[ISN] Web extra: DOD, orgs: SANS survey findings not dire

[InfoSec News]

http://www.fcw.com/article91890-01-09-06-Web

By Michael Arnone
Jan. 9, 2006 

Survey respondents say several popular certifications don't prepare
employees to handle information security as well as vendor-specific
certifications do.

Providers of a number of popular information security certifications
are calling findings from the SANS Institute survey a case of apples
and oranges. SANS is a nonprofit training and education organization
for security professionals.

The institute's survey finds that respondents with certifications from
the Computing Technology Industry Association (CompTIA), the
International Information Systems Security Certification Consortium -
also known as (ISC)2 - and the Information Systems Audit and Control
Association (ISACA) think that their training does not give them a
strong advantage in performing hands-on security jobs.

Those organizations' certifications don't improve holders' ability to
protect computer systems as much as the SANS Institute's Global
Information Assurance Certification and vendor-specific certifications
do, said Alan Paller, SANS' director of research.

But officials with the other organizations said they are not surprised
that SANS put its certifications ahead of theirs for hands-on
security. The survey illustrates the division of emphasis among
security certification providers, said Lynn McNulty, (ISC)2's director
of government services.

ISACA aims for IT security governance, McNulty said. CompTIA courts
entry-level employees, and (ISC)2 concentrates on policy and
management training. All three are vendor-neutral.

Certifications set a baseline of technical experience and knowledge,
but holders must keep their skills current by other means to stay
effective, said Everett Johnson, president of ISACA's International
Board of Directors.

The survey's findings indicate that "the certifications are doing the
job they are intended to do," Johnson said. "The certifications are
for different purposes."

Paller said he is especially worried because the Defense Department
requires its frontline information assurance employees to have those
nontechnical certifications.

DOD officials are confident in their choice of certifications, said
Bob Lentz, director of information assurance in the DOD chief
information officer's office. The department has codified security
competencies for its IT security employees under Directive 8570.1,
"Information Assurance Training, Certification, and Workforce
Management." Frontline security employees must have certifications
from CompTIA or (ISC)2 but not SANS or vendors.

"The key error is that [DOD officials] took security managers who
never had hands-on security experience to design a security
certification," Paller said. "If all you've ever done is write policy,
how would you know what to do to secure a Unix box?"

The required certifications are fine for low- and midlevel security
employees, but SANS training should dominate the certifications that
technical staff members receive, said Robert Ashworth, a contractor at
Government Solutions Group working on information assurance at the
Navy's Space and Naval Warfare Systems Command.

Ashworth holds eight professional certifications, including (ISC)2's
Certified Information Systems Security Professional (CISSP) and
ISACA's Certified Information Security Manager.

Under DOD's directive, someone with CISSP certification could get any
technical or managerial position, even though CISSP should not qualify
people for technical positions because it is more analytical, Ashworth
said.

Officials might have chosen CISSP because many people hold that
certification, which could make it easier for DOD to fill positions,
Ashworth said.

To improve frontline security, DOD and certification vendors must
create progressively harder, platform-specific security tests to
evaluate low-level security employees, Paller said.

Once they do, Paller predicts that the rest of the government and
industry will follow suit, improving security for everyone.