When we look at the information security field, can we see any entity that can claim to truly represent it? Is there an independent mechanism that those who wish to engage an information security professional can employ to gain some level of confidence that he or she has a base level of expertise, adheres to an agreed set of ethical values, hasn’t a criminal background and can be held accountable for his or her performance?
As far as I can see, the answer is no. So I suggest that it’s time we take a serious look at how we can professionalize our field and examine how we present ourselves to and interact with those outside of the field, be they at corporate or government level.
This will be no easy task. Information security is a niche, but encompasses many areas of specialisation and there is a lot of disparity within the field. There are also many other considerations such as international issues, how to ensure that the solution does not create more problems (for example, by becoming a “closed shop” preventing new entrants into the industry) and how to ensure large firms do not gain a competitive advantage over others.
Still, isn’t finding solutions to hard problems the reason many of us enjoy working in the information security field?
Brian Honan is an independent security consultant based in Dublin, Ireland, and is the founder and head of IRISSCERT, Ireland's first CERT. He is a Special Advisor to the Europol Cybercrime Centre, an adjunct lecturer on Information Security in University College Dublin, and he sits on the Technical Advisory Board for a number of innovative information security companies. He has addressed a number of major conferences, wrote the book ISO 27001 in a Windows Environment, and co-authored The Cloud Security Rules. He regularly contributes to a number of industry-recognized publications and serves as the European Editor for the SANS Institute's weekly SANS NewsBites.