Penetration Testing mailing list archives

Re: Federally Mandated Certification of cybersecurity professionals?


From: Stephen Mullins <steve.mullins.work () gmail com>
Date: Tue, 14 Apr 2009 11:12:35 -0400

It's a question of scale.  I know there can be solid technical
certification programs as well.  But how do you mandate that across
everyone in the U.S. that is going to be calling themselves an
"information security professional" in the next couple of decades?
Sure, everyone wants to hire the Ph.D. computer scientist with 25
years of experience and every certification you can name, but those
people don't grow on trees, they cost a lot to hire and retain, and
they're retiring more quickly than they are being produced here in the
U.S.

InfoSec is a growth industry and the "entry point" isn't 10 years of
network admin experience like it used to be.  These days it's a
college degree.  Who pays for the Federal Certification program?

I just don't see this happening.  At most, I'd expect an adoption of
something similar to the DoD's 8570 requirements (job roles broken
down into "tiers" or "levels" with a list of certifications required
for anyone in one of those roles).  The elitist mindset only works up
to the point where you run out of elite personnel.

Steve

On Tue, Apr 14, 2009 at 9:55 AM, Pete Herzog <lists () isecom org> wrote:
Hi,

The field evolves far too quickly for it to be possible to create any
meaningful technical exam and apply it across the entire
InfoSec/CyberSecurity/bureaucratic buzzword of the day industry.  The

I don't think the question here is just one of technology. Since the changes
(I'd need a good argument to call many of them "advances") do occur at a
fast pace even if just to have a market differentiator, it would not have to
be a technical exam in the way of knowing all the latest buzzword
technology. It's not necessary outside of any type of specialization.

Security field is expanding by leaps and bounds due to government
mandates and increased security awareness among business leaders which
means you need tens of thousands of young people with nothing but a
college degree and maybe a security+ coming into the industry every
year.  The best you can hope for is a thorough non-technical exam such
as what we already have in the CISSP to verify that someone at least
knows the nomenclature required to discuss the subject at hand.

That would be a bad idea because you would be then arming them with security
trivia to what-- talk the systems into giving up their problems? I am biased
because I know there can be strong, technical certification based on field
and specialty. We designed the OPST to be specific to the security tester,
the OPSA to be specific to the security analyst, and the OWSE to be specific
to spectrum (aka wireless) analysts. All are technical in regards to proving
a certified person is capable of efficiently working with technical systems
and getting meaningful and accurate results. Many times the "new" technology
does not change much in the way of how these professionals operate. For
example, an OPST is as capable of testing the latest of cloud computing as
they are of testing old school infrastructure. It is not because all these
things are covered but that they are taught how to apply a formal
methodology to any type of test by learning how they need to understand the
underlying technology.

Sincerely,
-pete.


