The Public Eye with Eric Chabrow

IT Security Profession: Heal Thyself


Governance of information security professional certification is a hodgepodge of professional associations and for-profit companies that develop and issue certifications. But a consensus of members of the Commission on Cybersecurity for the 44th Presidency, in a white paper issued earlier this week, believe there's a better way to certify IT pros: the establishment of a Board of Information Security Examiners, which would set the standards for all activities related to certification.

As I noted in my previous blog post, the future of IT security professional certification may be found in the field of medicine. That analogy was made in the white paper - A Human Capital Crisis in Cybersecurity: Technical Proficiency Matters - as well as in an interview I had with its co-author, former Office of Management and Budget official Franklin Reeder.

Now, let's explore more of the commission's thinking. As Reeder and co-author Karen Evans point out, such a model of governance has worked in a wide range of professions, including those certifying daycare providers, electricians and physicians.

In medicine, the American Board of Medical Specialties oversees a regime of rigorous standards doctors need to meet before receiving board certification, standards that furnish crucial information about a practitioner's skills and knowledge to those seeking medical services. Reeder and Evans write:

"While no test or credential can guarantee an outcome, taken together with information about performance, it increases the quality of care and patient's level of assurance. Similarly, it is essential to assure that those who buy cybersecurity services have tools to evaluate the competence of those whom they engage.
"Facing medical problems, few of us have the knowledge to evaluate the competence of those to whom we turn for assistance. Instead, we rely on a combination of independently administered professional certifications and state licensing authorities to tell us whether the provider has the needed training and has demonstrated the skills that we need."

To kick-start a new regime of IT security professional certification, the commission recommends the creation of a not-for-profit governance body to develop and administer certifications in two or three specialty areas and to evaluate whether some or any existing certification programs meet its standards. As the commission proposes, the organization would be overseen by three to five representatives from major private-sector organizations that employ high-end cybersecurity professionals, universities with major cyber education and research programs, and key government agencies and congressional committees.

The commission suggests the oversight board should direct and evaluate a two-year pilot test and, at the end of the first year, offer recommendations on whether or how the body should continue.

Also see:

Harsh Words for Professional Infosec Certification
9 Key Infosec Roles for Government
Infosec Skills Gap Threatens Key IT Systems

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.