Security+: What a Disappointment!

Greg takes CompTIA's Security+ exam and comes away wishing he'd spent the fee on expanding his CD collection.
by Greg Neilson

4/6/2004 -- If you've read my earlier column on my plans for 2004, or my comments featured as part of CertCities' 10 Hottest Certifications for 2004, you would know that I am pretty bullish on CompTIA's Security+ certification. Actually, that should read was bullish. You see, I finally took the Security+ exam, and I must say I was very disappointed by it.

I'll say up front that I failed the exam by a couple of questions. But this is not about my score: I don't need Security+ title for my job or any future career plans. I took the exam because I was excited about the title; I thought it would be useful to broaden my security knowledge in areas that I don't deal with on a regular basis.

From my experience in taking more than 100 other certification exams, I expected Security+ to ask unambiguous questions with varying levels of difficulty that when combined -- and let's face it, there are 100 questions here today, so there's lots of scope for this variation -- would give a reliable indication of whether someone has acquired basic security skills in a broad range of areas. And I don't think that's an unreasonable expectation to have, especially considering this exam's $225 (U.S.) price tag. (Even worse, in Australia the cost in local currency was $415, which equates to $312!).

Unfortunately, this is NOT the exam we have today.

Much of Security+ consists of pretty easy questions about security, which probably accounts for the relatively high percentage needed to pass (83 percent). -- not unreasonable considering how many easy questions there are. However, there's two other types of questions on this exam: a handful covering content so obscure that only an expert can answer, and -- here's the kicker! -- others that are so poorly worded that you are unable to determine what you are being asked, let alone which is the correct response! In fact, before I took the test, I had seen comments posted in forums complaining about the quality of the Security+ exam questions, and I pretty much dismissed those posters as whiners. But now I know they were on to something. I wish I could put detailed examples of these questions here; but that, of course, would be giving away exam questions, which I can't do.

Now, I'm not a psychometrician, so I can't say that the Security+ exam doesn't confirm to this testing standard or that one. But considering the quality of the questions asked and the imbalance of the question difficulty levels, I can say that I simply don't believe that this exam does what it sets out to do: truly test one's knowledge of the subject at hand.

I have a number of other CompTIA certifications: Network+, Server+, Linux+ and IT Project+. Security+ simply doesn't conform to the same standard. Therefore, until CompTIA does some work to fix the problems with this exam, I can't recommend that anyone else take it, and I will no longer recommend the program to others. I did learn a great deal about security in my preparation, but as far as the exam itself goes, I would have been much better off spending the cash on expanding my CD collection.

I'd like to hear back from those of you out there that have taken / plan to take this exam. What do you think? Let me know by posting your comments below.