John Howie, chief operating officer for Cloud Security Alliance, sees a need for a certification for professionals to prove their competencies in cloud computing. (Nicole Blake Johnson / Federal Times)
SAN FRANCISCO — There are a host of certifications and credentials that today’s information security professionals can choose from to validate their skills.
But industry groups are hoping to add another certification to that growing list as the federal demand for secure cloud computing options increases. For the past six months, the nonprofit Cloud Security Alliance (CSA) has worked with certification bodies such as ISC2 to create a certification for professionals to prove their competencies in cloud computing.
The organizations have yet to formally announce this partnership but provided a few details on their work here at the RSA conference.
“There is a screaming need for qualified individuals,” John Howie, chief operating officer for CSA, said in an interview. Howie expects that industry will voluntarily adopt the certification when it is released, but regardless, he expects individuals will opt to get cloud computing certifications to prove their competency to potential employers.
Howie could not say when the certification will be released but said CSA will take its time to create a quality certification.
Today, there is no certification for cloud computing. But Howie said he has seen an uptick in demand for a cloud computing certificate currently offered through CSA. Anyone can take the online test to receive CSA’s certificate of cloud security knowledge, but it does not take into account an individual’s hands-on experience and can verify only a person’s knowledge at a point in time, Howie said. The certificate costs about $300.
A certification is more rigorous and is granted only to people who can prove — through an exam — their knowledge of cloud security, who have the years of experience and who can demonstrate an ongoing commitment to continuing professional education, Howie said. Certifications would be more costly because the certifying bodies must ensure individuals have the necessary prerequisites, knowledge and experience. Random audits and fact-checking are required to prove this information is accurate.
But even certifications have shortcomings. Defense News, a Federal Times sister publication, reported earlier this month that many Defense Department cyber professionals are undertrained, despite receiving the required certifications created by organizations outside DoD. Those certifications have come under fire for failing to test the capabilities of cyber defenders.
Howie said a certification would be one means of proving to third-party auditors that the individual contractors operating and overseeing federal data in the cloud are competent. He sees the certification supporting the government’s cloud security program, which requires companies to meet baseline security standards before hosting government data in the cloud.
“The government has a vested interest in seeing something like this come to market and be maintained by very professional and respected organizations in the industry,” Howie said.