Consider This Before You Start Teaching to the CompTIA Security+ Exam
Teaching cybersecurity is becoming an increasingly complex endeavor. Not only are instructors being asked to distill and convey increasingly complex information, they are also expected to churn out classrooms full of career-ready individuals.
The need for cybersecurity specialists is staggering. According to one report, there will be 3.5 million cybersecurity job openings in 2025.
In the United States today, most states have either active or pending cybersecurity or online privacy laws. In addition, international laws are requiring more security, privacy, and accountability from companies and organizations in the United States. Compliance means that organizations need individuals with specialized skills pertaining to this blossoming area of the workforce. For example, companies and organizations need:
- Policy development (Governance, Risk, and Compliance)
- Procedure development and implementation
- Security and privacy program development
- Risk management (BIA, BCP, DRP, Risk Assessment, Risk mitigation, etc.)
- Technical specialists (implementation)
- Auditors
- Specialists in training, testing, and assessment
To even begin to get started down this path, students need to pass the CompTIA Security+ Exam. Read on to learn more about this exam, how to organize your thinking when it comes to teaching this complex material, and how to ensure your students are ready to take—and pass—the test.
What is the CompTIA Security+ Exam?
The Computing Technology Industry Association, known to most as CompTIA, is a trade association that issues a large variety of IT and cybersecurity certifications. They have several very popular exams, which most students and professionals are asked to take to stay competitive for typical areas of employment.
One of their core certifications is called CompTIA Security+. CompTIA calls this “the first security certification a candidate should earn.”
According to their website, CompTIA says this exam ensures candidates have the necessary skills to:
- Assess the security posture of an enterprise environment and recommend and implement appropriate security solutions
- Monitor and secure hybrid environments, including cloud, mobile, and IoT
- Operate with an awareness of applicable laws and policies, including principles of governance, risk, and compliance
- Identify, analyze, and respond to security events and incidents
How to Teach to the CompTIA Security+ Exam Effectively
I wrote Fundamentals of Information Systems Security to give students a comprehensive overview of the concepts they must know as they pursue careers in information systems security. It’s intended for Intro to Cybersecurity or Security Fundamentals courses and maps to major domains of the CompTIA Security+ exam.
Fundamentals of Information Systems Security is broken up into three key sections:
- Emerging technologies and the risks, threats, and vulnerabilities associated with our digital world
- A deeper dive into the foundational knowledge areas and functions associated with a career in information security
- A survey of information security standards, professional certifications, and compliance laws
When teaching this material, I like to bucket this thinking in two simple ways: Teaching strategy and teaching tactics.
It’s my view that teaching strategy is an important step, not just for those who aspire toward management roles, but also for understanding what underpins tactical work. It’s important to grasp the higher-order concepts, not just the technical work.
For example, students must:
- Understand executive leadership goals and how to align security and privacy activities with those goals,
- Develop policies to meet compliance requirements (specific to each organization/location), and
- Identify the risks that pose the greatest potential for loss to the organization, and then propose effective mitigation strategies for each one.
In short: Students must grasp the breadth of this topic, not just the depth, in order to be successful.
Next, the tactical elements. Here are a few tips for instructors on how to structure your curriculum:
- To have the best chance for getting budget approved, clearly map every security/privacy activity to a specific strategic goal,
- Employ simulations to test critical plans (Business Continuity Plan (BCP); Disaster Recovery Plan (DRP); Incident response, etc.) to increase awareness, preparedness, and to identify gaps that could increase risk,
- Set clear goals for all activities and avoid tangents that waste time and resources,
- I like to step students through a risk assessment process, from environment scanning and assessment to vulnerability assessment and mitigation report with recommendations,
- Finally, spend a little time talking about the difference between a vulnerability assessment and penetration testing.
I co-wrote a test prep curriculum package in order to provide instructors with everything they might need when teaching this critical test.
My program is called TestPrep for Fundamentals of Information Systems Security. Through this program, coupled with Jones & Bartlett Learning’s Cloud Labs lab environment, you can:
- Build customized practice tests by selecting the number of questions for each category or subject
- Practice with simulated tests that mimic the actual exam
- Take notes or highlight
- Flag questions for later review
- Select your confidence level for each question
- Turn the timer on or off
Qualified instructors are invited to request a review copy of Fundamentals of Information Systems Security in consideration of course adoption.
About the author: Michael G. Solomon, PhD, CISSP, PMP, CISM, CySA+, Pentest+, is an author, educator, and consultant focusing on privacy, security, blockchain, and identity management. As an IT professional and consultant since 1987, Dr. Solomon has led project teams for many Fortune 500 companies and has authored and contributed to more than 25 books and numerous training courses. Dr. Solomon is a Professor of Cyber Security and Global Business with Blockchain Technology at the University of the Cumberlands and holds a PhD in Computer Science and Informatics from Emory University.