Would you undergo serious surgery without checking the credentials of the surgeon? Of course not. Would you board an airplane without some assurance that skilled people maintain and fly that plane? Probably not. The same logic applies to the protection of important information at government agencies.
A professional certificate doesn't guarantee that a practitioner can perform a particular task or isn't impaired in some way. But it provides some assurance that the person has met certain requirements, subscribes to some professional and ethical standards, and risks disbarment by violating those standards. For someone who wants a haircut, a certificate on the wall probably is proof enough of a stylist's skills. But for risky procedures, such as surgery, people probably would look beyond the surgeon's professional certification at references or track records. Still, credentials are an important first cut in protecting consumers.
Many people in the critical role of assuring that the nation's information infrastructure is safe have little, if any, training. Their work ranges from operating systems that process sensitive medical records for veterans to supporting the sophisticated communications systems on which the nation's warfighting ability depends. All too often, under-trained security workers are flying by the seat of their pants-a risk agencies can no longer afford because systems are far more complex than ever. Test after test conducted by the General Accounting Office shows that the government's systems are vulnerable, monitoring tools are insufficient, and response systems are inadequate.
Much is being done to make the technology less vulnerable. Organizations such as the Center for Internet Security, with which I am associated, and vendors such as Dell are developing safer technology right out of the box. The Federal Trade Commission says the government should buy products in which security is "baked in"-a notion that promises to gain currency in the months ahead. Buying products that are already hardened eliminates the expensive and time-consuming process of retrofitting those systems.
Even if every new piece of software and hardware were perfectly secure, the government relies on a cadre of security professionals who help configure the systems, monitor them and respond to incidents. Updating the government's hundreds of thousands of old systems-which could be defined as anything purchased last month-continues to pose a formidable challenge that can only be met by skilled cybersecurity professionals.
Chief information officers have the right to insist that their system administrators have the requisite credentials. Indeed, it's their duty. Various organizations offer professional certifications in security, including Security+ (from the Computing Technology Industry Association), the Certified Information System Security Professional (from the International Information Systems Security Certification Consortium), the Certified Information Systems Auditor (from the Information Systems Audit and Control Association) and the Global Information Assurance Certification (from the SANS Institute). And the number is growing.
The cost of these certifications is trivial compared with computer security expenditures or an organization's total investment in information infrastructure. Costs range from hundreds of dollars for the tests to the low thousands for basic training. If CIOs aren't ready to invest that kind of money in protecting their systems, then they have more serious problems.
Several large companies have adopted certification requirements for their system administration employees and are providing them the support they need to get certified. Those who don't meet the requirements lose privileged access to systems. Several federal agencies, including the Defense, Energy and Veterans Affairs departments are considering similar policies. At first, employees might feel that their competence is being questioned. But when it becomes apparent that the objective is to upgrade their skills, not weed them out, strong support generally will follow.
Operating a complex information infrastructure without insisting that systems professionals with security responsibility be properly certified is like running a hospital without checking the credentials of the doctors and nurses. It is nothing less than malpractice.