The problem with CyberSecurity Mandates

Just got back from my 20-year high school reunion and had time to catch up on my reading. After getting through CyberSecurity training: the battle over mandates over at Federal Computer Week, I felt compelled to jot a few notes.

The article references a measure sponsored by Sens. John “Jay” Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine) that would direct the Commerce Department to “develop or coordinate and integrate a national licensing, certification and periodic recertification program for cybersecurity professionals.” Notable quote: “It would then become unlawful for a person lacking the proper license and certification to provide cybersecurity services to an agency or for an information system or network designated as critical infrastructure” (emphasis mine).

I think we all see the problems with this.

Problem 0: “Unlawful” is a land-mine. My COO has a catch-phrase that I like: Don’t run FROM something, run TO something. His point is that fear-based decisions are nearly always bad decisions. By introducing terminology in a requirement such as “unlawful” you are creating a big red flag for anyone who might even be remotely interested in your problem.

Problem 1: Certification doesn’t necessarily imply capability. Certifications only prove that at a particular point in time you had the knowledge required to pass a test. It is not an indicator that you retained the knowledge, that you understood the material you tested on, or that you are able to do the job currently on the table. We all know “paper tigers”, those consultants who have multiple certifications but lack the applied and practical skills to return significant value. I have personally been involved in follow-on engagements to clean up after a highly-credentialed vendor whose deliverables lacked actionable recommendations, parity with budget constraints, or a realistic implementation timeline. It is important to be able to properly qualify vendors and team members before engaging them.

Problem 2: Certifications provide a false sense of security if considered out of context. I have seen cases where HR was screening candidates based solely on a laundry list of Security and IT certifications. The business unit couldn’t understand why they couldn’t get qualified candidates until we discovered that HR was filtering out highly qualified consultants who simply lacked the ‘appropriate’ number of certifications. Too many organizations rely on certifications as exclusive evaluation criteria but provide little weighting to other items such as past performance, experience in their vertical, background checks, or depth of technical ability.

Problem 3: Certification requirements may introduce barriers that exclude highly qualified talent. I agree that certifications are a good differentiator when selecting a vendor or a solution. That is, when all other factors are equal, certifications make good “tie breakers”. However, they are poor discriminators – they are not unique to any vendor or solution. We all know highly qualified consultants who cannot or will not spend money on a certification costing thousands of dollars when they know it provides no value to their clients. For instance, the PCI Qualified Security Assessor certification costs over $25,000 to achieve and $10,000 per year to maintain. My firm chose not to pursue this certification and focuses instead on pre-audit services such as control selection and risk mitigation to help our clients pass the audit.

Problem 4: Certification Lifecycle is Short. I may be a little over-dramatic here, but the point is valid. The pace and velocity of change in IT is dramatic. Very few certifications provide foundational knowledge that survives over time. The CISSP is one exception, as it does a deep dive into many axiomatic areas (think role-based access controls, risk models, etc.).

Problem 5: Vendor Certifications are Problematic in Information Security. Many certifications are vendor-centric. While this is a good thing for network and systems administrators (i.e. the ‘wrench turners’), its value erodes in the information security disciplines. Vendor-centric certifications often skew security theory toward their product lines, and there is no independent oversight body. You are better served by balancing a combination of a technical degree, certifications and real-world experience rather than having a checklist of certifications. Consider that university degrees communicate that the candidate has a broad range of exposure to the discipline, has the ability to self-teach new material, and can buckle down to achieve goals they really don’t want to (anyone remember Music Appreciation class?).

Problem 6: These requirements will trickle down to and strangle industry. The federal government has the ability to get its fingers into just about everything. In this case, the Commerce Department can pull levers like interstate trade to impose its will on business. Also, as the largest single customer in the nation, the Federal government can, has, and will continue to impose these requirements on a large percentage of commercial enterprises through contract flow-down provisions. Having served the federal government for over 12 years, I continue to see such onerous requirements creep into solicitations and contract vehicles, making the cost of serving our customers untenable. We are so handcuffed by ‘checklist’ requirements that there is little funding left over to return real value to our customer, squeezing our margins and degrading our service delivery.

Every day I see clients make these kinds of mistakes and pay the consequences. Clients who don’t understand their own needs and copy-and-paste someone else’s requirements into their solicitation. Clients who think compliance equals security. Clients who release requests-for-proposal (RFPs) where the “successful bidder must assign a to this project”.

I’d be interested in others’ thoughts on this one.


~ by stevegoldsby on June 29, 2009.