Analysis: Certifications Not a Panacea for Security Woes

As Congress debates legislation to improve cybersecurity, one idea that seems to have gained traction is the development of a national certification program for security professionals.

If certifications were effective, we would have solved the security challenge many years ago. Certainly more workforce training, although not a panacea, can help teach workers how to respond to known cyberattacks. However, workforce training is not certification, and organizations, not Congress, are in the best position to determine the most appropriate and effective training for their workers.

Organizations know that simply getting their employees certified will not solve their security challenges. Although a good certification standard might be a measure of a baseline level of competence, it is not an indicator of job performance. Having certified employees does not mean firewalls will be configured securely, computers will have up-to-date patches, and employees won't write passwords on the backs of keyboards.

Nor has the increase in the number of certified security workers nationwide resulted in any noticeable decrease in the number of computer vulnerabilities, security incidents or losses from cyber crime. Between 2001 and 2005, although the number of Certified Information Systems Security Professionals (CISSPs) in North America quadrupled, the number of vulnerabilities cataloged by the U.S. Computer Emergency Readiness Team more than doubled, the dollar loss of claims reported to the Internet Crime Complaint Center increased more than tenfold, and the number of complaints the center referred to law enforcement increased more than twentyfold.

A certification mandate would be little more than a box-checking activity for organizations, taxing budgets and workforce, but producing few results. Even worse, Congress might go further and impose costly certification requirements on a broad range of private network operators and companies in many major industries. By requiring certification for so many jobs, Congress would in effect create a "license to practice" for security professionals.

Licenses are typically required only in professions in which the public is harmed by the absence of licensure. Therefore, the implicit assumption in arguing for a certification program for all security professionals, in both the government and the private sector, is that the public is being harmed because unqualified workers are filling those jobs -- not because of a lack of talent or insufficient training, but because hiring managers cannot distinguish between competent and incompetent security workers. That is the only problem that certification (in the form of a de facto license) could fix.

However, no proponent of that approach has provided evidence to show that the problem exists, nor is the problem commonly cited in other studies as a factor contributing to security risks.

The security community needs to speak up. The security challenge is too important to allow Congress to provide a paper-thin response that produces nothing more than the veneer of government action without reducing any real risks.
About the Author

Daniel Castro is a senior analyst at the Information Technology and Innovation Foundation.

Reader Comments:

Tue, Dec 22, 2009

GOOD GOSH MAN, I agree with you. Get the word out more please! There are not enough people out there realizing the weaknesses in certifications. I look at it from a human point of view. Once a requirement is mandatory to keep your job, you will focus on that almost exclusively to keep your job. Since it takes a couple of years for a certification test to be developed, well, you are then focusing on outdated materials. What we are ending up with are IT people who think the same and know the same. We are losing diversity, narrowing our knowledge, and gaining a false sense of security. Since the whole world knows what certifications we require, any attacks will naturally occur against topics not covered by those exams. Certifications at most should be at the entry level. The experienced people need to be freed up to pursue CURRENT knowledge. Take a look at any certification test and you will see questions for exploits that have long been negated. You hit the nail on the head when it comes to management; certifications are taking the decision making out of their hands, when proper management and recognition of skill and where to place that skill is the real problem. The majority of people singing the praises of mandatory certification are the cert companies that more than likely lobbied for it, since they stand to make tons of money, and the people who already have the certifications, even though, like you said, they have not done much to reduce incidents. Lastly, I would like to add that the truly skilled people don't take these tests, and I am directly seeing a brain drain as more of these people are leaving the field, myself included. I am tired of these highly trained certified people not understanding current topics such as sandboxes and how they apply to security. OH wait, these topics weren't covered on their tests.
Yet when a guest was allowed to attach to our network (I didn't agree) and their laptop infected the network (because of one priority regulated update not making it into the WU server queue), they wondered why my PC was not infected. Well, one, I wasn't because I directly applied the update when I noticed it was priority regulated (add more servers, Microsoft!), and two, I always run in the sandbox, which gets cleaned when it's closed.