A few weeks ago, the Obama administration released a 76-page document known as the Cybersecurity Act that could change the face of IT training and certification as we know it.
According to Dan Liutikas, senior vice president for industry relations and accreditations at CompTIA, lawmakers drafted the legislation to solve a big dilemma facing the United States and other nations around the world: How do we ensure the security of “critical infrastructure” that is at the heart of national security?
Recent events — including incidents that compromised personal information at the Internal Revenue Service (IRS) and The Ohio State University — have demonstrated that organizations in both the public and private sectors face challenges in keeping private data secure.
With this proposal, also known as the Rockefeller-Snowe bill, the government is “looking to do one of two things: either come up with a process of certification and licensure that they can implement, or come up with a method for having some other administrative body implement [it],” Liutikas said.
Liutikas recently served on a panel on this topic during the SecureAmericas conference in Arlington, Va. What he heard there was a consensus that companies would prefer a route that would lead to the oversight of security certification and accreditation, rather than the alternative model of a government body creating and implementing a program of licensure.
“I think one of the main things that might be a concern is the potential anti-competitive features,” Liutikas said. “If you have a licensing model, you’re going to find certain vendors and other organizations are lining themselves in such a way as to preclude others from being able to compete with them.”
He also noted the apparent impracticality of the licensing model. The Department of Defense (DOD), for example, indicated five years ago that it wanted to find existing certifications to put its employees through to achieve a base level of certification. To this day, only 60 percent of DOD employees have been certified, and there are years ahead before 100 percent is reached, Liutikas said.
“I think creating a licensing program — just by virtue of what you’d have to identify as [to] who is being licensed, what professionals are we actually licensing here — in itself may be an impossible task,” he said.
For the average IT professional seeking training and certification, federal regulation of IT competence would create additional barriers.
“They would have to go through the cost and expense of licensure, which may or may not include additional training,” Liutikas said. “Depending on what level of IT skills we’re talking about, cost is often prohibitive even for certifications sometimes because the training can be expensive.”
Despite these drawbacks, Liutikas said he and CompTIA support parts of the Cybersecurity Act as it relates to competency standards for IT security professionals.
“To the extent that they follow the DOD model and [look] to slot people into certification programs, and maybe make accreditation programs a part of the statute, we certainly support that,” Liutikas said. “To the extent that there might be a cybersecurity advisory panel associated with working on the bill, we would certainly support [an] industry-vetted cybersecurity panel, which we would hope to be a part of so that we can provide guidance to the legislators as they work through this process.”
Liutikas mentioned a couple of positive outcomes of this cybersecurity proposal for the IT industry as a whole.
“It’s excellent for the IT industry because it’s highlighted the importance that the IT industry plays within the government space and the private sector,” he said. “It’s also good that we’re looking to make sure that the IT workforce has a minimum level of competence and finding a way to assure that competence.”
– Mpolakowski, editor (at) certmag (dot) com