Professionalism in Information Security
The information security industry continues to be under the spotlight in the wake of the almost daily occurrence of highly publicized data breaches, credit card frauds and phishing attacks. The challenge we as information security professionals must address is to proactively plan against the various threats we now face, rather than simply reacting to problems through point solutions. What is needed is a holistic approach to security and governance - and much more engagement with business owners and directors.
With all of the publicity surrounding the latest raft of security threats, senior business executives are becoming increasingly aware of the effects these can have in terms of loss of corporate reputation and damage to public and customer confidence. They are, not surprisingly, looking at the information security practitioner to provide guidance in a professional manner. What they are, in effect, seeking is a professional approach to information security, in much the same way as they are required to demonstrate their professionalism in accounting, legal or human resource matters.
Characteristics of a profession
So, what does professionalization entail? Essentially it is a ‘licence to practice’, based around a core of specialist knowledge, skills and disciplines, regulated by a professional body and, crucially, with business recognition of its value. This would normally comprise the following:
• A commonly agreed body-of-knowledge
• Code of ethics and disciplinary process
• Key competences, skills and disciplines
• A professional community which engages in knowledge sharing
• Training, development and mentoring.
What is there currently?
There are a variety of certifications and qualifications currently available in the information security space, including:
• CISSP - currently the most widely adopted certification globally
• CISA/MIIA - auditing qualifications which contain an element of information security knowledge
• CISM - recognising the specialist area of security management, and the associated management responsibilities
• MSc Infosecurity and other courses from a small number of recognised universities
• CLAS, CHECK, CREST and other specialist courses in specific disciplines.
These have all helped to establish areas of specialist knowledge, and have raised the standard by testing for knowledge in those areas. However, there is a concern that while someone may have attended a boot-camp training course, immediately followed by an examination, there is no assurance that they have the skill or competence to apply that knowledge in a practical, operational situation. What is needed is a process which scrutinises the way a candidate has demonstrated the appropriate application of knowledge in real-life practical situations.
Hallmarks of professional behaviour
The key characteristics of a professional approach to information security are:
• The possession of, and competent application of, relevant and up-to-date knowledge
• Knowing where personal limitations might lie, and demonstrating and declaring a clear understanding of this
• A willingness to share skills and knowledge to promote greater understanding
• A respect for, and willingness to comply with and appropriately use or reference, recognised methodologies, process descriptions, operating practices and frameworks, as appropriate to information security
• Shared views and values of professional behaviour and the professional body
• Continued professional development, maintaining knowledge and skills to ensure they remain current and relevant.
Professional competences for information security
The requirements of a professional approach to information security can be broadly grouped in terms of the following types of skill and competence:
• Technical
• Process
• Managerial
• ‘Soft skills’ such as communication and influencing
• Professional contribution.
The IISP (Institute of Information Security Professionals) was formed just over two years ago. It has developed a ‘skills and competence’ matrix comprising 33 different skill areas, which can be used as a basis for developing and assessing those of its members who are seeking to gain Full Membership accreditation. The key skills defined are:
• A1 – Governance
• A2 – Policy and Standards
• A3 – Information Security Strategy
• A4 – Innovation and Business Improvement
• A5 – Information Security Awareness and Training
• A6 – Legal and Regulatory Environment
• A7 – Third-Party Management
• B1 – Risk Assessment
• B2 – Risk Management
• C1 – Security Architecture
• C2 – Secure Development
• D1 – Information Assurance Methodologies
• D2 – Secure Testing
• E1 – Secure Operations Management
• E2 – Secure Operations and Secure Delivery
• E3 – Vulnerability Assessment
• F1 – Incident Management
• F2 – Investigation
• F3 – Forensics
• G1 – Audit and Review
• H1 – Business Continuity Planning
• H2 – Business Continuity Management
• I1 – Research
• I2 – Academic Research
• I3 – Applied Research
• J1 – Teamwork and Leadership
• J2 – Delivering
• J3 – Managing Customer Relationships
• J4 – Corporate Behaviour
• J5 – Change and Innovation
• J6 – Analysis and Decision-Making
• J7 – Communication and Knowledge-Sharing
• K1 – Contributions to the Community
• K2 – Professional Contributions
• K3 – Professional Development
The above list indicates the broad range of skills represented by our profession, and the intention is that each candidate will have a unique profile embodying a mix of these skills. The professional assessment for membership seeks to determine that the individual possesses the appropriate skill level (on a 1-4 scale) across the above spectrum, with minimum thresholds and core skills areas. Further information can be found at www.instisp.org.
The Full Membership accreditation
This is a three-stage process:
1. Initial candidate application and self-declared competence and evidence, paper-reviewed by assessor
2. Professional interview with two peer interviewers
3. Moderation and final approval by Institute’s Accreditation Committee.
The process is now well under way, with several hundred people expected to have achieved the Full Member accreditation during the course of 2008. There are also several working groups, and an active corporate membership group developing initiatives of real value to corporate members and government bodies.
Looking forward
In line with the continued demand for recognised professionals in information security, we see the IISP moving forward in the following way:
• Consolidation in the UK, with an emerging branch structure, and active working groups that are defining further areas of process and discipline
• Internationalisation, initially into Europe, North America and Asia, focusing on areas of demand, or where the Institute currently has existing member clusters
• Development of further specialist areas
• An improved information security service to organisations and business in general
• Enhanced governance and data stewardship.
Ultimately, the intention is to help ensure fewer breaches and a reduced impact from those that do occur, which after all is what we are all striving to achieve!
The author
Gerry O’Neill is Chief Executive Officer of the Institute of Information Security Professionals.