IT Security Profession: Heal Thyself
Governance of information security professional certification is a hodgepodge of professional associations and for-profit companies that develop and issue certifications. But a consensus of members of the Commission on Cybersecurity for the 44th Presidency, in a white paper issued earlier this week, believes there's a better way to certify IT pros: the establishment of a Board of Information Security Examiners, which would set the standards for all certification-related activities.
As I noted in my previous blog, the future of IT security professional certification may be found in the field of medicine. That analogy was made in the white paper - A Human Capital Crisis in Cybersecurity: Technical Proficiency Matters - as well as in an interview I had with its co-author, former Office of Management and Budget official Franklin Reeder.
Now, let's explore more of the commission's thinking. As Reeder and co-author Karen Evans point out, such a model of governance has worked in a wide range of professions, including those certifying daycare providers, electricians and physicians.
In medicine, the American Board of Medical Specialties oversees a regime of rigorous standards doctors need to meet before receiving board certification, which furnishes crucial information about a practitioner's skills and knowledge to those seeking medical services. Reeder and Evans write:
"While no test or credential can guarantee an outcome, taken together with information about performance, it increases the quality of care and patient's level of assurance. Similarly, it is essential to assure that those who buy cybersecurity services have tools to evaluate the competence of those whom they engage.
"Facing medical problems, few of us have the knowledge to evaluate the competence of those to whom we turn for assistance. Instead, we rely on a combination of independently administered professional certifications and state licensing authorities to tell us whether the provider has the needed training and has demonstrated the skills that we need."
To kick-start a new regime of IT security professional certification, the commission recommends the creation of a not-for-profit governance body to develop and administer certifications in two or three specialty areas and to evaluate whether some or any existing certification programs meet its standards. As the commission proposes, the organization would be overseen by three to five representatives from major private-sector organizations that employ high-end cybersecurity professionals, universities with major cyber education and research programs, and key government agencies and congressional committees.
The commission suggests the oversight board should direct and evaluate a two-year pilot test and, at the end of the first year, offer recommendations on whether or how the body should continue.