CASP – The Evolution of Technical Security Certifications?

November 27, 2011

CompTIA has been a stalwart in the IT certification arena for quite a number of years. They have dominated the space with such recognized credentials as A+, Linux+, Security+ and many others. Their certifications have been highly recommended by The Ethical Hacker Network (EH-Net) as well as countless others as an entry-point into a given area of IT. But can CompTIA help advance the careers of those already in the field of their choice within IT?

Enter CompTIA’s newest line of industry credentials, the Mastery Series of Certifications. The first offering from this new line is the CompTIA Advanced Security Practitioner, CASP (pronounced C-A-S-P like an acronym as opposed to ‘casp’ like a word). At first glance, it would appear as though CompTIA is taking on ISC2 and the venerable CISSP. After a closer look, this isn’t quite the case. Let’s find out more from Carol Balkcom, CompTIA’s Director and Product Manager for the CASP.

EH-Net: Thanks for taking the time to let our readers know of the new and exciting offering you have. In a nutshell, what is the CASP and your role at CompTIA?

Carol Balkcom (CB):  The CASP is the result of our being advised over a couple of years that the Department of Defense was looking for a more technical security exam to include in the “IA Technical Level III” job classification, for those military and military contractors who are in information assurance roles.  The job classification that I referred to is in the Dept. of Defense “8570” directive that requires certification of all information assurance personnel.
The CASP is targeted at the lead security professional in the enterprise environment who has years of experience with security considerations specific to large multi-location organizations.  The U.S. military refers to that environment as the “enclave”, which means the same thing as the enterprise in the corporate environment.

EH-Net: CompTIA has been known and highly regarded for entry-level certifications. What made you decide to venture into more advanced credentials and do you feel the community will accept CompTIA in this new space?

CB:  CompTIA wouldn’t have developed the CASP if we hadn’t had some indication from the industry that there was an industry need for this type of certification (and not just government).  We conducted a survey in 2010 of people who had purchased multiple Security+ exams for their organizations in the previous two years.  We asked if they were likely to purchase an advanced security certification if CompTIA developed one.  Sixty percent said yes.

EH-Net: On the surface, it may seem as though CASP might be competing in the same area as ISC2’s CISSP. How does it compare/differ from the CISSP?

CB:  The CASP is for the Technical Lead in the enterprise.  Did you ever know a programmer who was absolutely jazzed by what he did—was the best programmer in the building, who just wanted to program, learn new things—and wanted to be paid well, but was not especially interested in “management”?  It is that Technical Security Lead in large, complex organizations that the CASP is designed for.  That is not to say that some of the CISSP audience might not want to certify in the CASP—or that some CASP certified might not want to move on to the CISSP.

The CASP also is devoted to the security implications of business decisions like mergers and acquisitions, or new products or technologies.  One of the exam objectives has to do with integrating different disciplines across the enterprise, for example programmers, network engineers and sales staff, to achieve secure solutions; and the security impact of inter-organizational change.

The CISSP is certainly the gold standard for senior security managers and policy-makers; I guess my hope for the CASP is that it will serve as a similar standard for the deeply technical security professional who also has a head for business.

EH-Net: Seeing as how this is considered to be a higher-end technical certification, will there be a practical portion of the exam to truly test the real-world knowledge of the applicants?

CB:  In that survey I mentioned, one of the comments that was made more than once was that the exam should be performance based.  The CASP is the first CompTIA exam to include some performance based questions.  Since it isn’t a “live” exam, what this means is that the exam taker will encounter certain questions where he or she is taken into a software based environment where certain tool use or task performance will be required based on the scenario that is given.  People who are advanced security professionals should know how to perform the tasks that are required in those questions.  But they do require more time and thought than your standard exam question, so more time is given to finish the exam (150 minutes as opposed to 90 minutes for Security+).

EH-Net: How many total certifications has CompTIA handed out over the years and which are the top 3 in terms of numbers of professionals who have passed the exam?

CB:  Keep in mind that we started with A+ in 1993.  As of September of this year, over a million-and-a-half people have been certified with CompTIA certifications.  A+ is still #1, but in terms of growth, Security+ grew the most in volume in 2010, but Network+ is still 2nd in terms of the number of certifications over time.  I’ve been interested also in the growth in Linux+ and Project+, especially with the U.S. military, in the last year or two.

EH-Net: Can you give us some more details on price, number of questions, official release dates, where to sit for the exams, study materials and anything else I may have forgotten?

CB:  The CASP will launch at an introductory price in the U.S. of $329.  The exam will have a maximum of 70 questions; depending on the specific form of the exam that is administered, one form may have one question more or less than another one.  (All forms are equally weighted as to difficulty, and statistically validated, of course.)  The exam hasn’t launched officially yet; it will be launched when there is study material in the market, which we expect sometime in January from Element K. Study materials from other publishers are underway and should hit the market starting in February.  The exam will be offered at Pearson VUE centers only.

EH-Net: The first hurdle of any certification is the value of the exam itself. Then it is quickly followed by its acceptance by those in the industry both looking for and those filling jobs. What is your plan to get CASP out to the masses in addition to having HR personnel recognize CASP?

CB:  We have applied for ISO accreditation of this exam, which we fully expect to get in December.  The U.S. military is tracking our progress, and we’re hopeful that the CASP will be added to the certification options under 8570 sometime in the new year.  Once that happens, there is a certain domino effect, in the sense that the large government contractors (for example Lockheed Martin, General Dynamics, SAIC) who are required to have their personnel certified, will then have the CASP as an option for those in lead technical functions.  We have certain large conferences that we attend where we’ll feature the CASP, and CompTIA is active on social media sites such as LinkedIn and Facebook where I will undoubtedly be spending a lot of time, engaging with groups and answering questions.  But every new certification takes time to generate buzz, and the CASP will probably be no different.  I can tell you that I got some good feedback from those who took the beta, earlier this year.

Thank you, Carol, for taking the time to answer a few questions and clarify some of the conjecture. We look forward to the continued Q&A in our forums as well as the venues you mentioned above. Best of luck to you and CompTIA as the release date approaches.

For more information on the CASP, please visit the CASP Page on CompTIA’s site.

Donald C. Donzal
Editor-In-Chief
The Ethical Hacker Network
