12/3/2009 -- As Congress debates legislation to improve cybersecurity, one idea that seems to have gained traction is the development of a national certification program for security professionals.

If certifications were effective, we would have solved the security challenge many years ago. Certainly more workforce training, although not a panacea, can help teach workers how to respond to known cyberattacks. However, workforce training is not certification, and organizations, not Congress, are in the best position to determine the most appropriate and effective training for their workers.

Organizations know that simply getting their employees certified will not solve their security challenges. Although a good certification standard might be a measure of a baseline level of competence, it is not an indicator of job performance. Having certified employees does not mean firewalls will be configured securely, computers will have up-to-date patches, and employees won't write passwords on the backs of keyboards.

Nor has the increase in the number of certified security workers nationwide resulted in any noticeable decrease in the number of computer vulnerabilities, security incidents or losses from cyber crime. Between 2001 and 2005, although the number of Certified Information Systems Security Professionals (CISSPs) in North America quadrupled, the number of vulnerabilities cataloged by the U.S. Computer Emergency Readiness Team more than doubled, the dollar loss of claims reported to the Internet Crime Complaint Center increased more than tenfold, and the number of complaints the center referred to law enforcement increased more than twentyfold.

A certification mandate would be little more than a box-checking activity for organizations, taxing budgets and workforce, but producing few results. Even worse, Congress might go further and impose costly certification requirements on a broad range of private network operators and companies in many major industries. By requiring certification for so many jobs, Congress would in effect create a "license to practice" for security professionals.

Licenses are typically only required in professions in which the public is harmed by the absence of licensure. Therefore, the implicit assumption in arguing for a certification program for all security professionals both in the government and private sector is that the public is being harmed because unqualified workers are filling those jobs -- not because of a lack of talent or insufficient training but because hiring managers cannot distinguish between competent and incompetent security workers. That is the only problem that certification (in the form of a de facto license) could fix.

However, no proponent of that approach has provided evidence to show that the problem exists, nor is the problem commonly cited in other studies as a factor contributing to security risks.

The security community needs to speak up. The security challenge is too important to allow Congress to provide a paper-thin response that produces nothing more than the veneer of government action without reducing any real risks. --Daniel Castro