professionalizing IT security
the journal of Michael Werneburg
twenty-seven years and one million words
Nearly a year ago, I came across a well-written piece on the state of the IT security field, and what's wrong with it. At the time, I left a comment which I'll paraphrase here:
Through failing to professionalize, we have invited the attitude that IT is a commodity function within which there is little differentiation between practitioners and insufficient differentiation between veterans of the local industry and outsourced alternatives half a world away.
To be honest, the certifications alone don’t really cut it. The PMP is probably the widest-recognized credential in the IT industry as a whole, but I did my PMP within four months. By comparison with the accounting field, a Canadian CMA designation can take five years and that doesn’t cover all of the ground that a full CA does. I know brilliant and hard-working people in InfoSec who don’t even perceive the value of taking a CISSP.
I perceive that things are getting considerably more difficult across the board as we deal with: outsourcing of key IT functions; aging out of the industry at 40; the high turnover; the lack of employers willing to train; the high rate of change in the technology, its uses, and the threats; and the general unease with which management still treats IT issues.
The same author, a Briton by the name of Matt Palmer, has since followed up last year's article with an outline for professionalizing the field. My favorites among the recommendations:
Define instead the core areas in which a professional should be competent. That means knowledge, skills, and ethics.
Define a clear global ethical framework all professional security bodies can adopt. Revoke certifications and accreditation publicly after a rigorous and visible investigation when people behave unethically.
Abolish grandfathering. It’s just plain embarrassing.
Abolish the one-cert, one-exam concept. It’s nonsense. A certification such as CISSP, in the context of a functional profession, should be at least 10 exams over 3-5 years.
The only thing I could think to add was to develop a curriculum of continuing education that is offered by someone other than bloody vendors. How can we treat product demos as seminars?