Information security is a booming industry, but by most standards it is still tiny compared with other sectors. Symantec, which towers over most other players, has a healthy annual turnover of $5 billion (£2.5 billion), but that is still less than the annual group profit of Tesco, and just 5% of Tesco's turnover. And if Symantec were in pharmaceuticals, or most other industries, it would be a minnow.
My point is not to diminish Symantec's achievements, but to remind ourselves that the security industry consists of a relatively small circle of people, and to ask the question: with so few people, why do we need so many professional organisations to represent us?
Ah, you reply, that is because all the organisations have different pedigrees and perform different functions. ISACA is for the auditing end of the business, while ISC2 is for more technical people. The Information Security Forum is for large corporations with £20,000 or so to spend each year, while I4 is another very exclusive club for large companies with deep pockets.
Then we have a mass of different qualifications and certifications from a wide range of organisations: the British Computer Society, ISC2, ISSA and ISACA, universities, and the new(ish) Institute of Information Security Professionals (IISP).
We also now have Crest, a new body that aims to certify penetration testers for general industry, mirroring the CHECK system that operates for public sector work.
Which is great, up to a point. But I saw the situation from a different perspective recently when I fell into conversation with someone who runs a security practice, and asked if any of his staff had become members of the IISP.
Some had, he sighed, but the sheer cost of keeping up with all the memberships was getting him down. "I have to pay for their CHECK certification, for CLAS, then for their CISSP. Then I've got ISF membership, BCS memberships, so really the last thing I need is another subscription to pay. Why can't some of these organisations get together and join forces?"
It was a point well made. By spreading our efforts across a multitude of different bodies, we risk duplicating effort, and we also risk diluting our influence over Government policy.