Security leaders create blueprint for raising professional standards

Senior IT security professionals are pressing for new IT security qualifications and the creation of a national accreditation body in a bid to improve standards.

The initiative is supported by security chiefs from companies including BP, BT, and Vodafone, academic security specialists and government representatives.

The move comes as businesses face growing pressure to demonstrate to regulators and shareholders that their IT security staff have the knowledge, skills and professional integrity to manage risks to the business.

Two-thirds of UK firms suffered malicious security breaches, with the worst incidents costing large companies an average of £120,000, the Department of Trade & Industry Information Security Breaches Survey found last year.

An IT security "blueprint" will be published this month by a working group including the IT security chiefs of BP, Royal Mail and Royal Bank of Scotland.

It will call for the creation of an Institute for Information Security Professionals to develop qualifications, set minimum standards of training and experience, create a formal career path, and lay down a code of ethics.

The blueprint will criticise the current piecemeal approach to IT security, and claim that the IT security qualifications based on multiple choice examinations – currently used as benchmarks by employers – test knowledge rather than skills and judgement.

"The community of information security practitioners is very fluid, with various untrained network engineers, programmers and security administrators calling themselves information security professionals despite having little training or experience in the field," the working group said.

Brian Collins, vice-president for external relations at the British Computer Society, which is in discussions over backing the new body, said, "If the CEO wants an information security specialist to sign off that systems are compliant, that person needs a professional body both in terms of training and a code of ethics. The business needs it."

Paul Dorey, chief information security officer at BP, said the Institute for Information Security Professionals would ensure that security professionals receive formal training and mentoring in the same way that doctors, accountants and lawyers do before they become fully qualified.

"Medical students leave university after six years of training, but they are not immediately given a scalpel. There is a process of mentoring that allows them to build up their skills. Many of us think we need this in IT," he said.