Certifications Are Not a Panacea for Cyber Security Woes
Daniel Castro writes on FCW.com:
As Congress debates legislation to improve cybersecurity, one problematic idea that appears to have gained some traction is developing a national certification program for cybersecurity professionals.
More here.
If certifications were effective, we would have solved the cybersecurity challenge many years ago. Certainly more workforce training, although not a panacea, can help teach workers how to respond to known cyberattacks. However, workforce training is not certification, and organizations, not Congress, are in the best position to determine the most appropriate and effective training for their workers.
Organizations know that simply getting their employees certified will not solve their security challenges. Although a good certification standard might be a measure of a baseline level of competence, it is not an indicator of job performance. Having certified employees does not mean firewalls will be configured securely, computers will have up-to-date patches, and employees won’t write passwords on the backs of keyboards. Nor has the increase in the number of certified cybersecurity workers nationwide resulted in any noticeable decrease in the number of computer vulnerabilities, security incidents or losses from cyber crime. Between 2001 and 2005, although the number of Certified Information Systems Security Professionals in North America quadrupled, the number of vulnerabilities cataloged by the U.S. Computer Emergency Readiness Team more than doubled, the dollar loss of claims reported to the Internet Crime Complaint Center increased more than tenfold, and the number of complaints the center referred to law enforcement increased more than twentyfold.