Certifications: A false sense of security

Would mandatory cybersecurity certifications translate into better security?

Nothing irks a security professional more than the suggestion that the federal government could improve security by setting up a standard certification program for agency staff members.

This idea, which is gaining traction in Congress, might sound reasonable. But many security experts say it is a red herring. One such expert is Daniel Castro, a senior analyst at the Information Technology and Innovation Foundation, who wrote a column on the topic for FCW.com.

“If certifications were effective, we would have solved the cybersecurity challenge many years ago,” Castro wrote. “Certainly more workforce training, although not a panacea, can help teach workers how to respond to known cyberattacks. However, workforce training is not certification, and organizations, not Congress, are in the best position to determine the most appropriate and effective training for their workers.”

His column triggered a flurry of reaction from readers, most of whom seconded his remarks by sharing observations and experiences of their own. Here is a sample of the responses, which have been edited for length, style or clarity.

Let go of that security blanket…
For once an article that speaks truth and reality. The government — DOD, in particular — has been harping on everyone to become Certified Information Systems Security Professional-certified. This is becoming a Linus security blanket for DOD. Internal training on actual incidents and related techniques on the spear tip technology is the training that good workers in cybersecurity can use, not cramming to take an exam and dump the info from the brain.
—Gil, Virginia

A misguided mandate…
In what we do, CISSP is not needed. CISSP-type security is mandated from above in generic terms. What we need are classes detailing the security settings on firewalls, Internet security and acceleration servers, domain controllers, exchange servers, Unix, Apple, etc. These are all given by the vendors of the hardware/software we use. Security comes from technical expertise of the product one is familiar with, not a generic book full of security best practices for businesses… The CISSP certification gives the government a warm, fuzzy feeling but secures nothing.
—Army civilian

Why managers are to blame…
The fault lies [with] top managers not paying attention to what the information systems security manager tells them. Too often, the security issues in an organization are overlooked or ignored by top management because it either doesn't help them shine or they are just not smart enough to comprehend what the ISSM is telling them. Until it bites them in the butt or takes a financial toll, they won't budge.
—GB, Virginia

Counterpoint: A new world of possibilities
I think there is another side of certification that should be discussed. While I agree that on-the-job or hands-on experience is the best way to master a specific technology, you are limited to the technology your company uses. Pursuing certification opens your confined world to new possibilities that you would have never known about had you not pursued a high-level certificate.
—Tim

Reader Comments

Mon, Jan 28, 2013 Susan

I've got several professional IT certifications and know that they are a poor indicator of my skills. It's been years since I passed those exams, and shortly afterwards I had forgotten almost everything I had crammed into my brain. Relevant work experience is what counts. Experience is how you acquire skills and retain what you've learned. My certifications only prove that I know how to finish what I start, period. Employers, stop looking for certifications if you want to hire the right person for the job.

Fri, Jul 30, 2010

And while we are all studying for our next certification and continuing-education credits, some 14-year-old Chinese kid who couldn't care less about the answers to our theoretical questions is working his way through our so-called security.

Mon, Apr 12, 2010 West New York, NY

At one time, certification made sense; today it is just a means for some people to take and pass an exam, and give others the impression that passing the test and getting the certificate qualifies the person as an expert in a certain subject or profession. This belief is a fallacy. Case in point: I saw my agency hire an individual who had CISSP, MCSE, CCNA, CNE, and several other certifications totaling about 15 to 20. This individual looked good on paper, but when it was time to show the skill that the certification required, the individual did not know what to do and had to ask or rely on others. We call these people paper tigers. If an individual has all these certifications and can't connect or troubleshoot a PC on an enterprise network, then the certifications are useless.

Tue, Feb 16, 2010 Jim Drennen Pensacola, Florida

As a certified security practitioner and a security trainer, both academic and corporate, I can see the "good" and the "bad" in this proposal. Let's start with the "bad": too many people have been promoted to pay grades above their technical and managerial competence. Until we are willing to come to grips with that reality and take steps to correct it, we are just fooling ourselves to think that certification will fix the problem. I am a CISSP and have a lot of respect for the certification; however, I have known others who were able to pass the exam whom I wouldn't hire, and those who could not pass the exam whom I would hire. The exam is grueling and tests a "baseline of understanding for the very broad field of security." The exam itself does not guarantee security competence. I have multiple certifications and could make the same points about most of them as well; I'm not picking on the CISSP cert itself.

On the "good" side: Knowledge is good. More knowledge is even better. I am often confronted with individuals who are attending training because they need it for a promotion or because it is mandated by their employer, who feel like they shouldn't have to be there because "they've been doing this stuff for 15-20 years." The truth of the matter is there are major gaps in the knowledge base. The DoD 8570 requirements for the three levels of both IAT and IAM, in my opinion, are just starting points, assuring baseline knowledge. From this baseline there needs to be a continuation to more hands-on, technically based training and certification. My point here is that many government and military employees have been sent to intense bootcamps at a high cost, only to return neither certified nor capable of performing the skills that they paid to learn. In my opinion, having attended both bootcamps and private vendor training, these venues are generally successful at actually preparing about 20% of the attendees to return and apply what was covered in the classes.

We need in-depth training, conducted on a daily or weekly basis over a longer period of time, where the participants can put into practice what they are learning and be evaluated on the effectiveness of what they are doing, with consequences. This applies to the private sector as well. This is not a short-term fix. The problem, as I see it, is that we want it fixed and we want it now, yet neither the private sector nor the government sector is willing to hold the players accountable. We want to throw money at the problem, buy some certifications and sleep well at night knowing ("thinking") we are secure. If there are going to be these tight requirements placed on the "foot soldiers in the trenches," there also needs to be adequate compensation for the effort and level of proficiency for the job they are doing. Certifications are not the problem or the solution. We need to require knowledge and skills that are verifiable. Certifications are a means but not the end.

Fri, Jan 15, 2010

I think some of you missed the point of the article. Certifications are entry level, period. ENOUGH SAID. Having a body of certified employees leads to a false sense of security. In a basic sense, everyone is certified, so they and management "think" they know the answers, but everyone's ego is so inflated that no one ever bothers to really research the answer. And certification tests rarely, if ever, test the ability to research an issue. Besides, if I wanted to hire a bunch of people who can spit out random trivia to pass a test, I would look for former game show contestants. But IT security is not a game show. At its base, even though we are dealing with high tech, human nature is behind it all. Attacks originate from humans and defenses originate from humans. Therefore we have to look at the natural human aspects of what certification does. Certifications clearly narrow the knowledge base and hinder diversification. It takes years to develop a test, by the test providers' own admission; this narrows knowledge. And when it's required to pass a test to keep your job, your primary focus is studying the knowledge to pass the test. This leads to a lack of diversification. I see it happening in the field now, and it's a sad state of affairs, and there is no change happening because the biggest defenders of certification are the certified persons themselves; again, human nature. But we need to get past this and properly prepare to defend our networks. My gosh, does anyone realize that the enemy just needs to study what we study and then plan attacks outside of that realm of knowledge? In a perfect world of certifications, everyone will be certified, as well as the enemy. But that's not the case; just how much of the enemy do you believe cares if we are certified? Let's take this thinking back to WWII, and say that every code breaker or cryptographer had to be certified. You see how much of a weakness that would have been?

Would the Windtalkers have even existed had the certification requirement been mandated? Now back to today: how many talented crackers are we missing out on?
