The information security industry is still immature and failing to act or speak as one, says Dave Lewis, board member at security certification organisation (ISC)2.
“Information security does not yet match up to the legal and medical professions in terms of structures and defined rules of engagement, and has a lot of growing up to do,” he told Computer Weekly.
Security is still the “Wild West”, but the point has come where security practitioners can and must develop a “collective consciousness” and work together, said Lewis, a senior security advocate at Akamai.
He believes that it is time for security practitioners to put aside their individual passions and channel their drive into the security community to raise the status of the profession as a whole.
“Too many industry events are collegiate, instead of having the community feel of events like the annual (ISC)2 Security Congress,” said Lewis.
Community events are vital, he said, because they are aimed at helping security practitioners to think more strategically as an industry.
Lewis believes the industry needs to reach out more to the businesses it supports to ensure information security is wrapped into everything the organisation does.
“Essentially, I want to engineer myself out of a job,” he said. “But industry has fallen down in the past in getting the message across, which is why we have got to come together to do a better job.”
As one of (ISC)2’s newest board members, Lewis believes the certification body has a role to play in weaving security practitioners more tightly into business.
“Security as a bolt-on has never done anyone any good. We have got to figure out how to do better, but it is not going to be a quick and easy fix,” he said.
Lewis believes the information security industry needs a single, over-arching body that can speak for the industry, but would not commit to saying if any existing organisations could fulfill this role.
“We need an industry body to define repeatable processes for things like patching, which continues to be done poorly despite being crucial to maintaining an organisation’s security posture,” he said.
Having a set of repeatable processes that take care of the basics like patching, Lewis said, will enable security practitioners to focus on the strategic vision of their organisations and manage risk more effectively.