Government Demand for Certified Security Pros
As cyber-espionage techniques continue to advance, threats and vulnerabilities on critical information infrastructures have become all too common, and the need for qualified and certified information assurance professionals is becoming imperative.
Security issues were on the back burner after the Cold War ended, but began to gain momentum again around the mid-’90s and finally became a requirement after the Sept. 11 terrorist attacks. Although security awareness has been steadily maturing over the past 10 years, it still has a long way to go, according to Kent Anderson, managing director of Network Risk Management LLC and member of the Information Systems Audit and Control Association’s (ISACA) Certified Information Security Manager (CISM) Board of Directors.
“This is a complex issue, and we are shooting at a moving target,” he said. “The technology is changing so fast that the solutions that people came up with in the ’90s may not be applicable today.”
Because society is so reliant upon computer systems, and because technologies continue to advance rapidly, the risks and vulnerabilities are becoming more and more threatening. Hackers or “cyber-spies” are progressively penetrating governments’ critical information infrastructures, which affects national security and the economic and social welfare of the country.
People are most aware of threats such as computer viruses, but the major threat today is that both government and commercial entities are suffering from the loss of intellectual property. Because the number of security breaches, and the damage they cause, is on the rise, there may be something fundamentally wrong with the nation’s approach.
“The problem is that we have been looking at security solely as a technical problem, and it is not,” Anderson said. “We really need to address people, processes and technology—meaning we need to learn how to manage risk in cyberspace.”
According to the Government Accountability Office (GAO), national security needs to be addressed at the technical, legislative, organizational and international levels. And government officials from different agencies, as well as representatives from the private sector and the general public, need to take action to ensure information security.
Anderson said security is rarely considered a design criterion for most technologies today. However, the U.S. Department of Defense (DOD) and National Security Agency (NSA) are two of the many U.S. security divisions that are aggressively addressing the vulnerability of their information infrastructures.
Critical information protection is a key part of recent national security initiatives, and both the DOD and the NSA are implementing new strategies to train, certify and manage their information assurance workforce. Building partnerships with certification vendors has been an important step in determining exactly what skills their current and future information assurance professionals need.
According to Lynn McNulty, director of government affairs for the International Information Systems Security Certification Consortium (ISC)2, the NSA collaborated with (ISC)2 in 2003 to develop and administer the Information Systems Security Engineering Professional (ISSEP) credential for information assurance professionals who want to work for NSA, either as employees or outside contractors. The ISSEP serves as an extension of the Certified Information Systems Security Professional (CISSP) certification and addresses the systems engineering side of information security. Although the NSA has chosen only to emphasize security certifications and not make them mandatory for its information assurance workforce, the organization wanted to enhance its Information Assurance Awareness program and promote continued learning.
“The need for people who can demonstrate an understanding of the doctrine that underlines the federal government certification and accreditation program is going to become very important,” McNulty said. “Certification can better the security for federal information systems and decrease the likelihood of threats.”
The DOD, however, is implementing Directive 8570.1, an information assurance training, certification and workforce management plan, which will require information assurance technicians and managers to be trained and certified to a DOD baseline requirement. The directive’s accompanying manual, to be published at the end of October 2005, outlines the specific certifications mandated by the directive’s certification program.
According to the DOD’s Web site, “The ultimate vision of the directive is a sustained, professional information assurance workforce with the knowledge and skills to effectively prevent and respond to attacks against DOD information, information systems and information infrastructures. This effort will enable DOD to put the right people with the right skills in the right place.”
In fact, many DOD officials use certifications as a way to benchmark security professionals’ knowledge and experience. “The CISSP and other security certifications are a measure of the fact that one is qualified, and certainly could influence a DOD official’s decision on who gets privileged access to classified or unclassified IT equipment and information systems,” McNulty said.
State governments have been taking a different approach to professionalize their information assurance workforce. McNulty said that many state security departments offer bonuses and salary enhancements for those information assurance employees who have acquired an approved certification.
“Although state governments have not yet required it, they certainly make it very advantageous for their employees to obtain a security certification,” McNulty said.
As government agencies are becoming more aware and taking the steps to equip their information assurance workforces with the skills they need to combat security threats and vulnerabilities, there also has been tremendous growth in spending on information security professionals. “I have seen an influx in information security hiring,” Anderson said. “If you look at information security job listings, you will see a tremendous amount of jobs available, whereas 10 years ago, you may have seen only two or three.”
Not only has hiring increased, but the number of certified professionals continues to increase as well. Anderson said that more than 14,000 candidates registered for the CISA examination in 2004, a record high for the 11th consecutive year.
According to McNulty, “As the DOD starts implementing its certification requirement, we are potentially looking at between 100,000 and 110,000 people seeking to obtain professional security certifications.”
Both McNulty and Anderson agree that the increased number of security professionals seeking certifications will be challenging for their organizations. However, the continued awareness, education, training and certification of security professionals are critical steps to improving government security and the professionalism of information assurance workforces abroad.
“There is no magic-bullet certification out there that is going to solve all of the government’s IT problems,” McNulty said. “However, what we, the certification community, can do is maintain the fact that our certifications are relevant and reflect the current risk environments that the government faces, and that the people who hold security certifications have the qualifications to address the different types of threats that confront the government’s systems.”
Cari McLean