Harsh Words for Professional Infosec Certification
Extremely tough language on the state of information security certification can be found in the just-issued report from the Commission on Cybersecurity for the 44th Presidency, which states:
"It is the consensus of the commission that the current professional certification regime is not merely inadequate; it creates a dangerously false sense of security."
Retired Office of Management and Budget official Frank Reeder, along with Karen Evans, who once headed OMB's e-government office, co-wrote the white paper. I spoke with Reeder on Tuesday, and asked him whether the commission intended to be so rough, and he replied:
"Absolutely. Yes, they are harsh words. That was deliberately intended to call attention to the issue."
The report cites the following reasons for its tough-love approach to certification:
- Individuals and employers spend scarce resources on credentials that do not demonstrably improve their ability to address security-related risks; and
- Credentials, as currently available, focus on demonstrating expertise in documenting compliance with policy and statutes rather than expertise in actually reducing risk through identification, prevention and intervention.
That last point, looked at another way, is that many certification programs are tailored to prepare infosec pros to fill out checklists that conform with the Federal Information Security Management Act. Those certifications confirm that the recipient has demonstrated the skills necessary to meet compliance rules, but not necessarily that the recipient is qualified to safeguard IT systems. As Reeder points out, it isn't the certification issuers' fault; they're just meeting a market demand.
But the market is changing. Decrees from OMB and legislation before Congress have the federal government moving away from paper compliance under FISMA and toward continuous monitoring of IT systems to assure they are actually secure. And that requires a new type of expertise. NASA is one of the first federal agencies moving toward continuous monitoring, and here's how its chief information security officer, Jerry Davis, sees it:
"You are definitely talking about a different skill set. It is more of an operations-type activity versus a compliance activity, and what we are doing ultimately is we are operationalizing compliance. There is a little bit more of a technical skill set that an organization will need."
Certifications won't go away; they'll be even more crucial in credentialing IT security professionals, but as Reeder said, they must change:
"We're hoping over time that entities will emerge that will issue much more rigorous certifications and that the certifications that already exist will continue as I think they are to evolve into much more rigorous indications that the folks who hold them are highly skilled."
As Reeder sees it, the cybersecurity profession is where the medical profession was more than a century ago, and in the report, he and Evans wrote:
"In many ways, cybersecurity is a lot like 19th century medicine - a growing field dealing with real threats with lots of often self-taught practitioners only some of whom know what they are doing. What has evolved in medicine over the last century is a system that recognizes that different kinds of skills and specialties are required. And, since most of us are not able to assess the qualifications of a practitioner when a need arises, we now have an education system with accreditation standards and professional certifications by specialty. We can afford no less in the world of cyber."