'No need' for Aussie IT security certification

Proposals for an Australian certification program for IT security skills seem unlikely to get off the ground, with the industry favouring instead an audit of existing programs. The federal government conceded, ahead of next month's scheduled release of a report into the proposed program, that industry participants in a recent workshop "did not identify a compelling need" for a new certification.


The participants agreed instead that "a common understanding of the content and value of existing security qualifications would be desirable," the Department of Communications, Information Technology and the Arts said today.

Some internationally recognised standards used in Australia include the Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) qualifications, which have all been around for a number of years.

Mark Ames, secretary of the Information Security Interest Group, a local body representing security professionals, agreed that an assessment of existing qualifications was uppermost in the industry's thinking.

"There seems to be a fair consensus amongst the people who were interviewed, that it's [the report] looking largely at so-called market forces," Ames told ZDNet Australia. "In other words, let's see what wins the hearts and minds of employers and people who care to put down the money to get one of these [certifications]."

"That's where I suspect it will come out that there has been some concern that the government might be too hands-off," he said, adding that federal officials should probably look to throw their weight behind the best few security certifications available.

The security consultancy that ran the 15 June workshop in Sydney -- SIFT -- is preparing a report on behalf of the federal government into the need for a new IT security skills accreditation or certification scheme.

SIFT's report is being circulated by DCITA for one last round of participants' comments before publication in late October.

SIFT's brief from the government makes it clear industry support is critical to a new program. "This consultancy aims to arrive at an industry consensus on the need for an IT security skills accreditation [or] certification scheme and the formulation of options on possible structure and governance arrangements.

"Any process will need to be formulated on the basis of it being industry-driven, run and funded".

However, the lack of vendor participation at the workshop may raise questions about whether the security community's diverse views were adequately reflected at the event.

Michel Hedley, head of the education and skills portfolio for the Australian Information Industry Association, said only around 12-15 of the 40-plus organisations interviewed by SIFT and subsequently invited to the workshop turned up.

Those were mainly composed of trade groups like AIIA, Hedley said, although he noted he wasn't sure if his meeting was the only one being held. "The numbers were a bit disappointing actually ... the vendors don't turn up to things like this any more," he said.

DCITA said attendees reviewed five different models proposed by SIFT for a way forward for the industry.

SIFT's final report on the matter has been handed over to DCITA, according to the firm's principal consultant Nick Ellsmore, who took a central role in carrying out the research.

Ellsmore declined to comment on the report's contents, but did tell ZDNet Australia the industry had been very vocal in putting forth its views.

Getting good security workers
Ames said a secondary trend that could be reflected in the report was that the problem of getting good security workers would not be solved by certification.

"That came up very strongly, that it's really up to people who are engaging security workers, to do the hard yards and do due diligence [before employing them]," he said.

"Just because someone has a whole slew of letters behind their name, that doesn't mean they'll be able to do what you want them to."

ISIG's own stab at providing an Australia-specific accreditation -- launched last April around the same time as DCITA's study was awarded to SIFT -- was proving successful, according to Ames.

He said around 50 security professionals had applied for the scheme. The body has a membership of between 300 and 400. ISIG will also soon launch a new 'grandfather' accreditation that will formally recognise those with more than 15 years' experience in the IT security industry.