[ISN] Certifications are not a panacea for cybersecurity woes

From: InfoSec News <alerts_at_private>
Date: Fri, 4 Dec 2009 04:10:08 -0600 (CST)
http://fcw.com/articles/2009/12/01/comment-castro-certification.aspx

By Daniel Castro
Commentary
FCW.com
Dec 01, 2009

As Congress debates legislation to improve cybersecurity, one 
problematic idea that appears to have gained some traction is developing 
a national certification program for cybersecurity professionals.

If certifications were effective, we would have solved the cybersecurity 
challenge many years ago. Certainly more workforce training, although 
not a panacea, can help teach workers how to respond to known 
cyberattacks. However, workforce training is not certification, and 
organizations, not Congress, are in the best position to determine the 
most appropriate and effective training for their workers.

Organizations know that simply getting their employees certified will 
not solve their security challenges. Although a good certification 
standard might be a measure of a baseline level of competence, it is not 
an indicator of job performance. Having certified employees does not 
mean firewalls will be configured securely, computers will have 
up-to-date patches, and employees won't write passwords on the backs of 
keyboards. Nor has the increase in the number of certified cybersecurity 
workers nationwide resulted in any noticeable decrease in the number of 
computer vulnerabilities, security incidents or losses from cyber crime. 
Between 2001 and 2005, although the number of Certified Information 
Systems Security Professionals in North America quadrupled, the number 
of vulnerabilities cataloged by the U.S. Computer Emergency Readiness 
Team more than doubled, the dollar loss of claims reported to the 
Internet Crime Complaint Center increased more than tenfold, and the 
number of complaints the center referred to law enforcement increased 
more than twentyfold.

At the federal level, a certification mandate would be little more than 
a box-checking activity for agencies, akin to many of the Federal 
Information Security Management Act requirements that tax the federal 
budget and workforce, but produce few results. Even worse, Congress 
might go further and impose costly certification requirements on a broad 
range of private network operators and companies in many major 
industries. By requiring certification for so many jobs, Congress would 
in effect create a "license to practice" for cybersecurity 
professionals.

Licenses are typically only required in professions in which the public 
is harmed by the absence of licensure. (Perhaps that is an argument to 
require licenses for members of Congress.) Therefore, the implicit 
assumption in arguing for a certification program for all federal 
cybersecurity professionals, those involved in operating critical 
infrastructure and potentially many more individuals in the private 
sector, is that the public is being harmed because unqualified workers 
are filling those jobs -- not because of a lack of talent or 
insufficient training but because hiring managers cannot distinguish 
between competent and incompetent cybersecurity workers. That is the 
only problem that certification (in the form of a de facto license) 
could fix. However, no proponent of that approach has provided evidence 
to show that the problem exists, nor is the problem commonly cited in 
other studies as a factor contributing to cybersecurity risks.

[...]

