A new non-profit group is developing certifications for
information technology security professionals that will set a high bar for IT
security practitioners in areas like penetration testing, code auditing and
control systems operation.

The National Board of Information Security Examiners (NBISE)
is a new, not-for-profit corporation headed by former NERC (North American
Electric Reliability Corporation) CSO Mike Assante and overseen by a board of
luminaries in the world of information security and critical infrastructure. The group will be designing certification
exams to test the knowledge, practical
skill and professionalism of IT security practitioners, with an eye to weeding
out the information technology world’s equivalent of quacks and hucksters.

The new tests are designed to supplant a hodgepodge of
private and industry certifications for IT security practitioners, including
the CISSP and certificate programs run by the SANS Institute and other industry
and private groups. NBISE claims that too many of those tests measure knowledge
rather than the hands-on skills required of practitioners.

“This is about a higher level of testing,” said NBISE
Director and SANS Institute Director of Research Alan Paller. “It’s about having
confidence that the person you hired doesn’t just know the answer, but can do
the job.”

NBISE Chief Operating Officer Kelly Ziegler likens the exams to those required by the National Board of Medical Examiners for aspiring physicians.

Paller said that the group is working with top practitioners
in a variety of disciplines to design exams that test practical knowledge, not
just book knowledge. Scenario testing – akin to the now famous “Capture the
Flag” tournaments at DEFCON and other hacking conferences — will be an
important component of the NBISE exams, he said.

“If you look at (penetration) testing, you can have multiple
choice questions about the correct approach when pen testing, but that’s very
different than having an actual set of systems and having to find a flag,
rather than just answer questions about how to find it,” Paller said.

NBISE plans to release its first exam in the next 30 days.
That test will be an adaptation of the UK’s Council of Registered Ethical Security
Testers (CREST) exam for penetration testing. The group is working with the
UK government’s CESG – the British equivalent of the U.S.’s National Security
Agency – to adapt that exam for use in North America, according to Ziegler.

In other areas, such as the operation of control systems and
secure coding, computer forensics and incident response and handling, NBISE is
forming national boards of experts to get to work developing exams. The group
is also being advised by the National Board of Medical Examiners on ways to
devise certification exams that test practical knowledge.

Paller said the new emphasis on certification is a response
to an aching skills gap in the IT security space. That gap has been underscored
by a series of studies and reports that have pointed to the need to develop IT
security expertise within the public and private sectors. Most recently, in
June, the Center for Strategic and International Studies issued a report warning
of a “human capital crisis” in cyber security.

Paller said that the profusion of different certifications
has allowed legions of poorly trained IT professionals to falsely claim
expertise in cyber security. Often, their lack of training only becomes evident
once they’ve been hired.

NBISE will also provide more focused instruction than
initiatives like the U.S. Department of Defense’s Directive 8570 (DOD 8570),
which provides training and certification guidance for government employees who
work in Information Assurance but gives employees a menu of different
certifications to choose from in fulfilling the directive, say NBISE
organizers.

The NBISE exams, once instituted, will serve as
a threshold exam for work in areas like government and financial services,
separating those with technical knowledge of a subject from those with both
knowledge and hands-on experience to perform a job. Paller said that the exams,
once adopted, could take business away from certification organizations like
the SANS Institute, but that those organizations might merely shift to fulfill
a role similar to that of medical schools today: teaching students the body of
material and hands-on skills necessary to pass the NBISE certification exam.

Categories: Compliance, Government

Comments (21)

  1. Anonymous
    2

    Finally. Finally people are starting to wake up to the realization that CISSPs are NOT technical people and are NOT “security experts”. There are certainly those that ARE security experts that have gotten this cert, but the vast majority can’t do anything technical if asked to. I have talked to some seriously ignorant people in the IT security space who work at financial institutions and elsewhere that shock me with their lack of technical knowledge. Not only that, it scares me that they are responsible for protecting their clients’ sensitive information.

    I look forward to the day that the CISSP is completely done away with unless it’s ONLY required for a management position.

  2. Anonymous
    4

    I’m still trying to figure out Alan Paller’s involvement here given his relationship with SANS, the SANS Institute, and by relationship, GIAC.  Especially when SANS and GIAC have historically been focused upon applied knowledge, which directly translates to capability.

  3. Anonymous
    5

    While SANS is focused on applied knowledge, I can attest to the fact that I have passed multiple GIAC exams with a score of 90% or better with very little skill. I am a good test taker and I know the answers to the questions being asked due to the excellent course material SANS provides and my preparation for the exam, but I seriously doubt my capability to perform adequately in the jobs corresponding to the exams beyond an entry level ability. For instance, I passed 2 of the GIAC penetration testing exams at 90% or higher and I couldn’t write a line of code if my life depended on it. Find me a qualified penetration tester that can’t write exploits on the fly when the test demands it. I didn’t think so.

    This is a step in the right direction. CREST is very well regarded in the industry and it will be interesting to see if this can take a foothold here.

  4. Anonymous
    6

    Having worked in information security for 30+ years I take exception to the claim that this profession is populated by “quacks and hucksters”.  I have had the honor of working with exceptionally capable technical specialists who worked very hard to protect the organizations where they worked.  The protection of government and critical infrastructure systems from attack or compromise needs to be a high priority.  A focus only on technical skills to the exclusion of good business and risk management sense misses the important and necessary link with why we do cybersecurity.  The CSIS report rightly identifies the need in government to attract the skilled technical people required to implement and manage security programs.  The need I believe has more to do with the failure to identify a career path for security professionals than it does with the lack of qualified people in the workforce.  The situation is much different when comparing public and private sector security programs and outcomes.  The CSIS report identifies the need for a holistic solution to cybersecurity.  A true holistic approach recognizes the multiple skills and capabilities that are needed in organizations to protect organizations.  A focus only on technical skills will fail to deliver a true holistic solution to what is an enterprise risk management problem.

  5. Anonymous
    7

    This is interesting, but I don’t know how it plays out considering that head hunters and firms regard the CISSP so highly. I agree that this cert is really watered down (btw, I do hold it as well as GIAC). I must say that it is an empty feeling having passed the GIAC and CISSP in hindsight. SANS gives you the answers and the CISSP is basic infosec at best – really non-technical…

  6. Anonymous
    8

    Solving the problem of certification glut with more certifications, sounds great. The overselling of this one makes it sound particularly promising </sarcasm>

  7. Anonymous
    9

    I have a dumb question. How come the same people that wrote the CSIS report last month calling for a board of information security examiners are running this board? Doesn’t that seem kind of odd? I mean you are tasked with providing unbiased guidance to the president and you say “you should really set up a new non-profit to supplant all the existing certification programs, oh and by the way we just happen to have one set up…” :)

  8. Anonymous
    10

    Another cert? Please, there’s enough certs already competing in the marketplace. The fact is, CISSP/CISM/CISA are the de facto strategic level security certifications. ISC2 and ISACA are compliant with ISO/IEC 17024, are already well established and recognized within the business community. SANS GIAC, CEH, coupled  with vendor specific certs, fill the requirement for technical security certification. What does this cert have to offer besides a lot of chest pounding? Nothing.

  9. Anonymous
    11

    It is so disconcerting to see comments like “CISSPs …and are NOT ‘security experts’”.

    Aside from the fact that it’s an expansive, general and inaccurate statement, it perpetuates the idea that security team members are solely “firewall guys”.

    While that is a worthy role many are happy with, hanging a broad label degrades the security professionals who strive to ensure the entire enterprise is secure.  Receiving visibility for security initiatives (outside of network changes) becomes next to impossible when our own try to limit the rest of us in this way.

    I’m the first to admit that there are hacks in our industry – like every other.  I applaud any attempt that allows my competent colleagues to separate from the pack.  Let’s be careful how we go about accomplishing that task.

  10. Anonymous
    12

    Paller is an asshole, as director of research for SANS, why rubbish their certifications in the name of this new quango crowing about its self worth.

    SANS should kick him out.

  11. Anonymous
    13

    SANS delivers quality training (albeit very expensive).  However, Paller’s continued puffery and shameless promotion has weakened the SANS brand.  Perhaps he’s become a victim of his own success?

  12. Anonymous
    15

    If it brings CREST to the US, I’m all for it. I’m just wondering whether the requirement to be an employee of a CREST company will be there, since I doubt that will ever happen in my org. I’d love to see CREST and ISECOM become mainstream here. Flush the CEH down the crapper where it belongs!

  13. Anonymous
    16

    For the person who commented on Alan Paller and the need to fire him from SANS: you probably don’t realize he is SANS, and an owner rarely fires himself.

    I agree that the OSSTMM would really be a great start to train Security Tester on real skills. Like Pete Herzog always says: If you wish to get cool training then you take the CEH. If you wish to get skill and prove you can walk the walk you take the OSSTMM certs.

    Who is CREST?

    Even a few years ago they did not exist. Now we are going to use them as the example of what should be done in the US. I think someone is either blind or deaf or both. We do have great training already but little on the side of WHAT DOES ONE REALLY NEED TO KNOW in each specific employment.

    We are too focused on letters after people’s names but not enough on skills.

  14. Anonymous
    18

    Go read the following article from Paller and Reeder (the author of the CSIS whitepaper that this article cites)

    http://www.govexec.com/story_page.cfm?articleid=18002&printerfriendlyvers=1

    Paller and Reeder (NBISE’s Chairman) have been pushing this agenda for the past 10 years.

    I also heard that the other major certification bodies (except SANS because of Paller’s support) were left out of the discussions. Hard to call it a “National Board” if you prevent other key stakeholders like ISC2, ISACA, ISSA, and CompTIA from contributing.

    Unless of course you are trying to create a monopoly. Words like “supplant” in the article above don’t leave a lot of room for doubt what these guys are trying to do…

  15. Anonymous
    19

    Anything with Allan Pallard’s name has got to be bogus. First of all you insist that the certification of the IT security have hands on experience. What about the monkeys who run the network and the servers? Most if not a great majority of them have zero knowledge.  What about the managers who manage these systems? Once again zero knowledge.  Talk about stupid is as stupid does. This is another one of those get rich quick organizations who are just trying to get their foot in the door.  BLA! Pootooie!

    Most system administrators know how to install an operating system, set up users and maybe patch a system that’s it.  They know nothing about monitoring a system, reporting on a systems status, securely configuring a system nothing.  I could take 80% of the system administrators and put their knowledge of IT security in a thimble and still have enough left over for their managers.

    Managers don’t know how to make the system admins accountable and the ones who have established some sort of internal control had it created or forced upon them and still can’t understand why they get those reports.

    You think IT people should be certified? I agree, but don’t keep harping on the IT Security people. What, the two or three you found who passed the test with no experience?  Yeah, great comparative study.  Sounds like a right wing anti health care reform with their token Canadian who needed brain surgery.  Give me a break.

    I can top your swayed survey, for every one IT Security certified individual you show me who you say can’t do the job I can fill up a convoy of 18 wheelers like undocumented aliens who have zero knowledge more than how to set up accounts and they do that wrong.

    And technical knowledge, what is that? Let’s see, how about running an internal Nessus scan against a new server and giving the results to the system admin.  How many times have I done that and got a blank stare like I’m speaking pig latin Yiddish.  The manager has no clue what to do with the results and the system admin knows only that you’re interfering with his Facebook time.

    You want a certification? How about certifying the system admins first, then the managers? How about we stop hiring idiots as managers who have about as much knowledge of IT security as Snooki knows about diet.  You want a job as an IT manager, where’s your certification?  Oh, guess what, they don’t require one.  It doesn’t take anyone with any REAL knowledge.

    If it’s not broke don’t fix it.  But a lot of good you do if you don’t know when it’s broke.

  16. Anonymous
    20

    It is unlikely that SANS will get rid of Alan Paller since he owns SANS. SANS is a for-profit company with sales of approximately $30 million.

  17. Anonymous
    21

    I would agree that Paller is an asshole. Not only is he an asshole, but his security knowledge in many areas is dead wrong. At a recent RSA conference people were talking about how he has been dispelling misinformation, in particular about security compliance.  It is very unfortunate. He is without a clue and his dumb remarks are giving SANS a bad name.

Comments are closed.