Penetration Testing mailing list archives

Re: Federally Mandated Certification of cybersecurity professionals?


From: Stephen Mullins <steve.mullins.work () gmail com>
Date: Tue, 14 Apr 2009 08:20:34 -0400

The field evolves far too quickly for it to be possible to create any
meaningful technical exam and apply it across the entire
InfoSec/CyberSecurity/bureaucratic-buzzword-of-the-day industry.  The
security field is expanding by leaps and bounds due to government
mandates and increased security awareness among business leaders, which
means you need tens of thousands of young people with nothing but a
college degree and maybe a Security+ coming into the industry every
year.  The best you can hope for is a thorough non-technical exam, such
as what we already have in the CISSP, to verify that someone at least
knows the nomenclature required to discuss the subject at hand.

Does anyone really believe that a bunch of political appointees that
are near the end of their careers are going to be able to create a
legitimate certification process?  No, all this will do is raise the
barrier to entry and ensure that those milking their "official
government certification" will have a job for life, regardless of any
level of competence.  Similar to how the security clearance system
works.

Steve

On Fri, Apr 10, 2009 at 8:06 AM, Pete Herzog <lists () isecom org> wrote:
Hi,

If hoop jumping bothers anyone, then this is not the industry
for them. Security changes almost daily so there should be
little difference in actually taking the time to jump through
hoops in understanding the threats along with the attack
vectors. If you can't talk the talk dot dot dot

I didn't see him say hoop jumping bothered him. He said MORE hoop jumping. I
think we can all agree we have enough work ahead of us that having to give
ourselves more is a significant detriment.


Will the legislation lead to identifying and hiring the "right"
individuals, sure it will. It will lead to the CYA (Cover Your
A..) methodology of being able to say they took their due
diligence. There is a disconnect many times with those who
have a clue NOT being certified and those with certifications
still not understanding.

Really? Because mandates to hire CISSPs, for example, haven't done much good
overall. Or maybe (dramatic music) the hackers have also become CISSPs in
order to secretly figure out how to outsmart them! :) And the CYA motivator has,
historically, never been a great reason to do anything productive. We should
remove the CYA from business instead of encouraging it. And compliance is
not CYA. Compliance is a risk decision of legal consequence, whereas CYA is a
risk decision of personal consequence. I'm all for compliance if done right.
It just hasn't been done right yet.


Personally, I believe this raises the bar for those unclued
and certified to actually go out and re-think/re-examine
slash "get a clue". Because it won't be something as easily
passed as many trolls would allude to, I think the government
is showing that even though they're taking baby steps, they're
starting to see through the mud and wising up on security.

I have to differ with you here. Many certifications are easily passed. They
don't make you prove that you can do something. They are mainly akin to
Trivial Pursuit Security Edition (TM). For the government to show they are
getting wiser about security, they need to actually fix their own audit
guidelines and stop listening to the commercial influences that are muscling
their own interests ahead of the nation's. And I'm not just speaking of the
US.


One of my biggest problems with government is that they isolate
themselves far too often. Instead of turning to a "best of
breed", dual view of security (private sector/research and
their own staff), they often rely far too much on one set
of eyes.

They don't isolate themselves ENOUGH, especially from self-serving commercial
interests. Best of breed doesn't mean anything if it's the most useless
breed of the species. Governments have a long history of working directly
with great scientists in the private sector and other great minds,
especially mathematicians, to benefit a nation. It's only recently that
they've turned more to working with corporations and commercial interests
instead, and it's been a disaster. Yes, there's a lot of cool new technology
out there the government can grab, but not if they rely on security
professionals with a Trivial Pursuit security base to put it together.

What there needs to be in security is a good competition to bring out the
best in the profession. Then instead of just showing their license, they
show their accomplishments, which just may be a more realistic measure of their
ability. It's a fact that licensing has not weeded out bad professionals
from an industry. Like the old joke they tell us in med school: "What do you
call a doctor who graduates at the bottom of his class?" A: Doctor.

Licensing has been known to lower the bar as a barrier to entry as opposed to
lifting it. This is because by imposing fees they narrow the number of
applicants, so they need to lower the know-how bar to make up for it. Only
professional competition can raise it. The only reason any industry turns to
licensing is because it squashes competition and makes more money for
certain commercial interests. Security doesn't need more of that.

-pete.

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Learn all of the latest penetration testing techniques in InfoSec
Institute's Ethical Hacking class. Totally hands-on course with evening
Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified
Penetration Tester exams, taught by an expert with years of real pen testing
experience.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------