Why CompTIA Security+ Is Not Enough

The CompTIA Security+ certification is widely known as the de-facto entry certification for Cyber Security, but it may no longer reflect what is defined as entry in today's world.

If you’re someone who is trying to "Break into Cyber", the journey is hard! But this post is not to make you feel inadequate, as I am also a holder of a Security+ certification. This post is to enlighten you of the current state of Cyber.

So, let's dive into why Security+ is no longer enough to land an entry-level position.

Companies Are Lowering Risk

There has been a big issue in the Cyber community as of recent. I have seen many posts about making "Entry-level entry again", and I'm willing to bet you have, too. Candidates believe the requirements are too high to be considered entry-level, and are hoping to get the opportunity to learn on the job. This sentiment is also shared by Mid and Senior level professionals. You may be thinking, if so many people share these thoughts, why don't companies actually give these candidates a chance?

Well to put it in simple terms, by giving someone a chance who may be new to the industry, they would also inherently increase the risk of a cyber incident! The whole point of SecOps is to lower risk, and if an incident was to happen, this could cost a company millions.

This is not to say no one should give you a chance, but to motivate you by understanding what is at stake, and to change your mindset from "give me a job" to "I can be an asset to your team".

If you want to ”Break into Cyber”- you need to take it serious.

Higher Standards For Entry-Level Positions

To hedge against this risk, companies have upped the requirements of entry-level to what was once considered mid-level requirements. But don't take my word for it, any random job posting on LinkedIn will reflect this. Let's take a look at one below:

Here we see a posting for an Entry-level SOC Analyst. Let's break this down for what this means for an applicant with only Security+ certifications.

Off the bat, we see that this company is looking for someone with 2-4 years with experience, a Bachelor's or Master’s, and an advanced certification like CISSP (minimum of 5 years).

If you’re applying with just Security+, your chances of getting this interview are very slim.

However, don’t let this discourage you. You can develop a plan to stand out as a candidate.

Certification/Degree Inflation

Currency isn't the only object in the world that experiences inflation. I would argue most Cybersecurity certifications and degrees are currently going through inflation as well!

According to data from the U.S. Census Bureau, the percentage of people in the United States with a Bachelor's degree or higher has been steadily increasing over the past few decades. In 1990, around 20% of the population aged 25 and over had a Bachelor's degree or higher. By 2019, this percentage had increased to around 36%. This indicates that a larger proportion of the population now holds a Bachelor's degree compared to the past.

Though there is no precise comparison of data for certifications, I'm willing to bet if you looked at any person that is currently working in Cybersecurity or aspiring to get in- they indeed have multiple certifications and/or a degree in Computing.

The CompTIA Security+ Does Not Reflect What Companies Need

The CompTIA Security+ certification is more of a introduction into Cybersecurity, which isn't enough to prove someone is an ideal candidate. This is because the exam covers a broad range of foundational concepts and practices. However, many companies and organizations with Security Operation Centers (SOCs) may find that the Security+ does not fully align with their specific needs.

The SOC environments need employees with specialized skills, and often require more advanced knowledge such as threat intelligence, incident response, and security analysis. As a result, the broad nature of the Security+ does not address the needs of a company, but still is valuable to those starting their journey.

What does this mean for YOU?

Now that we understand why the Security+ certification is no longer enough, what does that mean for you? I want you to not just think about getting a job, but your long term goals in Cyber. How do you envision your career 10 years down the road? What specialization do you want to focus on? Do you wish to stay technical, or be more managerial? These are things you need to consider as you form your strategic plan to break into cyber!