Letters to the editor
Following are responses to an FCW.com poll question that asked, "Do you think federal information technology workers should be required to earn a systems security certification?"
Taking Sides on Infosec Certification
In the six years I have been an IT specialist in the federal government, I have seen many positions within IT that have never touched servers or networking equipment. Requiring certification in system security across the board wouldn't be logical.
I am my command's information system security officer, but my role as ISSO gets little attention or support because management doesn't understand the concepts. And now because of the Navy Marine Corps Intranet contract, management wants to shift the entire responsibility to the contractor, EDS.
My opinion is that any IT position that is required to interface with networking equipment or updating patches on servers should be required to have some type of systems security certification. The best — and free — training is with the Defense Information Systems Agency (www.disa.mil). The Operational Information Systems Security course provides a great overview on Defense Department requirements and risk assessment.
Sandra Fox Military Sealift Command
As a network engineer, I have the task of supporting the operations of the Air Force- level network. Recommending, installing and troubleshooting routers and switches are my major daily tasks. Considering my responsibilities, I think earning a security certification should be required.
Our way of engaging in war is far more different than what we saw 40 years ago. We all can agree that information is knowledge and knowledge is power. The war that is upon us now is the war on information.
I've attended an Air Force course called the Information Warfare Applications Course. The course is designed for federal employees and military personnel to discuss ways to identify and protect against information warfare. It really opened my eyes as to what measures are needed to help defend against terrorism.
Cyberattacks are today's new form of terrorism. Every day, terrorists are probing key systems to find out how we operate as a country. As IT professionals, we need to know what we can do to fight against this new form of terrorism.
Depending on your specialty, there are numerous security certification tracks an individual can pursue. Systems administrators, database administrators, network engineers, etc., all now have a security certification track implemented in their training packages.
Vendors such as Microsoft Corp., Cisco Systems Inc., IBM Corp. and others realize that a secured network is a healthy network. And because they realize the importance of security, they are changing the way they train.
A security certification can boost an individual's career path. Employers are always looking for someone with credentials dealing with security because they want to run a secure network to help prevent against cyberattacks.
I strongly support earning a security certification. Obtaining this certification makes an individual more valuable to an organization. A security certification illustrates that you have the knowledge and skills to secure a computer network environment.
Currently, I do not have a security certification, but I have made a decision to obtain one. I figure a security certification would put me in the driver's seat to help others defend our country against terrorism.
Cedric Jenkins Air Force
I do not think federal IT workers should be required to earn a systems security certification because of the speed at which risks, threats and vulnerabilities change. Certification of individuals who will not be tasked with staying up with the changing issues may well create a false sense of security and competency level.
This negative impact also would put a liability factor where it should not exist, with personnel showing an ability to address security but having varying competency levels depending on the latest program they have attended or incident they have participated in addressing.
Further, integration of technical and physical security issues and the human factors involved in information security make integration a must. Trying to do that and maintain an efficient network, for example, is not realistic.
We hear all too often from chief information officers that "our system is secure" when it is not. We ask how they know. They respond that staff told them so.
CIOs and chief security officers cannot rely on "certified" personnel whose primary responsibilities center around operations and not security.
Richard Jones M2000/IS