professionalizing IT security
the journal of Michael Werneburg
twenty-seven years and one million words
Nearly a year ago, I came across a well-written piece on the state of the IT security field, and what's wrong with it. At the time, I left a comment which I'll paraphrase here:
Through failing to professionalize we have invited the attitude that IT is a commodity function within which there is little differentiation between practitioners and no sufficient differentiation between veterans of the local industry and outsourced alternatives half a world away.
To be honest, the certifications alone don’t really cut it. The PMP is probably the widest-recognized credential in the IT industry as a whole, but I did my PMP within four months. By comparison with the accounting field, a Canadian CMA designation can take five years and that doesn’t cover all of the ground that a full CA does. I know brilliant and hard-working people in InfoSec who don’t even perceive the value of taking a CISSP.
I perceive that things are getting considerably more difficult across the board as we deal with: outsourcing of key IT functions; aging out of the industry at 40; the high turnover; the lack of employers willing to train; the high rate of change in the technology, its uses, and the threats; and the general unease with which management still treats IT issues.
The same other, a Briton by the name of Matt Palmer, has since followed up last year's article with an outline for professionalizing the field. My favorite of the recommendations:
Define instead the core areas in which a professional should be competent. That means knowledge, skills, and ethics.
Define a clear global ethical framework all professional security bodies can adopt. Revoke certifications and accreditation publicly after a rigorous and visible investigation when people behave unethically.
Abolish grandfathering. It’s just pla(i)n embarrassing.
Abolish the one cert, one-exam concept. It’s nonsense. A certification such as CISSP, in the context of a functional profession, should be at least 10 exams over 3-5 years.
The only thing I could think to add was to develop a curriculum of continuing education that is offered by someone other than bloody vendors. How can we treat product demos as seminars?
rand()m quote
Everything that can be said can be said clearly.
—Ludwig Wittgenstein