SANS: Popular certifications don't ensure security

Effective training emphasizes technical knowledge, survey says

Editor's Note: This story was updated at 5:22 p.m. Jan. 9, 2006, to reflect that the SANS Institute is a for-profit institute. The story previously stated that it was nonprofit.

Many popular information technology security certifications don't improve holders' ability to ensure computer systems' security, according to a new survey from the SANS Institute, a training and education organization for security professionals.

The survey found that respondents with certifications from the Computing Technology Industry Association (CompTIA), the International Information Systems Security Certification Consortium -- also known as (ISC)2 -- and the Information Systems Audit and Control Association (ISACA) think that their training does not give them as strong an advantage in performing hands-on security jobs as platform- and vendor-specific certifications do.

Because respondents could vote for multiple certifications, "the low votes for CompTIA, (ISC)2 and ISACA certifications are compelling proof that these certifications should not be relied upon for people with hands-on security responsibilities," said Alan Paller, the institute's director of research.

The findings have tremendous implications for federal IT decision-makers, who use certifications to hire people, set salaries and trust that workers have the necessary skills to protect mission-critical systems, Paller said.

He is especially concerned that the Defense Department now requires its frontline information assurance employees to have such nontechnical certifications. DOD's decision, finalized in December, came after the Titan Rain scandal last year in which international cybercriminals circumvented DOD's security measures and stole classified information.

"If these certifications do not correlate with hands-on security skills, then DOD is misleading its commanders by implying their people have the necessary security skills when they do not," Paller said.

Certification providers disagreed with the survey's findings, which showed -- by margins as large as 6-to-1 -- that the SANS Institute's Global Information Assurance Certification (GIAC) and vendor-specific certifications more effectively train people to improve security than programs that are not platform-specific.

The other organizations contend that their services provide enough technical background for frontline security employees to adequately protect mission-critical systems.

The SANS Institute is arguing that frontline security employees must know the nuts and bolts of the technology they use, said Lynn McNulty, (ISC)2's director of government services. (ISC)2 agrees that security professionals need product and platform knowledge, but managers must have a broader perspective to coordinate activities effectively, he said. He added that vendor-specific certifications can limit career progress.

(ISC)2's Certified Information Systems Security Professional and ISACA's Certified Information Security Manager, two of the most popular and prestigious certifications, target their audiences well and are professional milestones, said Everett Johnson, president of ISACA's International Board of Directors.

DOD officials are satisfied with their choice of certifications, said Robert Lentz, director of information assurance in the DOD CIO's office. The department has codified competencies for its IT security employees under Directive 8570.1, "Information Assurance Training, Certification and Workforce Management," which requires frontline security professionals to have certifications from CompTIA and (ISC)2 but not from the SANS Institute or vendors.

Lentz said the certifications ensure that information assurance employees have adequate hands-on experience. Combined with additional specialized training that commanders provide on-site, they will ensure sufficient security for mission-critical systems, he added.

To improve frontline security, DOD and certification organizations must create new platform-specific security certifications -- sets of progressively harder security tests -- to evaluate the proficiency of low-level employees responsible for hands-on security, Paller said.

Hands-on security

Last November the SANS Institute asked 4,278 information technology security professionals to rank the various certifications for people in their line of work. They rated how likely holders of each certification are to have the necessary skills and knowledge to effectively manage hands-on security. Federal, state and local government contractors accounted for 22.3 percent of respondents.

Participants said the best certifications for hands-on security jobs are the SANS Institute's Global Information Assurance Certification (64.3 percent); vendor certifications from Microsoft, Red Hat, Sun Microsystems and Cisco Systems (59.9 percent); and those from the International Information Systems Security Certification Consortium, or (ISC)2 (35.2 percent).

Furthermore, security management professionals benefit most from certifications granted by (ISC)2 (54.1 percent), the Information Systems Audit and Control Association (ISACA) (31.9 percent) and the SANS Institute (21.9 percent), while certifications from (ISC)2 (59.2 percent), the SANS Institute (40.6 percent) and ISACA (31.3 percent) give an edge to people in security policy and awareness roles.

-- Michael Arnone