Human Capital Discussion – Part 2.
I’m doing part 2 of my review of the CSIS paper on the human capital crisis in IT security. I think anyone who’s ever participated in development of a certification program has dreamed of the kind of certification they describe in this report. Wouldn’t it be great if we could build it and develop a group of world class security gurus? This is the kind of “build it and they will come” scenario that makes me think of cornfields and Kevin Costner.
However, I was surprised that the authors of this report could look at all of the certification work done over the past 20 years in the security profession and declare it “dangerous.” In response, the commission would create a brand new organization that could start from scratch and come up with a technical certification program that would meet the needs of a diverse federal workforce. As someone who was deeply involved in the design of the CSSLP certification, I can assure them that the devil is in the details. Any one of the listed organizations could have built a certification program like the one described, but they didn’t. There’s a reason for that.
Having worked on both the CISSP and the CSSLP I have also yearned for a more technical exam, possibly with code analysis. I didn’t get what I wanted when we developed the CSSLP, but I’m now willing to admit that I could have been wrong in my initial assessment. Although most technical security people will tell you that they’re happy to test their skills against a standard, it’s extraordinarily difficult to put a standard test onto paper (or into bits). Then, how do you build equivalent tests using both Windows and Linux, or C++ and Java? When you pair the subject matter experts up with the psychometricians, the discussions get messy.
IMO, the closest anyone has ever come in the federal government to this kind of program is the ISSEP concentration, started in 2004. The ISSEP is a coordinated security concentration between the (ISC)2 and the US National Security Agency. It is a very tough concentration that tests candidates across a range of security engineering functions. Incidentally, it also requires the CISSP as a base certification before a candidate can request the concentration. It’s a very difficult technical program to complete and I wish the authors of this report had spent some time studying the lessons from the ISSEP.
So, in order to get this out onto the blog, I’m going to stop by asking 3 questions:
- Did the committee perform an evaluation of the legal ramifications of this type of certification in the federal workforce? If so, we should hear more about this in the report.
- Did the committee look at lessons from the existing ISSEP program? There was no mention of this program in the document, so it would help to hear about direct experience with a program that most closely matches the one they describe.
- At least 10,000 highly skilled intrusion analysts have passed through the SOCs of the federal government in the past 15 years. If we have fewer than 1000 today, why did so many of them fall behind the technology curve? If there is a half-life on deep security expertise, we should consider addressing that issue before training another 10,000, shouldn’t we?
That’s my take on the issue – in two installments. I hope that the authors will take some time to take a closer look at the problem. If you think I’ve missed something, please add a comment and we can talk.
Best,
Jim Molini, CISSP, CSSLP

Jim,
You raise some interesting questions. To my knowledge, the authors did little research into the development of the ISSEP. I was the (ISC)2 representative to a meeting with the authors a week before the report publication. The ISSEP was not brought up. Also in attendance were ISACA, CompTIA, NIST and ANSI. The conversation was quite general in nature about better methods for testing information security professionals and lasted a bit more than an hour. The idea of licensing like doctors do was brought up by the authors; however, it was pointed out that doctors’ associations are managed at the State level, not the Federal level. I would also make the point that the licensing association is managed by doctors; in this case, it should be managed by information security professionals. The new association that you allude to is not led by information security professionals but by what appears to be a group from CSIS and Alan Paller. Interesting that the authors of the report are also on this new board, which I believe raises questions about the report itself. Recently, one of the new board members raised an issue of a conflict of interest of current certification bodies doing training; doesn’t the same rule apply for a board member releasing a report that is sharply critical of their competition?
Something to ponder,
Marc Noble
Marc,
Thanks for that update. I didn’t know that these guys had already set up some kind of competing organization. However, any federal agency that wanted to hire a certification non-profit would have to open the bid to competition. Then this new firm would have to compete with organizations that have been doing certification work for decades. I’d be very interested to hear the selection board discussion when that happened. If you have a link to more info on this, please send it along.
Jim.