professionalizing IT security

Toronto, 2013.10.10
Nearly a year ago, I came across a well-written piece on the state of the IT security field, and what's wrong with it. At the time, I left a comment which I'll paraphrase here:

Through failing to professionalize we have invited the attitude that IT is a commodity function within which there is little differentiation between practitioners and no sufficient differentiation between veterans of the local industry and outsourced alternatives half a world away.

To be honest, the certifications alone don’t really cut it. The PMP is probably the widest-recognized credential in the IT industry as a whole, but I did my PMP within four months. By comparison with the accounting field, a Canadian CMA designation can take five years and that doesn’t cover all of the ground that a full CA does. I know brilliant and hard-working people in InfoSec who don’t even perceive the value of taking a CISSP.

I perceive that things are getting considerably more difficult across the board as we deal with: outsourcing of key IT functions; aging out of the industry at 40; the high turnover; the lack of employers willing to train; the high rate of change in the technology, its uses, and the threats; and the general unease with which management still treats IT issues.

The same other, a Briton by the name of Matt Palmer, has since followed up last year's article with an outline for professionalizing the field. My favorite of the recommendations:

Define instead the core areas in which a professional should be competent. That means knowledge, skills, and ethics.

Define a clear global ethical framework all professional security bodies can adopt. Revoke certifications and accreditation publicly after a rigorous and visible investigation when people behave unethically.

Abolish grandfathering. It’s just pla(i)n embarrassing.

Abolish the one cert, one-exam concept. It’s nonsense. A certification such as CISSP, in the context of a functional profession, should be at least 10 exams over 3-5 years.

The only thing I could think to add was to develop a curriculum of continuing education that is offered by someone other than bloody vendors. How can we treat product demos as seminars?

leave a comment

By submitting this form you agree to the privacy terms.