Infosec Certification: Debate Goes On
Human Capital Crisis in Cybersecurity, Revisited
The Commission on Cybersecurity for the 44th Presidency stated that strengthening cybersecurity requires actions on a number of fronts: legal, policy, technological and human capital. Addressing that final challenge - including training and retaining the best cyber professionals - continues to stand front and center.
For example, a recent National Public Radio broadcast entitled Cyberwarrior Shortage Threatens U.S. Security quoted James Gosler, a veteran cybersecurity specialist who has worked at the CIA, National Security Agency and Energy Department: "We don't have sufficiently bright people moving into this field to support those national security objectives as we move forward in time. ... It takes a very skilled person to operate at that level."
A number of organizations and initiatives address the need to raise the bar for cybersecurity professionals. We applaud the efforts of all those laboring to advance the cause of more rigorous, practically-based, independent professional certification. The challenge now is to determine accurately where we stand and how we can best get to where we need to go. Our white paper has sparked just the kind of debate and discussion on this critical issue that we had hoped for.
In a recent press release, for example, (ISC)2, an organization of 73,000 certified information security professionals worldwide, presented the results of a survey of 700 government and industry information security professionals on proposals regarding professional licensing through testing and the creation of an examination review board.
Moving the Debate Forward
We are flattered to report that much of the survey focused on our white paper, although some of the questions seem to be based on a misunderstanding of our proposals. We address those points here, not out of a defensive posture but rather to move the debate forward in the interest of forging a consensus on professionalizing our cybersecurity workforce.
According to the (ISC)2 statement, 69 percent of survey respondents said "they do not believe that a government-run board of examiners will close the gap between existing certification programs and the cybersecurity skills needed in the workplace." However, we neither recommended a government-run board nor suggested that a more rigorous series of certifications alone will close the cybersecurity competence gap. We said that cybersecurity is a complex, highly nuanced field and that it, much like medicine, requires individuals highly trained in a range of subspecialties in order to be effective.
The (ISC)2 statement also states that 53.7 percent of respondents said "they do not believe that spending money exclusively on technical training and certification programs would solve the nation's security problems." Again, however, the roadmap we laid out includes a broad range of actions far beyond just technical training and certification, from encouraging more and better education and training to more rigorous certifications at the high end that include not only knowledge-based testing but also practical demonstrations of the ability to apply that knowledge.
Addressing the Human Capital Challenge
So important is this discussion of the "how" that it is worth repeating what was in our report. Having the right number of people with the requisite technical skills matters. There are four elements of any strategy to deal with this challenge:
- Promote and fund the development of more rigorous curriculums in our schools.
- Support the development and adoption of technically rigorous professional certifications that include tough educational and monitored practical components.
- Use a combination of the hiring process, the acquisition process and training resources to raise the level of technical competence of those who build, operate and defend governmental systems.
- Ensure there is a career path, as with other disciplines like civil engineering or medicine, to reward and retain those with high-level technical skills.
(ISC)2 Executive Director W. Hord Tipton states in the press release: "The results of this poll demonstrate that although information security professionals believe that the white paper and others have accurately identified the human capital problems in cybersecurity, they have neither acknowledged the correct causes, proposed the best solutions, nor have they provided data to support the claim that fatal flaws exist in the existing certification environment."
False Sense of Security
In the course of vetting our paper, the Commission on Cybersecurity for the 44th Presidency concluded that "any efforts to mandate certifying and licensing requirements based on the current regime of professional certifications would be premature." This is especially true in the case of software engineers. We stand by our assertion that the existing regime of certifications is simply insufficient to give those who employ cybersecurity professionals or buy cybersecurity services the assurances that they need. As we stated in our paper:
It is the consensus of the Commission [on Cybersecurity] that the current professional certification regime is not merely inadequate; it creates a dangerously false sense of security for the following reasons:
- Individuals and employers spend scarce resources on credentials that do not demonstrably improve their ability to address security-related risks; and
- Credentials, as currently available, focus on demonstrating expertise in documenting compliance with policy and statutes rather than expertise in mitigating risks and preventing and responding to attacks.
We find the response to one survey question disappointing: "Should there be a rapid movement to performance-based testing in specializations from knowledge-based testing in the information technology arena?" Only 34.3 percent said "yes," with the balance evenly split between "no" and "not sure." Granted, it is not easy to develop rigorous performance-based tests, and respondents were perhaps unclear as to the time frame meant by "rapid." But we are convinced that existing certifications that test only knowledge are weak at best. A simple analogy: it is better to have ballplayers who demonstrate that they can hit the ball than ones who have simply studied the theory of batting.
State of Certifications: Split Decision
Of course, it is important to note that what the press release does not say about the survey may be its most interesting feature: just as many (ISC)2 members agree with us about the state of certification as disagree. Most answers split almost evenly between yes and no, so what the survey really shows is uncertainty. For example, (ISC)2 asked: Is there a gap between existing certification programs and the specific cybersecurity skills that are needed in the workplace? Nearly half (48.3%) of survey takers responded "yes" and another 17.6% were "not sure." Similarly, slightly more than half said "yes" (40.1%) or "not sure" (10.9%) in response to the question: Do you believe the current professional certification programs create a false sense of security?
For their part, professional certification programs that claim to be meaningful must be able to demonstrate that those who earn their credentials produce consistently better outcomes than those who do not. Again, as stated in our paper: "Skills and experience matter. They must be taught, and then demonstrated on the job."
It is also important to note that there are broad areas of agreement between our paper and the views of the (ISC)2 survey respondents. As stated in the press release: "Respondents did agree that there is a critical shortage of federal information security professionals, that one of the main causes of this shortage is the lack of a career path, and that a gap exists between current certification programs and the specific cybersecurity skills needed in the federal government."
Addressing these weaknesses and strengthening the cybersecurity workforce by no means implies starting with a blank slate. As mentioned earlier and as noted in our paper, many organizations and initiatives are attempting to address the issue of cybersecurity training and career paths, including the Department of Homeland Security, International Information Systems Security Certification Consortium, Information Systems Audit and Control Association, Institute of Electrical and Electronics Engineers, Department of Justice, Federal Bureau of Investigation, National Security Agency, Department of Defense, Federal Chief Information Officers Council, Office of Personnel Management, Department of State, U.S. Cyber Command and the U.S. Cyber Challenge.
All of these efforts can be leveraged going forward in search of consensus and collaboration on improving the human resources that will protect our cybersecurity in the years ahead. That the stakes are high, there is no doubt. As stated in the NPR report:
"There may be no country on the planet more vulnerable to a massive cyberattack than the United States, where financial, transportation, telecommunications and even military operations are now deeply dependent on data networking. ... In part, it's due to a severe shortage of computer security specialists and engineers with the skills and knowledge necessary to do battle against would-be adversaries. The protection of U.S. computer systems essentially requires an army of cyberwarriors, but the recruitment of that force is suffering."
There can be no better reminder of the need to work together to put in place not only the best systems to thwart the cybersecurity threat, but also to recruit, train, and retain the best people to keep those systems up and running.
Karen Evans is national director of the U.S. Cyber Challenge and former administrator for information technology and e-government in the White House Office of Management and Budget. Franklin Reeder is founder of the not-for-profit Center for Internet Security and former official in the Office of Management and Budget.