HealthcareInfoSecurity.com - Information Security News, Regulations, & Education


Harsh Words for Professional Infosec Certification

July 21, 2010 - Eric Chabrow


Extremely tough language on the state of information security certification can be found in the just-issued report from the Commission on Cybersecurity for the 44th Presidency, which states:
"It is the consensus of the commission that the current professional certification regime is not merely inadequate; it creates a dangerously false sense of security."

Retired Office of Management and Budget official Frank Reeder along with Karen Evans, who once headed OMB's e-government office, co-wrote the white paper. I spoke with Reeder on Tuesday, and asked him whether the commission intended to be so rough, and he replied:

"Absolutely. Yes, they are harsh words. That was deliberately intended to call attention to the issue."

The report cites the following reasons for its tough-love approach to certification:

  • Individuals and employers spend scarce resources on credentials that do not demonstrably improve their ability to address security-related risks; and
  • Credentials, as currently available, focus on demonstrating expertise in documenting compliance with policy and statutes rather than expertise in actually reducing risk through identification, prevention and intervention.

That last point, looked at another way, is that many certification programs are tailored to prepare infosec pros to fill out checklists to conform with the Federal Information Security Management Act. Such certifications confirm that the recipient has demonstrated the skills necessary to meet compliance rules, not necessarily that the recipient is qualified to safeguard IT systems. As Reeder points out, it isn't the certification issuers' fault; they're just meeting a market demand.

But the market is changing. Decrees from OMB and legislation before Congress have the federal government moving away from paper compliance under FISMA and toward continuous monitoring of IT systems to assure they're truly secure. That requires a new type of expertise. NASA is one of the first federal agencies moving toward continuous monitoring, and here's how its chief information security officer, Jerry Davis, sees it:

"You are definitely talking about a different skill set. It is more of an operations type activity versus a compliance activity and what we are doing ultimately is we are operationalizing compliance. There is a little bit more of a technical skill set that an organization will need."

Certifications won't go away; they'll be even more crucial in credentialing IT security professionals, but as Reeder said, they must change:

"We're hoping over time that entities will emerge that will issue much more rigorous certifications and that the certifications that already exist will continue as I think they are to evolve into much more rigorous indications that the folks who hold them are highly skilled."

As Reeder sees it, the cybersecurity profession is where the medical profession was more than a century ago, and in the report, he and Evans wrote:

"In many ways, cybersecurity is a lot like 19th century medicine - a growing field dealing with real threats with lots of often self-taught practitioners only some of whom know what they are doing. What has evolved in medicine over the last century is a system that recognizes that different kinds of skills and specialties are required. And, since most of us are not able to assess the qualifications of a practitioner when a need arises, we now have an education system with accreditation standards and professional certifications by specialty. We can afford no less in the world of cyber."

Comments
I really do not know what they are talking about. My question is exactly and specifically how do we get the knowledge to go to continuous monitoring from compliance with FISMA? What credentials is the white paper referring to in the statement "Credentials, as currently available, focus on demonstrating expertise in documenting compliance with policy and statutes rather than expertise in actually reducing risk through identification, prevention and intervention"? In my opinion, certs like CISA, CEH, and CISSP give the person the knowledge to practice operations security. After this knowledge, they then need actual hands-on experience using various commercial and free operations security tools. The white paper criticizes certifications when the problem was the law and FISMA. I say get rid of the idiots who wrote the FISMA and FISCAM guidance and start over, approaching the security problem from a standpoint of how to provide operations security and continuous monitoring instead of a checklist for compliance with laws and regs. I fail to see the connection between failure of Federal Government operations cybersecurity and certifications as a causation.
Posted by butle49056@hotmail.com on July 21, 2010 @ 11:24 AM
-----------
I strongly disagree that all certifications provide a "false sense of security." Infosec pros/ethical hackers/whitehats/pentesters/whatever your title is, know what they're talking about if they've done the certifications from Offensive Security. This is not my attempt at selling their products, but merely a fact that their courses do challenge even skilled infosec pros when we're talking about the OSCP and especially OSCE certifications.

Hunting for "0days" and developing custom exploits is not something which gives a false sense of security.

It's what real hackers do, on both the good and the bad side. (Know your enemy and his or her capabilities.)

But I do agree, that some of the other certifications can and may give a false sense of security, but not all of them. I believe certifications from ImmunitySec and Core Security are worthy enough to be mentioned as quality.
Posted by MaXe on July 21, 2010 @ 11:00 AM
-----------
I agree that the certifications that seem to be most highly sought after (CISSP, GSEC, CISA, CISM) are mainly aimed at managing a security team, not performing security work, but it seems that there are organizations like SANS and Offensive Security that aim more at training the technical side. (Yes, I know that GSEC is a SANS cert, but they do offer others.)

The biggest problem seems to be that the world seems to think of these security management certs as the be-all and end-all of security training. I think that it's important to start thinking of CISSP and GSEC as important, but not as all you would ever want/need. CISA and CISM are nice complementary certs for those aiming at the management, policy writing and paperwork end, but the technical people need to have technical certifications as well, and employers need to be willing to send them for technical training.
Posted by macphersonr@whitby.ca on July 21, 2010 @ 10:27 AM