Blueprint for professionalism in IT security

For most employers, hiring IT security staff is a difficult challenge. The security profession has grown up in an ad hoc way over the past 20 years and there are no widely recognised definitions of what IT security should cover, let alone any consensus on what qualifications and experience IT professionals should have.

However, a small group of leading security professionals is determined to change this. The group, with members from IT end-users, government, academia, suppliers' organisations and the British Computer Society, has got together to create a blueprint for the profession's future.

The aim is to turn IT security into a recognised profession on a par with the medical, accounting and legal professions, with a recognised body, qualifications, established career paths, mentors and career development programmes.

"A medical degree is the longest and most challenging degree. Students leave university after six years, but they are not immediately given a scalpel. There is a process of mentoring which allows them to build up their skill. Many of us think we need this in IT," said Brian Collins, vice-president for external relations at the BCS and group member.

"As security has developed as a profession that businesses increasingly rely on, we are called on to demonstrate our fitness as professionals. This takes the form of skills, knowledge, personal integrity and professional judgement."

The group began to come together about a year ago when security chiefs were evaluating how they could demonstrate their compliance with Sarbanes-Oxley and similar regulations. They realised that although they could show they had the right security processes and procedures in place, it was much more difficult to demonstrate that their IT security staff had the right skills, qualifications and ethical standards.

Over a series of meetings the group began to assess what support, training and experience IT security professionals needed. It came to the conclusion that security qualifications did not offer sufficient guarantees of professionalism.

Members felt that although examinations such as the certified information systems security professional and the certified information security manager test knowledge, they were not universally recognised and did not assess the skill and judgment of IT professionals.

Similarly, there was a feeling in the group that none of the existing professional bodies dedicated to security, which include organisations such as ISC2, Isaca, and Icaf (see box), performed the full range of roles they were looking for.

"Speaking personally, I think there is not one institute that has reached the level of the other professions, such as accountancy and law," said Nick Coleman, chairman of Saint, a security group for IT suppliers and member of the working group.

"There is not one organisation with the senior members of the community in it which can give a clear accreditation and an impartial kite mark to one's career. If I was trying to get my skills recognised and sign up to a competency framework, there is no body I can turn to."

The group believes that a new professional body is needed to set and monitor professional standards. This could either be created from scratch or it could be formed by developing one of the existing associations. A draft blueprint identifies the key goals that include formal education, a common body of knowledge, entry requirements, a communications network and legal recognition.

Under the blueprint, the body would accredit academic courses and professional development schemes for security professionals and provide a mentoring scheme. It would offer information on best practice, leading-edge security thinking and advice on developing a career. It would also act as a voice to government, allowing security professionals to express their views on key regulatory issues.

"We did not want to see a professional body that was just about the systems admin end for a large enterprise. We wanted to see it as a much wider body covering everything from research to a finished project," said group member Martin Sadler, lab director at HP Labs.

Collins said, "If the chief executive wants a security specialist to sign off that systems are compliant, that person needs the backing of a professional body. The business needs it."

One of the challenges facing the body, provisionally dubbed the Institute for Information Security Professionals, will be to agree what IT security should cover. Although most people agree on the core elements, such as confidentiality and availability of information, there are disputes over whether business continuity, fraud prevention and physical security should be included.

Although the proposals are at an early stage, they have attracted interest from the BCS and the Institute for Communications Arbitration and Forensics. The group is also seeking government funding and plans to consult more widely as its proposals develop.

The BCS is considering backing the project and one proposal is to develop Icaf into a professional body.

The group has set itself the target of getting the beginnings of a suitable professional body up and running by September. The task is urgent, said David Lacey, director of information security at Royal Mail, given the growth in importance of IT security and compliance over the past two years.

"We need to have something in place this year. There is a need for people to demonstrate professionalism. If we leave it too long, something else will fill the gap. If the blueprint is not implemented, there is a danger we will accept second best."

The blueprint working group

  • Nick Coleman, chairman, Saint
  • Robert Coles, head of security consultancy, RBS
  • Brian Collins, vice-president of external relations, BCS
  • Paul Dorey, chief information security officer, BP
  • Chris Ensor, R&D, NISCC
  • David Lacey, director of information security, Royal Mail
  • Fred Piper, professor of security, Royal Holloway, University of London
  • John Regnault, head of security technologies, BT Exact
  • Kevin Riordan, strategy and programme management, CSIA
  • Martin Sadler, lab director, HP Labs
  • Phil Severs, head of group information risk, HBOS
  • Alan Stanley, managing director, Information Security Forum
  • Mike Walker, head of R&D, Vodafone Research
  • Richard Walton, consultant, Walton-Mackenzie Information Assurance

The blueprint working group members are working on the project in a personal capacity.

Existing IT security organisations

Security Alliance for Internet and New Technologies (Saint)  Saint is a supplier-led body supported by IT suppliers' trade body Intellect. It was launched in 2001 to bring suppliers, government and business together to promote security awareness and best practice in the UK. Members give their time on a voluntary basis.

Information Systems Audit and Control Association (Isaca)  Isaca is a professional body formed in 1976 with 35,000 members worldwide. Membership is broad, and covers information systems auditors, consultants, trainers, IS security professionals, regulators, chief information officers and internal auditors. Isaca offers certified information systems auditor (CISA) and certified information security manager (CISM) accreditation.

International Information Systems Security Certification Consortium (ISC2)  ISC2 originated in the US as a non-profit membership body but is increasingly active in the UK. It certifies industry professionals and practitioners under an international standard, administers the CISSP security qualification - recognised as a gold standard by many employers - and ensures members keep their competencies up-to-date.

Institute for Communications Arbitration and Forensics (Icaf)  Icaf is a not-for-profit professional institution. It was set up in 2001 through the Communications Management Association. Its mission is to promote "best practice in the security of information, the resolution of IT-related disputes and the solution of IT-related crime".

SysAdmin, Audit, Network, Security Institute (Sans Institute)  The Sans Institute was established in 1989 as a co-operative research and education organisation. It offers security professionals accreditation through the global information assurance certification (GIAC), which covers areas such as security essentials, intrusion detection, incident handling, firewalls and perimeter protection, and operating system security.

Information Assurance Advisory Council (IAAC)  The IAAC is a partnership of policy makers, law enforcers, researchers and academics that aims to address information infrastructure protection. It develops policy recommendations for government. The organisation is sponsored by commercial organisations, government policy makers and the research community.
