Information security professionalism requires both credentialing and codes of professional practice

It's time for information security practitioners to be recognized as professionals.


Cyber and information security literature – including the accompanying reader comments – continually debates the merits of professional certification for cyber and information security practitioners.

Some consider certifications an acknowledgment by an independent organization of their expertise in the security discipline. Others consider them a money grab by those same organizations and believe that certifications prove nothing.

Since I hold a number of certifications, I'll understand if you feel that I have a personal stake in advocating for these certifications. But I believe the issue is greater than that. Given the prominence of security, the risks involved and the public's concerns, the better question may be whether it is time for security practitioners to be recognized and regulated as a profession rather than as an occupation or industry and, if so, what obligations such a profession would face.

Our profession's experts come from various disciplines and do not follow a single path to success. I've seen firsthand truly outstanding and innovative professionals who mastered their trade through the school of hard knocks: informal yet rigorous experience, disciplined self-study and continuous learning.

Other professionals I have encountered apply their impressive academic backgrounds, or their experience as business leaders, to lead very effective security functions. Many, including newcomers to the profession, formalize their knowledge by attending training courses and eventually demonstrate that knowledge by attaining certifications.

Our profession's challenge is that the public (including hiring managers) does not know how to properly assess the qualifications – technical, business and, yes, integrity – of the security professionals it is hiring.

I'm not sure that current certifications satisfy the public interest and the concerns that come with it. Too often we encounter security consultancies that aggressively promote formal qualifications such as professional certifications but, quite frankly, deliver poor services and products. The scope and quality of penetration tests differ dramatically between consultancies, yet each claims that because its consultants are certified, the test they performed is reliable. A certificate attests that an individual passed an examination; by itself it says nothing about whether the scope of a particular engagement was adequate or the methodology sound. Perhaps the fault lies not with the certified individuals but with the profession's lack of a code of practice.

Unfortunately, too often we in the security community rely on our "clients" to be educated consumers, able to differentiate between well-qualified practitioners who are not certified and certified practitioners who may not be qualified to perform a particular task. That does not even consider the need for the public to differentiate among the many certifications our profession offers.

Peer and employer recognition within technology-related professions has always focused on specific technical abilities rather than on a broader set of skills. The ability to bring superior knowledge to bear on a technology problem is what motivated many technology professionals and earned their peers' respect. Many employers, in pursuit of the latest technology skills, would consider in hiring decisions only candidates with those specific skills, whatever their background, rather than candidates with broad-based backgrounds that could be adapted to solve many types of challenges.

In the short term this was a bonanza for the technicians among us, bringing numerous job opportunities and higher pay. In the long term it turned into a disaster for information systems professionals, who were unable to acquire the broad business skills needed to rise in the corporate hierarchy or to lead the more influential executive consulting practices.

Perhaps we can learn from other professions. Being a CPA in addition to maintaining some of the traditional information security credentials (e.g., CISSP, CISM and CISA), I've experienced differences between the professions, but none as pronounced as the one related to competence. The following is extracted from Section 201 of the American Institute of Certified Public Accountants "Code of Professional Conduct and Bylaws":

"A member's agreement to perform professional services implies that the member has the necessary competence to complete those professional services according to professional standards, applying his or her knowledge and skill with reasonable care and diligence, but the member does not assume a responsibility for infallibility of knowledge or judgment.

Competence to perform professional services involves both the technical qualifications of the member and the member's staff and the ability to supervise and evaluate the quality of the work performed. Competence relates both to knowledge of the profession's standards, techniques and the technical subject matter involved, and to the capability to exercise sound judgment in applying such knowledge in the performance of professional services. The member may have the knowledge required to complete the services in accordance with professional standards prior to performance. In some cases, however, additional research or consultation with others may be necessary during the performance of the professional services. This does not ordinarily represent a lack of competence, but rather is a normal part of the performance of professional services.

However, if a member is unable to gain sufficient competence through these means, the member should suggest, in fairness to the client and the public, the engagement of someone competent to perform the needed professional service, either independently or as an associate."

Perhaps a similar commitment from those security practitioners who maintain certifications is what is required to promote and recognize information security as a "learned profession." When a state regulates a learned profession such as accounting through licensure, some aspect of protecting the public's interest is generally involved.

For example, in New Jersey, licensed professions and occupations are regulated by the Division of Consumer Affairs. But that would also require those security practitioners who do not believe in certifications to recognize that some method of independently validating an individual's competency (typically by testing) is also required to promote the profession and protect the public's interest.

Copyright © 2017 IDG Communications, Inc.
