Making the Case for IT Security Certification

Interview with Hord Tipton of (ISC)2 Eric Chabrow (GovInfoSecurity) • June 30, 2009

Hord Tipton recognizes that many critical federal cybersecurity positions would go unfilled in the coming months and years if the federal government required all of its information security professionals be certified as some lawmakers have proposed.

Still, as an eventual goal, filling federal IT security posts with certified professionals would benefit the government in its quest to secure data and technology, the executive director of (ISC)2, the not-for-profit certifier of IT security professionals, says in an interview with the Information Security Media Group (see transcript of interview below).

As head of (ISC)2, it would be surprising if Tipton didn't see the benefit of certification, which requires specific levels of education and experience.

"I have looked at a lot of resumes over my career; resumes can say a lot of things," says Tipton, the onetime CIO at the Interior Department. "One is education and then how do you validate that education and the competency that goes with that. The second piece is experience. No one wants to fly with a plot that has a pilot's license but he has no solo hours and he hasn't spent any time in the air. You have to have a good balance of the two is our philosophy."

In the interview, Tipton also discussed:

Need to provide federal employees awareness training more often than once a year because of the ever-changing challenges IT security presents;

Challenges the government faces in hiring qualified cybersecurity practitioners even if there aren't enough applicants with IT security certification; and

Expansion of information security awareness beyond government agencies and establishing programs in elementary and secondary schools.

Tipton spoke with Eric Chabrow, managing editor of GovInfoSecurity.com.

ERIC CHABROW: How would you grade the federal government in making its employees and other constituents aware of IT security?

HORD TIPTON: Based on long experience with the government, I have seen it grow steadily over the years. Each year, it seemed to get a little bit better. In the Department of the Interior, each year it was mandatory we had various levels of training for end-users and each year we tried to make the material a little more relevant. It also became a bit more difficult and they had to study materials until they actually got passing grades on it.

At that point, we actually got to where we would do some spot testing just to see and make sure that our training was effective. That of course was centralized by the Office of Personnel Management for a more consistent promoting continuity across the government better and that seems to have worked quite well.

CHABROW: I should have mentioned that you were at one time the CIO at the Department of the Interior.

TIPTON: That's correct, but I have fully recovered.

CHABROW: Good. What are some of the challenges agency face?

TIPTON: Security awareness for the end-uses when I left, and this was about two and half years ago, was a once a year event and it is very strict. You must actually pass the training, you must go through it and that is everyone from the top executive all the way to even contractors.

Once a year may not be often enough. End-user training must occur much more frequently than that. The social engineering piece of it is so easy to dilute people that we need more frequent training. You also need the follow up just to make sure that people really and truly understand the dangers and some of the tricks that are used out there to deceive them.

The other aspect of training that needs strengthening to some degree is what we call role-based training for the professionals in the IT area who need to be technical in many areas and to keep up with the rapidly changing pace of technology.

CHABROW: What are some of the common problems you find with end-users?

TIPTON: You start with the e-mail. E-mail is the gateway that has to stay open. You have to have [e-mail] to conduct your business. And, having the right IT controls on the e-mail system to prevent people from actually having freedoms and flexibilities within the e-mail stream is necessary.

For example, it is just not a safe habit to allow people to use the links that often come in e-mails to get to the web and other sites. Using plain text is not as colorful, it is not as functional as the HTML versions of e-mail, but it is much more secure. A lot of this depends, of course, upon the situation and the risk that agencies are willing to take with their e-mail, but what we find is that is a primary weak link.

Another area that needs a lot of monitoring at least is the collaborative Web 2.0 type of functions. Messaging was always a concern for us, and then there are all sorts of versions of instant messaging. Now we deal with the Facebooks, we deal with MySpace, we deal with Twitter, there are just more ways for people to actually communicate even outside of their e-mail streams that are potential vulnerabilities.

CHABROW: Is the solution to ban them or is the solution to find some safe way for them to use them?

TIPTON: Oh no, no I am not suggesting that they be banned. It is like wireless, wireless was very scary to us several years ago, and it is still very scary, but if you look around wireless has not been stymied, it has grown by leaps and bounds and is a major part of our infrastructure.

The key is to, as we say in the security business, build your secure in from the front end of whatever process it is you are trying to allow and on wireless you need to have your infrastructure constructed carefully before you start, on instant messaging it is the same thing. There are versions of instant messaging that are secure and you might need to make sure that you have the right controls over that, otherwise you are going to have severe data leakage issues.

Skype is another means of communication that has progressed quite technically, but in terms of security, we will give them some kudos for actually improving and instilling trust for a lot of people by the use of a very common tool out there.

The answer is to try to avoid saying no, but at the same time trying to get yourself in on the front end of these new technologies before the business actually launches them.

CHABROW: How important is it for all government cybersecurity professionals to be certified?

TIPTON: We believe that it is a critical measuring point, a milestone, and we are not saying that certification is the magic silver bullet or anyone's solutions, but there are a lot of demand right now for different skills throughout the security world and there are a lot of credentials, there is a lot of training and educational tools and courses that are available to them.

I have looked at a lot of resumes over my career; resumes can say a lot of things. One is education and then how do you validate that education and the competency that goes with that. The second piece is experience. No one wants to fly with a plot that has a pilot's license but he has no solo hours and he hasn't spent any time in the air. You have to have a good balance of the two is our philosophy.

CHABROW: Some people argue that government should not have to require all cybersecurity professionals to be certified, at this point in time at least, because if they did that they wouldn't have enough people to staff all of its positions.

TIPTON: It is a problem. You know, I have to look back at the DOD model, the I think 8570.1, that put this requirement and did a mapping of their job skills to determine actually what certification they wanted in place and they gave themselves several years in which to accomplish that. I think that number amounted to something like 100,000 people. There probably aren't 100,000 people, there certainly weren't at the time they launched their directive, but we have 63,000 just in the (ISC)2 arena at this point and other security organizations have smaller numbers at the same time. It is a doable thing. It couldn't be done overnight.

But there is another aspect of certification that is to me critically important at this point and that is at least some assurance to you that the people you hire have to keep up with their skills. In order to stay certified and to maintain our credential you have to amass a certain number of what we call continuing professional education credits over a three year period, and without maintaining those credits, you loose your certification. There are various and different ways and types of grades of those credits.

You not only want to hire someone that is competent today, you want to make sure that they are at least tuned in to remaining competent over an extended period of time.

CHABROW: Are you encouraged with what you see coming out of the Whitehouse with President Obama's cybersecurity plan?

TIPTON: Those are very good signals. Very positive signals. We are particularly encouraged by a couple of things in there, one being the notion that the public awareness has to be greater and that goes way beyond government.

Public awareness is a program, an aspect of education that we at (ISC)2 have been focused on here for a couple of years. At one time we were focused at the accomplished individuals, five years experience with a certification. We now are looking in the grade schools. We are looking at places that our academia is missing, the teaching skills. We find that teachers really are not comfortable with teaching in areas that they haven't had formal training on.

When we went to school to get teaching degrees to get just about any type of a professional degree there were basic academic requirements, math, science, and if you were not really accomplished in those you had to take general math and general science, but there was at least a recognition you had to have basic academic skills.

And as a result of that, when we have issue today, we know in most cases who to call. If there is a burglar outside your house you call the police. If you think you are having a heart attack and you need medical services you call 911. It is 10 o'clock at night and you are trying to balance your checkbook and you notice some irregularities and the next thing you know you think you are a victim of identity theft, who do you call 911 doesn't work. And it is not clear within our framework exactly how we manage this.

We have a lot of work to do on that public awareness front in my opinion across the board. We need to get it in the grade schools; we need to get it into our high schools, colleges and basic core courses in the universities.

We are particularly passionate with a program at this point that we call Facing Secure Online that is targeted for children ages 11 through 14. It is tried and true and we have done it in several countries, I think over 20,000 students now through the training. It is an opportunity for our 63,000 members to give something back to the public. Having participated in a few of those myself I can tell you they really make you feel good when you can walk away from kids and classrooms and feel like you have left something positive with them.