I’m proud to have been one of the first members of the new Institute of Information Security Professionals (IISP). For those of you who have yet to hear about this organisation, its ambition is “to set the standard for professionalism in information security, and to speak with an independent and authoritative voice on the subject.” It certainly has an authoritative leadership with Nick Coleman, former IBM head of security services, acting CEO and input from the likes of Fred Piper and David Lacey.
The Institute hopes to legitimise infosec professionals in much the same manner as solicitors and accountants need to be chartered and qualified before they can practise. It’s a lofty goal because it’s such a wide-ranging subject area with a vast array of different types of people who all consider themselves professionals in their field. John Madelin outlines some of the challenges faced over in his own blog, particularly where he states “The subject extends out in every direction to an increasingly distant and somewhat ambiguous boundary.” You can read his blog here.
Over in IT Week, Phil Muncaster made the point last year about information security that “it’s not really a profession.” And he was not wrong – right now it’s a collection of individuals with backgrounds ranging from software development to network tinkering to the military who found themselves engaged in information security. And what do we mean by the term “information security professional”? I certainly place myself within this category but I don’t have the knowledge to configure a router. Conversely I know plenty of people who can configure router security but don’t consider themselves to be security professionals. In fact, many people I know who perform security-related tasks would rather have needles stuck in their eyes than be considered as full-time security professionals. So is the IISP aimed at those individuals too? Should it be?
I do think that membership offers legitimacy. It demonstrates individual commitment to the profession beyond being able to complete the multiple-choice questions required to achieve a CISSP. There is, however, and I think that Nick Coleman will agree, a fair way to go. Professional membership status will strengthen the external view but I’m not yet sure how much value this will offer individuals over and above professional membership of the British Computer Society and their well-established – and recognised – programs for certification.
I’ll be interested in your own thoughts on this subject. Are you considering membership?