IISP gets former Barclays executive for growth

When the Institute of Information Security Professionals (IISP) was first announced more than two years ago, it was greeted with a good deal of enthusiasm. It came with the right sort of credentials, and the endorsement of well respected luminaries such as Paul Dorey, the head of information security at BP, and Professor Fred Piper of Royal Holloway College. Unfortunately, the announcement was made before the Institute was properly organised or funded to handle the flood of enquiries and applications that it suddenly received, not only from the UK but from around the world. The small team of volunteers buckled under the strain, and what should have been a triumphant launch turned into an administrative nightmare. Nevertheless, the huge response bore testimony to the need for a body that could take this relatively young discipline and turn it into a well-regulated profession. There was a need for the IISP, or something like it.

Since the start of 2006, however, progress has been made, albeit rather slowly. The first interim chief executive, Nick Coleman, who only worked part-time for the IISP, left late last year, to be replaced by Scott Siemers, who stayed only a few months before deciding to return to a job in marketing. The third chief executive, appointed in April, is Gerry O'Neill, an engaging Northern Irishman with more than 20 years in the business, and a former head of global IT risk at Barclays. He is a regular speaker at conferences, and has good international contacts through his work with I-4 (the International Information Integrity Institute) and COSAC.

But is he the man to put the IISP on the map? Let's find out…

Congratulations on the new job, Gerry. Why do you think you were appointed?
I think they needed someone who is well-known in the industry, and who can help the IISP grow internationally. I am the European representative for I-4, and I'm involved in running three international conferences a year, so I have good international contacts through that and other work I do. My role as IISP chief executive will only take up about half my time. I need to keep some time for I-4 and it will allow me to keep active in the business and to keep my own skills sharp.

Have you been frustrated by the lack of progress at IISP?
I joined the Institute from the start, and my view was that it was the right thing at the right time. And I still subscribe to that view. But I share the frustration of some other members that it has taken two years to get where we are. I agree that it should have been well established by now. As a result, we have lost a few people along the way who did not renew their membership. I myself questioned whether to renew and was asking what value I was getting from it. The lecture programme was taking shape but we still didn't have a proper professional accreditation programme. Like a lot of other members, I was sceptical. Since coming on board, I have been looking at the membership, and surprisingly, the member numbers are holding up quite well. The acid test will come this year when they have to renew.

The way to fix it is to deliver. My predecessor and the board have got the full membership accreditation programme on the road, and more than 60 people have gone through that process [to become full accredited members of the Institute], and over 10% of applicants have not made the grade.

We have three levels of membership – Affiliate, which can include students and people with an interest in the subject; Associate, which requires the applicant to have a recognised qualification, such as CISSP, CISM or CLAS, or two years of relevant experience; and Full, where the applicant would probably have more than six years' experience, be able to demonstrate a depth of knowledge, and be interviewed by two senior professionals.

Is it too early to judge whether the qualification is recognised by employers?
Ask me that again in two or three months. I have significant aspirations for the qualification in about that timeframe. It is already held in very high regard in a number of circles. Several of our corporate members have indicated that they will be mandating this set of qualifications as a way for employees to proceed in their organisation. We need employers to see the value in it and start asking for it as a professional mark, and we detect a desire in both private industry and Government for a clear set of qualifications they can rely on.

But what is wrong with the existing qualifications from the likes of ISC2 and ISACA?
The existing qualifications are in essence a test of knowledge. We want to engage with those organisations to achieve reciprocity of recognition. I also intend to try and co-ordinate events with organisations like ISC2, ISACA and the like, so that people don't have multiple hits in their diary. They can only go to so many events, so we want to co-ordinate with others of like interest. Our essential differentiator is that as an Institute, we are uniquely offering an experience-based professional certification. The peer interview for the full membership is the cornerstone of that certification. We recognise the certifications of other organisations as entry foundation requirements, but ours will be evidence that, as an Associate Member, the holder is an experienced practitioner of some standing. And when they feel they have the requisite depth of experience, then they can go through the process to become a Full Member.

Can you explain how IISP will cope with the range of security roles?
We have a very comprehensive set of skill profiles, which map into various Job Families. This is where a lot of progress has been made. The board has developed more than 20 skill profiles, with a four-layer model ranging from 'cursory knowledge' right up to 'guru/expert' level. You score yourself when you put in the application. Some people said the application form for Full Membership was too complex, but to my mind it is like doing a comprehensive CV. If you were applying for a good job, you would express yourself at this level of detail. Someone applying for full membership will have between six and 10 years' experience, so the application needs to be pretty extensive. It has to be rigorous. I have to admit I am not yet a full member myself, because I've not got round to filling out the application. But now as chief executive, I have an incentive to do it. And I'm sure they'll pick a couple of tough people to give me a rigorous interview.

What international ambitions do you have?
In my first week here, I have been amazed at the number of individual overseas members we already have. They include people in the US, Mexico, Brazil, India, the Far East and Australia.

Clearly, with our headquarters in the UK and that being the main focus of our events programme, the overseas members are not getting the level of service that they can expect to receive in the fullness of time. In the short term, where we have clusters of enthusiasm, the best approach would be to set up local chapters. I shall be using my I-4 connection to evangelise the existence of the Institute overseas.

The reason I took on this job is that I still actively believe in the Institute. What encouraged me was that a lot of other people share our vision. Not just the founding members, but those who have joined since.

We have a panel of interviewers who volunteer to come along and give us their time to interview others for the professional certification. Some will host meetings, and offer their services to speak at events. The corporate members have formed a group of their own, and they are driving forward the working groups. One thing I would like to see them do is create a set of standard job definitions when interfacing with recruitment companies. So that when we say 'Policy Analyst' or 'Vulnerability Tester', it means the same to everyone. If we could build a standard understanding of what skills go with those roles, that would help.

It would also help with salary benchmarking, which we are starting soon, and which will help companies to see whether they are paying more or less than the rate for the job.

Other working groups are looking at a graduate development programme for new employees. This will create a managed career programme for employees, and provide them with a logbook to chart their progress.

How will you accelerate membership?
To address the problem about filling in the form for membership, which we recognise is a bit of an obstacle, we are working with several corporate members to send in an interview and assessment team to their sites. We will take a batch of applications, do a paper assessment on the first day, and by the end of a week, we could get maybe 30 or 40 members through the process. A lot of corporate members have reacted favourably to that. [IISP has 50 corporate members so far]

Corporate membership costs £6,500. The benefits include an on-line jobs board at our website, still in pilot mode at the moment. That will save corporate members the cost of a recruitment agency, so it could pay for itself very quickly.

The salary benchmarking will be a benefit. Many at the moment spend money doing it anyway, so that will save them time and effort.

Are you optimistic?
My agenda is based on non-proliferation and outreach. My door is open and I would welcome further discussion with other groups such as the BCS, for example, as well as ISC2 and ISACA. We don't want to overload people's diaries with yet another event schedule. I don't think we have missed the wave. Looking at a lot of what has happened recently, there is obviously a need for professionalisation in this space. And we can't afford as an industry to have lesser standards masquerading as professional qualifications.

I think we are already doing some right things, and we have to do more of the right things. We need a whole orchestrated package of measures. In some respects, it is just a question of raising awareness of what has been achieved so far – the working groups are adding to the value of the Institute all the time.

We also now have a well-organised secretariat at the Institute. My predecessor Scott Siemers did a good job in converting what were temporary workers into permanently employed staff. It gives us a degree of consistency and stability in our back-office affairs.

What is important now is our strategic agenda in the UK to develop membership and services, and then very quickly to develop a bridgehead overseas. We will need to deliver benefits for our overseas members.
