Penetration Testing mailing list archives

Re: Federally Mandated Certification of cybersecurity professionals?


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Fri, 3 Apr 2009 17:00:18 +0200

> A nationally recognized certification program could lead to a more
> professional view of our field. Right now anyone with a laptop, nmap and
> Nessus can call themselves a cybersecurity professional.

The same argument could be easily made about every other white collar
job - but regulation is expensive and discourages people from pursuing
certain careers, which is why we use it sparingly. Sure, local and
federal governments like to sometimes impose no-op red tape
requirements (such as the need to register or apply for a permit) on a
random subset of professions, but meaningful and in-depth
certification is rare.

Given that this particular field is already suffering from a shortage
of qualified employees and that the wages are already high, broad
regulation would probably do more harm than good in terms of making it
harder to afford and secure relevant security expertise for your
business. Also keep in mind that in their general capacity,
incompetent IT security professionals cause a comparable or lower risk
than incompetent developers or system administrators - so any argument
to single out this group seems to be weak.

What seems to be more appropriate is setting rules for certain
businesses to adhere to - but even then, the actual benefits of
existing regulations versus the cost of compliance... coupled with the
ease such rules might be gambled, and how they often mandate
pathologic auditor-auditee relationships... eh.

Furthermore, note that the industry already has an elaborate system
of well-recognized certifications in place, most of them with bars set
higher than any compulsory scheme could ever be (particularly given
the range of job levels and specializations it would need to cover) -
and it is arguable how well these certifications weed out the
incompetent in their own ranks.

/mz

