Sunday, March 28, 2010

Rockefeller-Snowe and Security Credentials

Legislation working its way through Congress may impose requirements for credentials on information assurance practitioners and professionals.

Two editors of SANS Newsbites responded as follows:

[Editor's Note (Pescatore): Since software engineering is still an oxymoron, there really are no meaningful software developer or IT system architect certifications. So, trying to say IT security professionals need certification will be good for the companies that will sell such certifications but really does not make sense from the point of any improvement of security.
(Paller): Cisco and NSA and SANS are compiling the available body of knowledge on what works and what doesn't work in security engineering.
They will be doing a workshop in June for people who will be hiring security engineers and architects.

I responded to them:

I agree with John that “software engineering” is an oxymoron. I argue that the application of engineering principles to software is very beneficial but very rare.

I agree with Alan that those same principles can be usefully applied to security and I commend his and any efforts to encourage it.

However, it seems to me that the certification requirements in the Rockefeller-Snowe Bill are more akin to the certification of security professionals that we have been engaged in for the last twenty years.

I would not be so dismissive of these programs as John is. Whatever else has resulted from these programs, they have had a huge impact on the documentation and spread of security principles and other knowledge. While this may be more arguable, they have also encouraged the professionalism of the practice of security.

It seems reasonable to me that agreement on the principles should come before certification or licensing. However, practice precedes either and continues even in their absence. Thousands of years of practice of engineering preceded its codification and licensing. Since we do not have the freedom to wait, we should encourage all three activities in parallel.

A dialogue between John Pescatore and myself follows:

John: Hi, Bill – I blogged on this in a bit more detail at , where I summarized:

That’s not to say there is no value in security certification as one element in evaluating security personnel.

Bill: The justification of legal requirements for minimum credentials in a professional practice go way beyond evaluating individual members of the practice.

John: But turning it into a requirement tends to make it set the height of the bar just at that level – that would not be a good thing.

Bill: Perhaps. Would you argue that the requirements for a medical license or a CPA are static? The federal government has been requiring credentials for aviation since 1917. Would you argue that the “height of the bar” is still at the 1917 level. I can testify from my own knowledge that the requirements for the CISSP are not static. When I qualified the program tested only for knowledge. Today one is tested for different knowledge as well as the skill to apply that knowledge.

John: My major issue is that there are no federal requirements for IT architect certification or software developer certification or database administrator certification. That is because certifications in those fields are largely meaningless, because software is *not* an engineering discipline yet. This is why GASP and the like, and the Security System Engineering Capability Maturity model and the like (I had involvement in the early 1990s with that one) really didn’t go anywhere. The Brits have had several certification programs that really haven’t done much to advance the state of the practice, either.

Bill: Agreed.

John: So, to have an federal information security certification requirement really is not going to be meaningful. It will just turn into a boon for certification programs.

Bill: I might agree that the field is not sufficiently mature for a federal requirement or even that the federal government should be involved in any credentialing program. On the other hand, their credentialing program in aviation has been very successful. Security operation of IT is at least as mature as the operation of airplanes in 1917.

I do not agree that credentialing programs benefit only the programs. The practice of engineering and medicine were both dramatically advanced by the credentialing programs that established minimum entry requirements to their practice.

John: Requiring training and education and job experience is so, so, so much more valuable in this kind of thing that requiring certification. This is pretty standard advice I give at Gartner to clients trying to evaluate security consulting personnel.

Bill: I grant you that certification is not sufficient for evaluation of professionals without granting that there are no benefits to minimum standards. Whether or not those benefits are sufficient to justify their requirement at law is another issue. Licensing of professional engineers was a reaction to infrastructure failure. Licensing of physicians and lawyers was a reaction by the competent minority to rampant incompetence. I do not argue that the practice of security is peer with these professions. I do argue that they were advanced by their requirements for credentials.

I think that the inclusion of credentialing in Rockefeller-Snowe is a reaction to the public perception that we are building infrastructure and that our efforts are simply not good enough. I am not sure that the remedy will be effective, much less that it is justified but I am satisfied that It will not make things worse. They certainly will not "set the bar" at today's level.

Monday, March 22, 2010

It works!

That's right. Security works. Your enterprise security program works.

Consider the following question. What part of the attacks that hit your perimeter does it resist?

a) None of them
b) Few of them
c) Enough of them
d) Most of them
e) All of them

Most of you said "c" or "d." We call that "working."

A few of you may argue that only "e" can be called working, to which I respond, "Be careful what you ask for, you might get it."

Do you know how to resist even more attack traffic? If that were the only objective, of course you do. You do not do it because resisting attack traffic is not the only objective. Even resisting "most attacks" involves at least slowing, if not rejecting, some legitimate traffic. It may also involve tolerating a resourceful attack.

Said another way, within the tough choices that face you, the security perimeter is doing what you intend. We call that "working."

Security is a hard problem; there are no perfect solutions. It requires the exercise of informed judgment. That is why we are called professionals and are paid the big bucks. Such as we are and given the conditions that we face, we do the best we can. That is called "working."