
Certifications: A false sense of security

Would mandatory cybersecurity certifications translate into better security?

Nothing irks a security professional more than the suggestion that the federal government could improve security by setting up a standard certification program for agency staff members.

This idea, which is gaining traction in Congress, might sound reasonable. But many security experts say it is a red herring. One such expert is Daniel Castro, a senior analyst at the Information Technology and Innovation Foundation, who wrote a column on the topic for FCW.com.

“If certifications were effective, we would have solved the cybersecurity challenge many years ago,” Castro wrote. “Certainly more workforce training, although not a panacea, can help teach workers how to respond to known cyberattacks. However, workforce training is not certification, and organizations, not Congress, are in the best position to determine the most appropriate and effective training for their workers.”

His column triggered a flurry of reaction from readers, most of whom seconded his remarks by sharing observations and experiences of their own. Here is a sample of the responses, which have been edited for length, style or clarity.

Let go of that security blanket…
For once, an article that speaks truth and reality. The government (DOD in particular) has been harping on everyone to become Certified Information Systems Security Professional-certified. This is becoming a Linus security blanket for DOD. Internal training on actual incidents and related techniques on the spear-tip technology is the training that good workers in cybersecurity can use, not cramming to take an exam and dumping the info from the brain.
—Gil, Virginia

A misguided mandate…
In what we do, CISSP is not needed. CISSP-type security is mandated from above in generic terms. What we need are classes detailing the security settings on firewalls, Internet Security and Acceleration servers, domain controllers, Exchange servers, Unix, Apple, etc. These are all given by the vendors of the hardware/software we use. Security comes from technical expertise in the product one is familiar with, not a generic book full of security best practices for businesses… The CISSP certification gives the government a warm, fuzzy feeling but secures nothing.
—Army civilian

Why managers are to blame…
The fault lies [with] top managers not paying attention to what the information systems security manager tells them. Too often, the security issues in an organization are overlooked or ignored by top management because it either doesn't help them shine or they are just not smart enough to comprehend what the ISSM is telling them. Until it bites them in the butt or takes a financial toll, they won't budge.
—GB, Virginia

Counterpoint: A new world of possibilities
I think there is another side of certification that should be discussed. While I agree that on-the-job or hands-on experience is the best way to master a specific technology, you are limited to the technology your company uses. Pursuing certification opens your confined world to new possibilities that you would have never known about had you not pursued a high-level certificate.
—Tim

About the Author

John S. Monroe is the editor-in-chief of Federal Computer Week.

Reader comments

Fri, Jul 30, 2010

And while we are all studying for our next certification and continuing credits, some 14-year-old Chinese kid who couldn't care less about the answers to our theoretical questions is working his way through our so-called security.

Mon, Apr 12, 2010 West New York, NY

At one time, certification made sense; today it is just a means for some people to take and pass an exam, and give others the impression that passing the test and getting the certificate qualifies the person as an expert in a certain subject or profession. This belief is a fallacy. Case in point: I saw my agency hire an individual who had CISSP, MCSE, CCNA, CNE, and several other certifications totaling about 15 to 20. This individual looked good on paper, but when it was time to show the skill that the certification required, the individual did not know what to do and had to ask or rely on others. We call these people paper tigers. If an individual has all these certifications and can't connect or troubleshoot a PC on an enterprise network, then the certifications are useless.

Tue, Feb 16, 2010 Jim Drennen Pensacola, Florida

As a certified security practitioner and a security trainer, both academic and corporate, I can see the "good" and the "bad" in this proposal. Let's start with the "bad": too many people have been promoted to pay grades above their technical and managerial competence. Until we are willing to come to grips with that reality and take steps to correct it, we are just fooling ourselves to think that certification will fix the problem. I am a CISSP and have a lot of respect for the certification; however, I have known others who were able to pass the exam that I wouldn't hire, and those who could not pass the exam that I would hire. The exam is grueling and tests a "baseline of understanding for the very broad field of security." The exam itself does not guarantee security competence. I have multiple certifications and could make the same points about most of them as well; I'm not picking on the CISSP cert itself. On the "good" side: knowledge is good. More knowledge is even better. I am often confronted with individuals who are attending training because they need it for a promotion or because it is mandated by their employer, who feel like they shouldn't have to be here: "they've been doing this stuff for 15-20 years." The truth of the matter is there are major gaps in the knowledge base. The DoD 8570 requirements for the three levels of both IAT and IAM, in my opinion, are just starting points, assuring baseline knowledge. From this baseline there needs to be a continuation to more hands-on, technically based training and certification. My point here is that many government and military employees have been sent to intense bootcamps at a high cost, only to return neither certified nor capable of performing the skills that they paid to learn. In my opinion, having attended both bootcamps and private vendor training, these venues are generally successful at actually preparing about 20% of the attendees to return and apply what was covered in the classes.
We need in-depth training, conducted on a daily or weekly basis over a longer period of time, where the participants can put into practice what they are learning and be evaluated on the effectiveness of what they are doing, with consequences. This applies to the private sector as well. This is not a short-term fix. The problem, as I see it, is that we want it fixed and we want it now, yet neither the private sector nor the government sector is willing to hold the players accountable. We want to throw money at the problem, buy some certifications and sleep well at night knowing ("thinking") we are secure. If there are going to be these tight requirements placed on the "foot soldiers in the trenches," there also needs to be adequate compensation for the effort and level of proficiency for the job they are doing. Certifications are not the problem or the solution. We need to require knowledge and skills that are verifiable. Certifications are a means but not the end.

Fri, Jan 15, 2010

I think some of you missed the point of the article. Certifications are entry level, period, ENOUGH SAID. Having a body of certified employees leads to a false sense of security. In a basic sense, everyone is certified, so they and management "think" they know the answers, but everyone's ego is so inflated that no one ever bothers to really research the answer. And certification tests rarely, if ever, test the ability to research an issue. Besides, if I wanted to hire a bunch of people who can spit out random trivia to pass a test, I would look for former game show contestants. But IT security is not a game show. At its base, even though we are dealing with high tech, human nature is behind it all. Attacks originate from humans and defenses originate from humans. Therefore we have to look at the natural human aspects of what certification does. Certifications clearly narrow the knowledge base and hinder diversification. It takes years to develop a test, by the test providers' own admission; this narrows knowledge. And when it's required to pass a test to keep your job, your primary focus is studying the knowledge to pass the test. This leads to a lack of diversification. I see it happening in the field now, and it's a sad state of affairs, and there is no change happening because the biggest defenders of certification are the certified persons themselves; again, human nature. But we need to get past this and properly prepare to defend our networks. My gosh, does anyone realize that the enemy just needs to study what we study and then plan attacks outside of that realm of knowledge? In a perfect world of certifications, everyone will be certified, as well as the enemy. But that's not the case; just how much of the enemy do you believe cares if we are certified? Let's take this thinking back to WWII, and say that every code breaker or cryptographer had to be certified. You see how much of a weakness that would have been?
Would the Windtalkers have even existed had the certification requirement been mandated? Now back to today: how many talented crackers are we missing out on?

Fri, Jan 8, 2010 JT Lazo DC

This is like the FISMA debate, and what Congress and agency heads fail to realize is that their challenges in security are a reflection of how they run their overall IT programs. What we will not do is recognize the fact that we have promoted and placed people in positions to manage IT programs who are not qualified or do not have the experience necessary to manage large-scale IT deployments, let alone security. I have been in the security business for over 20 years now in the government and the private sector, and it still bothers me that security breaches and incidents still involve misconfigured systems or networks. When I find this situation, it just tells me that management has failed to do one of the most fundamental jobs in IT: manage their systems. Yes, certifications and education will go a long way toward patching the security problem, but we will not solve this problem until we realize that sound management and strong development rigor will help minimize this problem. If you take a hard look at the best security shops today, you will probably notice that they also have great IT management along with executive support.
