[Infowarrior] - Certifications are not a panacea for cybersecurity woes

Richard Forno rforno at infowarrior.org
Thu Dec 3 03:48:37 UTC 2009


AMEN!!!  -rick	


Certifications are not a panacea for cybersecurity woes
	• By Daniel Castro
	• Dec 01, 2009

http://fcw.com/articles/2009/12/01/comment-castro-certification.aspx

As Congress debates legislation to improve cybersecurity, one  
problematic idea that appears to have gained some traction is  
developing a national certification program for cybersecurity  
professionals.

If certifications were effective, we would have solved the  
cybersecurity challenge many years ago. Certainly more workforce  
training, although not a panacea, can help teach workers how to  
respond to known cyberattacks. However, workforce training is not  
certification, and organizations, not Congress, are in the best  
position to determine the most appropriate and effective training for  
their workers.

Organizations know that simply getting their employees certified will  
not solve their security challenges. Although a good certification  
standard might be a measure of a baseline level of competence, it is  
not an indicator of job performance. Having certified employees does  
not mean firewalls will be configured securely, computers will have  
up-to-date patches, and employees won’t write passwords on the backs of  
keyboards. Nor has the increase in the number of certified  
cybersecurity workers nationwide resulted in any noticeable decrease  
in the number of computer vulnerabilities, security incidents or  
losses from cyber crime. Between 2001 and 2005, although the number of  
Certified Information Systems Security Professionals in North America  
quadrupled, the number of vulnerabilities cataloged by the U.S.  
Computer Emergency Readiness Team more than doubled, the dollar loss  
of claims reported to the Internet Crime Complaint Center increased  
more than tenfold, and the number of complaints the center referred to  
law enforcement increased more than twentyfold.

At the federal level, a certification mandate would be little more  
than a box-checking activity for agencies, akin to many of the Federal  
Information Security Management Act requirements that tax the federal  
budget and workforce, but produce few results. Even worse, Congress  
might go further and impose costly certification requirements on a  
broad range of private network operators and companies in many major  
industries. By requiring certification for so many jobs, Congress  
would in effect create a “license to practice” for cybersecurity  
professionals.

Licenses are typically only required in professions in which the  
public is harmed by the absence of licensure. (Perhaps that is an  
argument to require licenses for members of Congress.) Therefore, the  
implicit assumption in arguing for a certification program for all  
federal cybersecurity professionals, those involved in operating  
critical infrastructure and potentially many more individuals in the  
private sector, is that the public is being harmed because unqualified  
workers are filling those jobs -- not because of a lack of talent or  
insufficient training but because hiring managers cannot distinguish  
between competent and incompetent cybersecurity workers. That is the  
only problem that certification (in the form of a de facto license)  
could fix. However, no proponent of that approach has provided  
evidence to show that the problem exists, nor is the problem commonly  
cited in other studies as a factor contributing to cybersecurity risks.

The security community needs to speak up. The cybersecurity challenge  
is too important to allow Congress to provide a paper-thin response  
that produces nothing more than the veneer of government action  
without reducing any real risks.

About the Author

Daniel Castro is a senior analyst at the Information Technology and  
Innovation Foundation. 