It goes without saying that we should be able to trust people who do life-critical work. Unfortunately, the only proof of capability that software professionals can offer is the unsubstantiated opinion of their peers. The capability of software professionals matters because, since the dawn of the National Strategy (2002), experts have been warning us that exploitation of the right flaw in our cyber-infrastructure could lead to an unparalleled disaster.
When it comes to software, the key to the issue lies in defining the term "capable". Certificates and certifications have become a cottage industry. These credentials document that the holder possesses "a common understanding of the concepts, principles, and applications" of some aspect of IT work, as certified by a particular vendor. The problem is that no standard professional equivalencies exist for those certifications. So, even though an individual might hold a range of examination-backed credentials, it is hard to tell what those credentials actually mean for any given aspect of the profession, whether in information security, government cyber security or any other industry.
The right way:
• To make capability certification a truly meaningful element of the profession, what is needed is a centralized agent to analyze, interpret the meaning of, and underwrite the existing collection of certifications.
• This does not necessarily have to be a governmental entity. But the registry must have sufficient authority to ensure that the purpose of every certification it underwrites is properly characterized, and that each one accurately documents a given level of mastery for its specific area of professional focus.
• The ideal registry would look a lot like the certification scheme built around standards from the International Organization for Standardization (ISO) in areas such as information security management (the ISO/IEC 27000 series) and quality management (the ISO 9000 series), where ISO publishes the standard and accredited certification bodies audit against it.
All certification vendors would have to be vetted by the new entity to determine whether their certifications correctly characterize a given level of capability. Consumers could then simply refer to the registry to learn the exact capabilities a holder has demonstrated. The registry would provide the standard public warranty of trustworthiness that the profession currently lacks. The value to the public as a whole is that employers would know exactly what they are hiring and, more importantly, the registry would also identify those whose claimed capabilities are not backed by a vetted credential. A registry is only as trustworthy as the vetting behind it, though: it can attest to examined knowledge, not to how the holder will behave on the job.
Are You Cyber Ready?
This blog offers real-world insights on cyber security education and information security certifications.
