This article can also be found in the Premium Editorial Download "Information Security magazine: Keeping on top of risk management and data integrity essentials."
Download it now to read this article plus other related content.
I recently received a brochure promoting the Certified in Homeland Security (CHS) program, offered by the Missouri-based American College of Forensic Examiners Institute (ACFEI). The four-color glossy brochure was impressive, and chock full of patriotic imagery and allusions to 9/11. The mission of the CHS program, it reads, is "to unite and coordinate...the private sector with public and private first responder organizations and agencies as well as the government...to achieve the maximum level of preparedness to anticipate, prevent, and respond to acts of terrorism to protect our nation, communities and families." Admirable goals.
Imagine my surprise, then, when I discovered that I immediately qualify for certification. Turns out the CHS is open to just about anyone even remotely related to homeland security: IT pros, military, law enforcement, firefighters, dentists, psychiatrists...even accountants. All I had to do to obtain the entry-level CHS certification was to fill out the attached application (which details my experience, including my education and certifications in security) and mail in my check (the certification fee is $365, but you also have to be a member of the ACFEI, which costs $130 per year). No examination. No independent verification of my credentials or experience.
OK, I'll admit to being little naÏve about these things. Spam filters are clogged with e-mails from no-name universities offering
But problems with these other certifications are a blip on the radar screen compared to certifications like the CHS. First of all, this is a homeland security certification. If this were a certificate for landscapers, I wouldn't be making such a big stink. But, we're talking about matters of great weight and gravity here: public safety, health and welfare, and national security.
A legitimate professional credential, with a rigorous process for verification of experience and expertise, would be of great value to the public and the security community. Instead, in the CHS, we get a Cracker Jack certification that hurts everyone involved: the cert holders, prospective employers, other security certification bodies and, most importantly, the public--the consumers who rely on the CHS to stand for something real.
The ACFEI's willingness to rubber stamp lower-level CHS certifications is a shame because it damages the legitimacy of its higher-level CHS certs. Here's how it works: The ACFEI offers five CHS levels, from the basic to the advanced. Only the last two (CHS-IV and CHS-V) require an examination. Let's assume, for a moment, that the CHS-IV and -V are legitimate certifications based on mastery of a common body of knowledge leading to the successful completion of an extensive examination (as is the case with the CISSP, GIAC, CISA and just about every other security certification). Holders of these advanced CHS certs suffer "guilt by association." Their hard-earned CHS-IV or V, which do certify a specific knowledge base and skill set, are tarnished by the CHS-I, II and III, which do not.
I'm sure the ACFEI is a valuable association for its members. And, I'm sure the association counts many competent, knowledgeable forensics experts among its ranks. But, why undermine and cheapen all of this to make a quick buck? Security is more important than that.
This was first published in April 2005