CertCities.com -- The Ultimate Site for Certified IT Professionals


Analysis: Certifications Not a Security Cure-All


12/3/2009 -- As Congress debates legislation to improve cybersecurity, one idea that seems to have gained traction is the development of a national certification program for security professionals.

If certifications were effective, we would have solved the security challenge many years ago. Certainly more workforce training, although not a panacea, can help teach workers how to respond to known cyberattacks. However, workforce training is not certification, and organizations, not Congress, are in the best position to determine the most appropriate and effective training for their workers.

Organizations know that simply getting their employees certified will not solve their security challenges. Although a good certification standard might be a measure of a baseline level of competence, it is not an indicator of job performance. Having certified employees does not mean firewalls will be configured securely, computers will have up-to-date patches, and employees won't write passwords on the backs of keyboards.

Nor has the increase in the number of certified security workers nationwide resulted in any noticeable decrease in the number of computer vulnerabilities, security incidents or losses from cyber crime. Between 2001 and 2005, although the number of Certified Information Systems Security Professionals (CISSPs) in North America quadrupled, the number of vulnerabilities cataloged by the U.S. Computer Emergency Readiness Team more than doubled, the dollar loss of claims reported to the Internet Crime Complaint Center increased more than tenfold, and the number of complaints the center referred to law enforcement increased more than twentyfold.

A certification mandate would be little more than a box-checking activity for organizations, taxing budgets and workforce, but producing few results. Even worse, Congress might go further and impose costly certification requirements on a broad range of private network operators and companies in many major industries. By requiring certification for so many jobs, Congress would in effect create a "license to practice" for security professionals.

Licenses are typically only required in professions in which the public is harmed by the absence of licensure. Therefore, the implicit assumption in arguing for a certification program for all security professionals both in the government and private sector is that the public is being harmed because unqualified workers are filling those jobs -- not because of a lack of talent or insufficient training but because hiring managers cannot distinguish between competent and incompetent security workers. That is the only problem that certification (in the form of a de facto license) could fix.

However, no proponent of that approach has provided evidence to show that the problem exists, nor is the problem commonly cited in other studies as a factor contributing to security risks.

The security community needs to speak up. The security challenge is too important to allow Congress to provide a paper-thin response that produces nothing more than the veneer of government action without reducing any real risks. --Daniel Castro



There are 15 CertCities.com user Comments for “Analysis: Certifications Not a Security Cure-All”
12/16/09: James Goodwin says: Amen. I would support professional licensure for IT security staff and a way of ensuring a basic level of competency but it would in no way be a replacement for proper risk management techniques.
12/16/09: Anonymous says: Professional licenses are an interesting concept and they will be useless within the industry. When committing budgets, resources, proper procedures and "providing" some form of security of data and access to data, that falls within the realm of Board of Directors and C-level Staff. Numerous times, I have encountered C-Level and mid managers who cannot grasp the reality of a loss or why budget should be available for it. The risk management technique is avoidance until there is a loss or there is a substantial fine which will put them out of business. Congress should create and enforce jail time and financial penalties for C-Level executives for each data breach they allow. Once that occurs, then security will have a chance to live within a business.
1/22/13: Butterfly from iAUmgOqBwefD says: No complaints on this end, simply a good piece.
1/22/13: Deandre from psfzwqfSdHAyJDlwHq says: That's really thinking of the highest order