GovInfoSecurity.com - Information Security News, Regulations, & Education


Cybersecurity Training: Should Pros be Licensed?

Senate Bill Calls for Licensing, Certifying Fed Cyber Workers
August 14, 2009 - Upasana Gupta, Contributing Editor

A proposed cybersecurity mandate under discussion in the Senate would affect thousands of information technology and security workers if implemented. The proposal requires that all government employees and contractors be certified and licensed if they provide cybersecurity services to an agency or for an information system designated as critical infrastructure. The proposal is part of the CyberSecurity Act of 2009, a bill introduced by Sens. John "Jay" Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine). To ensure the security of cyber communications with global trading partners, to develop a cadre of information technology specialists who can improve and maintain effective cybersecurity defenses against disruption, and for other purposes, the proposal would direct:

The Commerce Department to develop or coordinate and integrate a national licensing, certification and periodic recertification program for cybersecurity professionals;
It would then become unlawful for a professional lacking the proper license and certification to provide cybersecurity services to the U.S. government or federal agencies, or for an information system or network designated as critical infrastructure by the president.

Pros and Cons

This push toward licensing and certifying cybersecurity professionals has spurred a debate within the government and associated organizations.

"It is a good idea, but how do we implement it?" says James Lewis, Director Technology and Public Policy at the Center for Strategic and International Studies (CSIS). "There are still many unanswered questions. For example, we do not know what certified means, and what you do to become certified?"


Cybersecurity training is an initiative that takes some time to implement, he says. "It is very encouraging to see this level of attention being given to cybersecurity training and education," says Hord Tipton, CEO and president of ISC2. "However, it is one thing to write good ideas and another to follow."

If the proposal is implemented, there will be numerous challenges in compliance, laws and regulations, apart from the need to define cybersecurity skills and services, which will be an extremely daunting task, Tipton adds.

Opinions about the proposal vary, but all agree that there is nothing new about using certification as a tool for hiring, placing and enriching employees. Within the federal government, the Defense Department has had a mandatory certification requirement (but not a licensing requirement) for its information assurance workforce since 2004. George Bieber, Director of the Defense-wide Information Assurance Program, says that, with around 30% of the DoD workforce now certified, a significant positive impact is seen in the performance level of employees.

"The concept is sound, but whether it will work will depend on the type and rigor of the certification," says Karen Evans, who served as the de facto federal chief information officer for more than five years until this past January. She maintains that cybersecurity is a complex field that needs a range of skills, from writing secure code to systems administration, intrusion detection and forensics. Curricula need to be developed so that certifications can be based not only on the completion of accredited coursework, but also on rigorous testing and monitored practical experience in the specific discipline and, quite often, on the specific hardware for which the individual is certified. "The certification needs to match up to the needs and address the gaps in the workforce. A less than rigorous certification and licensing process could be worse than none at all," she says.

"We know we are in the right direction by inculcating a commitment to the codes of ethics and continuing education in this field," says John Rossi, Professor of Systems Management / Information Assurance, U.S. National Defense University. "The challenge lies in getting the government to fund as well as getting people to commit toward this initiative," he says.

Licensing is no different than what medical practitioners or even lawyers need to have when they practice their profession. As the security industry evolves, matures and moves toward specialization, this is something bound to happen, adds Rossi.

