Certifications: A false sense of security

By John S. Monroe
Jan 06, 2010

Nothing irks a security professional more than the suggestion that the 
federal government could improve security by setting up a standard 
certification program for agency staff members.

This idea, which is gaining traction in Congress, might sound 
reasonable. But many security experts say it is a red herring. One such 
expert is Daniel Castro, a senior analyst at the Information Technology 
and Innovation Foundation, who wrote a column on the topic [1] for

"If certifications were effective, we would have solved the 
cybersecurity challenge many years ago," Castro wrote. "Certainly more 
workforce training, although not a panacea, can help teach workers how 
to respond to known cyberattacks. However, workforce training is not 
certification, and organizations, not Congress, are in the best position 
to determine the most appropriate and effective training for their 

His column triggered a flurry of reaction from readers, most of whom 
seconded his remarks by sharing observations and experiences of their 
own. Here is a sample of the responses, which have been edited for 
length, style or clarity.


