Is it time to professionalize information security?

The issue of whether or not information security professionals should be licensed to practice has already been the topic of many a passionate debate. I think it is time to examine the question again and see what we need to do (if anything) in order to provide those outside the information security field with the ability to engage with individuals to whom they can entrust the security of their data and, ultimately, their business.
My own views regarding this topic fall squarely into the pro side of the debate, and I will tell you why I think we need to look at this issue.

Our industry has grown from being a very niche and often overlooked discipline within the IT field to one that is recognised as critical in protecting the data, systems and infrastructure that many rely on daily. This has also made the information security industry one of the fastest growing markets within IT. A recent report from Market and Markets claims the global information security market will grow to US $120 billion by 2017, growing at an annual rate of 11.3%.

Many countries have recognised how important information security is to their own national security and have developed cyber security strategies to secure their critical network infrastructure.

Needless to say, with this estimated growth and government interest, a lot of players will be looking to move into the field. Many of those will have highly trained, skilled and professional staff and should be welcomed, especially when there is a shortage of experienced professionals in the sector and it is known that there is currently a 0% unemployment rate in the information security field. Unfortunately, there will also be many who will see this as an opportunity to make huge amounts of money by providing below par services to clients. This will reflect poorly on them, but also on the industry as a whole.

At the moment, there is not much that can be done to prevent anyone from claiming to be an information security expert. Indeed, experienced professionals in the field have taken to online forums and Twitter to lament the lack of quality work many of them encounter when working with clients. We often hear of vulnerability scans being passed off as penetration tests, products being touted and sold as silver bullets for any and every security problem, or compliance checklists being used to determine whether an organisation is secure.

While the “caveat emptor” (let the buyer beware) principle can be applied to the above anecdotes, and it can also be pointed out that the affected companies should have done their research in order to select the most appropriate individuals to help manage their issues, have we ever stopped to consider how a company could do this in a timely manner, particularly in a field where it already lacks expertise? A mechanism by which customers could independently verify the credentials, expertise and professionalism of those they are about to do business with could help address this issue.

Another cause for concern is the lack of accountability when the quality of work is not at the expected level. There is currently no helpful mechanism within the information security industry for individuals or companies to be held accountable for subpar or unfit products or services. Customers taken advantage of by these individuals have little or no recourse apart from an expensive court case to highlight the problems they have experienced and to alert others so that they are not victimized, too. An independent body (such as those seen in many other professions) with the ability to withdraw a company’s or an individual’s professional standing could be an option for these companies.

With the increasing interest and awareness by governments of the importance of information security to their national security and economic stability, there is a need to ensure that the appropriate input and expertise is being brought to bear on policy decisions that impact us all. Input from independent and trusted bodies, rather than from vested interests such as lobbyists or large corporations, will become more and more essential.

When we look at the information security field, can we see any entity that can claim to truly represent it? Is there an independent mechanism that those who wish to engage an information security professional can employ to gain some level of confidence that he or she has a base level of expertise, adheres to an agreed set of ethical values, hasn’t a criminal background and can be held accountable for his or her performance?

As far as I can see, the answer is no. So I suggest that it’s time we take a serious look at how we can professionalize our field and examine how we present ourselves to and interact with those outside of the field, be they at corporate or government level.

This will be no easy task. Information security is a niche, but it encompasses many areas of specialisation and there is a lot of disparity within the field. There are also many other considerations, such as international issues, how to ensure that the solution does not create more problems (for example, by becoming a “closed shop” that prevents new entrants into the industry) and how to ensure that large firms do not gain a competitive advantage over others.
Still, isn’t finding solutions to hard problems the reason many of us enjoy working in the information security field?

Brian Honan is an independent security consultant based in Dublin, Ireland, and is the founder and head of IRISSCERT, Ireland’s first CERT. He is a Special Advisor to the Europol Cybercrime Centre, an adjunct lecturer on Information Security at University College Dublin, and he sits on the Technical Advisory Board of a number of innovative information security companies. He has addressed a number of major conferences, is the author of the book ISO 27001 in a Windows Environment and co-author of The Cloud Security Rules. He regularly contributes to a number of industry recognized publications and serves as the European Editor for the SANS Institute’s weekly SANS NewsBites.