There's a widespread myth damaging digital security policy making. As with most security myths, it certainly seems "true," until you spend some time outside the policy-making world and think at the level where real IT gets done.
The myth is this: "If we just had a better trained and more professional IT corps, digital security would improve."
This myth is the core of the story "White House Commission Debates Certification Requirements For Cybersecurity Pros." It says in part:
A commission set up to advise the Obama administration on cybersecurity policy is considering recommending certification and training for federal IT security employees and contractors.
The Commission on Cybersecurity for the 44th Presidency, which in December 2008 issued its Securing Cyberspace for the 44th Presidency report to Congress, is currently working on a sequel to that report, due sometime in late June or early July. The commission, made up of a who's who of experts and policy-makers, is debating strategies for building and developing a skilled cybersecurity workforce for the U.S., as well as issues surrounding an international cybersecurity strategy and online authentication...
[R]egulated entities, such as critical infrastructure firms, also would likely fall within its scope.
My opinion? This is a jobs program for security training and certification companies.
(Disclaimer: I still teach TCP/IP Weapons School four times per year for Black Hat, and I organize the Incident Detection Summit for SANS. I've also held the CISSP since 2001. Whether this makes you more or less inclined to listen to me is up to you!)
So what's the problem? Isn't training good for everyone?
In a world of exploding Federal budgets, every new spending proposal should be carefully examined. In the words of the article:
[M]andating certifications could be a bit limiting -- and expensive -- for the feds. "I don't know if the government has that kind of money lying around." Certification courses can cost thousands of dollars per person, for example.
Here's my counter-proposal that will be cheaper, more effective, and still provide a gravy train for the trainers and certifiers:
Train Federal non-IT managers first.
What do I mean? Well, do you really think the problem with digital security involves people on the front lines not knowing what they are supposed to do? In my opinion, the problem is management that remains largely ignorant of the modern security environment. If management truly understood the risks in their environment, they would be reallocating existing budgets to train their workforce to better defend their agencies.
Let's say you still think the problem is that people on the front lines do not know what they are supposed to do. Whose fault is that? Easy: management. A core responsibility of management is to organize, train, and equip their teams to do their jobs. In other words, in agencies where IT workers may not be qualified, I guarantee their management is failing in its responsibilities.
So why not still start with training IT workers? Simple: worker gets trained, returns to job, the following conversation occurs:
Worker to boss: "Hey boss, I just learned how terrible our security is. We need to do X, Y, and Z, and stop listening to vendors A, B, and C, and hire people 1, 2, and 3, and..."
Boss to worker: "Go paint a rock."
Instead of spending money first on IT workers, educate their management, throughout the organization, on the security risks in their public and private lives. Unleash competent Blue and Red teams on their agencies, perform some tactical security monitoring, and then bring the results to a class where attendees sign a waiver saying their own activity is subject to monitoring. During the class, shock the crowd by showing how insecure their environment is, how the instructors know everyone's Facebook and banking logins, and how they could cause professional and personal devastation for every attendee and their agency.
We need to help managers understand how dangerous the digital world is and let them allocate budgets accordingly.