Cybersecurity credential could make hiring even harder

Few things agitate the workforce more than having the government get involved in deciding who qualifies as a professional in a particular field. Passions are likely to be stirred once again now that the Commission on Cybersecurity for the 44th Presidency is set to recommend to the Obama administration that federal information technology security workers be formally certified for their cybersecurity skills.

The commission is also expected to propose that the certification requirement be extended beyond federal employees and contractors to encompass regulated entities, such as critical infrastructure organizations, reports Kelly Jackson Higgins at DarkReading.

As Higgins points out, the demand for cybersecurity professionals will explode in the near future. The Homeland Security Department wants to hire 1,000 of them, but there simply aren't enough qualified candidates to go around. Requiring formal certification could make it even harder to fill positions — a point that some commission members recognize. Higgins quotes Tom Kellermann, a member of the commission and vice president at Core Security Technologies, as saying that adding certification to the mix could create a monster when it comes to recruiting cybersecurity professionals.

Commission members and former government officials say the commission will recommend that the administration establish a certification body with the same kind of oversight that the National Board of Medical Examiners provides in health care, according to NextGov’s Jill Aitoro. Furthermore, the commission will advise the administration to define a core set of skills that cybersecurity workers must have.

However, Aitoro also quotes an unnamed Air Force official as saying it’s not the government’s job to push certification requirements, which he said he believes will make it harder to recruit talented workers. “Government doesn’t train doctors and lawyers — they hire them,” he said.

In an opinion piece in Federal Computer Week, Daniel Castro, a senior analyst at the Information Technology and Innovation Foundation, said most organizations understand that "simply getting their employees certified will not solve their security challenges." At the federal level, a certification mandate “would be little more than a box-checking activity for agencies,” he added.

The commission’s report, which is due to be published late this month or in early July, will revive a debate that first surfaced last year when Sens. Jay Rockefeller (D-W.Va) and Olympia Snowe (R-Maine) proposed that the Commerce Department establish a licensing and certification program for cybersecurity professionals.

However, another bill under consideration seeks to expand DHS' authority to secure the country's computer systems. If passed, it could wind up giving DHS the power to decide what the new cybersecurity certification will entail.


About the Author

Brian Robinson is a freelance writer based in Portland, Ore.



Reader comments

Wed, Jul 28, 2010 Susan Alders Millington, TN

Certifications are good up to a point. They tell you someone studied a specific type of material and was able to pass a qualification test of the information they studied. Okay, this does not speak of their 'work ethic', their 'initiative', their 'integrity', their ability to provide solutions to a security situation or their ability to provide ideas to make an IT environment better. Taking a test and passing it does NOT provide for a well-rounded Qualified Skilled IT professional. I have seen too many people get a certification and just do NOT apply anything they studied. Coming across as all that and yet not able to resolve or manage any particular security threat.
We should NOT get so rabid around the certifications. We are going to need the total professional, one who takes stock in the lessons learned which then allows us to grow and improve.

Thu, Jul 8, 2010 Patrick DoD

In my opinion, the way to avoid hiring "Paper Tigers" is to verify the Education and Experience of prospective candidates. Continuing education / training along with competency testing should be part of the career conditions.

Thu, Jul 1, 2010 Jeffrey A. Williams Frisco Texas

As history teaches us, most of these certificate issued programs have very little to do with the skill set or skills of IT security or any other IT professional. As a veteran and 30 year IT security professional and a teacher of some of these here today and gone tomorrow certificate classes/programs I find this sort of a 'check the box' sort of hiring or consideration desire and or requirement very very questionable.

Thu, Jul 1, 2010 Nitch New York

The problem is that GOV has no idea how deep the BS is that the Vendors are feeding them. The problem also is that there are a great deal of "security" people that in reality are wannabes. 20+ years in IT Security and I still laugh at those that get a Cert and fall flat on their face in a real-life problem. We need better schools and training than we do another level of certifications and nonsense. Besides, all this from a GOV that took over the Oil Spill and is layering red tape to soak it up. It just don't work!

Thu, Jul 1, 2010

We've been here before, too many times. When I was (much) younger we were deluged with proposals to license programmers. This initiative was, of course, pushed by those who offered training and/or testing. Unfortunately, licensing or certification requires a formal body of knowledge constructed on (generally accepted) scientific principles, which exists neither for programming nor security. It sort of exists, at least at a basic level, for certain professions, such as some types of engineering, architecture, doctors, therapists, etc. Without that body of knowledge, there is nothing to teach, certify, or practice. "Cybersecurity" (what a horrible term) is in its infancy (or, more accurately, still in the womb). Whatever knowledge we could possibly test now will be obsolete within months. What we really don't need are more people with a sinecure based on yet another useless piece of paper.
