The import of infosecurity
Regarding Federal Computer Week's Jan. 9 story, "SANS: Popular certifications don't ensure security," the information security landscape is more threatening and challenging each day. The tools and, most importantly, the skills necessary to navigate this landscape must be many and varied. That is why the world of security preparedness and assurance must be inclusive of many products, technologies, skills and professional certifications and not an exclusive realm for the few, as advocated by some in our industry.
For the past three years the Computing Technology Industry Association has conducted a benchmark study on information technology security and the workforce. For the past three years, this study has found that human error either alone or in combination with a technical malfunction is responsible for nearly 80 percent of IT security breaches organizations experienced. That strongly indicates that information security preparedness is everyone's responsibility, from the chief executive officer in the corner office to the clerk in the mailroom.
But security responsibilities vary for different levels of employees and so should the skill sets for these workers. Security technicians require different skills and professional certifications than do security managers. Similarly, security managers require different skills and certifications than security policy-makers. This is the case in many IT careers and job roles. There is an appropriate place for many levels and types of professional certification. Vendor-neutral certifications are critical in addressing security skills that professionals need to function in an increasingly complex and interoperable systems
Since its creation, CompTIA Security+ certification has never strayed from its mission to be the foundation-level, vendor-neutral professional certification for network security practitioners with two years' experience and who have daily hands-on responsibility for information security. The objectives for CompTIA Security+ were derived through comprehensive input from across private industry, government and academia. The original exam resulted from the collective expertise of more than 1,100 subject-matter experts worldwide. With the help of the information security industry, CompTIA Security+ continues to be evaluated and updated as required by the changing environment, ensuring that IT practitioners are well-prepared to meet the ever-changing world of information security.
Our most recent post-certification study found that an overwhelming majority of IT professionals more than 84 percent would recommend CompTIA Security+ certification to others in the information security arena.
In its Directive 8570.1, the Defense Department indicated that different security solutions, skills and professional certifications are appropriate for different levels of employees. The DOD policy also requires that certifications comply with the International Organization for Standardization 17024, a rigorous set of product development and maintenance requirements, a key aspect of which is the careful separation of the training and certification processes.
CompTIA strongly concurs with DOD's approach, and we look forward to working with the DOD and other organizations to strengthen our information security preparedness.
President and Chief Executive Officer
Computing Technology Industry Association
Ham radio works, too
Regarding Federal Computer Week's Dec. 5, 2005, story, "A not so dry run," I was surprised to see that your long article on Hurricane Katrina communications which listed what did and did not work did not once mention amateur radio in the entire piece. The article even refers to the October congressional hearings in which amateur radio was proud to be the only presenter that could say, "It did work."
Ham radio operators supplied communications for the American Red Cross, the Salvation Army, many Voluntary Organizations Active in Disaster groups and emergency management offices. Ham radio operators were the first to report the levee breaks. They were the ones relaying calls for help that were ricocheting off long distance cell systems. Ham radios were even requested by the Coast Guard, hospitals, shelters, schools and many government agencies. There were about 1,000 amateur radio operators involved in the immediate areas, and thousands more around the country.
The success of the hams was documented by several major media outlets, including The Wall Street Journal, The New York Times and The Washington Post. This is why the complete omission of any mention of them in this article is most perplexing.
American Radio Relay League
Regarding FCW.com's Jan. 6 story, "CIO: FBI will focus on info sharing in 2006," when the FBI's CIO expresses the desire to award a contract for Sentinel as the key event in the FBI program for information sharing, this indicates that the FBI is not ready to build this vital capability. What is being done to change the culture of the FBI to promote the ethic of sharing information as "the way of doing business"? What is the role of the FBI's director in leading this transformation? Simply throwing money at technical solutions is not the solution.