Friday, August 19, 2011

Catastrophic failure for certifications of the APD

There was an interesting news story about the City of Atlanta police officer certification scandal that's happening now in Atlanta. About 200 police officers have lapsed or incorrect certifications, affecting cases that go as far back as 20 years. A police officer cannot make lawful arrests or collect evidence without this certification. The "seven deadly" convictions such as murder, rape, and arson are particularly likely to be thrown out now because of the especially high importance the arrest warrant has in those cases.

This is a brittle and inflexible system where if one part of the process breaks down it becomes a catastrophic failure. We need our legal system to be absolute and unmalleable so that there is justice and equality, but that doesn't lend itself to having a backup plan. Here the symptom of the brittle system is that they rely entirely on the certification to validate the system. If the certification process is broken then the system fails and deadly criminals go free. The article says "There is no excuse to have officers who are not trained. That is a danger to the citizens and it is a danger to police officers," meaning that uncertified cops are dangerous. But the reality is that a substantial amount of the 200 officers that made arrests while not certified did the right thing and took deadly criminals off the street. We want those criminals to stay behind bars. In order to keep these criminals behind bars the city must acknowledge that the certification does not create the good cop, and a cop can practice good law and order without taking a test. Therefore the test is not absolutely necessary. This is in direct conflict with the nature of law to be absolute and without exceptions. So, in order to protect justice, the arrests will be rendered invalid, deadly criminals will go free, and the system will suffer a catastrophic failure.

Does Information Security have a similar vulnerability to failure based on its similar relationship to certifications? Certifications such as CISSP are not required by law, but many companies won't hire without one. By supporting certifications, a customer is saying they believe the certification is the difference between a "good" security professional and a "bad" or even "dangerous" security professional. So the question is, just like in the case of the Atlanta Police turning over their arrests, if the Security Professional loses their certification, would the customer then suddenly render all of the future work invalid? If they found out the Sec Pro didn't have a certification afterall, would they throw out the test and have it done over?

The lapse in certification provides an opportunity for the customer to dispute the validity of the work if they don't like how it makes them look. On the Errata blog, we've talked before about how the deliverables of a pentest can be more like a negotiation than a fact-finding mission. Companies spend just as much energy explaining why the test is wrong as they do remediating the findings. Having a certification to call into question is another opportunity to do this, because in a security assessment, the customer is both "the convicted criminal looking for a loophole" and "the victim."

If the certification is good at accurately distinguishing a competent security professional, then the Industry should do as the City of Atlanta is doing, and protect it by throwing out the work of security professionals who's status has lapsed. But, as Robert Graham wrote in an Errata blog post, certifications like the CISSP are actually ethically dubious and certify unqualified people, so it would be better if no company supported them in the first place and security professionals were judged on the merits of their work/portfolio instead. This would help to minimize one path of failure in Information Security.

No comments: