There’s been ongoing discussion in Congress about licensure for IT security professionals, with even some mention of making licensing mandatory for those who seek to work in this area. It’s even possible to argue that DoD 8570 does this already, to some extent, for those who work in areas that touch on Information Assurance (IA) for the US Department of Defense and its contractors and suppliers.
To that end, high-profile infosec expert and author Daniel Castro provides some fascinating discussion and food for thought on this topic in a recent article for CertCities.com entitled “Analysis: Certifications Not a Security Cure-All.”
I don’t think he means this information as a ding on the Certified Information Systems Security Professional (CISSP) credential, but here’s my favorite snippet of information from this story:
Nor has the increase in the number of certified security workers nationwide resulted in any noticeable decrease in the number of computer vulnerabilities, security incidents or losses from cyber crime. Between 2001 and 2005, although the number of Certified Information Systems Security Professionals (CISSPs) in North America quadrupled, the number of vulnerabilities cataloged by the U.S. Computer Emergency Readiness Team more than doubled, the dollar loss of claims reported to the Internet Crime Complaint Center increased more than tenfold, and the number of complaints the center referred to law enforcement increased more than twentyfold.
Alas, no increase in the knowledge or credentials of an organization's employees can offset strange and outmoded views of risk and security management. Both Castro and those commenting on his story observe that avoidance of risk (perhaps best understood in psycho-babble terms as “denial”) remains the predominant security strategy in most businesses and organizations even today. Until hard-boiled risk assessment and management percolates into the executive suite and becomes a standard tool for allocating and managing resources, this situation is likely to continue. In the interim, neither mandates nor other forms of incentive are likely to make much difference in how businesses and organizations operate and behave. Despite this state of affairs, however, infosec certs remain popular among IT employers, and likely targets for IT professionals seeking to add to their technical competencies.