Certifications: A false sense of security

Nothing irks a security professional more than the suggestion that the federal government could improve security by setting up a standard certification program for agency staff members.

This idea, which is gaining traction in Congress, might sound reasonable. But many security experts say it is a red herring. One such expert is Daniel Castro, a senior analyst at the Information Technology and Innovation Foundation, who wrote a column on the topic for FCW.com.

“If certifications were effective, we would have solved the cybersecurity challenge many years ago,” Castro wrote. “Certainly more workforce training, although not a panacea, can help teach workers how to respond to known cyberattacks. However, workforce training is not certification, and organizations, not Congress, are in the best position to determine the most appropriate and effective training for their workers.”

His column triggered a flurry of reaction from readers, most of whom seconded his remarks by sharing observations and experiences of their own. Here is a sample of the responses, which have been edited for length, style or clarity.

Let go of that security blanket…
For once an article that speaks truth and reality. The government — DOD, in particular — has been harping on everyone to become Certified Information Systems Security Professional-certified. This is becoming a Linus security blanket for DOD. Internal training on actual incidents and related techniques on the spear tip technology is the training that good workers in cybersecurity can use, not cramming to take an exam and dump the info from the brain.
—Gil, Virginia

A misguided mandate…
In what we do, CISSP is not needed. CISSP-type security is mandated from above in generic terms. What we need are classes detailing the security settings on firewalls, Internet security and acceleration servers, domain controllers, exchange servers, Unix, Apple, etc. These are all given by the vendors of the hardware/software we use. Security comes from technical expertise of the product one is familiar with, not a generic book full of security best practices for businesses… The CISSP certification gives the government a warm, fuzzy feeling but secures nothing.
—Army civilian

Why managers are to blame…
The fault lies [with] top managers not paying attention to what the information systems security manager tells them. Too often, the security issues in an organization are overlooked or ignored by top management because it either doesn't help them shine or they are just not smart enough to comprehend what the ISSM is telling them. Until it bites them in the butt or takes a financial toll, they won't budge.
—GB, Virginia

Counterpoint: A new world of possibilities
I think there is another side of certification that should be discussed. While I agree that on-the-job or hands-on experience is the best way to master a specific technology, you are limited to the technology your company uses. Pursuing certification opens your confined world to new possibilities that you would have never known about had you not pursued a high-level certificate.
—Tim