Derek Mohammed, Ph.D., CISA, CISSP, PMP
The past several years have seen a proliferation of laws, regulations and standards with the purported objective of enabling organizations—public or private—to achieve information security. Many of these laws and regulations have been in response to corporate financial scandals, theft or loss of personal and private user and customer data.
Compromise of personally identifiable information (PII) and the costs associated with cybercrime show little to no evidence of diminishing. For instance, on 30 September 2010, the US Federal Bureau of Investigation (FBI) charged 37 defendants for using the Zeus Trojan and other malware to steal millions of dollars from US bank accounts.[1] According to the Open Security Foundation’s Data Loss Database, 367 data breaches affecting more than 20 million records were publicly reported as of 15 December 2010.[2] This compares with 141 breaches in 2005, and only nine breaches in 2000. These breaches can have a significant effect on an organization’s financial well-being. In July 2010, the Ponemon Institute estimated the annual cost of cybercrime to be approximately US $3.8 million per year, ranging up to US $52 million per year, per company.[3]
Federal and state governments have responded to this threat environment with a variety of regulations requiring companies and government agencies to audit and validate their relevant IT systems to ensure that their business processes and underlying records comply with applicable laws and regulations. Some of these include the US Gramm-Leach-Bliley Act (GLBA) and the Payment Card Industry Data Security Standard (PCI DSS), which are specific to an industry, and others such as the US Sarbanes-Oxley Act and the US Electronic Communications Privacy Act (ECPA), which are more industry-neutral. Each law and regulation has specific and unique requirements to which an organization must demonstrate compliance.
In response to the threat environment and the complexity of the regulations and industry standards, an increasing number of organizations are making security a corporate priority. Several companies have responded by protecting data, hiring security executives, and strengthening risk and compliance programs. Even in the face of the current economy, most companies expect that security budgets will hold steady or increase. There is also a growing understanding that achieving information security and regulatory compliance can provide a competitive advantage. However, many organizations still do not have an integrated, comprehensive approach to information security.[4]
Today’s economic, social and legal environments demand that organizations address security as a core necessity. The environment is too hostile and the potential costs, from either cybercrime or regulatory fines, are too great not to craft a cogent enterprise security policy. This can best be achieved by adoption of an industry-appropriate certification program. Organizations need fully articulated security policies and procedures based on industry best practices to solidify their information system defenses and meet legal, contractual and regulatory requirements.
The US federal government is a proponent of certification, both for the professional and for the system. The US Department of Defense (DoD) has recognized the need for skilled, qualified information security personnel. DoD Directive 8570.1 requires all employees, military and civilian, with privileged access to a DoD system to be certified. A perusal of any job board for IT-security-related jobs shows that the private sector is largely following suit. The Information Systems Security Association (ISSA) web site has compiled a list of industry certifications varying from vendor-specific, such as Microsoft, Linux and Cisco, to vendor-neutral, such as those offered by ISACA, (ISC)2 and CompTIA, to name a few.
The 2002 passage in the US of the Federal Information Security Management Act (FISMA) began the requirement for US federal agencies to follow the National Institute of Standards and Technology (NIST) guidance. This guidance requires agencies to create system security plans, contingency plans, risk assessments and security assessments. Ultimately, these systems must be certified and accredited. In the DoD, this is accomplished through the DoD Information Assurance Certification and Accreditation Process (DIACAP). The private sector has comparable industry programs such as PCI DSS or non-industry-specific standards such as ISO 27001 or COBIT.
The belief that certification of information security professionals, systems or both is effective in creating security is certainly not universal. Critics of FISMA, for example, contend that the act has no measurable security benefit.[5] Others argue that certifications for professionals are not the answer because certification by itself does little, if anything, to guarantee security.[6] That is, having certified employees does not mean that firewalls will be configured correctly, computers will be patched and employees will follow security policies. As aptly noted by some, if the number of certified cybersecurity workers nationwide has been increasing, why hasn’t it resulted in a decrease in vulnerabilities, security incidents or losses from cybercrime?[7]
If professional certifications were the solution, the problem would already have been solved. In response to the continuing threats, the regulations and compliance standards keep coming. By their very nature, these laws and regulations are reactive, usually in response to some public failure. The complexity of the resulting landscape leads to a checklist mentality. Many organizations do little more than check off the items listed in the regulations and ignore basic safeguards.[8] Simply adhering to regulations and standards does not amount to a thorough security policy. Audits of compliance measures are a point-in-time measure, often performed on an annual basis, with no guarantee of ongoing efforts to keep the organization up to date. Too often, businesses view and treat regulatory compliance as a separate activity rather than understanding how to incorporate compliance into their day-to-day business operations. It is this stovepipe mentality that can doom their efforts.
While there is no challenge to the value that qualified security professionals bring to an organization, the question is whether certification of those professionals brings added value. The argument that certification does not guarantee job performance is valid. There is nothing that can guarantee a level of performance when people are involved in the process. But, certifications do provide a guaranteed minimum of knowledge, skills and abilities. A vendor-neutral certification demonstrates a broad knowledge base, and generally includes access to an extensive global network of subject matter experts. In addition, the majority of certifications require continuing professional education to maintain the certification. Is this a guarantee of competent performance? No. Is it a measure of due care and demonstrated due diligence? Yes.
Regulation complexity continues to be a concern to management, but responding to that complexity is increasingly seen as simply something that must be done. As with most problems in life, simply throwing money at a problem provides little guarantee of success. Without a coherent approach to regulatory compliance, the organization can spend a lot of money to end up with noncompliant systems or redundant solutions. This is where adoption of a certification standard or framework can yield great dividends.
Many of the regulations have common requirements, such as protecting the network from malicious software, maintaining firewalls or implementing procedures to ensure the integrity of data. Industry standards and tools such as COBIT or those from ISO or NIST provide frameworks for addressing these requirements. Each of these standards offers a structure and best practices against which users can measure their own business processes. Each of these methodologies recognizes that compliance is not a one-time effort and provides a process for organizations to demonstrate not only that their security programs are effective, but also that those programs are regularly reviewed and updated. For example, ISO 27001 is based on the plan-do-check-act process model, with a goal of continual improvement.
Again, does pursuing a certification program such as those offered for ISO standards provide a guarantee of security? Unfortunately, no. It remains possible for employees to violate corporate security policies and take home a laptop containing sensitive corporate data, for example, or for employees to be the successful target of a social-engineering attack. People are inherently unpredictable and capable of making poor choices regardless of the policies and programs in place. Nonetheless, having a robust certification program in place demonstrates due care and due diligence to shareholders and customers.
If professional and system-oriented certification programs are adopted as part of a corporate governance strategy, the benefits are even greater. Case law is increasingly recognizing the requirement for information security, and driving organizational governance over information security. The Ponemon Institute study found that total annualized cybercrime costs for organizations with good governance practices (e.g., appointment of a CISO, creation and rollout of an enterprise security strategy, adherence to a voluntary certification program) were substantially less than the costs for companies without these features in place.[9]
Attaining security is hard, often annoying and something with which most people and organizations would rather not deal. Often security safeguards are seen as having negative consequences, such as added cost, inconvenience and diminished network performance. But they are a core necessity. Customers, business partners, suppliers and vendors all demand them. Laws and regulations are requiring organizations to demonstrate due care with regard to data security. Embracing a certification standard and employing certified professionals can help address current and future regulatory compliance requirements in a proactive, cost-effective and sustainable manner.
[1] Federal Bureau of Investigation, “Manhattan U.S. Attorney Charges 37 Defendants Involved in Global Bank Fraud Schemes That Used Zeus Trojan and Other Malware to Steal Millions of Dollars from U.S. Bank Accounts,” Department of Justice Press Release, USA, 30 September 2010, http://newyork.fbi.gov/dojpressrel/pressrel10/nyfo093010.htm
[2] Open Security Foundation, Data Loss Database, “Data Loss Statistics,” 15 December 2010, http://datalossdb.org/statistics
[3] Arcsight, “First Annual Cost of Cyber Crime Study With Ponemon Institute,” 24 September 2010, www.riskandinsurancechalkboard.com/uploads/file/Ponemon%20Study(1).pdf
[4] Nash, Kim, “Why Technology Isn’t The Answer To Better Security,” CIO, 18 October 2010, www.cio.com/article/451092/Why_Technology_Isn_t_The_Answer_To_Better_Security
[5] Price, Sean, “The Fallacy of the FISMA Critics,” Information Security Today, 8 November 2010, www.infosectoday.com/Articles/Fallacy_FISMA_Critics.htm
[6] Tillmann, George, “Why IT Certification Is a Really, Really Bad Idea,” Computerworld, 8 June 2010, www.computerworld.com/s/article/9177809/Why_IT_certification_is_a_really_really_bad_idea
[7] Castro, Daniel, “The Role of Professional Certification in Securing Information Systems,” ITIF, 12 November 2010, http://itif.org/files/WM-2009-05-certification.pdf
[8] Op. cit., Nash
[9] Op. cit., Arcsight
Derek Mohammed, Ph.D., CISA, CISSP, PMP, is an assistant professor who teaches undergraduate and graduate courses in information security and assurance at a small liberal arts university in Texas, USA. Prior to joining academia, he worked extensively in both the public and private sectors to improve the security of organizations’ critical information systems. His research focuses on improving the security of computer and network systems.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2011 ISACA. All rights reserved.