My Security+ Certification Journey

At time of publication, it's Cybersecurity Awareness Month here in the United States. We supported the campaign as a team last year with security-focused content, and wanted to embrace that charge again this year. Supporting cybersecurity as an F5er and as a steward of the DevCentral community is a no-brainer. So why security+?

The Goals

Beyond supporting the awareness month, I had a personal goal: up-level my security foundation beyond practical implementation skills. I have worked in and around security positions and technologies for much of my career, but I've yet to do any formal training in the theories, policies, and procedures around security. In reading through the objectives of the CompTIA Security+ certification, it seemed to have a good balance of practical experience and coverage in areas I have no direct responsibility or expertise like incident response, risk, governance, and compliance. 

The Course

Once I decided on pursuing the Security+ certification, I had to identify resources to assist in my journey. This is one of the things I love about the F5 culture. We may not get all-expenses-paid week-long in-person training experiences, but we do have 24x7 access (amongst other tools depending on your department) to LinkedIn Learning and O'Reilly Publishing. This is a HUGE benefit. I can't tell you how valuable these assets are.

I decided on a Pearson IT Certification video course instructed by Sari Greene, which had over 23 hours of video content! The course was broken down by the rubric for the exam. Lessons were broken down by domain, and within each lesson there were sublessons mapped to domain objectives. Pretty clear cut organization, which was helpful.

The course itself was Sari presenting in the lower right super-imposed over slides. Yeah...if slideware is not your thing, this course is definitely not for you. But for me, even though I face death-by-powerpoint often, I had so much to learn that the immense amount of information presented on the slides and then often clarified and expanded upon by Sari was really helpful. Four things about the course I really appreciated:

  1. At the end of each video sub-lesson, there was a five question quiz on the material, with three seconds apiece to answer. The short timeframe was helpful for me to guage how closely I paid attention and if I needed to go back and review anything.
  2. Following each quiz there was a security-in-action, which provided a real-world scenario to apply the knowledge learned. This was important, I found often that information learned is not necessarily knowledge gained.
  3. At the end of each lesson, there was a closer look video, which would dive into understanding CVEs, or how Wireshark works, etc. Some of this was review for me, but there were a lot of helpful nuggets and tools I added to my toolbox.
  4. At the end of each module, there was a ten question quiz on the material, in varying formats. These were helpful refreshers and also presented the material differently to make sure I was learning concepts.

There wasn't much to complain about in the course, but a few nits I'll mention:

  1. Seemingly every third video I got a 500 error, and reloading collapsed the right-column ToC I kept in place to track my progress, and turned off the volume. Not a big deal, but super annoying. Not a problem with the content, just the delivery.
  2. The test taking strategies section was at the very end of the content instead of up front. I'd swap it as I'm preparing for an exam, even while learning content. There are a few things in my preparation I would have changed throughout the course had I had that at the beginning.
  3. Sometimes the content was delivered painfully slow. Easy fix moving the playback button to 1.25x/1.5x, but the pacing wasn't always very consistent.

The Practice Exams

My approach to the course and overall preparation for the certification exam was to take a pre-test before even starting training just to assess where I was, to set a baseline if you will. Then, after each module, I'd take another practice test. Ahead of really knowing anything detailed about the exam content or structure, I found a Udemy course with 5 exams of 100 questions each, which I was excited about. 

My pre-test score was a 54%, scoring 54 entirely correct questions out of 100 on the first practice exam in the Udemy course. I did have some partially correct as well, but the Udemy course doesn't seem to award points. But that was ok, I had a baseline in place. After I finished module 1, which was the Threats, Attacks, and Vulnerabilities domain, my second test rose to 65%, so progress! That said, I started to question some of the accuracy of the questions, and noticed a lot of typos and seemingly language translation issues in the wording of some questions. A few more modules and practice exams in, my scores weren't improving and my uneasiness with the practice material was growing. Ultimately, I decided to forego the fifth Udemy practice exam and switched to the ones attached to the training course, and WOWZA what a difference.

The Pearson practice exams are fantastic. HIGHLY recommend sticking with them. Not only do you get an accurate scoring like you'll get on the real exam (range of 150-900 with a passing score of 750) but they break down the number of questions asked in each objective and your relative success in each.

Also, you can take the exams in study mode or test mode, which is helpful to experience it both ways depending on your goals for the day.

Learning, Note Taking, & Surprises

I've mentioned this before on the live stream in an older episode of You Want Answers?!?, but as I gain in wisdom (aka...getting older!) the ways in which I learn have changed. Gone are the days I can just consume instantly everything in front of me. I have to take it in smaller doses, review a lot more, and engage with it in different ways. The Closer Look and Security-in-Action exercises in the course were very effective in supplementing the slides and commentary from Sari, and the constant practice exam exposure helped. Speaking the concepts out loud was instrumental, the addage that teaching a concept is the best way to cement it for yourself holds up. My audience was my 14 year old dog and my 4 year old kid, but still, it was working for me!

Regarding notes...my skills have waned in this regard. I used to be very effective at picking out key concepts, writing those down, and fleshing those out later if necessary. During this course, especially early, I found myself writing EVERYTHING down, to the point I was so distracted by note taking I wasn't paying attention enough to learn the material. Ingesting information is not the same as digesting it. I switched to a different method about 40% in that helped: I sped up the video replay to 1.25x so it was fast enough to stop me from writing too much down but slow enough I could grasp the concepts. I also started to pause the very end of each lesson, which was a word cloud of concepts, and wrote down the 2-4 keywords I felt the least sure about so I could add those to my review cycle.

Surprises...there were many! On the plus the side, there were some things I knew innately that didn't require much study. On the negative side, there were a couple things I really thought I knew that I didn't know very well at all when diving into the weeds: SSL/TLS and PKI. You'd think since I've made a career of these technologies I'd have the fundamentals down, but you'd be wrong. There is so much to these protocols and frameworks that I clearly didn't know, and it was simultaneously alarming and refreshing to dig in and bring clarity to the details and the how/what/where/when/why of decision making around cryptography. There's a reason the guidance from everyone in the know is to NEVER ROLL YOUR OWN CRYPTO! That stuff is really hard to get right, and false assurance is bad place to be.

The Real Thing, Test Results, and Closing Thoughts

 I had to work out some administrative stuff to get scheduled for the exam, and the dates were pushed out a little for a seat in my area, but my exam is now set for Monday Oct 24th at 3:30pm central. I'm nervous because it's been a hot minute since I've taken a certification test but I do feel adequately prepared. I'll update this section next week with my results.

UPDATE: I passed! Passing score was 750, my personal goal was 820, and I fell slightly north of the middle of those levels at 798. A few notes on the actual test:

  • Every practice test I took had at least 90 questions, but in the actual exam, I had 74, which was a welcome sight except that...
  • The first several questions (I think six but I'm not 100% on that) were all performance-based, and I took 15 minutes to walk through those. I felt good about them, but that left me only 75 minutes left to answer the remaining 68 questions.
  • Pro Tip - don't wear a hat! I wore my lucky DevCentral hat but I couldn't take it in, so my certification picture is all hat hair and I was self-conscious throughout that people were staring at my knappy head.

On the journey itself, I'm glad I'm doing it. It's easy to get comfortable being comfortable, but being stretched never returns void. I remember hearing a message once from a guitarist about the importance of stretching new strings, and that not taking the time to do it results in challenges with pitch, tuning, and intonation. Stretching the strings makes beautiful music in the hands of a skilled musician. And so it is with us. I know certifications are a contentious subject for some on their value. But whether or not they open doors to a particular job, they do present the opportunity to be stretched, and they force you to learn details about a subject that you'd normally gloss over or skip altogether.

To that end, what journey are you on? And how can I or anyone else on the DevCentral team or the greater DevCentral community help you?

Updated Oct 27, 2022
Version 3.0
  • Hey Jason!

    Thanks for writing this. It's a great overview of what needs to happen to get certified these days. I'm curious why you chose Security+ over the CISSP.

    Good luck on the exam!

  • Thanks Victor_Granic! I chose the Security+ over other certs including the CISSP, for a few reasons:

    • The breadth and basics beyond security theory and into the practice of practical/operational security as well
    • Beginner/Intermediate certification approachable by the largest percentage of our non-security practitioners in the community
    • Seemed doable in the amount of time I allocated to study and prepare content for Cybersecurity Awareness Month