Next, professional certifications already exist in cybersecurity, and have been adopted internationally. Most of these are even accredited by the American National Standards Institute (ANSI), and adhere strongly to the National Institute of Standards and Technology (NIST) publications. They all share the goal of providing a professional certification to those individuals with the requisite experience and knowledge, not to mention expanding the professionalization of the information security community across the globe. The Department of Defense got involved in this arena, and after a lengthy and collaborative process, issued DoD Directive 8570, requiring these existing professional certifications to be carried by those individuals with significant cybersecurity responsibilities. But again, the authors of the white paper, when they were in government, did nothing to increase the adoption of these certifications across the executive branch, nor did they embrace the DoD model by requiring these certifications for federal civilian agencies.
Next, we must acknowledge the cybersecurity technology industry in developing rigorous training and certification programs for the use of their technologies. After all, who better to test technical and practical skills than the manufacturers of the technology that is to be deployed in the cybersecurity risk equation? Microsoft, Symantec, McAfee, Cisco and all the rest have robust and successful certification programs already in place. When in need of a forensics examiner, employ one who has the certification in the tool being used, and not any other certification.
The assertion that a qualified and competent cybersecurity work force cannot be built based on existing professional certifications is absurd. And before considering legislating this matter, why not first (a) create an actual OPM series for the cybersecurity professional so that standards of performance and career progression can be put in place, and (b) adopt existing certifications on a mandatory basis across the government? Are these not the logical steps to consider before legislating an absurd and untested assertion?
But wait! Next we learn of the National Board of Information Security Examiners (NBISE), who also considers the existing certifications insufficient in some way. [Coincidentally, the NBISE leadership consists of the former OMB officials who wrote the white paper, the CSIS official who sponsored the white paper, and the SANS Institute’s Director of Research.] The NBISE will provide certifications that presumably go over and above the ANSI-accredited certifications such as the CISSP and the CISM.
It takes a good 25 years to create an admiral or a general to carry out our nation’s most critical and sensitive missions in order to protect and defend the Constitution. Should we now license them? And at a time when our nation needs to cut costs, why does the CSIS white paper recommend, and the Senate’s staff draft propose legislating a flawed concept that enriches a special interest?
Let’s be sensible. Now is not the time for experimental legislation, now is the time to get OPM to establish a job series and a career path for the cybersecurity professional, and now is the time to compel adoption across the executive branch of internationally accepted cybersecurity certifications already in existence. To do less is irresponsible, and to do more is absurd.
Bruce Brody, chief executive officer of the IT security consultancy New Cyber Partners, is the former chief information security officer at the departments of Energy and Veterans Affairs.