On November 1st, the ISAO SO Executive Director, Dr. Gregory White, made the case to consider the utility of self and basic certifications for ISAOs. As expected, there was both support and opposition for certification from members of the information sharing community. Arguments against certification included “Certifications don’t build trust, people build trust,” and “Certification is just creating government oversight that isn’t needed or desired from those in the community.” This got me thinking. Why would I want anyone to tell me this company or product meets a minimum qualification or is recognized by a professional organization? After all, America is built on free markets and capitalism. Buyer beware! Why do we need Underwriters Laboratories (UL), Consumer Reports (CR), or Automotive Service Excellence (ASE)? If you’re in the business, you know which product or vendor provides a reliable service; you know who to trust because you know the business. But if you are new to the business, how do you know who to trust? Word of mouth? If I don’t know, I might ask those who do. However, if I don’t know anyone who has operated or used a service in that particular industry, or I’m new to an area, where do I start my research?
As a military member for 32 years, I moved every 1-2 years. I was constantly trying to find a mechanic who was competent and wouldn’t try to rip me off. Owning five cars, with the newest being a 2012 model, I’m often at an automotive repair shop for either a service or a vehicle repair. How do I know where to go? Sometimes I use word of mouth, trusting the word and experience of others. However, how do I know those who are making the recommendation aren’t getting ripped off? At the end of the day, I look for Automotive Service Excellence (ASE) Certified mechanics. Why? Because I worked with mechanics in the Army, and those who were certified by ASE knew their stuff! Those who worked on Army vehicles without their certification were under the supervision of those who had their certification. Why? Because the certified mechanic met an objective criterion, a standard.

Why wouldn’t I want certification in the information sharing business? If I am new to the cybersecurity information sharing community, should I trust someone just because they say they are good at what they do? Should I trust an ISAC or an ISAO just because someone else does? How do I know those who are part of a particular ISAC or ISAO know what they are receiving is of any value? Trust comes from experience, but it can also be bolstered by third parties who verify that a set of criteria, called a standard, is met. Should we simply trust people and entities just because they say to? Maybe. Heck, I’m a great guy. Just ask me.
Colonel (RET) Allen Shreffler
LMI, Senior Cybersecurity Consultant
About the author
Allen Shreffler is the Director of Lifecycle Management of the ISAO Standards Organization and a Senior Cybersecurity Analyst at LMI, a non-profit consulting firm dedicated to advancing the management of government. He is a 32-year Army veteran and served as the Director of Intelligence at the US Army Network Enterprise Technology Command (NETCOM).