How to prepare for the CompTIA CASP+ exam

Are you pursuing the CompTIA Advanced Security Practitioner certification? The author of a CASP+ cert guide offers advice on how to prepare for the exam.

The CompTIA Advanced Security Practitioner certification is ideal for IT professionals looking to improve or brush up on their technical skills. Whereas many advanced security certifications focus on management skills, such as how to implement security policies or frameworks, the CASP+ content focuses on the technical skills required to secure enterprise environments.

"Anyone in IT with this certification is going to be in good shape," said Troy McMillan, author of CompTIA Advanced Security Practitioner (CASP+) CAS-004 Cert Guide, published by Pearson.

CASP+, which has no formal prerequisites, is designed for practitioners -- not managers -- with at least 10 years of IT experience, including five years of technical security experience. Professionals with less experience are advised to complete CompTIA's Security+ and Cybersecurity Analyst+ before attempting CASP+.

Launched in 2011, CASP+ was designed to fulfill the requirements of the Department of Defense's Directive 8570 (now part of the larger DoDD 8140), which requires that technical and information security government professionals meet certain criteria to be part of the DoD workforce.

The latest version of the exam, CAS-004, released in October 2021, covers four domains:

  • security architecture (29%)
  • security operations (30%)
  • security engineering and cryptography (26%)
  • governance, risk and compliance (15%)

Here, McMillan offers advice on the certification, including study tips and how to prepare for the exam, as well as the benefits of passing the exam and potential career paths.

Editor's note: This transcript has been edited for length and clarity.


What are the benefits of CASP+ certification?

Troy McMillan: CASP+ is respected among all the cybersecurity certifications. As far as employment is concerned, a lot of people in security are changing their jobs right now -- you hear it called 'The Great Resignation.' People are not just quitting; they're taking new jobs with bigger salaries.

CASP+ certification is beneficial for anyone trying to stay employed or looking for a new job. It's great technical knowledge about security that more people need to know and understand. That's the big thing -- it sets you up to stand out among other candidates.

What are the differences between CASP+ and CISSP?

McMillan: There is a lot of overlap in the exams, but the focus is different. The P in CASP stands for practitioner, which means the certification is designed for the actual person performing security duties. The P in CISSP is professional and more targeted at managers. The topics included in the CISSP exam are more from the angle of the CIO. These are not the people doing stuff -- they're managing people doing stuff.

The person with the CASP+ is going to know more about the actual nuts and bolts, whereas the CIO with the CISSP is going to be less interested in how to configure certain things than in how that concept fits into security.

CASP+ is compliant with ISO 17024 standards and approved to meet DoDD 8140. What does this mean for the certification holder?

McMillan: The DoD realized it needed to make sure folks in the military were secure. In other words, it needed to ensure people had the right security knowledge depending on their role. The DoD is even trying to get people who just use computers in the DoD network to take the Security+ exam because it wants everyone to exercise safe cybersecurity habits.

A lot of security-related certifications -- CASP+, CySA+, CISSP -- are now part of the DoD's training. The DoD will say, 'If you have this job in the military, you have to pass this certification.' The DoD isn't looking for members of the military to retain everything from the exam, but if people get a certification, they're going to remember the important stuff.

What is the career path for CASP+ certification holders?

McMillan: People who get this certification are going to be practitioners, such as a security analyst. The exam is good for people working at smaller organizations who take on multiple security roles. It's also good for anybody who wants to be a network administrator or security administrator. It's hard to use specific job titles because companies use strange names when advertising jobs. One company's network administrator is another company's support technician. That said, CASP+ is good for any job that involves general network security maintenance.


What are your top tips to prepare for the exam?

McMillan: Start by getting a good book -- there are a lot of good ones out there. Make sure the book is for the most recent version of the exam, CAS-004. You'll also want to get a good practice test.

I'd be less than honest if I didn't say there are cheat sheets out there you could use to pass the exam. The problem, however, is that you're going to get on the job and not know what you're doing and then get fired.

So, I suggest getting a practice test that's not a cheat sheet. In fact, I'd get a couple of practice exams -- you can never have too many. It's also good to get some labs. A bunch of companies make labs that allow you to get hands-on experience on topics covered in the exam. You often read about how to do something, but it doesn't really click until you do it yourself.

What area of the test trips up test-takers the most?

McMillan: The biggest challenge for people is cryptography and encryption. When you start talking about it, people's eyes start to gloss over and they get confused. Let's face it, cryptography must be complicated to work. In some ways, you just have to memorize it -- for example, which protocols are asymmetric or symmetric.


About the author
Troy McMillan, CASP, is a product developer and technical editor for CyberVista and a full-time trainer. He became a professional trainer 20 years ago, teaching Cisco, Microsoft, CompTIA and wireless classes. McMillan has written and contributed to more than a dozen projects, including authoring CISSP Cert Guide (Pearson) and CompTIA CySA+ CS0-002 Cert Guide (Pearson).
