Cybersecurity Training: Should Pros Be Licensed?
Senate Bill Calls for Licensing, Certifying Fed Cyber Workers
Pros and Cons
This push toward licensing and certifying cybersecurity professionals has spurred a debate within the government and associated organizations.
"It is a good idea, but how do we implement it?" says James Lewis, Director of Technology and Public Policy at the Center for Strategic and International Studies (CSIS). "There are still many unanswered questions. For example, we do not know what 'certified' means, or what you do to become certified."
Cybersecurity training is an initiative that takes time to implement, he says. "It is very encouraging to see this level of attention being given to cybersecurity training and education," says Hord Tipton, CEO and president of ISC2. "However, it is one thing to write good ideas and another to follow."
If implemented, the program will face numerous challenges in compliance, laws and regulations, on top of the need to define cybersecurity skills and services, which will be an extremely daunting task, Tipton adds.
Opinions about the proposal vary, but all agree that there is nothing new about using certification as a tool for hiring, placing and developing employees. Within the federal government, the Defense Department has had a mandatory certification (but not licensing) requirement for its information assurance workforce since 2004. George Bieber, Director of the Defense-wide Information Assurance Program, says that with around 30% of the DoD workforce now certified, a significant positive impact on employee performance has already been seen.
"The concept is sound, but whether it will work will depend on the type and rigor of the certification," says Karen Evans, who served as the de facto federal chief information officer for more than five years until this past January. She maintains that cybersecurity is a complex field that needs a range of skills, from writing secure code to systems administration, intrusion detection and forensics. Curricula need to be developed so that certifications are based not only on the completion of accredited coursework, but also on rigorous testing and monitored practical experience in the specific discipline and, quite often, on the specific hardware for which the individual is certified. "The certification needs to match up to the needs and address the gaps in the workforce. A less than rigorous certification and licensing process could be worse than none at all," she says.
"We know we are headed in the right direction by inculcating a commitment to the codes of ethics and continuing education in this field," says John Rossi, Professor of Systems Management / Information Assurance, U.S. National Defense University. "The challenge lies in getting the government to fund it, as well as getting people to commit to this initiative," he says.
Licensing is no different from what medical practitioners or lawyers need in order to practice their professions. As the security industry evolves, matures and moves toward specialization, this is bound to happen, adds Rossi.
Kevin Sanchez-Cherry, CISSP, CFCP, ITIL, COTR, C&A Program Manager with the U.S. Secret Service, says that if the government establishes a licensing program for IT security professionals, an independent organization and board should handle this cybersecurity training initiative. He also proposes that licensing would be more appropriate for senior security executives. Rossi agrees, noting that just as the Department of Education can accredit a university or educational institution through outside agencies, the government should appoint an organization and committee to oversee the licensing process.
Establishing certification or licensing requirements would force the government to define skill sets and career paths for cybersecurity professionals. "Certified" needs to be clearly defined in order for people to have a career and development path that meets the requirements, says Evans. The problem is not just about recruiting federal employees: both federal agencies and the contractors they engage to support them are competing in a tight segment of the labor market. Programs like Scholarship for Service can marginally increase the supply, but it will take a while, she adds. Defining job categories and job series for IT security professionals, and creating new ones, will also be a huge challenge, says Sanchez-Cherry. Under the Office of Personnel Management's current job series, IT security professionals are categorized as IT specialists, managers or program analysts.
All the experts agree that this level of attention to IT security is much needed, and they believe the initiative will succeed if it is implemented in phases over a span of 3-5 years and modeled after the DoD certification program. "This focus on cybersecurity training will definitely lead to positive efforts toward enhancing our IT security workforce," says Rossi.