Penetration Testing mailing list archives
Re: Federally Mandated Certification of cybersecurity professionals?
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Fri, 3 Apr 2009 17:00:18 +0200
> A nationally recognized certification program could lead to a more professional view of our field. Right now anyone with a laptop, nmap and Nessus can call themselves a cybersecurity professional.

The same argument could be easily made about every other white collar job - but regulation is expensive and discourages people from pursuing certain careers, which is why we use it sparingly. Sure, local and federal governments like to sometimes impose no-op red tape requirements (such as the need to register or apply for a permit) on a random subset of professions, but meaningful and in-depth certification is rare.

Given that this particular field is already suffering from a shortage of qualified employees and that the wages are already high, broad regulation would probably do more harm than good in terms of making it harder to afford and secure relevant security expertise for your business.

Also keep in mind that in their general capacity, incompetent IT security professionals cause a comparable or lower risk than incompetent developers or system administrators - so any argument to single out this group seems to be weak.

What seems to be more appropriate is setting rules for certain businesses to adhere to - but even then, the actual benefits of existing regulations versus the cost of compliance... coupled with the ease such rules might be gambled, and how they often mandate pathologic auditor-auditee relationships... eh.

Furthermore, note that the industry already has an elaborate system of well-recognized certifications in place, most of them with bars set higher than any compulsory scheme could ever be (particularly given the range of job levels and specializations it would need to cover) - and it is arguable how well these certifications weed out the incompetent in their own ranks.

/mz