Quick Study

By Brian Robinson

Blog archive

In the future, everyone may be a cybersecurity professional

The Commission on Cybersecurity for the 44th Presidency has published its findings on the “Human Capital Crisis in Cybersecurity” and, as earlier reports suggested, it could be the spark for a wholesale change in the way the entire government IT work force is trained and certified.

Long term, if the commission’s recommendations are accepted, the professional bona fides of those who work in software development and network operations, as well as in traditional security areas such as intrusion detection and forensics, would be decided by an independent Board of Information Security Examiners. These areas are also critical to cybersecurity, the commission believes.

The commission identified a total of nine key roles in cybersecurity many of which, as with the above, don’t usually fall under the cybersecurity umbrella, including such things as systems administrator and even technical writer. “At least for the moment,” the commission said, it’s not including “executive and leadership roles or specialized functions unique to national security, intelligence or law enforcement.”

If you read through the commission’s report, however, it wouldn’t be surprising to eventually find just about any job that touches on IT, and therefore cybersecurity, included in this list.

The push for certification of cybersecurity professionals, and along with it the definition of just who fits that bill, will be controversial, given that there are many people already involved in cybersecurity that don’t have any formal qualifications. The commission tackles that by comparing the current state of cybersecurity to the practice of medicine in the 19th Century. Likewise, it said, the cybersecurity field has “lots of often self-taught practitioners only some of whom know what they are doing.”

It goes on to say:

“What has evolved in medicine over the last century is a system that recognizes that different kinds of skills and specialties are required. And, since most of us are not able to access the qualifications of a practitioner when a need arises, we now have an education system with accreditation standards and professional certifications by specialty. We can afford no less in the world of cyber.”

Those will be fighting words to some, and there’s a widespread dislike of the idea that the government could take a lead on deciding who is and who is not a cyber professional. But given the urgency that’s building around cybersecurity and the lack of people to fill essential roles, the commission’s recommendations will likely get a sympathetic hearing.

Posted on Jul 26, 2010 at 7:27 PM


Reader Comments

Wed, Jul 28, 2010 Susan Alders Millington, TN

Certifications are good up to a point. They tell you someone studied a specific type of material and was able to pass a qualification test of the information they studied. Okay, this does not speak of their 'work ethic', their 'initiative', their 'integrity', their ability to provide solutions to a security situation or their ability to provide ideas to make an IT environment better. Taking a test and passing it does NOT provide for a well rounded Qualified Skilled IT professional. I have seen to many people get a certification and just do NOT apply anything they studied. Coming across as all that and yet not able to resolve or manage any particular security threat.
We should NOT get so rapid around the certifications. We are going to need the total professional, one who takes stalk in the lessons learned which then allows us grow and improve. Education, Experience and time in the craft ALL should be apart of the total IT professional.

Wed, Jul 28, 2010 Karl Corona, California

If current cybersecurity professionals do not like the government direction then this community needs to implement their own definition of want it means to earn and maintain certification of cybersecurity professionals. If this community leaves a vacuum someone will fill it for them.

Wed, Jul 28, 2010

Well ain't that something new...Here's what's going to happen: the government policy "experts" will again take the easy way out, and simply state everyone who wants a government IT security gig (or wants to work as a government consultant) needs a CISSP. My dog has a CISSP. Seriously.

Wed, Jul 28, 2010

Licensing of MDs works because there exists a formal body of knowledge, mostly based on generally accepted scientific principles and peer-reviewed research. An individual's understanding of that body of knowledge can be tested and evaluated. Further, there is a reasonably clear path to continuing that education. And then there's the ultimate test: a doctor whose knowledge is lacking is often referred to as "the defendant." Nothing similar exists for "cybersecurity." We don't even have a generally accepted definition of the term, and we have even less understanding of what it means to be a practitioner. The field is also changing so rapidly that any certifiable knowledge would be obsolete within weeks. The recommendation for a rigorous certification system is based on a complete lack of understanding of the problem.

Wed, Jul 28, 2010

I can see retirement coming so soon!!

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

What is your e-mail address?

My e-mail address is:

Do you have a password?

Forgot your password? Click here
close
SEARCH
 Top 100 Slideshow
contracts DB

Trending

  • Dive into our Contract Award database

    In an exclusive for WT Insider members, we are collecting all of the contract awards we cover into a database that you can sort by contractor, agency, value and other parameters. You can also download it into a spreadsheet. Read More

  • Is SBA MIA on contractor fraud? Nick Wakeman

    Editor Nick Wakeman explores the puzzle of why SBA has been so silent on the latest contractor fraud scandal when it has been so quick to act in other cases. Read More

Webcasts