Recently in Certification Category

Licence to practice information security?

Here in the UK, you need a licence to drive a car, or watch television. You also need a licence to go fishing. You don't need a licence to have a child - unless you want to adopt or foster somebody else's. In those circumstances you have to undergo a thorough assessment of everything from sexual orientation to your preferred brand of tea. However, there is no licence to prevent two neanderthal inhabitants of the British underclass from mating, producing and then leaving their offspring to rot in squalor. The result is stories such as this one here, where a mating pair took their hungry pup out to the pub, or this now infamous tale of the mother who organised the kidnapping of her own daughter in order to claim a ransom.

Some other things you'd need a licence for: to operate as an acupuncturist, own an airgun, run a butcher's shop, hold a car boot sale, operate as a debt collector, give public demonstrations of hypnosis, run a lottery, or hold a public procession. And if your name is James Bond, you require a licence to kill.

A few years ago there were rumblings of proposals to license IT security professionals as part of the Private Security Industry Bill. The resulting Security Industry Authority currently licenses guards, wheel clampers and a variety of others (read more here). IT and information security professionals do not require any qualifications or licence to practice. There are plenty of certifications around but none of them are obligatory. It's up to the employer, and the individual. I've worked with plenty of very skilled and knowledgeable individuals who have no security-specific certifications and encountered a few not so accomplished who have one or more.

Given the information security disasters of 2008, should we be heading for a time where information security professionals are obligated to be licensed to practice? Would it make any difference, or make those of us in the industry more accountable?

Additional note: added 8 January

The idea of a parental "breeding licence" has actually been proposed before. "Prime Minister" Jim Hacker mentioned it in a classic episode of Yes Prime Minister. See below.

Open University course on forensics

Only a couple of weeks to go until I commence a new course through the Open University entitled Computer Forensics and Investigations. You can read more about what this course offers online here.

While the course will not make me an expert on the subject, it should be a good primer for further work, and give me some extra capability within my own organisation.

The Open University is an excellent way to gain new qualifications and I'd recommend it to anyone who can muster up the commitment to study in their own personal time.

Value of CISSP status

It's been a while since I updated my CISSP certification with CPE credits. In fact, I've not even thought about it, even though I've got plenty accumulated, and I was wondering why I continue to pay the annual subscription fee year after year. Am I getting any value from it?

On saying that, I've been giving some encouragement to a techie in the office who is presently working towards his own CISSP certification. Working through the various domains seems to have sparked a deep interest in the subject for him, and I'm pretty sure that by the time he comes to sit the exam he'll have an excellent foundation of relevant knowledge.

(ISC)² say that the CISSP provides information security professionals with not only an objective measure of competence but a globally recognized standard of achievement. For my own part, if I'm recruiting a security analyst then I'll favour the CVs of those who have the certificate - in fact, I'd make it a requirement on the job spec. It shows me that it's not just an IT person trying his luck but somebody who has gone out of their way to get professional recognition. It doesn't guarantee they'll be brilliant at their jobs but it's a good place to start.

So, back to the question. Am I getting value from my own certification? Maybe not directly anymore but it helped get my foot through the right doors when I needed to and I recognise the work that's required to achieve it. I'm going to submit my CPEs today and bring my account up to date.

Professional Accreditation - IISP


Today I can add a few more letters to my business card: M.Inst.ISP. Few of you will yet be familiar with what this stands for. It means Member of the Institute of Information Security Professionals and it signifies an endorsement of "knowledge, experience and professionalism" in the field of information security.

I'm proud to be one of the first individuals to achieve this accreditation. The Institute may still be in its infancy but its objective is to "advance the professionalism of information security practitioners and thereby the professionalism of the industry as a whole." As it states here:

"By the year 2010 the institute aims to provide a universally accepted focal point for the information security profession." In addition, IISP aims "to act as an accreditation authority for the industry, and Membership and Fellowship of the Institute will be the internationally accepted gold standard for information security professionals."

Achieving full membership is based on attested experience, professional references, and the ability to impress an interview panel and accreditation committee. In my mind this makes it a far more valid measure than a one-off exam such as the CISSP.

It remains to be seen exactly how successful the organisation is at achieving its goals; however, I'll be supporting it and doing what I can to contribute to its growth.

You can read more about the IISP on their website here.

CISSP - is it worthwhile?


I was disappointed to learn that one particular large business in London has opted to stop considering job applicants who hold a CISSP certification. This, apparently, results from candidates who hold the certification failing to impress at interview. Unfortunately I can't link to any references for this particular information; however, it originated in person from a senior authority within the industry.

With this being the case, it somewhat undermines at least two of the core objectives of the certification. The ISC2 website describes these as follows:

Benefits of Certification to the Professional

  • Demonstrates a working knowledge of information security
  • Confirms commitment to profession
  • Offers a career differentiator, with enhanced credibility and marketability
  • Provides access to valuable resources, such as peer networking and idea exchange

So, is the certification still worthwhile making the effort for? Yes it is! There will always be a minority quick to rubbish the value of qualifications - unfortunately some of those individuals are going to be in positions of responsibility, to the detriment of people working hard to get ahead in their careers.

I'm also not doubting that there are going to be some who have the qualification but don't make good job candidates. That doesn't diminish the value. It is what it is: a tough paper-based exam which demonstrates that an individual has knowledge. It is not a test of character or technical skill.

So, for those of you working and studying hard to achieve the CISSP, don't be disheartened. There will always be a small number of cynical old sods out there ready to rubbish hard-earned qualifications.

ISO 27001


I really enjoyed reading the interview with Adrian Asher in the latest edition of SC Magazine. Adrian is global head of security for Betfair: a company with more than a million registered customers, processing as many transactions each day as the London Stock Exchange. I think that's a security challenge most of us would like to get our teeth into.

Adrian mentions an impending ISO27001 audit and it started me off wondering if perhaps I'm guilty of neglecting this important standard. For those of you who are not familiar, ISO 27001 is regarded as the de facto standard for establishing, maintaining, and improving an Information Security Management System (ISMS). Achieving certification against the standard is evidence that an organisation takes information security seriously.

I'm certainly not unfamiliar with the standard, having documented a gap analysis for my organisation a couple of years ago. What I wasn't able to do was build a convincing business case for proceeding with a project to achieve certification. At the time, being ISO27001 certified wasn't viewed as adding value to an organisation that already had in place many mature risk and information security management processes.

I now find myself wondering if this wasn't short-sighted. I've been re-reading the standard and also reading about how others have gone about their own programme of certification and the benefits they achieved from it. The aforementioned Betfair, for instance, are reported as now being able to "demonstrate its commitment to the integrity of its information systems, assuring its customers of optimum security for personal details." The CEO of CHKS, a medical consultancy organisation, stated that "ISO 27001 has provided a rigorous standards framework against which we can be objectively measured. We are delighted to have achieved this internationally-recognised certification especially as the role of IT in corporate governance continues to expand". Monitor Media, a solutions development organisation who also achieved certification, state "Though we've always taken the issues of information security extremely seriously, it was nevertheless appropriate to invite an external audit from a tough and respected body like the BSI."

There are many more examples I could quote from. In short, the message is that becoming ISO27001 certified is an indication not only of taking security seriously, but also of following a good process of governance that can be recognised within the business and by customers too. Win-win.

There are many other positive reinforcements of the message that certification is a good thing, such as the blog posting here from Brian Honan. In fact there appear to be few, if any, downsides other than managing one's resources sufficiently and making the time to commence a certification project.

So, I'll be thinking about ISO27001 over the coming months and looking for the opportunity within my own organisation. I'll let you know how it goes.

CISSP - is it worth it?


There is still plenty of debate on the airwaves about the value of the CISSP certification. Martin McKeay on his Network Security blog states "it's not meant to measure someone's networking knowledge and using it to do so won't work." He's right of course, in the same way as passing a test on the Highway Code doesn't mean you have the ability to reverse into a parking space. But for all the criticism I'll make one point: it is a difficult exam that does require a lot of knowledge to be sure of passing. One could argue that someone might pass based on their theoretical knowledge alone, but I'm not sure that it matters, because if a person is willing to put the effort into the learning process then they should be given a chance to gain the practical skills too.

Another blog makes the point that "I think the root of the problem is the concept that the CISSP somehow measures technical competence." The root of what problem? I don't see it - the only problem I can see is cynical, long-in-the-tooth professionals who turn their noses up at people attempting to enter their clique through the hard study and certification route.

The CISSP certification (which I'm proud to have achieved) demonstrates a willingness to apply self-motivated effort to an in-depth and often complex subject matter. I had a colleague a few years ago who sponsored himself through a private pilot licence training course on single-engined aircraft. That didn't mean he then had the skills to fly multi-engined passenger jets, but it did demonstrate his willingness and enthusiasm for flying. It was that which got him picked to join an airline training programme and he now flies big jets.

So, my advice to those contemplating sitting the CISSP exam: go for it, and good luck!

Opinion on the IISP


I'm proud to have been one of the first members of the new Institute of Information Security Professionals (IISP). For those of you who have yet to hear about this organisation, its ambition is "to set the standard for professionalism in information security, and to speak with an independent and authoritative voice on the subject." It certainly has an authoritative leadership, with Nick Coleman, former IBM head of security services, acting as CEO, and input from the likes of Fred Piper and David Lacey.

The Institute hopes to legitimise infosec professionals in much the same manner as solicitors and accountants need to be chartered and qualified before they can practice. It's a lofty goal because it's such a wide-ranging subject area with a vast array of different types of people who all consider themselves professionals in their field. John Madelin outlines some of the challenges faced over in his own blog, particularly where he states "The subject extends out in every direction to an increasingly distant and somewhat ambiguous boundary." You can read his blog here.

Over in IT Week, Phil Muncaster made the point last year about information security that "it's not really a profession." And he was not wrong - right now it's a collection of individuals with backgrounds ranging from software development to network tinkering to the military who found themselves engaged in information security. And what do we mean by the term "information security professional?" I certainly place myself within this category but I don't have the knowledge to configure a router. Conversely I know plenty of people who can configure router security but don't consider themselves to be security professionals. In fact, many people I know who perform security-related tasks would rather have needles stuck in their eyes than be considered full-time security professionals. So is the IISP aimed at those individuals too? Should it be?

I do think that membership offers legitimacy. It demonstrates individual commitment to the profession beyond being able to complete the multiple choice questions required to achieve a CISSP. There is, however, and I think that Nick Coleman will agree, a fair way to go. Professional membership status will strengthen the external view, but I'm not yet sure how much value this will offer individuals over and above professional membership of the British Computer Society and their well established - and recognised - programmes for certification.

I'll be interested in your own thoughts on this subject. Are you considering membership?