Penetration Testing mailing list archives
Re: Federally Mandated Certification of cybersecurity professionals?
From: Stephen Mullins <steve.mullins.work () gmail com>
Date: Tue, 14 Apr 2009 11:12:35 -0400
It's a question of scale. I know there can be solid technical certification programs as well. But how do you mandate that across everyone in the U.S. that is going to be calling themselves an "information security professional" in the next couple of decades? Sure, everyone wants to hire the Ph.D. computer scientist with 25 years of experience and every certification you can name, but those people don't grow on trees, they cost a lot to hire and retain, and they're retiring more quickly than they are being produced here in the U.S.

InfoSec is a growth industry and the "entry point" isn't 10 years of network admin experience like it used to be. These days it's a college degree. Who pays for the Federal Certification program? I just don't see this happening. At most, I'd expect an adoption of something similar to the DoD's 8570 requirements (job roles broken down into "tiers" or "levels" with a list of certifications required for anyone in one of those roles).

The elitist mindset only works up to the point where you run out of elite personnel.

Steve

On Tue, Apr 14, 2009 at 9:55 AM, Pete Herzog <lists () isecom org> wrote:
> Hi,
>
>> The field evolves far too quickly for it to be possible to create any meaningful technical exam and apply it across the entire InfoSec/CyberSecurity/bureaucratic buzzword of the day industry.
>
> I don't think the question here is just one of technology. Since the changes (I'd need a good argument to call many of them "advances") do occur at a fast pace, even if just to have a market differentiator, it would not have to be a technical exam in the way of knowing all the latest buzzword technology. It's not necessary outside of any type of specialization.
>
>> The Security field is expanding by leaps and bounds due to government mandates and increased security awareness among business leaders, which means you need tens of thousands of young people with nothing but a college degree and maybe a Security+ coming into the industry every year. The best you can hope for is a thorough non-technical exam such as what we already have in the CISSP to verify that someone at least knows the nomenclature required to discuss the subject at hand.
>
> That would be a bad idea because you would then be arming them with security trivia to what-- talk the systems into giving up their problems? I am biased because I know there can be strong, technical certification based on field and specialty. We designed the OPST to be specific to the security tester, the OPSA to be specific to the security analyst, and the OWSE to be specific to spectrum (aka wireless) analysts. All are technical in regards to proving a certified person is capable of efficiently working with technical systems and getting meaningful and accurate results. Many times the "new" technology does not change much in the way of how these professionals operate. For example, an OPST is as capable of testing the latest in cloud computing as they are of testing old-school infrastructure.
>
> It is not because all these things are covered but that they are taught how to apply a formal methodology to any type of test by learning how they need to understand the underlying technology.
>
> Sincerely,
> -pete.