At this year’s (ISC)2 Congress in Atlanta, Georgia, I caught up with Hord Tipton to talk certification updates, misspent security dollars, and where the White House is going so wrong.
“The Department of Defense Directive DoDD8570 has been instrumental in setting a model for the rest of the world and mapping skills with jobs”, said Tipton, who indicated a problem in the industry with people not knowing what certification is needed for what job.
“CISSP is the most comprehensive certification in the world, and a great measure of academic ability. As the DoDD8570 breaks into different assurance levels, the CISSP wound up in most categories.”
Evaluating its certifications is a constantly evolving task for (ISC)2. “The latest is our software credential, which was approved last year.” I ask Tipton to talk me through the process for determining when a new certification is needed. “It’s methodological,” Tipton answers simply. “We always need to justify how we’re spending member money, so we do a lot of research.”
This research process, he said, begins with the workforce study. “We use this as a starting point for knowing what certification is needed, and get a consensus for what’s top of the list. Then we validate it with the industry. We ask them whether they’d use it if we built it.” With the application security certification, recalled Tipton, “Absolutely no-one denied that it was needed.”
Part of the validation process, Tipton explained, is focus groups made up of industry luminaries with the right areas of expertise. Once validated, the framework is built, considering how the domains and sections will look. “The job task analysis will look at the blueprint. We then use taxonomy to determine how difficult to make the questions. We test it, look at how many people passed, and look at the middle curve for range.”
At this point, Tipton explained, they start to develop the education material and build a common body of knowledge around the domain.
Tipton remembered the day he took his first test, in a room in San Francisco with 100 others. “There were people making sandwiches in the room,” he laughed, recalling the distractions. “Today, technology is available to cheat so we have to put provisions in place.” He refers to the biometric-enabled testing centres, the high-pressure four-hour exam under surveillance, and even escorted trips to the bathroom.
(ISC)2 is the only accreditation body not to reveal the weighting for each exam question. “This,” said Tipton, “is because we want them to read the whole book.”
Misspent Dollars and a Defeatist Attitude
Tipton and I find ourselves on the topic of the industry’s attitude to information security breaches. “Even we, as an industry, say ‘you’ll be breached, deal with it’. We say this because we know our software is insecure. So we just patch, get breached, patch, get breached.”
There is no public outcry for secure software, said Tipton. “People don’t scream very loud when they have to patch, and just accept the cost of fixing the software. They accept that it’s their responsibility to fix it, and I don’t like that.”
Securing software would solve so many security problems, Tipton insisted. When asked who is to blame for insecure software, Tipton points the finger at those who don’t demand secure software. “It’s a supply and demand issue. If there’s no demand, why bother supplying it?”
The cost of patching is factored in, rather than the cost of securing the software in the first place, Tipton said. This, he insisted, is wrong. “So much security spend goes on legacy technology. It’s why I worry so much about the internet of things.
“We turn out technology so fast in this industry, and then demand upgrades. We stop supporting older versions, which makes us an open target.”
Speaking of open targets, Tipton referenced the United States’ critical infrastructure. “It’s 30-40 years old and needs to be modernised. It takes a lot of money to do that, and you leave open targets. We make things too complex.”
He uses the White House as a prime example. “The lines of code supporting Obama Care is outrageous. They didn’t test it because they couldn’t,” he said, shaking his head.
Hord, a pleasure as always.