Certification Archives

February 6, 2007

Opinion on the IISP

I'm proud to have been one of the first members of the new Institute of Information Security Professionals (IISP). For those of you who have yet to hear about this organisation, its ambition is "to set the standard for professionalism in information security, and to speak with an independent and authoritative voice on the subject." It certainly has an authoritative leadership, with Nick Coleman, former IBM head of security services, as acting CEO and input from the likes of Fred Piper and David Lacey.

The Institute hopes to legitimise infosec professionals in much the same manner as solicitors and accountants need to be chartered and qualified before they can practise. It's a lofty goal because it's such a wide-ranging subject area with a vast array of different types of people who all consider themselves professionals in their field. John Madelin outlines some of the challenges faced over in his own blog, particularly where he states "The subject extends out in every direction to an increasingly distant and somewhat ambiguous boundary." You can read his blog here.

Over in IT Week, Phil Muncaster made the point last year about information security that "it’s not really a profession." And he was not wrong - right now it's a collection of individuals with backgrounds ranging from software development to network tinkering to the military who found themselves engaged in information security. And what do we mean by the term "information security professional?" I certainly place myself within this category but I don't have the knowledge to configure a router. Conversely I know plenty of people who can configure router security but don't consider themselves to be security professionals. In fact, many people I know who perform security related tasks would rather have needles stuck in their eyes than be considered as full-time security professionals. So is the IISP aimed at those individuals too? Should it be?

I do think that membership offers legitimacy. It demonstrates individual commitment to the profession beyond being able to complete the multiple choice questions required to achieve a CISSP. There is, however, and I think that Nick Coleman will agree, a fair way to go. Professional membership status will strengthen the external view but I'm not yet sure how much value this will offer individuals over and above professional membership of the British Computer Society and their well established - and recognised - programs for certification.

I'll be interested in your own thoughts on this subject. Are you considering membership?

September 13, 2007

CISSP - is it worth it?

There is still plenty of debate on the airwaves about the value of the CISSP certification. Martin McKeay on his Network Security blog states "it's not meant to measure someone's networking knowledge and using it to do so won't work." He's right of course in the same way as passing a test on the highway code doesn't mean you have the ability to reverse into a parking space. But for all the criticism I'll make one point: it is a difficult exam that does require a lot of knowledge to be sure of passing. One could argue that someone might pass based on their theoretical knowledge alone but I'm not sure that it matters because if a person is willing to put the effort into the learning process then they should be given a chance to gain the practical skills too.

Another blog makes the point that "I think the root of the problem is the concept that the CISSP somehow measures technical competence." The root of what problem? I don't see it - the only problem I can see is cynical, long-in-the-tooth professionals who turn their noses up at people attempting to enter their clique through the hard-study-and-certification route.

The CISSP certification (which I'm proud to have achieved) demonstrates a willingness to apply self-motivated effort to an in-depth and often complex subject matter. I had a colleague a few years ago who sponsored himself through a private pilot licence training course on single-engined aircraft. That didn't mean he then had the skills to fly multi-engined passenger jets, but it did demonstrate his willingness and enthusiasm for flying. It was that which got him picked to join an airline training programme, and he now flies big jets...

So, my advice to those contemplating sitting the CISSP exam: go for it, and good luck!

October 1, 2007

ISO 27001

I really enjoyed reading the interview with Adrian Asher in the latest edition of SC Magazine. Adrian is global head of security for Betfair: a company with more than a million registered customers processing as many transactions each day as the London Stock Exchange. I think that's a security challenge most of us would like to get our teeth into.

Adrian mentions an impending ISO 27001 audit, and it started me wondering if perhaps I'm guilty of neglecting this important standard. For those of you who are not familiar, ISO 27001 is regarded as the de facto standard for establishing, maintaining, and improving an Information Security Management System (ISMS). Achieving certification against the standard is evidence that an organisation takes information security seriously.

I'm certainly not unfamiliar with the standard, having documented a gap analysis for my organisation a couple of years ago. What I wasn't able to do is build a convincing business case for proceeding with a project to achieve certification. At the time, being ISO27001 certified wasn't viewed as adding value to an organisation that already had in place many mature risk and information security management processes.

I now find myself wondering if this wasn't short-sighted. I've been re-reading the standard and also reading about how others have gone about their own program of certification and the benefits they achieved from it. The aforementioned Betfair, for instance, are reported as now being able to "demonstrate its commitment to the integrity of its information systems, assuring its customers of optimum security for personal details." The CEO of CHKS, a medical consultancy organisation, stated that "ISO 27001 has provided a rigorous standards framework against which we can be objectively measured. We are delighted to have achieved this internationally-recognised certification especially as the role of IT in corporate governance continues to expand". Monitor Media, a solutions development organisation who also achieved certification state "Though we've always taken the issues of information security extremely seriously, it was nevertheless appropriate to invite an external audit from a tough and respected body like the BSI."

There are many more examples I could quote from. In short, the message is that becoming ISO 27001 certified is an indication not only of taking security seriously, but also of following a good process of governance that can be recognised within the business and by customers too. Win-win.

There are many other positive reinforcements of the message that certification is a good thing, such as the blog posting here from Brian Honan. In fact there appear to be few, if any, downsides other than managing one's resources sufficiently and making the time to commence a certification project.

So, I'll be thinking about ISO27001 over the coming months and looking for the opportunity within my own organisation. I'll let you know how it goes.

November 3, 2007

CISSP - is it worthwhile?

I was disappointed to learn that one particular large business in London has opted to stop considering job applicants who hold a CISSP certification. This, apparently, results from candidates who hold the certification failing to impress at interview. Unfortunately I can't link to any references for this; however, it came to me in person from a senior authority within the industry.

With this being the case, it somewhat undermines at least two of the core objectives of the certification. The ISC2 website describes these as follows:

Benefits of Certification to the Professional

  • Demonstrates a working knowledge of information security
  • Confirms commitment to profession
  • Offers a career differentiator, with enhanced credibility and marketability
  • Provides access to valuable resources, such as peer networking and idea exchange

So, is the certification still worthwhile making the effort for? Yes it is! There will always be a minority quick to rubbish the value of qualifications - unfortunately some of those individuals are going to be in positions of responsibility, to the detriment of people working hard to get ahead in their careers.

I'm also not doubting that there are going to be some who have the qualification but don't make good job candidates. That doesn't diminish the value. It is what it is: a tough paper-based exam which demonstrates that an individual has knowledge. It is not a test of character or technical skill.

So, for those of you working and studying hard to achieve the CISSP, don't be disheartened. There will always be a small number of cynical old sods out there ready to rubbish hard-earned qualifications.

February 28, 2008

Professional Accreditation - IISP

Today I can add a few more letters to my business card: M.Inst.ISP. Few of you will yet be familiar with what this stands for. It means Member of the Institute of Information Security Professionals, and it signifies an endorsement of "knowledge, experience and professionalism" in the field of information security.

I'm proud to be one of the first individuals to achieve this accreditation. The Institute may still be in its infancy, but it has as its objective to "advance the professionalism of information security practitioners and thereby the professionalism of the industry as a whole." As it states here:

“By the year 2010 the institute aims to provide a universally accepted focal point for the information security profession.” In addition, IISP aims “to act as an accreditation authority for the industry, and Membership and Fellowship of the Institute will be the internationally accepted gold standard for information security professionals.”

Achieving full membership is based on attested experience, professional references, and the ability to impress an interview panel and accreditation committee. In my mind this makes it a far more valid measure than a one-off exam such as the CISSP.

It remains to be seen exactly how successful the organisation is at achieving its goals; however, I'll be supporting it and doing what I can to contribute to its growth.

You can read more about the IISP on their website here: www.instisp.org.

About Certification

This page contains an archive of all entries posted to Stuart King's Security and Risk Management Blog in the Certification category. They are listed from oldest to newest.
