Penetration Testing mailing list archives

Re: Federally Mandated Certification of cybersecurity professionals?


From: Pete Herzog <lists () isecom org>
Date: Tue, 14 Apr 2009 19:59:35 +0200

It's a question of scale.  I know there can be solid technical
certification programs as well.  But how do you mandate that across
everyone in the U.S. that is going to be calling themselves an
"information security professional" in the next couple of decades?

First, you're preaching to the choir. I am against federally mandated certification and licensing. Very against it. I am certainly not against wanting all security professionals to know how to do their jobs right though.

Sure, everyone wants to hire the Ph.D. computer scientist with 25
years of experience and every certification you can name, but those
people don't grow on trees, they cost a lot to hire and retain, and
they're retiring more quickly than they are being produced here in the
U.S.

Have you seen the OPST? The idea is to teach people how to test correctly, how to be self sufficient, and how to be in control of your tests. The OPSA teaches how to analyze through different types of tests, determining if results are factual, seeing through FUD and marketing, and many other walk-the-walk things an Analyst needs to know as well as where to keep learning. Something like that in colleges would be a good start. Why are schools graduating security practitioners without giving them operational security practice?


InfoSec is a growth industry and the "entry point" isn't 10 years of
network admin experience like it used to be.  These days it's a
college degree.  Who pays for the Federal Certification program?

It would be pushed onto the practitioners of course. That's one of the things I hate about it. It would also be full of loopholes and grandfathering clauses and other watered-down requirements and contingencies. It wouldn't work.


I just don't see this happening.  At most, I'd expect an adoption of
something similar to the DoD's 8570 requirements (job roles broken
down into "tiers" or "levels" with a list of certifications required
for anyone in one of those roles).  The elitist mindset only works up
to the point where you run out of elite personnel.

I actually hope it doesn't even come to that. Those requirements need some seriously unbiased, third-party review because right now they're just political: bought and sold.

-pete.
