It’s time that the security industry stopped trying to play paramilitary games and started trying to do a good job (aka “best practices”). It would be a very pleasant change.

Currently, the three major information security religions – ISACA, ISC2, and SANS – offer a total of roughly 75 different certifications. This laundry list of certifications leads to a set of fairly serious problems:

  • Security professionals need fold-out business cards
  • Organizations need an equivalency look-up table for resume filtering

These problems are entertaining to describe this way, but also present a real problem – how can you objectively determine whether or not a given candidate has the skills necessary to do the job that they’re being asked to do?

Recently, the Commission on Cybersecurity for the 44th Presidency released a fairly damning report entitled “A Human Capital Crisis in Cybersecurity: Technical Proficiency Matters” (available as a PDF), which essentially calls out the old-line security certification bodies for producing really good compliance rubber-stampers but not functional security practitioners. That is a real gap that needs to be managed – and one outside of the scope of the pre-existing commercial security certifications.

Then things get interesting: this requirement was speedily turned into the ‘National Board of Information Security Examiners’, and if you just glance under the covers, you’ll discover something very telling.

Report authors: Franklin S. Reeder, Karen Evans, James Lewis

NBISE Leadership: Franklin S. Reeder, Karen Evans, James Lewis

It’s almost like they were ready to go with all of the answers to the problems they created… I guess they had some insight into what the report was going to say.

If you look around a little bit, you’ll likely reach the same conclusion that I did: SANS is a little miffed at EC-Council being named in the most recent DoD 8570 directive and someone specifically wanted to carve out a little bit of a government-regulated monopoly on security certifications – a permanent revenue stream.

I don’t think that this response is any more useful or valid than the position of the traditional security certifications. It’s yet another organization which exists to serve itself – not its members, and certainly not the ultimate end-users of its membership.

If you are a member of ISACA, ISC2 or SANS, I would encourage you to ask yourself what they’ve done for you lately, what they’ve done to make the information security profession more respectable, and, most importantly, how many hours it has been since they last suggested that you need to help them get more members.

After all, making a scarce resource less scarce is the best way to increase quality and make sure your value stays high.