Cybersecurity Training: Should Pros be Licensed?

Senate Bill Calls for Licensing, Certifying Fed Cyber Workers
A proposed cybersecurity mandate under discussion in the Senate would affect thousands of information technology and security workers if enacted. In essence, the proposal requires that every government employee and contractor who provides cybersecurity services to a federal agency, or for an information system designated as critical infrastructure, be certified and licensed. The proposal is part of the Cybersecurity Act of 2009, a bill introduced by Sens. John "Jay" Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine). Its stated purposes include ensuring the security of cyber communications with global trading partners and developing a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption. To those ends, the proposal would direct:
The Commerce Department to develop, or coordinate and integrate, a national licensing, certification and periodic recertification program for cybersecurity professionals;
It would then become unlawful for anyone who lacks the required license and certification to provide cybersecurity services to the federal government or its agencies, or for an information system or network designated by the president as critical infrastructure.

Pros and Cons

This push toward licensing and certifying cybersecurity professionals has spurred a debate within the government and associated organizations.

"It is a good idea, but how do we implement it?" says James Lewis, Director of Technology and Public Policy at the Center for Strategic and International Studies (CSIS). "There are still many unanswered questions. For example, we do not know what 'certified' means, or what you do to become certified."

Cybersecurity training is an initiative that takes time to implement, he says. "It is very encouraging to see this level of attention being given to cybersecurity training and education," says Hord Tipton, CEO and president of (ISC)². "However, it is one thing to write good ideas and another to follow through."

If implemented, the program would face numerous compliance, legal and regulatory challenges, quite apart from the need to define cybersecurity skills and services, which will be an extremely daunting task, Tipton adds.

Opinions about the proposal vary, but all agree that there is nothing new about using certification as a tool for hiring, placing and developing employees. Within the federal government, the Defense Department has had a mandatory certification requirement (though not a licensing requirement) for its information assurance workforce since 2004. George Bieber, director of the Defense-wide Information Assurance Program, says that with around 30 percent of that workforce now certified, a significant positive impact on employee performance is already visible.

"The concept is sound, but whether it will work will depend on the type and rigor of the certification," says Karen Evans, who served as the de facto federal chief information officer for more than five years until this past January. She maintains that cybersecurity is a complex field requiring a range of skills, from writing secure code to systems administration, intrusion detection and forensics. Curricula need to be developed so that certifications rest not only on completion of accredited coursework, but also on rigorous testing and monitored practical experience in the specific discipline and, quite often, on the specific hardware for which the individual is certified. "The certification needs to match up to the needs and address the gaps in the workforce. A less than rigorous certification and licensing process could be worse than none at all," she says.

"We know we are in the right direction by inculcating a commitment to the codes of ethics and continuing education in this field," says John Rossi, Professor of Systems Management / Information Assurance at the U.S. National Defense University. "The challenge lies in getting the government to fund it, as well as getting people to commit toward this initiative," he says.

Licensing is no different from what medical practitioners or even lawyers must obtain to practice their professions. As the security industry evolves, matures and moves toward specialization, this is bound to happen, Rossi adds.

Kevin Sanchez-Cherry, CISSP, CFCP, ITIL, COTR, C&A Program Manager with the U.S. Secret Service, says that if the government establishes a licensing program for IT security professionals, an independent organization and board should run it. He also suggests that licensing would be more appropriate for senior security executives than for the workforce as a whole. Rossi agrees, noting that just as the Department of Education accredits universities and other educational institutions through outside agencies, the government should appoint an organization and committee to oversee the licensing process.

Establishing certification or licensing requirements would force the government to define skill sets and career paths for cybersecurity professionals. "Certified" needs to be clearly defined so that people have a career and development path for meeting the requirements, says Evans. The problem is not just about recruiting federal employees: both federal agencies and the contractors they engage to support them are competing in a tight segment of the labor market. Programs like Scholarship for Service can marginally increase the supply, but it will take a while, she adds. Defining job categories and job series for IT security professionals, and creating new ones where needed, will also be a major challenge, says Sanchez-Cherry. Under the Office of Personnel Management's current classification, IT security professionals are categorized as IT specialists, managers or program analysts.

All the experts interviewed agree that this level of attention to IT security is much needed, and all think the initiative can succeed if it is implemented in phases over three to five years and modeled on the DoD certification program. "This focus on cyber security training will definitely lead to positive efforts toward enhancing our IT security workforce," says Rossi.

About the Author

Upasana Gupta

Contributing Editor, CareersInfoSecurity

Upasana Gupta oversees CareersInfoSecurity and shepherds career and leadership coverage for all Information Security Media Group's media properties. She regularly writes on career topics and speaks to senior executives on a wide-range of subjects, including security leadership, privacy, risk management, application security and fraud. She also helps produce podcasts and is instrumental in the global expansion of ISMG websites by recruiting international information security and risk experts to contribute content, including blogs. Upasana previously served as a resource manager focusing on hiring, recruiting and human resources at Icons Inc., an IT security advisory firm affiliated with ISMG. She holds an MBA in human resources from Maharishi University of Management, Fairfield, Iowa.