Human Capital Discussion – Part 2.
I’m doing part 2 of my review of the CSIS paper on the human capital crisis in IT security. I think anyone who’s ever participated in development of a certification program has dreamed of the kind of certification they describe in this report. Wouldn’t it be great if we could build it and develop a group of world class security gurus? This is the kind of “build it and they will come” scenario that makes me think of cornfields and Kevin Costner.
However, I was surprised that the authors of this report could look at all of the certification work done over the past 20 years in the security profession and declare it “dangerous.” In response, the commission would create a brand new organization that could start from scratch and come up with a technical certification program that would meet the needs of a diverse federal workforce. As someone who was deeply involved in the design of the CSSLP certification, I can assure them that the devil is in the details. Any one of the listed organizations could have built a certification program like the one described, but they didn’t. There’s a reason for that.
Having worked on both the CISSP and the CSSLP, I have also yearned for a more technical exam, possibly with code analysis. I didn’t get what I wanted when we developed the CSSLP, but I’m now willing to admit that I could have been wrong in my initial assessment. Although most technical security people will tell you that they’re happy to test their skills against a standard, it’s extraordinarily difficult to put a standard test onto paper (or into bits). Then, how do you build equivalent tests using both Windows and Linux, or C++ and Java? When you pair the subject matter experts up with the psychometricians, the discussions get messy.
IMO, the closest anyone has ever come in the federal government to this kind of program is the ISSEP concentration, started in 2004. The ISSEP is a coordinated security concentration between the (ISC)2 and the US National Security Agency. It is a very tough concentration that tests candidates across a range of security engineering functions. Incidentally, it also requires the CISSP as a base certification before a candidate can request the concentration. It’s a very difficult technical program to complete and I wish the authors of this report had spent some time studying the lessons from the ISSEP.
So, in order to get this out onto the blog, I’m going to stop by asking 3 questions:
- Did the committee perform an evaluation of the legal ramifications of this type of certification in the federal workforce? If so, we should hear more about this in the report.
- Did the committee look at lessons from the existing ISSEP program? There was no mention of this program in the document, so it would help to hear about direct experience with a program that most closely matches the one they describe.
- At least 10,000 highly skilled intrusion analysts have passed through the SOCs of the federal government in the past 15 years. If we have fewer than 1000 today, why did so many of them fall behind the technology curve? If there is a half-life on deep security expertise, we should consider addressing that issue before training another 10,000, shouldn’t we?
That’s my take on the issue – in two installments. I hope that the authors will take some time to take a closer look at the problem. If you think I’ve missed something, please add a comment and we can talk.
Best,
Jim Molini, CISSP, CSSLP
