Certifications can be good or bad?
SANS Newsbites reports:
Breaches Point to Problems with FISMA (12 June 2006)
Some observers are hopeful that recent data security breaches at US government agencies could prompt changes to the Federal Information Security Management Act (FISMA). They say FISMA certification and accreditation requirements consume large portions of IT budgets, leaving the actual implementation of security measures under-funded. The OMB has given no indication that FISMA will be amended.
This is an interesting issue.
On the one hand, a recognized certification process can be a good thing. Organizations that have achieved the certification have, presumably, reached a quantifiable level of achievement.
You expect a certain level of excellence, for example, from an ISO 9001 certified organization, or from a CMMI Level 5 certified software development firm.
But there is a dark side.
Certification and recertification processes require significant overhead. In a resource-constrained organization, simply putting forth the effort to achieve and maintain a certification may leave few resources for actually performing its duties!
I try to bring this home by thinking about my local mom-and-pop bagel shop. Suppose we introduce a “bagel quality certification.” Shops not meeting the standard will be heavily taxed, and may not receive permits allowing them to operate.
I can imagine that even in a case where the certification requirements were low, this would place a significant burden on the shop…
The same could be true for governmental organizations that FISMA governs. But only to an extent. Eventually just about every governmental organization will be able to increase funding to meet the mandate. This, in turn, invariably leads to higher taxes, which, in the very long run, reduces the number of patrons to my favorite mom-and-pop bagel shop…
I won’t get started on the economics here, but the point is clear. Certification systems are great. Legislated performance is great. Both must provide a path to increased value that exceeds the cost of implementation. Otherwise something will invariably suffer. Quality, innovation, service… Something will give.
Bill