Why Certify? The Significance of ICSA Labs Certification
April 20, 2015
By George Japak, Managing Director, ICSA Labs

When it comes to security, many vendors consider certification of its products by an independent organization an option, not a requirement. However, third party testing is an important element when a company is deciding on technology solutions that are part of its security management program.

Security management programs can be very complex and require a sound foundation of products and services. Much like the foundation of a house, security certification shores up your business’ foundation, enabling what is built on top of it to function as it should.

ICSA Labs Managing Director George Japak shares his thoughts about why security vendors and the enterprises that use their products should not ignore the importance of certification testing.

Before we get into why it is important to be certified, can you give a quick overview of what certification entails?

At ICSA Labs, certification starts with a vendor inquiry. We then provide the vendor a list of certification requirements and we outline the commitment the vendor should expect to make. Certification not only involves the testing that is required to attain a successful outcome, but an agreement and commitment to ongoing certification maintenance.

What is the value of certification?

Providing an ICSA Labs’ certification carries significant meaning. For the vendor or developer, it is an independent mark that signifies that the vendor has attained a milestone and satisfied a rigorous set of standards for its product. Certification is proof of its due diligence and can be a competitive differentiator that provides assurance to its customers.

In the case of the enterprise, certification provides a critical component to the due diligence process. Whether you are spending tens of thousands or millions of dollars for a given technology, you are looking to solve a problem, not invite new ones or get a false sense of security.

Today, data breaches are impacting virtually every type of organization and making the right technology decisions is imperative. Implementing and maintaining a robust security program across an enterprise is a critical task and the foundation of that complex system is the underlying technology that supports it. Knowing those solutions have been ICSA Labs certified creates much needed peace of mind knowing that the product vendor is committed to risk reduction, increased security, trust and, ultimately, usability of its product.

What do you hear most from vendors who chose not to certify?

Budget is of course a frequent reason that vendors choose not to certify their products. This is mostly due to an inability to develop a business case and show a tangible return on investment for the dollars spent on certification testing.

Then there’s the resource requirement. It takes significant resources, dedication and discipline on the part of the vendor to not only moves their product through the rigorous certification testing requirements, but to maintain it afterwards. Not all vendors are up to the challenge.

The question many times is not, “why vendors chose not to get certified,” but “why vendors are not certified.” A few years ago, ICSA Labs published a Product Assurance Report, which reported that 96 percent of products failed the first attempt at certification testing.

How can vendors overcome the challenges to certification?

Certification provides strong proof of due diligence. The unfortunate situation is that many enterprises don’t do much due diligence beyond a product demonstration or a response to an RFP.

Certification by an accredited organization, such as ICSA Labs, immediately signifies that the product was held to the high standard of an independent third-party organization. Ultimately, it comes down to motivation and stimulus.  Motivation comes from the vendor and stakeholders looking to do the right thing — not just flashy marketing material or a demo — and stimulus comes from an enterprise that demands certain requirements.

Why does ICSA Labs’ years of experience in certification testing matter for customers?

ICSA Labs customers  participating  in  our  certification  programs  benefit  from  the  breadth  and  depth  of over 20   years of   expertise in   information   security   product  testing.  By testing and certifying their security products they are contributing to improving the products that benefit their customers and the security ecosystem. ­­We work to continually improve and provide value for all of our stakeholders. 

ICSA Labs will be issuing their Excellence in Information Security Testing (EIST) awards on Monday, April 20 at 6pm PST in the Verizon Booth (N3101) at the RSA Conference in San Francisco. The awards recognize clients that have achieved successful completion of 10, 15, or 20 years of continuous ICSA Labs information security testing.

Comments

Post new comment

  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>

More information about formatting options

CAPTCHA
This question is for testing whether you are a human visitor to prevent automated spam submissions.
Image CAPTCHA
Enter the characters shown in the image.