Same Goal, Differing Approach to Certification
A college giving a grade or, for that matter, awarding a degree for successful completion of coursework is not the same as granting a professional certification to students who complete the program.
In an interview with GovInfoSecurity.com, Franklin Reeder said he believes the same organization that provides information security training should not grant professional certifications, contending that doing both poses a conflict of interest. Reeder is the former Office of Management and Budget official who this summer coauthored the Commission on Cybersecurity for the 44th Presidency's white paper on the federal workforce, which, in part, called for a more rigorous regime of certification testing.
Still, some readers took Reeder's comments and one of my blog posts to suggest that schools should stop testing their own students. Here's how one reader put it:
"Forgive my ignorance, but in the statement 'Certifying bodies can't be in the training business; it's too much of a conflict of interest,' would this mean that 4-year universities should not grant degrees? ... So does this article lead to the belief that I must now go to a college and pay a huge amount of money to train for my master's degree and then go to some board of examiners and pay more money to take a test and prove my worth to obtain the degree? Just an interesting road that this may take us down as I am sure many college students, both current and future, will need to pay attention to this debate."
Reeder does not suggest that colleges should stop testing their students or granting them degrees.
The report he wrote envisions a day when a national Board of Information Security Examiners would establish more comprehensive testing than exists today to certify the knowledge of cybersecurity specialists, testing that accounts not only for training but also for extensive hands-on experience.
Reeder and the report cite the medical profession as an example. Doctors graduate from medical schools that test their students on the knowledge gained during four years of training and grant them MDs. But separate organizations test the new doctors for licensure, and after physicians gain experience and receive additional training, they can take further tests to be certified in their specialties. That is the model Reeder feels the information security profession should emulate. His view on separating trainers from testers, however, wasn't accepted by the commission and wasn't part of the report he wrote.
Writing in a response, Hord Tipton, executive director of (ISC)2, defends organizations such as his that provide IT security training and certification:
"We intentionally have a strict firewall between our education and certification programs to avoid the possibility of 'teaching the exam' and thus violating a principal rule of academia. The ANSI (American National Standards Institute) accreditation of our credentials is a testament to a process that works. Our classes are only meant to serve as a refresher of what one supposedly already knows something about."
And, Tipton questions whether a board of examiners should be the only route to a more comprehensive form of certification:
"We are heading down a dangerous path by implying that only a government-run Board of Information Security Examiners is capable of determining the readiness of our security professionals. All of the current security 'confirming' organizations are doing a good job of evaluating and validating the skills of the people they educate and certify. It is a very narrow conclusion that the weakness of our security environment is the fault of the people trained, certified and on the job today."
The last comment seems to reference a paragraph in the blog post, citing the commission report, that says at least some credentials focus on demonstrating expertise in documenting compliance with policy and statutes rather than expertise in reducing risk through identification, prevention and intervention. In the post, I observed:
"Many certification programs are tailored to prepare infosec pros to fill out checklists to conform with the Federal Information Security Management Act. Those certifications confirm the recipient has demonstrated the skills necessary to meet compliance rules and is not necessarily qualified to safeguard IT systems. As Reeder points out, it isn't the certification issuers' fault; they're just meeting a market demand."
No one is blaming trained cybersecurity professionals for creating a weak IT environment. If anything, my observation is a dig at a government bureaucracy that seems more focused on checklists than on securing the IT itself.
There's no doubt that cybersecurity advocates such as Reeder and Tipton seek to improve IT security training and certification; indeed, both have long histories of demonstrating that commitment. What matters is how to better educate cybersecurity professionals and how best to recognize that know-how. Despite some differences in approach, that's where we're heading.