Fred Avolio
Avolio Consulting, Inc.
http://www.avolio.com/
In NetSec Letter #3
(http://www.avolio.com/columns/ProdCert.html), I discussed certification of security
products. I would like to spend this month’s space briefly discussing certification of security consultants. I
will suggest why we need it, how we get it, and what it really buys us.
In 1997, Gartner Group predicted:
They were right. When I was technology marketing manager for a company, I noted, tongue in cheek, "Marketing is easy. Anyone can do it." What I meant was that everyone I bumped into seemed to have an opinion about a logo, a slogan, a campaign, what show to be at, what magazine to advertise in, and how. I can note, with the same sarcasm, "Anyone can do Internet security. Everyone is an expert." Just as the PC "experts" came out of the woodwork in the 1980s, Internet and computer security experts abounded in the late '90s and will continue to in the '00s.
So, in a world in which anyone can hang out a shingle on the World Wide Web, how can we tell whom to trust? Or, as a 1984 movie asked, "Who ya gonna call?" There are three types of security professional certification and, as with product certification, they are distinguished by who does the certifying: certification through references, certification through professional oversight and licensing, and certification through government licensing.
Professional Certification
Auditors have professional certification. Accountants have it. So do doctors. And information systems security folks have the "Certified Information Systems Security Professional" certification (CISSP). It is supported (through training, testing, and the rest of the certification process) by the International Information Systems Security Certification Consortium, known for obvious reasons as "(ISC)2", pronounced "I-S-C-squared."
ICSA Labs, a division of TruSecure Corporation, has announced three levels of certification for security practitioners (see http://www.trusecure.com/html/secsol/practitioner.shtml). They are the ICSA Certified Security Associate (ICSA), the ICSA Certified Security Expert (ICSE), and the ICSA Certified Security Professional (ICSP). ICSA Labs is launching the ICSA test this summer. (I am on the oversight board for the ICSA Labs certifications.)
Before a candidate may take the test, both programs require a certain number of years and a certain type of experience. Both require periodic re-certification through training credits or retesting. Qualifying training includes university classes in the subject areas and training through institutes, training organizations, and conferences, such as CSI, Global Knowledge, SANS, TISC, and USENIX. Visit the certification web sites for details on requirements, testing, and re-certification.
References and Other Credentials
This is what most potential clients (you!) use and count on. If someone describes herself as a computer and network security professional, we ask her for names of former clients or business associates (supervisors) we can contact. Perhaps we, or someone else in our organization, have attended a conference and heard the person speak or teach a class. Maybe the person has written a book or magazine articles, thus revealing her understanding of the subject areas that matter to us. Sometimes another professional, whose opinion we trust, recommends someone.
Government Licensing
I am unfamiliar with requirements outside the United States. In a 1997 report from the President's Commission on Critical Infrastructure Protection entitled "Critical Foundations: Protecting America's Infrastructures," the commission suggests that the US Federal Government have a role in licensing information security professionals. The commission goes so far as to suggest that these professionals be subject to lie detector tests by act of Congress.
Pros and Cons and Recommendations
Government Licensing
I'll not discuss Government Licensing further, but only say that I agree with what CISSP board member Bill Murray said, in particular:
Professional Certification
I am an information systems security consultant, but do not carry a professional certification. I will explain why, shortly. This does not mean I think them useless. Both CSI and Secure Computing Magazine have indicated that the CISSP, for example, is showing up as a differentiator in the hiring of full-time personnel as well as consultants.
A professional certification (CISSP, ICSA, etc.) is especially useful for the individual who has changed
career focus, or who has started to specialize in this field. It may be especially beneficial to the one who has
the experience required, but not the publicity afforded to a conference instructor or editor. A professional
certification is useful for differentiation. Few of us would hire a person based solely on the person having
some uppercase letters after her name. Probably, we would still seek references and recommendations from
others.
References and Other Credentials
This is the easiest to understand, the most common, and the most time-tested. We use this method of "certification" for all sorts of things. The question is knowing whom to trust and how far. Whom can we trust to recommend someone else? How far can we transfer trust? Still, a bona fide positive recommendation from someone we trust, or from someone in a position of trust, is very useful. It requires a little extra work (contacting others), but as I suggest above, we would do this anyway.
What to do?
If we are looking to hire someone, we should use what we are used to: references and other credentials. These other credentials certainly include experience and may include professional certification. If we have candidates of apparently equal suitability, look to the professional certification. Care about federal government licensing only if we are required to by law or by regulation.
If we are individuals seeking certification, it depends. If you are well known in your field already and have established credentials and an established practice, certification is less important. I, and other consultants such as Rik Farrow, benefit from already having established credentials in this particular area through our writing, speaking, and teaching around the world.
For most people, especially those who have moved into the computer and network security space recently,
a professional certification is useful. It provides a baseline for you to evaluate your own knowledge, as well
as a framework for on-going education. It may also provide justification to management for sending you to
training courses and conferences.
For Further Information
CSI, the Computer Security Institute — http://www.gocsi.com/
TruSecure Corporation, ICSA Labs, and the ICSA Practitioner Certifications — http://www.trusecure.com/
(ISC)2 and CISSP — http://www.isc2.org/
The SANS Institute — http://www.sans.org/
Global Knowledge — http://www.globalknowledge.com/
USENIX — http://www.usenix.org/
"Critical Foundations: Protecting America's Infrastructures," 1997 President's Commission on Critical Infrastructure Protection report — http://www.info-sec.com/pccip/pccip2/info.html
Promotions, Self and Otherwise:
With friend and colleague Dave Piscitello of Core Competence, Inc. (http://www.corecom.com/) I co-wrote a feature for Information Security Magazine entitled "Signed, Sealed, and Delivered." It is a review of some new secure e-mail products. It is linked from my page at http://www.avolio.com/papers.html.
This past month I took part in a web-chat for SearchSecurity.com (http://searchsecurity.com/), in which I gave a tutorial on public key cryptography. To listen and to view the slides, visit their front page and follow the link to "Live! Online Events with Industry Experts." My next column for them will be a follow-up on some of the questions I did not have time to answer.
I also posted a recent column I did for WatchGuard on the topic of "Defense in Depth" (http://www.avolio.com/columns/defense-in-depth.html).