Certifications: A false sense of security

Would mandatory cybersecurity certifications translate into better security?

Nothing irks a security professional more than the suggestion that the federal government could improve security by setting up a standard certification program for agency staff members.

This idea, which is gaining traction in Congress, might sound reasonable. But many security experts say it is a red herring. One such expert is Daniel Castro, a senior analyst at the Information Technology and Innovation Foundation, who wrote a column on the topic for FCW.com.

“If certifications were effective, we would have solved the cybersecurity challenge many years ago,” Castro wrote. “Certainly more workforce training, although not a panacea, can help teach workers how to respond to known cyberattacks. However, workforce training is not certification, and organizations, not Congress, are in the best position to determine the most appropriate and effective training for their workers.”

His column triggered a flurry of reaction from readers, most of whom seconded his remarks by sharing observations and experiences of their own. Here is a sample of the responses, which have been edited for length, style or clarity.

Let go of that security blanket…
For once an article that speaks truth and reality. The government — DOD, in particular — has been harping on everyone to become Certified Information Systems Security Professional-certified. This is becoming a Linus security blanket for DOD. Internal training on actual incidents and related techniques on the spear tip technology is the training that good workers in cybersecurity can use, not cramming to take an exam and dump the info from the brain.
—Gil, Virginia

A misguided mandate…
In what we do, CISSP is not needed. CISSP-type security is mandated from above in generic terms. What we need are classes detailing the security settings on firewalls, Internet security and acceleration servers, domain controllers, exchange servers, Unix, Apple, etc. These are all given by the vendors of the hardware/software we use. Security comes from technical expertise of the product one is familiar with, not a generic book full of security best practices for businesses… The CISSP certification gives the government a warm, fuzzy feeling but secures nothing.
—Army civilian

Why managers are to blame…
The fault lies [with] top managers not paying attention to what the information systems security manager tells them. Too often, the security issues in an organization are overlooked or ignored by top management because it either doesn't help them shine or they are just not smart enough to comprehend what the ISSM is telling them. Until it bites them in the butt or takes a financial toll, they won't budge.
—GB, Virginia

Counterpoint: A new world of possibilities
I think there is another side of certification that should be discussed. While I agree that on-the-job or hands-on experience is the best way to master a specific technology, you are limited to the technology your company uses. Pursuing certification opens your confined world to new possibilities that you would have never known about had you not pursued a high-level certificate.

About the Author

John Monroe is Senior Events Editor for the 1105 Public Sector Media Group, where he oversees the development of print and online content, as well as events. John has more than 20 years of experience covering the information technology field. Most recently he served as Editor-in-Chief of Federal Computer Week. Previously, he served as editor of three sister publications: civic.com, which covered the state and local government IT market, Government Health IT, and Defense Systems.
