My own views regarding this topic fall squarely into the pro side of the debate, and I will tell you why I think we need to look at this issue.
Our industry has grown from being a very niche and often overlooked discipline within the IT field to one that is recognised as critical in protecting the data, systems and infrastructure that many rely on daily. This has also led to the information security industry becoming one of the fastest-growing markets within IT. A recent report from Market and Markets claims the global information security market will grow to US $120 billion by 2017, at an annual growth rate of 11.3%.
Many countries have recognised how important information security is to their own national security and have developed cyber security strategies to secure their critical network infrastructure.
Needless to say, with this estimated growth and government interest, a lot of players will be looking to move into the field. Many of those will have highly trained, skilled and professional staff and should be welcomed, especially when there is a shortage of experienced professionals in the sector and the information security field currently reports a 0% unemployment rate. Unfortunately, there will also be many who see this as an opportunity to make huge amounts of money by providing below-par services to clients. This will reflect poorly not only on them, but on the industry as a whole.
At the moment, there is not much that can be done to prevent anyone from claiming to be an information security expert. Indeed, experienced professionals in the field have taken to online forums and Twitter to lament the lack of quality work many of them encounter when working with clients. We often hear of vulnerability scans being passed off as penetration tests, products being touted and sold as silver bullets for any and every security problem, or compliance checklists being used to determine whether an organisation is secure.
The “caveat emptor” (let the buyer beware) principle can be applied to the above anecdotes, and it can also be pointed out that the affected companies should have done their research in order to select the most appropriate individuals to help manage their issues. But have we ever stopped to consider how a company could do this in a timely manner, particularly in a field where it already lacks expertise? A mechanism by which customers could independently verify the credentials, expertise and professionalism of those they are about to do business with could help address this issue.
Another cause for concern is the lack of accountability when the quality of work is not at the expected level. There is currently no effective mechanism within the information security industry for individuals or companies to be held accountable for subpar or unfit products or services. Customers taken advantage of by these individuals have little or no recourse, apart from an expensive court case, to highlight the problems they have experienced and to alert others so that they are not victimised too. An independent body (such as those seen in many other professions) with the ability to withdraw a company’s or an individual’s professional standing could be an option for these customers.