Saturday 14 November 2015

of the CISSP, infosec licensure, and how we bring things upon ourselves

[Disclaimer: this post represents my personal opinion. It does not represent the opinion of any past, present, or future employers, clients, or associates.]

I was looking forward to a quiet Saturday evening. I'm traveling tomorrow to be on site with a client on Monday. I did not count on Ed Bellis being active on the twitters and coming up with this jewel of a tweet:

CISSP certification requirements baked into contracts make me chuckle.

It put my brain in gear.

Straight out of the gate Ed makes 100% sense. Why would certain (security-related) tasks described in a contract require a CISSP? If anything, we know there are skilled people out there without any formal education or certification. We also know that there are some pretty unknowledgeable people out there holding multiple master's degrees and dozens of certifications. Certifications do not guarantee knowledge. Why then would clients choose to require them in contracts?

The single question from Ed actually kicks a lot of hornets' nests. More than he actually thinks, I believe. Ed, as far as I understand, is a bit shocked that he, as a known expert in our field, cannot work on the contract he mentions because he does not hold a CISSP. He's probably as qualified as people holding the cert, if not more. Why would companies be so stupid as to keep him out of the game?

I'm certain it is not personal, Ed ;-) Companies have been burned more than once. They have paid dearly on projects they awarded to players in our market that promised them the world, and then horribly failed. Companies bring in inexperienced consultants and make junior people "learn on the job" (on time paid for by their clients). We know it happens. We all hope it goes away. Obviously it won't. In the meantime, the clients play poker and they are cutting their losses.

Our industry doesn't, yet, have a form of licensure. There is no obvious way to tell bad players from good players. There isn't a real bar to entry. To save some of my Saturday night I will not debate whether licensure is a good or a bad thing and whether a bar to entry is needed. I've had the privilege of discussing the topic of licensure with a diverse subset of my peers and I have not made up my mind yet. I'd encourage everybody to explore the topic and ponder it for a while. I'd be happy to engage with you.

So here I am, putting myself in the position of the client. I need outside expertise for a security project. Let's say that 1 out of 5 of my previous security projects have failed because the partners I worked with under-delivered, went over budget, etc. I have paid dearly for that. The obvious choice is to go with a different partner, but how do I tell which is the good partner? I have no way of doing that. Do I roll a die and dive into the deep end with a new unknown? I don't want to take that risk. What are my options?

If I want to vet every individual consultant that is going to be on my contract, that is going to cost me a lot of time. I may still not be able to validate all their experience, and I may not remove any of the risk. Sure, there are capable people out there, but my previous experience tells me to remain cautious. What else can I do?

There is an organization out there that validates that its certificate holders have at least 4 years of experience in the industry. That is awesome, because now I can just check for their certificate and I know that they've been around for a while. Does it guarantee success? No, but they are not straight-out-of-school theory monkeys. At least there is a bigger chance that in the 4 years they have been around, they have seen some things and done some things that are relevant to the work they're supposed to be doing for me.

Is there a downside? Obviously. I know that there are very smart people out there without the certification that I require them to have. I am consciously choosing not to have them on the contract. Is that stupid? From their perspective, probably yes. But here I am, choosing between vetting every candidate myself or relying on a certification that comes with at least 4 years of experience. Economically, I win more by doing the latter. You can argue your competence until pigs start flying, but you can't argue economics.

Now, in closing, we have to consider why we have come this far. Our industry is full of solution and service providers that jump on every opportunity to "do security", and fail at the cost of our clients. The theory of the lemon market has been repeated ad nauseam in talks, podcasts, and discussions over the past ten years (if not more). Do you truly expect your clients to sit by and do nothing? This then brings us back to the discussion on licensure. Historically, licensure has been introduced in professions for various reasons. Often it is introduced by government, to push out quacks and charlatans. Very few professions have been able to successfully introduce licensure themselves. Is it time for our profession to consider an attempt at licensure? And, if so, what would that look like?

Our clients definitely think it has become worth it to value 4 years of validated experience over X years of self-claimed expertise. Whether you like it or not.
