Licensing cybersecurity professionals, I

see signs that it is having a positive impact.

License versus certification
The new proposal would affect the entire federal IT industry — from contractors to government employees and the many companies that provide information assurance certification and training. The use of certification as a tool for hiring, placing and promoting employees is certainly nothing new. However, a mandatory licensing program would be unprecedented, and that proposal has proven particularly contentious.

“A lot of people have problems with where do you draw the line: Who has to get a license, who doesn’t, who would be the licensing authority, what would be the extra cost, what are the liability issues?” said Lynn McNulty, director of government affairs at (ISC)² and a former federal information security program manager. (ISC)² is one of numerous organizations that constitute an expansive training and certification industry.

McNulty said he is not hearing a lot of complaints about the certification requirement, but many people have a problem with the licensing requirement.

During a round-table discussion on certifications (ISC)² hosted in early June, several participants said the licensing requirement would represent a departure from the state-based approach to validating the qualifications of professionals such as doctors and lawyers.

Federal licensing of cybersecurity professionals “would fly against that principle, and it just doesn’t make a lot of good sense in my opinion,” said John Lainhart, public-sector service area leader for security, privacy, wireless and IT governance at IBM’s Global Business Services. He participated in the (ISC)² round-table discussion as a representative of the Information Systems Audit and Control Association, which provides cybersecurity training and certifications.

Critics say another problem with licensure and its added layers of federal oversight is that the government’s training and testing programs would not evolve as quickly as industry-driven certification programs. This would be a significant slowdown for an industry that changes as rapidly as IT does, and could dampen rather than boost the growth of a newly trained cybersecurity workforce, said Dan Liutikas, another round-table participant and senior vice president, chief legal officer and corporate secretary at CompTIA, an IT industry and training association.

Bain writes that another issue with licensing is what form the testing should take. Alan Paller, director of research at the SANS Institute, a cybersecurity training, certification and research organization, supports the idea of evaluating security professionals’ skills in operational situations, as airplane pilots are tested. He added that if the government establishes a licensing program for IT security professionals, it shouldn’t belong to the commercial world. “It should be owned by a completely independent organization that isn’t trying to sell something already, and they should not be able to do any training at all — none,” Paller said.

Tomorrow: The current state of play