Recently a friend asked me if I knew of anyone with a security clearance who has also passed a polygraph. It seems some agency (unknown to me) requires individuals with digital security assessment experience and the designated level of security clearances. I told my friend I did not know of anyone with that combination. He replied that the agency in question was ready to simply find someone with the necessary clearances, and teach them whatever skills were needed to perform the security assessment.
Something about this bothered me. I realized that this unknown agency was more concerned with the supposed trustworthiness of the assessor than with the skills he or she would apply to the agency's digital security interests. In other words, this agency valued a cleared yet unskilled person over a skilled yet uncleared person. In my opinion, that calculation defeats the purpose of the security clearance. Let's examine why.
A security clearance is designed to be a preventative measure that guards against a specific threat: rogue insiders. One of the most dangerous adversaries is someone on the inside, trusted with access to sensitive networks and data. It is important to ensure that people in such positions are worthy of the trust granted to them.
A security assessment is designed as another preventative measure. A security assessment enumerates vulnerabilities so they can be remediated or mitigated. These are the sorts of vulnerabilities one could expect an outsider, or more seriously, an insider, to try to exploit.
We have a situation where an unknown agency is willing to hire someone without the necessary skills to perform a very important task. That task is discovering vulnerabilities and recommending answers. This is not a job for a newbie, even if that newbie is "trusted." By putting itself in this situation, the agency has calculated that it values employing supposedly trusted newbie assessors over the act of discovering and fixing security holes.
Good vulnerability assessors or penetration testers are not born in boot camps. Discovering, validating, and remediating vulnerabilities requires more than knowing how to run Nessus or Metasploit. I doubt someone who has just learned to perform an assessment will deliver the report truly needed by this agency. The "work" by a brand-new "assessor" has just turned into a compliance item; the box has been checked, but who cares about the result?
This brings me to the broader question of clearances. What other trade-offs have been made in the interest of "trustworthiness," and at the expense of "security"? I know of people who could have made significant contributions to various projects, but had to wait months or years for the appropriate security clearances. What damage was done, what missions were lost, what opportunities were forsaken while the clearance process was followed? For other economics-trained readers, what is the opportunity cost of security clearances?
I read articles about problems with the clearance backlog, and these are the questions I do not see addressed.