A New Certification for Mobile Device Security Assurance?

The Credentialed Mobile Device Security Professional cert is just getting underway, so it's still something of an unknown quantity. I spent an interesting hour on the phone with Mobile Resource Group's Peter Coddington recently, however, and came away convinced that the program is both worthwhile and highly marketable. IT pros interested in a vendor-neutral certification aimed at promoting secure computing involving mobile devices and access will definitely want to look into this offering.

The Mobile Resource Group is a Baltimore-based holding company that offers the CMDSP certificate. PaRaBaL is another Baltimore-based "mobile enablement" company that specializes in implementing mobile access solutions and security for companies and organizations, primarily at the enterprise level. Coddington heads up both organizations and is an eager evangelist for the new certification. That said, Coddington has also done everything he can to keep the two organizations discrete and disjoint, to the point where he himself is the only common human element between them.

The CMDSP program was recently (2013) established to meet a need for vendor-neutral coverage of mobile device security concepts, tools and techniques. As Coddington and I agreed by phone, there aren't that many certifications of any kind that address mobile security topics. Some certs cover mobile security in passing, as is the case for numerous all-purpose vendor-neutral security certifications like those offered by SANS, CompTIA, (ISC)², ISACA and so forth.

The few credentials that do directly address mobile security are vendor-specific and tangential, tied either to particular mobile platforms or to specific security solutions that offer a mobile device management (MDM) component.

What makes the CMSDP interesting and potentially valuable, therefore, is that it takes a vendor-neutral approach to the security concerns involved in protecting corporate resources, maintaining data security and integrity (at rest and in motion), and establishing and enforcing policies and access controls to promote and protect safe computing.

This mindset must prevail, no matter what kinds of mobile devices may be in use, and no matter to whom the devices in question belong. Mobile security is complicated in that the devices themselves are typically pulled from a mixed bag that contains iOS, Android, and often other mobile device OSes as well. And while plenty of mobile devices in use still belong to employers, rather than employees, BYOD is very much on the upswing.

The primary target for the CMDSP is IT professionals who are responsible for managing mobile device use at the enterprise level, a job role that the CMDSP language identifies as a "mobile IT administrator." Here's how the CMDSP Training page describes someone who earns this credential: CMDSP individuals are security practitioners who are expert in managing mobile devices so that his/her enterprise can use mobile devices securely without exposing the enterprise to any vulnerabilities.

Furthermore, credentialing expert Jan Paul Miller (a contractor to the Mobile Resource Group who helped to design the certificate program) describes a person who has earned the CMDSP as follows: A Credentialed Mobile Device Security Professional (CMDSP) is an information technology professional experienced in managing mobile IT duties within an organization. This professional's duties typically entail installing and integrating various components of a mobile security system into an organization's IT architecture and ecosystem.

The pros of this certification are as follows, as far as I can tell based on currently available information:

? The credential meets a marketplace need hitherto unmet by other, already available mobile device oriented certifications.
? The credential has been designed and vetted by experienced working professionals deeply enmeshed in the subject matter.
? The Mobile Research Group has hired a well-known professional psychometrics firm to handle job task analysis and exam item development using industry best practices for certification exam development and delivery.

Potential cons to this certification include the following elements:

? The sponsoring organization has taken steps to keep its hands off the certificate program, but that same company (PaRaBaL) is one of only two authorized training providers for the CMDSP exam. The other, CWSI, is a well-known mobile IT integration company in Ireland and the United Kingdom.
? Training attendance will be required to earn the CMDSP, and training costs $1,795 for a 2-day class (in the U.S., at PaRaBaL). That's a fairly high rate per classroom seat per day, compared to other training center costs.
? The program hasn't been around very long, so there's no access to ratings or feedback from attendees. Likewise, employers have yet to register the credential on their radars, nor have they started widely requesting employees to earn the CMDSP, nor made much mention of the CMDSP in job postings.

What does all this mean? IT professionals charged with mobile device security will definitely want to check out the CMDSP. Those IT pros who need training and knowledge in this area should consider taking the training class and chasing the CMDSP credential.

There's strong potential for the CDMSP to have staying power and real value, but that's yet to be demonstrated and proven. When I select credentials for inclusion in the "best of" lists that I put together at Tom's IT Pro, for example, some of my criteria include the following items where it makes sense to incorporate them:

? Five or more years of independent operation (for new, or newish topics like Mobile Device Security, I'm willing to set this one aside)
? A certified population of 5,000 or higher (for new topics, this number can be reduced, but not set to zero)
? Frequent mention in job postings, hiring ads, and so forth (a basic and necessary test of value)
? Name recognition and perceived value that justifies time, money and effort required to earn the certification (another basic and necessary test of value)

As things stand right now, the CMDSP is so new it currently meets none of these criteria. But all new cert programs have to start somewhere, at some time or another. I'm latching onto CMDSP earlier than I have for many other IT certifications currently available, because this one shows enough promise and potential value to be very much worth noticing. That is especially true if your job responsibilities include mobile device security, and you've been looking for some input and guidance on how to understand and implement mobile device security at the enterprise level. For such IT pros, the CMDSP shows every sign of playing out as a good career investment.