You don't often get a chance to help shape something new, but that's exactly what you can do for the Computing Technology Industry Association's (CompTIA's) new Security+ certification. CompTIA's goal is to create a vendor-neutral certification that tests candidates' understanding of typical attacks and security best practices. To determine what the certification should test, CompTIA has created a survey and is inviting everyone to take it.
The survey is straightforward. After some perfunctory demographic questions, you consider 37 pieces of information and tasks and rate them on how often you think someone might use that information, how important it is to a security administrator's job function, and what level of expertise someone should have to know the information. The resulting statistics should yield an aggregate opinion of how security professionals view the items in the survey. For example, I said that recognizing and reacting properly to malicious code attacks is something that might happen weekly, is absolutely essential for a security administrator, and requires a moderate level of expertise. I gave a similar answer about network-based attacks (e.g., Denial of Service—DoS—attacks, port scans, spoofing), but I indicated that such attacks require a high level of expertise to identify and respond correctly to.
CompTIA has done a good job of identifying the concepts and tasks that are common to security administrators. My only concern is that I considered almost all the tasks to be important or very important. If most people who take the survey agree, the Security+ certification will be a tough one. Whether it needs to be so tough that only a few experienced administrators can attain it is worthy of further discussion. CompTIA's most popular certifications (e.g., A+, Network+) have traditionally been entry-level, vendor-neutral certifications that lead to other, more vendor-specific certifications. If CompTIA decides to test candidates' knowledge of the full range of topics that appear on the survey, the Security+ certification will be a high-level certification that you would take after A+ and Network+ but before a vendor's security certification.
Being positioned in that niche could be a good thing for all of us. Companies have stated during the past year that not enough of their employees understand security-related topics. These organizations might need just a few top-level security administrators, but they'll tell anyone who listens about the growing need for people to help implement and maintain security policies. Likewise, a growing need exists for people who understand how to clean up the aftermath of viruses and worms. The results of several SANS Institute surveys support such claims. At the very least, just about every company should ensure that its technical support and Help desk personnel are trained on proper security practices. The Security+ certification could be the answer to all these needs.
Whether you have a lot of security experience or very little, your opinion will help make the process statistically sound and balanced. This certification has the potential to be an important one, and it certainly seeks to fill a great need. I needed just 25 minutes to answer the 37 survey questions, so giving CompTIA the benefit of your expertise shouldn't be much of an inconvenience.