Defining the Term Certification
Though Alan Paller is research director at the SANS Institute, the highly regarded information security training and certification organization, he supports the idea that organizations providing IT security training shouldn't conduct certification testing, too. But, Paller said, he doesn't expect SANS to abandon certification testing.
Why? The answer can be found in the definition of the word certification.
First, some background.
Franklin Reeder, the former Office of Management and Budget official, co-authored a white paper on building a federal cybersecurity workforce for the Commission on Cybersecurity for the 44th Presidency. The paper, A Human Capital Crisis in Cybersecurity: Technical Proficiency Matters, delves extensively into the need for cybersecurity education and certification. In an interview with GovInfoSecurity.com, Reeder put forward an idea he said he shared with co-author Karen Evans, director of the U.S. Cyber Challenge: the organizations that provide IT security training shouldn't be the ones granting certifications.
"Certifying bodies can't be in the training business; it's too much of a conflict of interest."
I caught up with Paller last week at the U.S. Cyber Challenge in Brooklyn - SANS helped found the challenge and provides training at the camps preceding the competition - and asked him what he thought of Reeder's idea. Paller said he'd like to see the cybersecurity community emulate the medical profession in which schools and hospitals train physicians and other healthcare professionals, with separate organizations doing certification, adding:
"The only reason SANS did testing, and we'll continue to do testing, is to allow people who graduate from our courses to demonstrate to their employers that they really mastered that material. But for certification and licensing, we definitely see a much more rigorous system. The current certification cannot stand as a foundation for licensing. You need much, much more hands-on testing; you've got to prove that they can do it."
As an educational institution, SANS gives tests just like colleges and universities. Said Paller:
"Because our courses are so in-depth, if you pass one of those tests, you're very different from everybody else. It doesn't mean you're certified, just really different. Right now, we use the word certification; it's the only word we have. But as we move forward, we think the word certification will be owned by this National Board of Information Security Examiners, and the guys who sell training won't be in the business of certifying people. They'll be in the business of teaching."
The commission recommended the establishment of an independent Board of Information Security Examiners to develop and administer a process for certifying cybersecurity professionals in specialized areas that should include not only so-called cybersecurity roles, such as intrusion detection and forensics, but areas such as software development and network operations that are crucial to information security.
The commission report, however, does not recommend the licensing of cybersecurity professionals, at least in the foreseeable future. It's not a question of semantics, but one of pragmatism. The IT security profession and its institutions just aren't there yet.