Penetration Testing mailing list archives

Re: Federally Mandated Certification of cybersecurity professionals?


From: Pete Herzog <lists () isecom org>
Date: Fri, 10 Apr 2009 14:06:47 +0200

Hi,

> If hoop jumping bothers anyone, then this is not the industry
> for them. Security changes almost daily so there should be
> little difference in actually taking the time to jump through
> hoops in understanding the threats along with the attack
> vectors. If you can't talk the talk dot dot dot

I didn't see him say hoop jumping bothered him. He said MORE hoop jumping. I think we can all agree we have enough work ahead of us that having to give ourselves more is a significant detriment.


> Will the legislation lead to identifying and hiring the "right"
> individuals, sure it will. It will lead to the CYA (Cover Your
> A..) methodology of being able to say they took their due
> diligence. There is a disconnect many times with those who
> have a clue NOT being certified and those with certifications
> still not understanding.

Really? Because mandates to hire CISSPs, for example, haven't done much good overall. Or maybe (dramatic music) the hackers have also become CISSPs to secretly figure out how to outsmart them! :) And the CYA motivator has, historically, never been a great reason to do anything productive. We should remove the CYA from business instead of encouraging it. And compliance is not CYA. Compliance is a risk decision of legal consequence, whereas CYA is a risk decision of personal consequence. I'm all for compliance if done right. It just hasn't been done right yet.


> Personally, I believe this raises the bar for those unclued
> and certified to actually go out and re-think/re-examine
> slash "get a clue". Because it won't be something as easily
> passed as many trolls would allude to, I think the government
> is showing that even though they're taking baby steps, they're
> starting to see through the mud and wising up on security.

I have to differ with you here. Many certifications are easily passed. They don't make you prove that you can do something. They are mainly akin to Trivial Pursuit Security Edition (TM). For the government to show they are getting wiser about security, they need to actually fix their own audit guidelines and stop listening to the commercial influences that are muscling their own interests ahead of the nation's. And I'm not just speaking of the US.


> One of my biggest problems with government is, they isolate
> themselves far too often. Instead of turning to a "best of
> breed", dual view of security (private sector/research and
> their own staff), they often rely far too much on one set
> of eyes.

They don't isolate themselves ENOUGH, especially from self-serving commercial interests. Best of breed doesn't mean anything if it's the most useless breed of the species. Governments have a long history of working directly with great scientists in the private sector and other great minds, especially mathematicians, to benefit a nation. It's only recently that they've turned more to working with corporations and commercial interests instead, and it's been a disaster. Yes, there's a lot of cool new technology out there the government can grab, but not if they rely on security professionals with a Trivial Pursuit security base to put it together.

What there needs to be in security is a good competition to bring out the best in the profession. Then instead of just showing their license, they show their accomplishments, which just may be a more realistic reflection of their ability. It's a fact that licensing has not weeded out bad professionals from an industry. Like the old joke they tell us in med school: "What do you call a doctor who graduates at the bottom of his class?" A: Doctor.

Licensing has been known to lower the bar as a barrier to entry as opposed to lifting it. This is because by imposing fees they narrow the number of applicants, so they need to lower the know-how bar to make up for it. Only professional competition can raise it. The only reason any industry turns to licensing is because it squashes competition and makes more money for certain commercial interests. Security doesn't need more of that.

-pete.
