The case for professionalism in IT security

Recent discussion and engagement with the information security industry has shown there is a pressing need to formalise information security as a profession.

With this in mind, a group of respected leaders in academia, government and the private sector are now trying to lay the foundations for the creation of a professional body for information security specialists.

There are several pressures demanding greater professionalisation. Information security is now seen as mission-critical to many companies where accurate, timely and confidential information underpins the success of valuable business processes.

Information security is also essential to the proper working of government and, indeed, society as a whole is dependent on critical IT infrastructures.

Regulators are increasingly asking directors and senior managers of organisations to make personal attestations over the state of their security to enforce accountability.

These directors and managers need to trust that those who are responsible for the information security of the organisation are competent and will behave in an ethical manner.

Across business and government there is a need for an organisation to set standards for professionalism in information security, and to speak with an independent and authoritative voice on the subject.

The principal aims of the planned institute will be to advance the professionalisation of information security, initially within the UK but in time globally, and to ensure standards of professionalism of individuals, courses, qualifications and operating practices.

Those behind the plan believe the institute will act as the credible and definitive expert voice for the profession to regulators, auditors, business and government. In so doing, the institute will improve communications within the information security profession and between the members of the profession and government, industry and academia.

It will also enable government and industry to have ready access to highly professional practitioners in the field of information assurance and security by providing a vehicle for members to demonstrate levels of judgement, skill and competence to their own companies, peers, clients and regulators. It is hoped the institute will become the vehicle for propagating best practice.

The Cabinet Office Central Sponsor for Information Assurance has said it believes that the creation of a high-quality professional body will not only encourage an increase in the number of individuals entering the industry, but will also raise the standard of those already in the industry as it introduces entrance requirements, linked to high-level academic and practical qualifications and a standard for continuous professional development.

These are important goals for government, both for its own information security staff and for the beneficial effect on the UK economy.

The creation of the institute would be a substantial contribution to government's national strategy for information assurance.

And the Communications Electronic Security Group, as the national technical authority for information assurance, sees this initiative as a "significant step towards raising the quality of information security and assurance within the UK", and is looking at it carefully as a potential basis for the development of information assurance practitioners within government.

This initiative is not only backed by government, but it is also supported by the leading professionals in the corporate world. Organisations backing the initiative include BP, BT, HBOS, Hewlett-Packard, IBM, RBS, Royal Mail, Vodafone, and the University of London.

It is this broad backing of government, industry and academia, as well as the status of the founder members, that will give the institute initial credibility. And the level of support from these institutions is high.

BT, for example, has given the institute its unequivocal support. "The growth of the digital network economy makes it essential that those securing business and consumer services are accredited to the highest professional standards," it said.

It is clear that business and the economy as a whole will benefit from improved professionalism. Members of the profession will also benefit since the institute will provide a comprehensive development framework and ongoing support to its members to enable them to operate at the highest levels.

One of the fundamental principles behind this initiative is that the institute should be independent.

Although the backing of government and the corporate world is critical, such a body cannot be subservient to them; it must have a voice untainted by association with others that may have vested interests.

The founders recognise that there are other bodies in this field and are seeking to establish constructive and mutually beneficial relationships with them. There is no intention to re-invent wheels, but there is a real need for an authoritative body to equip information security professionals for the 21st century.

Barrie Wyatt is on secondment from the Communications Electronic Security Group to Nottingham Policy Centre, University of Nottingham
