Certifications: A false sense of security
Would mandatory cybersecurity certifications translate into better security?
- By John Stein Monroe
- Jan 05, 2010
Nothing irks a security professional more than the suggestion that the federal government could improve security by setting up a standard certification program for agency staff members.
This idea, which is gaining traction in Congress, might sound reasonable. But many security experts say it is a red herring. One such expert is Daniel Castro, a senior analyst at the Information Technology and Innovation Foundation, who wrote a column on the topic for FCW.com.
“If certifications were effective, we would have solved the cybersecurity challenge many years ago,” Castro wrote. “Certainly more workforce training, although not a panacea, can help teach workers how to respond to known cyberattacks. However, workforce training is not certification, and organizations, not Congress, are in the best position to determine the most appropriate and effective training for their workers.”
His column triggered a flurry of reaction from readers, most of whom seconded his remarks by sharing observations and experiences of their own. Here is a sample of the responses, which have been edited for length, style or clarity.
Let go of that security blanket…
For once an article that speaks truth and reality. The government — DOD, in particular — has been harping on everyone to become Certified Information Systems Security Professional-certified. This is becoming a Linus security blanket for DOD. Internal training on actual incidents and related techniques on the spear tip technology is the training that good workers in cybersecurity can use, not cramming to take an exam and dump the info from the brain.
A misguided mandate…
In what we do, CISSP is not needed. CISSP-type security is mandated from above in generic terms. What we need are classes detailing the security settings on firewalls, Internet security and acceleration servers, domain controllers, exchange servers, Unix, Apple, etc. These are all given by the vendors of the hardware/software we use. Security comes from technical expertise of the product one is familiar with, not a generic book full of security best practices for businesses… The CISSP certification gives the government a warm, fuzzy feeling but secures nothing.
Why managers are to blame…
The fault lies [with] top managers not paying attention to what the information systems security manager tells them. Too often, the security issues in an organization are overlooked or ignored by top management because it either doesn't help them shine or they are just not smart enough to comprehend what the ISSM is telling them. Until it bites them in the butt or takes a financial toll, they won't budge.
Counterpoint: A new world of possibilities
I think there is another side of certification that should be discussed. While I agree that on-the-job or hands-on experience is the best way to master a specific technology, you are limited to the technology your company uses. Pursuing certification opens your confined world to new possibilities that you would have never known about had you not pursued a high-level certificate.
John Monroe is Senior Events Editor for the 1105 Public Sector Media Group, where he is responsible for overseeing the development of content for print and online content, as well as events. John has more than 20 years of experience covering the information technology field. Most recently he served as Editor-in-Chief of Federal Computer Week. Previously, he served as editor of three sister publications: civic.com, which covered the state and local government IT market, Government Health IT, and Defense Systems.