John Klossner

The funniest thing about mandating security certifications

If I accomplish nothing else as a parent, I want my children to know that the TV show America's Funniest Home Videos isn't. Funny, that is.

Most of you may know this already, and consider this a pointless goal given its obviousness, but I am finding this to be a bigger challenge than I first thought. At a recent social gathering of families, I came upon a group of kids flocked around a television watching AFHV, and laughing uproariously. I have to admit, I'm not an expert on this production, but I've seen enough episodes to help me get the gist of the format. The particular episode my kids were watching seemed to have a theme of people riding vehicles — bikes, wagons, skateboards, etc. — that ended up crashing into things.

My kids were not pleased with me as I commented, "That's not funny," after every clip of someone riding their bike off a roof. (I think I may have been embarrassing them in front of their friends.) I pointed out to my captive audience that the show cut away after every "funny" accident, never showing the participant getting up and walking away from the scene. The children got especially touchy when I started listing the injuries I imagined the people in the videos suffered — "Oooh, that's probably a broken collarbone"; "Ouch, he tore his ACL," etc. — and they asked me to leave when I began chanting "That's not funny, that hurts" after every video.

This isn't too different than the slapstick-oriented comedy I ingested as a kid — the Three Stooges, Keystone Cops and Little Rascals shorts, and any Warner Brothers cartoon. I think my problem is partially in the titling. Calling something "funny" is subjective enough, but calling it "funniest" draws a line. I think the majority of us are instinctively cynical when presented with anything called the "___est."

(If they had labeled those movies from my childhood "The Three Funniest Stooges" I might have had a more cynical outlook. But probably not. Which is why, as an adult, it is my responsibility to ensure that my children know the difference between humor coming from the exposition and universality of the human condition and the humor of a 40-year-old riding a tricycle off of a shed roof into an inflatable wading pool.)

This is similar to the qualms I have with IT certification programs. Certification is awarded to those who complete a course in their particular expertise, whether it be software, maintenance or, in the administration's current proposal, security. This is like calling them "America's Smartest Security People." (Okay, it would be more accurately titled "America's Most Qualified Security People," but you know how TV shows go for hyperbole.)

The comedian Don Novello, better known as Father Guido Sarducci, had a routine he called the Five Minute University in which he proposed a college program comprised of everything you remember from college five years after graduating, which would be about five minutes of material. As he points out, college is just memorization for the tests, much of which is soon forgotten. There was little real-world experience in this program.

I think most folks' concerns with certification are similar. Do I want someone working on my network who learned the particulars in a six-week program or someone who has been working with the technologies for years and has real-world experience?

There is also the "one-size-fits-all" aspect of certification training: Can one course in security be equally applicable through the many different systems and needs of agencies? One worry about certification training is that a central body — in this case Congress — will be deciding the security needs that are better known by the individual agencies. This is the equivalent of picking one style of automotive tires for the entire country to use in winter.

That said, I think certification training serves a purpose and should be encouraged for all federal personnel, not just IT workers. I have found that taking courses in work-related fields has helped me pick up skills and, more importantly, learn the vocabulary needed to speak with the real experts. I might not be a good Web designer (I'd call my show "The Goodest Web Designs"), but through the equivalent of certification courses, I'm able to recognize my needs and converse more effectively with someone who is. Having the entire workforce familiar with the terminology and technology involved would be helpful to all.

But don't take a course and then put up a sign telling me you are an expert. And don't ride a skateboard off a cliff and tell me it's funny.

 

Posted by John Klossner on Jan 19, 2010 at 12:19 PM


Reader comments

Tue, Feb 2, 2010 Hollywood

You don't find AFHV funny? Weird.

Fri, Jan 29, 2010 CyberSecurity

A Security Certification, I don’t care what type (Security+, CISSP), is an oxymoron. It tests only for already known solutions, in other words, “What’s already in the box.” A good security professional needs to be able to think outside the box to be of any real value to an organization. A security certification only proves one is a good technician but technicians don’t win the war, strategists do and there are no metrics to measure one’s strategic potential or capability. As the military found out, an officer shouldn’t get promoted to General or Admiral because one went to War College but based on their strategic skills gathered from actual combat experience.

Mon, Jan 25, 2010 Bill Frederick, MD

If the author is hiring someone based solely on their certifications, then the author deserves what he gets. All certifications are not alike. The Security+ certification is significantly different than the CISSP certification. And you cannot pass the CISSP certification test on memorization. It is designed to get you to think through the answer to come up with the best answer, which may still be a bad answer, but better than the others.

Wed, Jan 20, 2010 DOD

If the author thinks that graduating from college is all about memorization, then he has apparently never taken a calculus class. Much of the training provided is oriented towards getting the student to properly analyze the situation to come up with the correct solution. Passing a properly made test should be a good indicator of that person's ability to properly analyze situations of the nature that are being tested. Yes, experience does matter. To receive my Professional Engineer's licence I had to show a minimum of four years of experience working under other PE's, an appropriate degree from an accredited university, and written endorsements from other PE's I had worked with - as well as passing the PE test. Documenting my work experience had to be backed up with the test to show that my training and experience was actually sufficient to show that I was competent enough in my field to earn the licence. That is how a good certification test works. Of course if the certification test is not a very good one then you may be able to make the case that it should not be used.

Wed, Jan 20, 2010 Warner Virginia

Security specialists could be certified in a way similar to how physicians are certified. To become "Board Certified" in a particular medical discipline requires a combination of practical experience in the form of a residency (working under supervision) and demonstrating mastery of a relevant body of knowledge via rigorous examinations. Professional certification mechanisms useful for comparison exist in numerous other fields whose competency we depend on such as engineering and accounting.
