Fed Infosec Certification Role Raised
Survey: Most IT Pros Oppose a Government-Run Board of Examiners
What does IT security certification have in common with healthcare insurance? A lot of people want government officials to keep their hands off of both.
Surveys conducted before and after the midterm election reveal that most Americans don't want the federal government involved in healthcare insurance, until it's explained that Medicare is a government health insurance program. In a similar vein, an (ISC)2 survey released Wednesday suggests that an overwhelming majority of IT security professionals don't believe a government-run Board of Examiners should accredit IT security certification programs.
(ISC)2, a not-for-profit, membership-based IT security certification organization, surveyed nearly 700 IT security pros - including half working in government as either an employee or contractor - about the role of IT security certification in attracting infosec experts to government.
According to the survey, nearly three-quarters of the respondents said the federal government faces a cybersecurity skills shortage. Nearly half agreed that a gap exists between existing certification programs and the specific cybersecurity skills needed in the workplace; nearly one-third responded that they didn't see such a gap. But nearly seven of 10 respondents said they didn't believe a government-run Board of Examiners would close the gap; only 5 percent did.
Genesis of a Board of Examiners
The idea of an Independent Board of Examiners was raised in a white paper, A Human Capital Crisis in Cybersecurity, issued this summer by the Commission on Cybersecurity for the 44th Presidency, but neither the white paper nor its authors suggested the Board of Examiners be government run. In an interview Wednesday, white paper coauthor Franklin Reeder took exception to the characterization of the Board of Examiners in the (ISC)2 survey as government run:
"The survey sets up a strawman and then burns it down. ... Not only does [the white paper] not say government run, it was never the intent. I suspect you would never have gotten the commission to agree on a government-run board of anything."
Why did (ISC)2 tie the term "government run" to the Board of Examiners in its survey? A spokeswoman for (ISC)2 pointed out that the white paper proposed the creation of an oversight board to direct and evaluate a two-year pilot program to develop and administer certifications in two or three specialty areas and to evaluate whether some or all existing certification programs meet its standards. Oversight board members, according to the white paper, would come from major private-sector organizations that employ high-end cybersecurity professionals, universities with major cyber education and research programs, and key federal government agencies and congressional committees. A footnote in the paper says:
"Since this would be an oversight/advisory group, not a board of directors with fiduciary responsibilities, we presume that it will be possible for government officials to participate."
In the white paper, the proposed Board of Examiners and the oversight board are two different entities.
Hord Tipton, (ISC)2 executive director, wasn't available to comment, but in a statement issued with the survey results, Tipton said:
"The results of this poll demonstrate that although information security professionals believe that the white paper and others have accurately identified the human capital problems in cybersecurity, they have neither acknowledged the correct causes, proposed the best solutions, nor have they provided data to support the claim that fatal flaws exist in the existing certification environment."
Potential Conflicts of Interests?
Though not in the white paper, Reeder said in an interview earlier this year with GovInfoSecurity.com that he and coauthor Karen Evans, the former federal e-government administrator, believe that the same organizations that provide certification training should not also certify those they train, suggesting that could pose a conflict of interest. Tipton took exception to Reeder's comment, and in a written response to GovInfoSecurity.com said:
"We intentionally have a strict firewall between our education and certification programs to avoid the possibility of 'teaching the exam' and thus violating a principal rule of academia."
Tipton, in his response, questioned whether a Board of Examiners should be the only route to a more comprehensive form of certification:
"We are heading down a dangerous path by implying that only a government-run Board of Information Security Examiners is capable of determining the readiness of our security professionals. All of the current security 'confirming' organizations are doing a good job of evaluating and validating the skills of the people they educate and certify."
Tipton, citing the (ISC)2 survey, contends the shortage of government cybersecurity pros is primarily a result of a lack of a career path and professional development programs and not the certification process.
The suggestion that the government lacks a career path and professional development programs for its cybersecurity professionals isn't in conflict with potential certification reform; they aren't mutually exclusive.
A fundamental question isn't whether the government should certify IT security professionals - Tipton and Reeder agree it shouldn't - but whether the current system of education and certification will help attract more IT security experts to government.
The shortage of IT security pros in government is real, and the debate over whether the current regime of certification is sufficient or whether new ones should be adopted - with or without the government's involvement - is just beginning. That discussion can only increase awareness of the nation's cybersecurity workforce needs, and that's a good debate to have.