The Expert's View

There's No Need for New IT Security Certification Process

Comparing Infosec Pros with Neurosurgeons Is Flawed Notion
When I was a federal chief information security officer, I assembled a skilled and motivated team of professionals to handle our many challenges. I required a diverse team of program managers, financial planners, technical writers, compliance experts, training and awareness specialists, audit liaison administrators, security architects and various other professionals with the knowledge, skills and abilities to carry out our responsibilities. For those highly technical or specialized skills that are not readily available within the federal environment, I drew upon commercial industry to provide the required talent. The challenge always was to find the right people with the right skills to do the job.

For nearly two decades, professional certifications in the information security field defined the body of knowledge and provided the ANSI-accredited process by which to achieve the credential. (ISC)2 has been joined in this arena by the ISACA, CompTIA and a few other organizations, all of whom share the goal of providing a professional certification to those individuals with the requisite experience and knowledge, not to mention expanding the professionalization of the information security community across the globe.

The Department of Defense got involved in this arena, and after a lengthy and collaborative process issued DoD Directive 8570, requiring these existing professional certifications to be carried by those individuals with significant cybersecurity responsibilities. Thankfully, I drew on these certification processes to deliver a pool of qualified and competent professionals to meet our challenges.

Along comes a troubling concept from a recent white paper written under the auspices of the Center for Strategic and International Studies' Commission on Cybersecurity for the 44th Presidency, asserting that the federal government should eschew these professional certifications in favor of supposedly more advanced ones that test knowledge and skills, and even goes so far as to claim that existing certifications are wasting scarce resources. The proposed language from the white paper that was offered up to any new legislation states: "Beginning three years after the date of enactment of this act, it shall be unlawful for an individual to be employed as a provider of cybersecurity services to any federal agency who is not a cybersecurity professional unless such an individual is operating under the direct supervision of a cybersecurity professional."

Next we learn that the newly formed National Board of Information Security Examiners, whose founders include the authors of the white paper, also considers the existing certifications insufficient in some way. The NBISE would provide certifications that presumably go over and above the ANSI-accredited certifications such as the CISSP and the CISM because, like "neurosurgeons, fighter pilots and power grid systems operators," the NBISE certifications will require demonstrated skills, not just knowledge.

Flawed Notion

The notion that cybersecurity professionals are to be compared to neurosurgeons, fighter pilots and power grid operators is flawed. For comparison, a lawyer must pass a bar examination in order to determine whether he or she is qualified to practice law in a given jurisdiction, and an accountant must pass the Unified Certified Public Accountant Examination in order to be certified as a CPA. To be considered qualified and competent to manage large acquisition programs in the federal government, the Project Management Professional or its equivalent is required. Where did the notion come from that a 'license' of some kind should be required of the cybersecurity professional, and what, exactly, distinguishes the cybersecurity professional from the lawyer or the CPA?

On top of that, who better to test technical and practical skills than the manufacturers of the technology that is to be deployed in the cybersecurity risk equation? Symantec, McAfee, Cisco and all the rest have robust and successful certification programs in place. When I need a forensics examiner, I will employ one who has the certification in the tool I am using, and not any certification offered by NBISE. To assert that a qualified and competent cybersecurity work force cannot be built based on existing professional certifications is absurd.

The practicality of the approach that the CSIS white paper proposes and the NBISE is attempting to capitalize upon is not clear. The Office of Personnel Management has resisted a classification of cybersecurity professionals for more than a decade, so determining who, exactly, should possess the NBISE certification is problematic, even before we get in front of the federal labor unions. And in times of federal budget crisis, is it wise to assert that a new and costly credential should replace existing ones that are ANSI-accredited and accepted by hundreds of thousands of practitioners and employers around the world?

I can produce individuals with the CISSP or CISM credential who possess guru-level technical skills in cybersecurity, and who would avoid the NBISE certification simply on the grounds that it asserts their current credentials to be meaningless wastes of scarce resources.

The Department of Defense teaches that, before attempting to initiate any new program, always ask "What problem am I attempting to resolve?" This is a question that the CSIS white paper and NBISE have not adequately addressed.

Bruce Brody, chief executive officer of the IT security consultancy New Cyber Partners, is the former chief information security officer at the departments of Energy and Veterans Affairs.