A central point for collection of information that relates to computer security, including, but not limited to, security advisories from the major vendors, major data breaches, "phishing" alerts, commentary regarding staffing levels, etc.
Commentary on IT Certification
July 11, 2010 at 6:45 pm #105296
Certifications are not a panacea for cybersecurity woes
As Congress debates legislation to improve cybersecurity, one problematic idea that appears to have gained some traction is developing a national certification program for cybersecurity professionals.
If certifications were effective, we would have solved the cybersecurity challenge many years ago. Certainly more workforce training, although not a panacea, can help teach workers how to respond to known cyberattacks. However, workforce training is not certification, and organizations, not Congress, are in the best position to determine the most appropriate and effective training for their workers.
Organizations know that simply getting their employees certified will not solve their security challenges. Although a good certification standard might be a measure of a baseline level of competence, it is not an indicator of job performance. Having certified employees does not mean firewalls will be configured securely, computers will have up-to-date patches, and employees won’t write passwords on the backs of keyboards. Nor has the increase in the number of certified cybersecurity workers nationwide resulted in any noticeable decrease in the number of computer vulnerabilities, security incidents or losses from cyber crime. Between 2001 and 2005, although the number of Certified Information Systems Security Professionals in North America quadrupled, the number of vulnerabilities cataloged by the U.S. Computer Emergency Readiness Team more than doubled, the dollar loss of claims reported to the Internet Crime Complaint Center increased more than tenfold, and the number of complaints the center referred to law enforcement increased more than twentyfold.
At the federal level, a certification mandate would be little more than a box-checking activity for agencies, akin to many of the Federal Information Security Management Act requirements that tax the federal budget and workforce, but produce few results. Even worse, Congress might go further and impose costly certification requirements on a broad range of private network operators and companies in many major industries. By requiring certification for so many jobs, Congress would in effect create a “license to practice” for cybersecurity professionals.
Licenses are typically only required in professions in which the public is harmed by the absence of licensure. (Perhaps that is an argument to require licenses for members of Congress.) Therefore, the implicit assumption in arguing for a certification program for all federal cybersecurity professionals, those involved in operating critical infrastructure and potentially many more individuals in the private sector, is that the public is being harmed because unqualified workers are filling those jobs — not because of a lack of talent or insufficient training but because hiring managers cannot distinguish between competent and incompetent cybersecurity workers. That is the only problem that certification (in the form of a de facto license) could fix. However, no proponent of that approach has provided evidence to show that the problem exists, nor is the problem commonly cited in other studies as a factor contributing to cybersecurity risks.
The security community needs to speak up. The cybersecurity challenge is too important to allow Congress to provide a paper-thin response that produces nothing more than the veneer of government action without reducing any real risks.
July 22, 2010 at 2:40 pm #105308
FISSEA has addressed the issue of certification for IT professionals for a number of years. In its annual conferences, speakers and panelists were generally in agreement that certification is not a "silver bullet." Certification does, however, provide one measure for determining whether an individual is a qualified practitioner. It also can provide a mechanism for disciplining individuals who fail to perform or do not adhere to standards for ethical conduct (i.e., if a certification authority is serious about maintaining the acceptability of its certification, individuals will have their certification revoked for ethical lapses).
July 23, 2010 at 5:18 pm #105306
Bryan Conway JD, PMP
I think the major problem with the cyber security certification requirement being cascaded down to “soft IT” skilled employees is that the tested material is too broad and very far beyond the scope of the employee’s job description. In my department, most of the systems administered are old legacy mainframe systems, where employees simply add/delete/modify account accesses. However, the certification requires knowledge of wi-fi security, risk analysis, vulnerability testing, public key infrastructure, cryptology, and other highly technical security concepts that have nothing to do with the employee’s job! There is an entirely separate IT group that is responsible for organizational cyber security.
This certification is mandatory for about half of our department. Realistically, several will probably not pass (I am a "soft IT" person and had to really study my a** off to pass), and will potentially get reassigned simply because they weren't able to pass a test that is largely irrelevant to the required duties of the position! John stated that certification requirements could be used as a mechanism to purge poorly performing / unethical employees from the organization, but when the requirement is imposed upon inappropriate groups of employees, it will cause many high-performing individuals to find employment elsewhere, which doesn't enhance cyber security.
I would suggest that this appears to be just a full employment initiative for the certification test preparation industry, but that would be rather cynical, wouldn’t it?
July 24, 2010 at 3:14 pm #105304
Security certification is really only useful in evaluating security professionals. In Bryan’s example, what is required is role-based training. Role-based training would provide those responsible for O&M with the security knowledge specific to their assignments. If a certificate is required, it could reflect the training received and not a full certification that covers all areas of security.
Requiring everyone to have a security certification reduces the effectiveness of certification as a performance discriminator. A high-level certification also tends to dilute the security skills necessary to address specific technologies. For example, how many questions would a typical certification exam contain that would cover mainframe security?
July 27, 2010 at 10:58 am #105302
John is correct, BUT I am seeing at least some organizations take the lazy way out and simply roll role-based training into security certification if said individual's title includes "computer" or "security", which, as Bryan points out, is a rather classic case where this should NOT be!
July 30, 2010 at 6:05 pm #105300
Bryan Conway JD, PMP
I agree, it would be much better to partition the Security+ certification into smaller, job specific modules (like mainframe security) – perhaps something could be developed within the agency for this purpose. However, requiring a vendor-neutral, international certification ensures (hypothetically) that the employees are knowledgeable and not just rubber-stamped as such by their agency without a legitimate means to measure their competence.
In reality, about half of the security administrators that are required to take the exam in my directorate do not need training; they have been doing the job for over a decade, and nothing has really changed during this duration in the mainframe world! Unfortunately, these types of employees are the most susceptible to failing the Security+ exam, as they do not have degrees and have no experience in preparing for and taking rigorous exams. The other half are degreed newcomers who have taken multiple tests in college as well as tests like the ACT, SAT, GMAT, GRE, CPA, etc., and will have a much better shot at passing. The net result will be the older, experienced workers getting removed from their jobs while the new, inexperienced workers remain!
As far as this certification serving as a “performance discriminator”, I don’t think that over-applying it would reduce its effectiveness in that regard. Actually, I fear that it will discriminate more heavily than ever, as forcing more employees to take the exam will most likely drive the passing rate down substantially and bounce good employees out of their security admin jobs!
July 30, 2010 at 6:29 pm #105298
I believe that another short-term result of this forced testing will be that those people who have the knowledge to run the system efficiently will be supervised by the skilled test takers, regardless of their leadership abilities or technical skills. A disaster looking for a place to happen.