Security certifications like CISSP are all the rage, but just how useful are they to CSOs looking to fill critical security positions?
It is time to hire someone new for your security team, and your desk is creaking under 200 kilograms of job applications. In big, bold letters the abbreviation CISSP appears after some candidates' names. What do you do? Can you pick one of these certified professionals out of the stack and be guaranteed an expert? After all, they are certified, aren't they?
Unlike other specialist professions, like medicine, engineering or even veterinary science, there is currently no established body charged with certifying security professionals. One US-based not-for-profit consortium, (ISC)2, is attempting to fill the void with its increasingly popular Certified Information Systems Security Professional (CISSP) accreditation.
As large organizations have rushed to fill IT security positions over the past few years, the growth in the popularity of CISSP has been nothing short of staggering. Since the year 2000, the number of CISSPs has grown from 3000, to 33,000 in 2005, according to (ISC)2 president and CEO Rolf Moulton, interviewed by phone from New York.
The CISSP exam consists of 250 multiple-choice questions covering 10 different facets of information security, from access control systems, physical security and cryptography, to security management, business continuity planning and disaster recovery planning. IT training "boot camps" have also sprung up all over the world, offering intensive, six-day courses. In less than a week, you can become a CISSP - assuming you meet the experience criteria: three years spent working in one of the 10 disciplines covered by the CISSP exam [see "About CISSP", Page 55].
Far from being worried about boot camps eroding the value of the CISSP certification, Moulton says the boot camps are great - assuming, of course, that the instructors are sponsored by (ISC)2. "The boot camps that we sponsor, we view them very positively. We have a higher pass rate for our boot camp than other training," he says. "What's most important to us is if you're not an (ISC)2 instructor then we can't comment on the competency of the individual."
However, according to William Shipway, Blake Dawson Waldron lawyers' IT security manager, holding a CISSP is not everything; a candidate's work experience is a much more important factor. Shipway, a supporter of the qualification, even concedes it would be possible for someone with little knowledge of computers to pass the CISSP certification if they studied the course material. Nevertheless, he says, the CISSP is a nice plus to see on someone's resume.
If engaging a consultant, Shipway prefers candidates with the qualification. While the consultant's previous experience and client list are more important, CISSPs speak a common language, he says, and tend to approach things in a similar way. The accreditation adds consistency to the lingo, and makes things run a little smoother. "You can definitely converse with them and have an understanding of the work they'll be doing," he says.
Not just any man and his dog can obtain CISSP certification; (ISC)2 requires all hopefuls to have at least three years of work experience before sitting the exam. But IT security expert Steve Manzuik, a former member of the elite BindView RAZOR security research team in the US and co-author of Hack Proofing Your Network, is not convinced the experience requirement filters out charlatans.
"A CSO knows they are getting good talent based on background checks and reference checks and not individual accreditations," Manzuik says. Manzuik concedes that short courses can be somewhat beneficial to "newbies" in the industry, but says a CISSP accreditation is just one step on a career path that requires a great deal of training and practical experience.
(ISC)2 and the supporters of CISSP say the certificate is aimed squarely at certifying a candidate's managerial aptitude in a security context, but former Network Solutions CSO turned freelance consultant Richard Forno says he has encountered some "real dummies" who tried to score good jobs by touting their security qualifications. One, he says, even succeeded in using his qualifications, which included CISSP, to wrangle a higher salary out of management. "He was a total zero," Forno says. "A total zero in architecture planning and review meetings, had not a clue about how to handle incidents on any level - operational or management."
Forno hardly offers a glowing endorsement, but independent technologist Richard Thieme, who will fly from the US to Australia to speak at this year's AusCERT IT security conference on the Gold Coast, is more charitable. "It's a transitional state. Once upon a time doctors were not licensed; these days, I prefer docs who have been to medical school," he says.
"Basic competence - beginner level, like getting a driver's licence says you can drive now, not that you're an expert driver - may be satisfactorily indicated by one or more certifications."
Government Steps In
It seems the Australian government is on the same page as Thieme. The Department of Communications, Information Technology and the Arts (DCITA) has put out a tender designed to determine the "state of play" as far as security qualifications are concerned. While the proposed contract will look at governance arrangements for the management of an IT security accreditation, any process will need to be industry driven, run and funded, according to the tender document. In other words, it will not be a regulated accreditation.
DCITA's IT security accreditation tender hints at a problem with existing US courses offered on Australian shores. "The department has been approached by a number of industry associations and industry representatives calling for the development of a qualification that is tailored to the specific needs of the Australian marketplace," the document says. The department would not disclose to CSO which bodies had approached it, citing "confidentiality reasons".
Professor Bill Caelli, head of the software engineering and data communications school at the Queensland University of Technology, is throwing his hat into the DCITA ring. Caelli has spoken out about security accreditations in the past, calling for government regulation of IT security specialists who "have a shingle on their door saying 'Security Professional'".
Due to QUT's involvement in the tender process, Caelli could not comment directly on any one security qualification, but he seems less than impressed by the spread of "boot camp" training. "There's a genuine problem that hasn't been looked at - it's called the 'hasty tasty'," Caelli says. "There's a general problem around the world in that enterprises want a one-week instant gratification course. However, the question really has to be asked what the education and training value is."
Caelli says it is impossible to teach a discipline in a week. "There's a time when a concentrated training course is appropriate, but those training courses should not be confused with real education," he says.
Caelli argues boot camp training has eroded the value of qualifications like the MCSE (Microsoft Certified Systems Engineer). During the heady days of the dotcom boom, an MCSE would virtually guarantee the holder a well-paid job. "The idea that a person can be fully educated in a short time is simply not realistic. That's different from a specific training, like how to configure a specific firewall system - maybe that is one week."
Karl Hanmore, the Bank of Queensland's IT security manager, agrees. Hanmore is from the old school of IT security, rising to his position from a background in hands-on Unix administration. "Experience goes a long way. Qualifications often point to someone's intent," he tells CSO. "When you look at overall security management, you can't become an expert in a one-week course."
The CISSP is an indication of someone's interest in security, not their ability, Hanmore believes. "If it came down to someone with no experience and a CISSP, and someone without it - a 'greyhair' - in the majority of cases people would still go for the greyhair," he says.
However, Hanmore also believes part of the problem lies with the technical experts who strive to succeed in the IT security world. "Geeky types are often people who don't work within the normal framework of learning - they're unconventional learners," he says.
And don't forget about the workers at the other end of the spectrum, the non-technical people with conventional jobs, who aren't interested in IT security as a career but are nevertheless required to be security conscious. In an effort to teach these people about the importance of information security, David Dittrich is developing security courses at the University of Washington. Dittrich, who will also speak at this year's AusCERT IT security conference on the Gold Coast, formerly worked in operations at the university, managing the security of its network, before branching out to develop the security curriculum and engage in related research projects.
"Everyone has to know about patching, everyone has to know about passwords," Dittrich told CSO by phone from Washington. "That includes doctors, lawyers and engineers. Doctors, for example, should know how to secure patient information."
It is an approach that Bill Caelli agrees with. The promotion of managerial staff with no familiarity with IT security concepts into CIO and procurement roles is a dangerous phenomenon. "There are people in the public service who are thrust into IT security jobs," Caelli points out.
But it is not just the accidental IT security staffer who Dittrich is targeting with his courses in Washington. Specialist IT graduates leave the university with a better understanding of security as well, he says. The university already offers courses in computer forensics and incident response, as well as secure coding modules for computer science students. It is an approach that has seen the university recognized by the National Security Agency (NSA) - the US equivalent of Australia's Defence Signals Directorate - as a Centre of Academic Excellence in Information Assurance Education.
The NSA push encourages uniform approaches to security education. While consortiums offering computer security certification are developing their own, disparate standards, Dittrich hopes the NSA's approach will lead to established and recognized academic qualifications.
The Secret Art
Closer to home, AusCERT's training and education manager, Mark McPherson, says something needs to be done to clarify the standing of security accreditations. "We really do need some kind of professional discipline rolled into the computer security industry. To this point it's been a craft or a secret art," he says.
University of Queensland-based AusCERT, which is funded by its members and the federal government, acts as an incident response centre and advisory body for IT security-related information. AusCERT is involved in developing its own certification criteria, along with several other bodies including the Information Security Interest Group, the University of Queensland and private sector organizations. "What we're offering isn't competition with CISSP, it's designed to go hand in glove," McPherson says.
The program AusCERT has in mind is designed to test experienced professionals, not teach them. "The examination is going to look at their existing skills," McPherson says. "It's really determining people's skill level and knowledge - their current capabilities."
McPherson claims AusCERT is not seeking to develop an official university degree. "It will just be called 'security practitioner' and hopefully it will be industry recognized," he says.
Both undergraduate and postgraduate qualifications are starting to become more popular, McPherson says, but security is learned through experience, not education. AusCERT itself takes on junior staff and trains them through hands-on experience. "We won't ignore standards, and we're certainly putting them through our exam program, but the practical application of knowledge is something the industry wants," McPherson says. He also insists that anything AusCERT puts together will be "heavily weighted" towards technical, not managerial certification.
"It's got to be. To be a practitioner you've got to know your tech stuff," he says.
This is where AusCERT's approach seems to differ from that of (ISC)2. (ISC)2's Moulton says the CISSP exam is definitely weighted towards the managerial aspects of security. The advantage of hiring a CISSP, according to Moulton, is their adherence to the (ISC)2 ethics policy.
CISSPs are required to comply with four ethical canons: protect society, the commonwealth and the infrastructure; act honourably, honestly, justly, responsibly and legally; provide diligent and competent service to principals; and advance and protect the profession. Those "who intentionally or knowingly violate any provision of the code will be subject to action by a peer review panel, which may result in the revocation of certification", states the (ISC)2 Web site. "The CISSP is not merely a certificate of accomplishment," Moulton says, "it is a sign of a professional."
However, Moulton admits not a single CISSP has ever lost their status due to a complaint to (ISC)2. Complaints have been made, he says, but none sufficient to warrant the stripping of a member's CISSP certificate.
It is hard to know how long the accreditation will survive, but Moulton has high hopes. "We could go the path of doctors or CPAs, where an organization or group provides certification," Moulton says. "I think we'd like to be that body, but we're quite a ways from pushing to be that body yet."
With the Department of Communications, Information Technology and the Arts due to establish a government-endorsed accreditation on July 15, Australians will not have to wait long to see.
About CISSP
The Certified Information Systems Security Professional accreditation is offered by the US-based not-for-profit organization (ISC)2, or the International Information Systems Security Certification Consortium. The CISSP exam consists of 250 multiple-choice questions covering 10 different aspects of information security and takes about six hours to complete. According to the CISSP Prep Guide by Ronald L Krutz and Russell Dean Vines, 70 percent of first-time test takers pass the exam.
CISSP accreditation was first offered in 1989. There are currently 33,000 CISSPs worldwide, including 500 in Australia. Some 75 percent of the Australian members were accredited within the past two years.
(ISC)2 estimates its "market" is around 1.3 million professionals worldwide, and by 2008 that number is expected to grow to 3.1 million.
The 10 Domains of CISSP
1. Access control systems and methodology
2. Application and systems development security
3. Business continuity planning and disaster recovery planning
4. Cryptography
5. Law, investigation and ethics
6. Operations security
7. Physical security
8. Security architecture and models
9. Security management practices
10. Telecommunications and networking security