Guest Commentary: Certification and the cybersecurity human capital crisis

Leverage Existing Expertise to Address Shortage of Information Security Professionals

By Richard Clark, CISA, CGEIT, CRISC, and W. Hord Tipton, CISSP-ISSEP, CAP, CISA

It is clear that there is a critical shortage of U.S. federal information security professionals, as articulated in the recent prepublication release of the Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th Presidency whitepaper titled "A Human Capital Crisis in Cybersecurity."

Because this "human capital" issue is so critical, all involved voices--especially those who are on the front lines of information security, education, career development and certification--should be consulted and heard before the U.S. Congress moves forward with pending legislation on cybersecurity. The expertise and insight of the information security professionals represented by organizations including (ISC)2, ISACA, CompTIA, the Information Systems Security Association (ISSA) and others are essential to the development of effective legislation and, more important, to addressing the shortage.

Leaders of (ISC)2 and ISACA, highly respected professional bodies that represent the information security community around the world, encourage members of Congress to take advantage of our decades of experience and to leverage the existing, valuable certification and training infrastructure.

We support in concept the three legs of the report's recommendations: a) better technical training; b) certifications tied to work requirements; and c) leveraging procurement and human resources to bring the right people and technology to organizations. We nonetheless have deep reservations about the way in which the report has been drafted and about some of its analysis and recommendations.

The report recommends, among other things, the creation of a National Board of Information Security Examiners to close the gap between existing certification programs and specific skills; an emphasis on technology-specific certifications as a means of replenishing the current shortage of qualified professionals; a shift in focus in training and certification from security principles and best practices to primarily technical skills; and imposing licensure on information security, as in the medical profession, to ensure a qualified information security workforce. We do not agree that these recommendations address the true causes of the shortage or that they will deliver the appropriate solutions.

New survey data back up our assertion. (ISC)2 recently polled nearly 700 front-line information security professionals from government and industry on trending proposals regarding professional licensing through testing and the creation of an examination review board. The poll found that a majority of professionals do not agree with these proposals.

For example, 69 percent of respondents to the (ISC)2 poll said they do not believe that a government-run board of examiners will close the gap between existing certification programs and the cybersecurity skills needed in the workplace. The narrow approach of establishing a "National Board of Information Security Examiners" could undermine a specific goal of President Barack Obama's Administration and of security leaders: to achieve a global approach to cybersecurity. Our organizations are well positioned to advance that goal, as both are international, and many of our certifications are applicable to, and held by, professionals outside U.S. borders.

Additionally, 53.7 percent of respondents said they do not believe that spending money exclusively on technical certification programs and training would solve the nation's security problems. As a nation, we must continue to support all aspects of cybersecurity, including the design and development of more penetration-resistant information technology products and systems, which form the core of an organization's cyber defenses. The report needs to strike more of a balance between personnel issues and technological advancements.

As Congress grapples with the complexities of cybersecurity and with how to effectively professionalize the workforce for 21st-century challenges (both federal and civilian), it would be wise to utilize the existing programs and knowledge and to consider certain guideposts:

  • Identify multiple sources of information to determine the adequacy (and gaps) of the current certification process. The recent critique of the current certification system did not include input from our organizations or from the accrediting body for certifications. In addition, there are many dedicated government officials who work daily on these matters and who should be consulted.

  • Weigh whether current and proposed solutions support the goal of achieving a global approach to cybersecurity. Our organizations are active in the U.S. and global marketplaces and share the belief that cybersecurity must be addressed across national boundaries. Myopic proposals will not be effective, will not fully address concerns and should be resisted.

  • Carefully review empirical evidence to determine the correct balance between knowledge-based and performance-based training. In the absence of an agreed-upon comprehensive body of knowledge, a common taxonomy and a definition of a cyber professional, it is difficult to assess the need for and practicality of a performance-based training program. Moreover, thought must be given to the capacity to rapidly deploy and execute performance-based testing. Hastily replacing one system with another could result in several issues, including significant bottlenecks that would run counter to our national interest.

  • Ensure that certification requirements do not become overly technology-specific. An effective certification regime must help meet the need for professionals who have a thorough understanding of industry best practices, a broad knowledge of the field, sound professional judgment, and experience flexible enough to recognize, assess and manage threats in any environment and amid a quickly changing landscape. Certification in specific technologies quickly becomes outdated when solutions and processes change with the marketplace.

As global leaders in the certification community, (ISC)2, ISACA and many other organizations share a common goal: to align long-standing expertise in technology, education and certification with the needs of U.S. government stakeholders so that, together, we can best ensure that professionals have the necessary expertise in cybersecurity and can effectively serve the national interest. As Congress weighs the best way to enhance the capability and professionalization of the workforce, we ask that members take these points into consideration and meet directly with information security leaders who can contribute to and assist in bringing a more balanced perspective to this crucial topic.

About the Authors:
Richard Clark, CISA, CGEIT, CRISC, is chair of ISACA's Government and Regulatory Agencies Committee.
W. Hord Tipton, CISSP-ISSEP, CAP, CISA, is executive director of (ISC)2 and former CIO of the U.S. Department of the Interior.