Saturday, September 20, 2008

CERIAS to CAE: We're Not a Lemon

Every so often we discuss topics like starting out in digital security on this blog. Formal education is one method, and one approach within it is the Centers of Academic Excellence in Information Assurance Education program. This program reports "93 Centers across 37 states and the District of Columbia." At first glance it is tough to see a downside to this program.

This is why I was surprised to read Centers of Academic... Adequacy, a recent post by Dr Gene Spafford. The core argument appears in this excerpt:

[W]e do not believe it is possible to have 94 (most recent count) Centers of Excellence in this field. After the coming year, we would not be surprised if the number grew to over 100, and that is beyond silly. There may be at most a dozen centers of real excellence, and pretending that the ability to offer some courses and stock a small library collection means “excellence” isn’t candid.

The program at this size is actually a Centers of Adequacy program. That isn’t intended to be pejorative — it is simply a statement about the size of the program and the nature of the requirements.

Some observers and colleagues outside the field have looked at the list of schools and made the observation that there is a huge disparity among the capabilities, student quality, resources and faculties of some of those schools. Thus, they have concluded, if those schools are all equivalent as “excellent” in cyber security, then that means that the good ones can’t be very good ("excellent" means defining the best, after all). So, we have actually had pundits conclude that cyber security & privacy studies can’t be much of a discipline. That is a disservice to the field as a whole.

Instead of actually designating excellence, the CAE program has become an ersatz certification program...
(emphasis added)


[W]e did not renew the certifications, and we dropped out of the CAE program when our certification expired earlier this year.

Wow, that is striking. CERIAS decided to remove itself from the "Centers of Academic Excellence" program for the reasons cited, plus several more listed in the blog. That's like me deciding to not renew my CISSP on moral grounds... except I did renew late last year when my employer requested the renewal and paid for it. CERIAS drew a real line in the sand and said "no thanks" to the government.

Do Spaf's comments remind you of the market for lemons?

There are good security programs and defective security programs ("lemons"). The prospective student of a security program does not know beforehand whether it is a good program or a lemon. So the student's best guess for a given program is that the program is of average quality; accordingly, he/she will be willing to pay for it only the price of a program of known average quality.

This means that the owner of a good security program will be unable to get a high enough tuition to make offering that program worthwhile. Therefore, owners of good programs will not place their programs in the CAE system. The withdrawal of good programs reduces the average quality of programs on the market, causing students to revise downward their expectations for any given program. This, in turn, motivates the owners of moderately good programs not to participate in CAE, and so on. The result is that a market in which there is asymmetrical information with respect to quality shows characteristics similar to those described by Gresham's Law: the bad drives out the good...
(That's the latest Wikipedia entry modified to discuss the issue at hand.)

The question now becomes: will any other university decline to renew its CAE status? Furthermore, will any of us decide not to renew our CISSP? I already decided not to renew my CCNA and CIFI certs. I let the CCNA lapse because it just isn't important for what I do. I let the CIFI lapse because the organization behind it collapsed following the tragic passing of its founder.


Anonymous said...

The CISSP at least has some intrinsic value in that it is sometimes used by employers to screen applicants. If I knew I would retire from my current position, I would drop the CISSP like a bad habit.

Look at some of the schools that are CAEs -- like Capella. They have a Ph.D. in Information Security program * that has the NSA and CSA logo all over it. The curriculum is Mickey Mouse; my undergraduate degree in Computer Science was clearly more rigorous. Where's the excellence?

Anonymous said...

Whoops, I mean the NSA and CAE logo.

Andre Gironda said...

Times are changing, and so will employers.

CISSP, CISA, and NSA IAM/IEM will remain valid in the short-term for individuals.

Many organizations that demand security skills no longer want lone-wolf individuals anymore, though. It's all about certifying the network or app pen-test company in the new light of PCI ASV and QSAC.

Individual certifications will pick up again. As ImmunitySec's CNOP and OWASP's Cert Project build on their already immediate success, we'll see things start to change in our industry.

There will also be some good to come from the compliance industry. Already, QPABP and CPISM appear as alternatives to the general PCI QSA certifications. ISO 27000 Lead Auditor certainly has a role.

I think the pen-test certs are dead, as are general security certs. Security+, CEH, OPST, GPEN, and most others are completely useless to our industry now. If you're not already sick of the "Learn how to be an Ethical Hacker in 5 days!" courses and SANS tracks, then hopefully you will be by the end of the year. I know that I've been sick of them since they first came on the scene. My immediate reaction to these penetration-testing certifications was revulsion.

And yet, the incident response industry has not evolved much either. The CCE and CFCE intrigue me, but they aren't cutting-edge. EnCE and ACE are more bleeding-edge, but vendor specific certs have always put me off a bit (Microsoft, Cisco, Novell anyone?).

My CCNA will also lapse in 2009, and I have no plans to renew. Why? I don't even work with networks anymore. Everything is going software development: with cloud computing, integration of Cisco/VMWare concepts, and application security -- I can easily predict a future for IT made up entirely of developers and their managers.

Anonymous said...

Richard and Andre,
What are your impressions of the GCFA? Thanks.

Anonymous said...
This comment has been removed by a blog administrator.
Anonymous said...
This comment has been removed by a blog administrator.
Anonymous said...

I got my CISSP in 2000 and will not be renewing it. I am letting it lapse because at this stage of my career, if my skills can't get the job then I don't want it.

Anonymous said...
This comment has been removed by a blog administrator.
Sippy said...

He makes some interesting arguments, and I do agree with his overall assessment. Like similar public programs that try to reach a broad audience, it can't remain exclusive forever. CAE started out exclusive and then continually diluted itself until it was suitable for broader consumption. It seems to be a very natural evolution to me.

I think CAE serves its purpose, much like SANS, to get the public mass *informed* on and perhaps inspired about (not educated) the main issues. Whether or not that's what Dr. Spafford intended it to be is another issue.

I'm not sure "academic excellence" has ever had anything to do with the program anyway. I always thought the point of the program was to rally together a select pool of schools to come up with a curriculum that could advance *interest* in IA research across academia. That would of course eventually spread to smaller, "less excellent" schools that could participate.


Anonymous said...
This comment has been removed by a blog administrator.
Anonymous said...

Yes, the CAE list is highly suspect. When Norwich Univ and Capella make the list and MIT doesn't, it is, by definition, flawed.

Anonymous said...

Wrong. If MIT does not apply they will not be considered. In addition, Norwich is a fine school with a rigorous IA program.

oleDB said...

Norwich is a fine school with a rigorous IA program

Thanks for that, it made me laugh out loud and put me in a good mood.

Anonymous said...
This comment has been removed by a blog administrator.
Anonymous said...

But the question is: what does everyone recommend as far as training and/or education?

I read, I practice, but the field can be so vast; what should people do? I agree there are plenty of schools and certifications out there that are just lemons. However, there has to be something... and I think not everyone has the time to devote to intense academic study. There are practitioner degrees and more academic degrees. I see value in both; you just have to realize what you are getting into, I guess, when you assess a school or candidate.

I see many of the certifications as a bar... if someone can't get a basic forensics cert or info security cert, I have to really question their ability. But just because they have one doesn't mean they are golden!

Then after a point in one's career they become pointless. But I guess people have to decide when that works for them. I see the certs, education, and experience all help with the suits and in consulting. Results do too but they seem to like the flashy bling.

Anonymous said...

I graduated from one of these centers. I hold a master's degree in IA, and I can tell you that attending those classes was very frustrating. With some exceptions, most of the security professors did not have a clue about what was going on in the IT security field. They had experience in IT/programming and were trying to veer off into security, I guess because of the great demand in the education market. I probably learned more from other students than from these "security" professors.
Overall, I cannot say that school was worthless. Any education is good, and obtaining a degree in anything at least shows that the holder can be committed to complete a major task, that she/he has the discipline required to tackle complex problems.

Regarding the certifications part, excepting the CISSP, I will not renew any of the certs I have. I used to highly appreciate the GIAC certifications, but this is no longer the case since they dropped the qualification papers. The problem with most of these vendor certs is that they simply check whether you attended their training class.

I would probably have a look at the PMP and ITIL certifications, and, as noted by other people, I will get back and learn some more programming and development. I am even contemplating taking some programming classes at a local community college.