NetSec Letter #9 Certification of Security Professionals: Whom Do You Trust?

Fred Avolio
Avolio Consulting, Inc.
http://www.avolio.com/

In NetSec Letter #3 (http://www.avolio.com/columns/ProdCert.html), I discussed certification of security products. I would like to spend this month's space briefly discussing certification of security consultants. I will suggest why we need it, how we get it, and what it really buys us. In 1997, Gartner Group predicted:

"We expect 1998 will be a tumultuous year for the supply side of professional security services. Enterprises should brace themselves for a new wave of 'hacker' consultants in a market that has few experts."

They were right. When I was technology marketing manager for a company, I noted, with tongue-in-cheek, "Marketing is easy. Anyone can do it." What I meant was, it seemed everyone I bumped into had an opinion about a logo, slogan, campaign, what show to be at, what magazine to advertise in, and how. I can also note, with the same sarcasm, "Anyone can do Internet security. Everyone is an expert." Just as the PC "experts" came out from under the woodwork in the 1980s, Internet and computer security experts abounded in the late '90s and will continue to into the '00s.

So, in a world in which anyone can hang out a shingle on the World Wide Web, how can we tell whom to trust? Or, as a 1984 movie asked, "Who ya gonna call?" There are three types of security professional certification and, as with product certification, they are based on who does the certifying. They are certification through references, certification through professional oversight and licensing, and certification through government licensing.

Professional Certification

Auditors have professional certification. Accountants have it. So do doctors. And information systems security folks have the "Certified Information Systems Security Professional" certification (CISSP). It is supported (through training, testing, and the rest of the certification process) by the International Information Systems Security Certification Consortium, known for obvious reasons as the "(ISC)2" -- the "I-S-C-squared."

ICSA Labs, a division of TruSecure Corporation, has announced 3 levels of certification for security practitioners (see http://www.trusecure.com/html/secsol/practitioner.shtml). They are the ICSA Certified Security Associate (ICSA), the ICSA Certified Security Expert (ICSE), and the ICSA Certified Security Professional (ICSP). They are launching the ICSA test this summer. (I am on the oversight board for the ICSA Labs certifications.)

Before taking the test, both require a certain number of years and type of experience. Both require re-certification through training credits or retesting. These include university classes in the subject areas, training through institutes, training organizations, and conferences, such as CSI, Global Knowledge, SANS, TISC, and USENIX. Visit the certification web sites for information and details on requirements, testing, and re-certification.

References and Other Credentials

This is what most potential clients (you!) use and count on. If someone describes herself as a computer and network security professional, we ask her for names of former clients or business associates (supervisors) we can contact. Perhaps we, or someone else in our organization, have attended a conference and heard the person speak or teach a class. Maybe the person has written a book, or magazine articles, thus revealing his understanding of subject areas of importance to us. Sometimes another professional, whose opinion we trust, recommends someone else.

Government Licensing

I am unfamiliar with requirements outside the United States. In a 1997 report from the President's Commission on Critical Infrastructure Protection entitled "Critical Foundations: Protecting America's Infrastructures," the commission suggests that the US Federal Government have a role in licensing information security professionals. The commission goes so far as to suggest that these professionals be subject to lie detector tests by act of Congress.

Pros and Cons and Recommendations

Government Licensing

I'll not discuss Government Licensing, but only say that I agree with what CISSP board member Bill Murray said, in particular:

Professional Certification

I am an information systems security consultant, but do not carry a professional certification. I will explain why, shortly. This does not mean I think they are useless. Both CSI and Secure Computing Magazine have indicated that the CISSP, for example, is showing up as a differentiator in hiring of full-time personnel as well as consultants.

A professional certification (CISSP, ICSA, etc.) is especially useful for the individual who has changed career focus, or who has started to specialize in this field. It may be especially beneficial to the one who has the experience required, but not the publicity afforded to a conference instructor or editor. A professional certification is useful for differentiation. Few of us would hire a person based solely on the person having some uppercase letters after her name. Probably, we would still seek references and recommendations from others.

References and Other Credentials

This is the easiest to understand, the most common, and the most time-tested. We use this method of "certification" for all sorts of things. The question is knowing who to trust and how far. Who can we trust to recommend someone else? How far can we transfer trust? Still, a bona fide positive recommendation from someone we trust or someone in a position of trust is very useful. It requires a little extra work -- contacting others -- but as I suggest above, we would do this anyway.

What to do?

If we are looking to hire someone, use what we are used to: references and other credentials. These other credentials probably include experience and may include professional certification. Certainly, if we have candidates apparently of equal suitability, look to the professional certification. Only care about federal government licensing if we are required to by law or by regulation.

If we are individuals seeking certification, it depends. If you are well known in your field already and have established credentials and an established practice, certification is less important. I, and other consultants such as Rik Farrow, benefit from already having established credentials in this particular area, through our writing, speaking, and teaching around the world.

For most people, especially those who have moved into the computer and network security space recently, a professional certification is useful. It provides a baseline for you to evaluate your own knowledge, as well as a framework for on-going education. It may also provide justification to management for sending you to training courses and conferences.

For Further Information

CSI, the Computer Security Institute -- http://www.gocsi.com/

TruSecure Corporation, ICSA Labs, and the ICSA Practitioner Certifications -- http://www.trusecure.com/

(ISC)2 and CISSP -- http://www.isc2.org/

The SANS Institute -- http://www.sans.org/

Global Knowledge -- http://www.globalknowledge.com/

USENIX -- http://www.usenix.org/

"Critical Foundations: Protecting America's Infrastructures," 1997 President's Commission on Critical Infrastructure Protection report -- http://www.info-sec.com/pccip/pccip2/info.html

Promotions, Self and Otherwise:

With friend and colleague Dave Piscitello of Core Competence, Inc. (http://www.corecom.com/) I co-wrote a feature for Information Security Magazine entitled "Signed, Sealed, and Delivered." It is a review of some new secure e-mail products. Please find it off of my page at http://www.avolio.com/papers.html.

This past month I took part in a web-chat for SearchSecurity.com (http://searchsecurity.com/). I gave a tutorial on public key cryptography. To listen and to view the slides, visit their front page and follow the link to "Live! Online Events with Industry Experts."

My next column for them will be a follow-up on some of the questions I did not have time to answer.

I also posted a recent column I did for WatchGuard on the topic of "Defense in Depth" (http://www.avolio.com/columns/defense-in-depth.html).
