The funniest thing about mandating security certifications
The current push for mandatory security certifications reminds cartoonist John Klossner of America’s Funniest Home Videos.
If I accomplish nothing else as a parent, I want my children to know that the TV show America's Funniest Home Videos isn't. Funny, that is.
Most of you may know this already, and consider this a pointless goal given its obviousness, but I am finding this to be a bigger challenge than I first thought. At a recent social gathering of families, I came upon a group of kids flocked around a television watching AFHV, and laughing uproariously. I have to admit, I'm not an expert on this production, but I've seen enough episodes to help me get the gist of the format. The particular episode my kids were watching seemed to have a theme of people riding vehicles — bikes, wagons, skateboards, etc. — that ended up crashing into things.
My kids were not pleased with me as I commented, "That's not funny," after every clip of someone riding their bike off a roof. (I think I may have been embarrassing them in front of their friends.) I pointed out to my captive audience that the show cut away after every "funny" accident, never showing the participant getting up and walking away from the scene. The children got especially touchy when I started listing the injuries I imagined the people in the videos suffered — "Oooh, that's probably a broken collarbone"; "Ouch, he tore his ACL," etc. — and they asked me to leave when I began chanting "That's not funny, that hurts" after every video.
This isn't too different than the slapstick-oriented comedy I ingested as a kid — the Three Stooges, Keystone Cops and Little Rascals shorts, and any Warner Brothers cartoon. I think my problem is partially in the titling. Calling something "funny" is subjective enough, but calling it "funniest" draws a line. I think the majority of us are instinctively cynical when presented with anything called the "___est."
(If they had labeled those movies from my childhood "The Three Funniest Stooges" I might have had a more cynical outlook. But probably not. Which is why, as an adult, it is my responsibility to ensure that my children know the difference between humor coming from the exposition and universality of the human condition and the humor of a 40-year-old riding a tricycle off of a shed roof into an inflatable wading pool.)
This is similar to the qualms I have with IT certification programs. Certification is awarded to those who complete a course in their particular expertise, whether it be software, maintenance or, in the administration's current proposal, security. This is like calling them "America's Smartest Security People." (Okay, it would be more accurately titled "America's Most Qualified Security People," but you know how TV shows go for hyperbole.)
The comedian Don Novello, better known as Father Guido Sarducci, had a routine he called the Five Minute University in which he proposed a college program comprised of everything you remember from college five years after graduating, which would be about five minutes of material. As he points out, college is just memorization for the tests, much of which is soon forgotten. There was little real-world experience in this program.
I think most folks' concerns with certification are similar. Do I want someone working on my network who learned the particulars in a six-week program or someone who has been working with the technologies for years and has real-world experience?
There is also the "one-size-fits-all" aspect of certification training: Can one course in security be equally applicable across the many different systems and needs of agencies? One worry about certification training is that a central body — in this case Congress — will be deciding the security needs that are better known by the individual agencies. This is the equivalent of picking one style of automotive tires for the entire country to use in winter.
That said, I think certification training serves a purpose and should be encouraged for all federal personnel, not just IT workers. I have found that taking courses in work-related fields has helped me pick up skills and, more importantly, learn the vocabulary needed to speak with the real experts. I might not be a good Web designer (I'd call my show "The Goodest Web Designs"), but through the equivalent of certification courses, I'm able to recognize my needs and converse more effectively with someone who is. Having the entire workforce familiar with the terminology and technology involved would be helpful to all.
But don't take a course and then put up a sign telling me you are an expert. And don't ride a skateboard off a cliff and tell me it's funny.