DOD, orgs: SANS survey findings not dire

Survey respondents say several popular certifications don't prepare employees to handle information security as well as vendor-specific certifications do.

Editor's Note: This story was updated at 5:25 p.m. Jan. 9, 2006, to reflect that the SANS Institute is a for-profit institute. The story previously stated that it was nonprofit.

Providers of a number of popular information security certifications are calling findings from the SANS Institute survey a case of apples and oranges. SANS is a training and education organization for security professionals.

The institute’s survey finds that respondents with certifications from the Computing Technology Industry Association (CompTIA), the International Information Systems Security Certification Consortium – also known as (ISC)2 – and the Information Systems Audit and Control Association (ISACA) think that their training does not give them a strong advantage in performing hands-on security jobs.

Those organizations’ certifications don’t improve holders’ ability to protect computer systems as much as the SANS Institute’s Global Information Assurance Certification and vendor-specific certifications do, said Alan Paller, SANS’ director of research.

But officials with the other organizations said they are not surprised that SANS put its certifications ahead of theirs for hands-on security. The survey illustrates the division of emphasis among security certification providers, said Lynn McNulty, (ISC)2’s director of government services.

ISACA aims for IT security governance, McNulty said. CompTIA courts entry-level employees, and (ISC)2 concentrates on policy and management training. All three are vendor-neutral.

Certifications set a baseline of technical experience and knowledge, but holders must keep their skills current by other means to stay effective, said Everett Johnson, president of ISACA’s International Board of Directors.

The survey’s findings indicate that “the certifications are doing the job they are intended to do,” Johnson said. “The certifications are for different purposes.”

Paller said he is especially worried because the Defense Department requires its frontline information assurance employees to have those nontechnical certifications.

DOD officials are confident in their choice of certifications, said Bob Lentz, director of information assurance in the DOD chief information officer’s office. The department has codified security competencies for its IT security employees under Directive 8570.1, "Information Assurance Training, Certification, and Workforce Management." Frontline security employees must have certifications from CompTIA or (ISC)2 but not SANS or vendors.

“The key error is that [DOD officials] took security managers who never had hands-on security experience to design a security certification,” Paller said. “If all you’ve ever done is write policy, how would you know what to do to secure a Unix box?”

The required certifications are fine for low- and midlevel security employees, but SANS training should dominate the certifications that technical staff members receive, said Robert Ashworth, a contractor at Government Solutions Group working on information assurance at the Navy’s Space and Naval Warfare Systems Command.

Ashworth holds eight professional certifications, including (ISC)2’s Certified Information Systems Security Professional (CISSP) and ISACA’s Certified Information Security Manager.

Under DOD’s directive, someone with CISSP certification could get any technical or managerial position, even though CISSP should not qualify people for technical positions because it is more analytical, Ashworth said.

Officials might have chosen CISSP because many people hold that certification, which could make it easier for DOD to fill positions, Ashworth said.

To improve frontline security, DOD and certification vendors must create progressively harder, platform-specific security tests to evaluate low-level security employees, Paller said.

Once they do, the rest of the government and industry will follow suit, improving security for everyone, Paller predicts.