One of my biggest gripes about the upcoming cybersecurity legislation is the threat of mandatory certification for security professionals.
There's a widespread myth damaging digital security policymaking. As with most security myths, it certainly seems "true" until you spend some time outside the policymaking world and think at the level where real IT gets done.
The myth is this: "If we just had a better trained and more professional IT corps, digital security would improve."
This myth is the core of the story White House Commission Debates Certification Requirements For Cybersecurity Pros.
My opinion? This is a jobs program for security training and certification companies.
Here's my counter-proposal that will be cheaper, more effective, and still provide a gravy train for the trainers and certifiers:
Train Federal non-IT managers first.
If management truly understood the risks in their environment, they would be reallocating existing budgets to train their workforce to better defend their agencies.