Blogger: Ramon Krikken
This blog post is based on a draft of the U.S. Senate Bill “The Cybersecurity Act of 2009” and the provided by the Senate Committee on Commerce, Science, and Transportation. There are many potential aspects of this to be discussed, but this post focuses on the requirement to “Provide for licensing and certification of cybersecurity professionals.”
If you read the introduction of the bill, it becomes pretty clear why the government is taking this interest. Statements such as “[The U.S. is] unprepared to respond to a ‘cyber-Katrina’” and “if the 9/11 attackers had chosen computers instead of airplanes as their weapons and had waged a massive assault on a U.S. bank, the economic consequences would have been ‘an order of magnitude greater’ than those caused by the physical attack on the World Trade Center” are clearly meant to illustrate the clear and present danger that our “cyber-weaknesses” present.
Whether you consider this FUD or fact is a different question, but it certainly is true that part of our economic wellness (and our collective or individual safety, when we look at defense, utilities, energy, and aerospace, for example) depends heavily on information technology and the information it stores, processes, and transmits. If the consequences are considered that grave, and the probabilities more than unlikely, it could certainly make sense to require real professionals on the job. Certification and licensing seem like a good mechanism to control this; I’m just afraid the government might get it wrong – good intentions go bad, sacred cows are not easily slaughtered … just like lobbyists.
“The” information security professional does not exist. Just as it takes many different engineers to build something, it takes many different security specialties to get things secure enough. To pretend that the average security professional possesses all required knowledge is silly – in fact, I object to the notion that security (or at least large parts of it) could be executed well enough without intimate knowledge of that which is being secured. So what certification(s) would be used?
Aside from specialization, there should also be a consideration of skill. If the consequences are indeed as grave as outlined in the bill, I’ll take the cyber-equivalents of the military and special forces, not the shopping mall guard and airport security, please. So a good percentage of CISSPs – the ones with only the book-smarts – are now out of the race (no offense to knowledgeable security professionals with a CISSP – I have one myself, too). And of course, the CISSP was never intended to be the be-all and end-all of critical infrastructure cyber-protection training, but the current overall education and training system does leave me wondering how this will be executed.
Perhaps we have general practitioners and specialists, like in medicine. Maybe we can have apprentices, journeymen, and masters like in some of the skilled professions. Would throwing the ISC2, ISACA, SANS, and a whole host of other certifications in a blender do us some good? I don’t know the answer, but I do hope the committee(s) will take a real hard look at what it takes to be any type of information security professional in a critical infrastructure protection role.