibly inefficient, and I do feel that it is a good starting point for those like myself who lack real world work experience.
Above all else, I had fun studying and completing this certification. Learning the material covered in the Security+ exam was an enjoyable experience, and it has motivated me to go further and learn even more. I never started studying for the Security+ because of its credibility or reputation. I started studying because I had a desire to learn, and the certification provided a tangible goal to work towards as I did so. To that end, I feel the Security+ is a fantastic starting point and I am satisfied with the value I got out of it.
I’m going to take some time to think about where I want to head next. The most enjoyable sections of the Security+, in my opinion, were the attack based sections. The types of attacks that can be used to exploit various vulnerabilities are incredibly interesting and something I want to learn more about. At this stage, I am strongly considering going all out and working toward the Offensive Security Certified Professional (OSCP) certification. Watch this space as I will be sure to update my blog with my experiences leading up to this in the future!
Thank you to anyone who made it this far, and good luck to those preparing for the Security+ exam!