Mandatory certification & licensing for IA professionals

By M. E. Kabay, Network World
February 15, 2010 12:04 AM ET
In this fourth article of a five-part series, I look at the controversy surrounding U.S. government proposals for mandatory certification of security professionals.

* * *

On April Fool's Day 2009, senators John D. "Jay" Rockefeller (D-W.V.) and Olympia Snowe (R-Maine) introduced Senate Bill 773, "A bill to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes." The bill's short title is the "Cybersecurity Act of 2009."

Among other important proposals bearing on the security of critical communications and computing infrastructure, the bill would introduce what Scott Petersen of SearchCompliance.com describes as, "a raft of new federal security standards and certification and licensing requirements that could have major impacts on businesses and security professionals."

Ben Bain ably summarized the key points of the bill about licensing in a June 18, 2009 article in Federal Computer Week.

From what I can tell by reading the pro and con arguments, here is a summary of the case on each side. I leave it to readers to make up their own minds.

Support
• Other professions involving public safety require government-sanctioned standards and licenses: why shouldn't critical infrastructure receive protection?
• Federal government involvement will support nationwide promulgation of better security standards than a hodge-podge of state-government-run programs or the chaos of independent standards.
• Defining federal security standards will lend credibility to information assurance and serve as a boost to security awareness.
• Federal standards for the civilian sector will inevitably improve government standards as well.
• Forcing industry to spend money on training and certification will overcome the risk-tolerant, short-term focus on quarterly bottom lines that interferes with rational security management.
• Certification would weed out charlatans and incompetents who move from victim to victim as they provide bogus, wasteful, ineffective information assurance advice.
• Certification, with its usual requirement for continuing professional education, may support continued learning and adaptation to a changing security environment.
• The new law would bring regulatory and legal pressure to bear on the private sector to bring security standards in line with government security standards such as the Federal Information Security Management Act (FISMA).
• Legal force would bring the research and standards defined by the National Institute of Standards and Technology (NIST) Information Technology Laboratory (ITL) Computer Security Division (CSD) to the private sector more strongly.
• Testing, certification, and licensing should be removed from organizations that profit from training and education.
• All resistance to government involvement in any aspect of business is the mark of either Fascists or devil-worshippers. [OK, it's joke No.1 – it's an unspoken bias that I suspect is held by some proponents.]
