A new non-profit group is developing certifications for information technology security professionals that will set a high bar for IT security practitioners in areas like penetration testing, code auditing and control systems operation.
The National Board of Information Security Examiners (NBISE) is a new, not-for-profit corporation headed by former NERC (North American Electric Reliability Corporation) CSO Mike Assante and overseen by a board of luminaries in the world of information security and critical infrastructure. The group will be designing certification exams to test the knowledge, practical skill and professionalism of IT security practitioners, with an eye to weeding out the information technology world’s equivalent of quacks and hucksters.
The new tests are designed to supplant a hodgepodge of private and industry certifications for IT security practitioners, including the CISSP and certificate programs run by the SANS Institute and other industry and private groups. NBISE claims that too many of those tests measure knowledge rather than the hands-on skills required of practitioners.
“This is about a higher level of testing,” said NBISE Director and SANS Institute Director of Research Alan Paller. “It’s about having confidence that the person you hired doesn’t just know the answer, but can do
NBISE Chief Operating Officer Kelly Ziegler likens the exams to those required by the National Board of Medical Examiners for aspiring physicians.
Paller said that the group is working with top practitioners in a variety of disciplines to design exams that test practical knowledge, not just book knowledge. Scenario testing, akin to the now-famous “Capture the Flag” tournaments at DEFCON and other hacking conferences, will be an important component of the NBISE exams, he said.
“If you look at (penetration) testing, you can have multiple choice questions about the correct approach when pen testing, but that’s very different than having an actual set of systems and having to find a flag, rather than just answer questions about how to find it,” Paller said.
NBISE plans to release its first exam in the next 30 days. That test will be an adaptation of the UK’s Council of Registered Ethical Security Testers (CREST) exam for penetration testing. The group is working with the UK government’s CESG, the British equivalent of the U.S. National Security Agency, to adapt that exam for use in North America, according to Ziegler.
In other areas, such as the operation of control systems, secure coding, computer forensics, and incident response and handling, NBISE is forming national boards of experts to get to work developing exams. The group is also being advised by the National Board of Medical Examiners on ways to devise certification exams that test practical knowledge.
Paller said the new emphasis on certification is a response to an aching skills gap in the IT security space. That gap has been underscored by a series of studies and reports that have pointed to the need to develop IT security expertise within the public and private sectors. Most recently, in June, the Center for Strategic and International Studies issued a report warning of a “human capital crisis” in cyber security.
Paller said that the profusion of different certifications has allowed legions of poorly trained IT professionals to falsely claim expertise in cyber security. Often, their lack of training only becomes evident once they’ve been hired.
NBISE will also provide more focused instruction than initiatives like the U.S. Department of Defense’s Directive 8570 (DOD 8570), which provides training and certification guidance for government employees who work in Information Assurance, but gives employees a menu of different certifications to choose from in fulfilling the directive, say NBISE
The NBISE exams, once instituted, will serve as a threshold exam for work in areas like government and financial services, separating those with technical knowledge of a subject from those with both the knowledge and the hands-on experience to perform a job. Paller said that the exams, once adopted, could take business away from certification organizations like the SANS Institute, but that those organizations might merely shift to fulfill a role similar to that of medical schools today: teaching students the body of material and hands-on skills necessary to pass the NBISE certification exam.