COMMENTARY

Certifications are not a panacea for cybersecurity woes

As Congress debates legislation to improve cybersecurity, one problematic idea that appears to have gained some traction is developing a national certification program for cybersecurity professionals.

If certifications were effective, we would have solved the cybersecurity challenge many years ago. Certainly more workforce training, although not a panacea, can help teach workers how to respond to known cyberattacks. However, workforce training is not certification, and organizations, not Congress, are in the best position to determine the most appropriate and effective training for their workers.

Organizations know that simply getting their employees certified will not solve their security challenges. Although a good certification standard might be a measure of a baseline level of competence, it is not an indicator of job performance. Having certified employees does not mean firewalls will be configured securely, computers will have up-to-date patches, and employees won’t write passwords on the backs of keyboards. Nor has the increase in the number of certified cybersecurity workers nationwide resulted in any noticeable decrease in the number of computer vulnerabilities, security incidents or losses from cyber crime. Between 2001 and 2005, although the number of Certified Information Systems Security Professionals in North America quadrupled, the number of vulnerabilities cataloged by the U.S. Computer Emergency Readiness Team more than doubled, the dollar loss of claims reported to the Internet Crime Complaint Center increased more than tenfold, and the number of complaints the center referred to law enforcement increased more than twentyfold.

At the federal level, a certification mandate would be little more than a box-checking activity for agencies, akin to many of the Federal Information Security Management Act requirements that tax the federal budget and workforce, but produce few results. Even worse, Congress might go further and impose costly certification requirements on a broad range of private network operators and companies in many major industries. By requiring certification for so many jobs, Congress would in effect create a “license to practice” for cybersecurity professionals.

Licenses are typically only required in professions in which the public is harmed by the absence of licensure. (Perhaps that is an argument to require licenses for members of Congress.) Therefore, the implicit assumption in arguing for a certification program for all federal cybersecurity professionals, those involved in operating critical infrastructure and potentially many more individuals in the private sector, is that the public is being harmed because unqualified workers are filling those jobs -- not because of a lack of talent or insufficient training but because hiring managers cannot distinguish between competent and incompetent cybersecurity workers. That is the only problem that certification (in the form of a de facto license) could fix. However, no proponent of that approach has provided evidence to show that the problem exists, nor is the problem commonly cited in other studies as a factor contributing to cybersecurity risks.

The security community needs to speak up. The cybersecurity challenge is too important to allow Congress to provide a paper-thin response that produces nothing more than the veneer of government action without reducing any real risks.

About the Author

Daniel Castro is a senior analyst at the Information Technology and Innovation Foundation.


Reader comments

Thu, Jan 7, 2010 Lawrence Pingree Pleasanton, CA

You know it's just one more method for the government to make $. Certifications only mean that you can read a book and recite the words. It's not a real gauge of a person's real knowledge. Just like PCI is not the "Solution" to security. Security is an ever-changing wall that needs to be rebuilt, and certifications and their ilk are typically behind by ages. Besides, I don't think there have been that many incidents of security professionals doing a poor job; it's typically management that makes the poor choices based on costs or previously meeting some regulation, stopping short of real threat management.

Tue, Dec 22, 2009

Certifications belong at the entry level, period. Once a person is beyond that level, certified or with experience, it's time they sharpen their skills in the real world and not have to worry about answering a, b, c questions. All these mandatory requirements are just leading to a false sense of security, because once something is mandatory to keep your job it's human nature to focus entirely on the subjects to keep your job. So with everyone getting certified and recertified, we are ending up with a workforce whose knowledge has been predetermined by a bunch of test providers. To make things worse, since the tests take years to develop, we have people with outdated knowledge. One of the worst things we can do for the rapidly evolving field of computer security is happening before our eyes. We are narrowing knowledge, focusing energies in the wrong places, and stamping out diversification. You can count on future attacks against networks to be based on concepts outside what's tested on cert exams. And speaking of SANS, how many of these guys do you think hold a CISSP? http://edition.cnn.com/2009/TECH/12/21/cyber.challenge.hackers/ I am sure they will be certified soon so they can be poster boys for the certified world. The irony is the real talent does not come from certification; it's born in spite of it. And the truly gifted people I know would always fail the cert exam because they are thinking so far outside that narrow-minded box. One comment after looking at a practice exam was "I cannot believe the writers of these questions would actually want me to protect my network in such a foolish way."

Mon, Dec 14, 2009 IA Officer DC

I think the thing to start with is the infosec job category itself. It needs to be pulled from under the IT Specialist category and made its own, with the various subdisciplines under it. Then each role can be reviewed for its competencies, and after that, certifications and/or licenses should be looked at. It is true that having a cert or license isn't the end-all, be-all, but if implemented properly, they can help a hiring manager sort through all the resumes and find the most qualified candidates through certs, work experience and proven knowledge.

Fri, Dec 11, 2009 Army Civilian

The article mirrors all the things we had stated about the mad dash to "certify" with CISSP.

In what we do, CISSP is not needed. CISSP-type security is mandated from above in generic terms. What is needed are classes detailing the security settings on firewalls, ISA servers (almost the same thing), domain controllers, Exchange servers, Unix, Apple, etc. These are all given by the vendors of the hardware/software we use. Security comes from technical expertise in the product one is familiar with, not a generic book full of security best practices for businesses. After all, we are government, and best practices for businesses mostly do not apply to us.

The CISSP certification gives the government a warm fuzzy feeling but secures nothing. It reminds me of the ITIL certification push: nice to have read it, but almost no one uses it properly, if it is used at all.

Tue, Dec 8, 2009 Peter Hillier Ottawa

Notwithstanding the obvious gaps in personal certifications, an equal challenge is compliance activities against a myriad of redundant control objectives coming from new and emerging self-appointed regulatory bodies. The eHealth sector is a recent example, where Canada Health Infoway has set out on the certification path for eMR vendors, but they are not accredited by any standards body at all. This exacerbates the security practitioners' frustrations, as well as the business's.
