Hopefully this doesn't come off as "pick on SGS Blog" day, but there was a passing comment in a new post there today that I felt needed a quick comment. Specifically:
"Maybe NBISE, in addition to creating a better breed of cybersecurity practitioner, can help define and grow a corps of energy sector security executives comfortable with working at the BoD and C-suite level."
I've half-watched, with heavy eye-rolling, the early efforts of the National Board of Information Security Examiners (NBISE). My cynicism grows out of seeing tons of certifications in this industry that are meaningless, and yet overhyped as some sort of useful panacea. Much of this can be tied to the CISSP, which was effectively mandated in U.S. DoD Directive 8570.1. The net effect of that mandate has been to see a glut of under-qualified CISSPs in the work force flogging a certificate that they think proves that they're experienced "subject-matter experts." Sadly, having sat through tons of interviews with folks like that, I can tell you that it's not true. Incidentally, completing a SANS course or a basic certification is comparably shallow and only indicative of an interest in career development, not expertise.
Anyway... I could rant on endlessly, but I won't. Instead, I just want to highlight that - as a society - we have never really struck on a good way to assess competency. Degrees, certificates, etc., all provide a baseline measure of the information someone has learned, but they don't generally demonstrate actual competency. Note that many skilled and high-risk professions (e.g., electricians, plumbers, carpenters, doctors, police, firefighters) actually have fairly extensive additional training programs, complete with mentorship or apprenticeship periods that must be completed prior to being allowed to go solo (and, in high-risk professions, "flying solo" is often not allowed as a standard practice). It seems to me that this should be a consideration for our field(s) in the future.
Lastly, I do agree with the overall point of the post (and the original WSJ article): we do need to be reaching out to the Board and educating them on their complete risk profile, including IT (operational) risk. This practice should be part of a standard briefing, provided in business terms, and tied to a commercially reasonable, legally defensible plan of action. But you already knew that... ;)