twitter facebook rss

Professionalization: should infoSec professionalize?

Posted by on January 25, 2016.

In the context of this discussion, ‘professionalization’ is the creation of a governing body for cyber security practitioners, much like the American Medical Association (AMA) was created to oversee medical professionals. For the sake of argument, we’ll call this putative professional security body the Cyber Security Association (CSA).

The question – should infosec professionalize? – was the subject of a recent discussion among CISO members of Wisegate. It was prompted by the publication of Martin Zinaich’s paper, What Does Information Security Have In Common With Eastern Air Lines Flight 401?  Martin’s paper likens the state of current cybersecurity to the Flight 401 disaster. During the flight, the aircrew became fixated with a minor problem – an indicator light which had burned out – failing to notice the autopilot was disconnected and the aircraft was in slow descent. Eventually the aircraft crashed in the Florida Everglades. Martin’s conclusion is that the effectiveness of information security is in a similar decline; and that the only way to reverse this process is through the oversight and governance of a professional AMA-like Cyber Security Association. Martin summed it up like this:

The Information Security profession must connect real business risk with the business in such a way that places the business in a position to lead Information Security. Professionalizing this industry may just be the only hope of making that switch and thus solidifying a permanent positive impact.

So, what would The CyberSecurity Association (CSA) Mission Statement look like? We took the mission statement of the American Medical Association, changed just a few words and this is what we came up with:

To promote the art and science of cybersecurity and the betterment of user safety…

The CSA has a robust House of Delegates consisting of representation from every State and cybersecurity society, a solid base of security professionals, a thriving advocacy influence, the most revered journals and resources in cybersecurity, and respected security tools.

Together, we can shape a better, safer future – not just for users and practitioners, but for the country as a whole.

But professionalization is a difficult issue and it has to be said that the discussion came to no firm conclusion about the methodology but it became clear that nearly all members believe it to be a good idea if it can be done. So the question is how? While it is true to say that some of the CISOs present doubted that it could be achieved at all, others suggested that using the existing security certification organizations could provide a route. The advantage is that these organizations already have the numbers. ISACA, for example, has more than 140,000 constituents in over 200 countries; and it has already developed the well-received COBIT governance and good practice security framework.

The bottom line, however, is that ISACA is a business – it sells security certifications in competition with other security certification companies. Not all of these certificates are particularly valuable. And most of them do not adequately address what many CISOs believe to be their biggest problem: integrating security into the spirit of the business. It is true that some of the certification bodies have attempted to elevate security into the business, but the reality is, they have failed. Security is currently likely to be in a corner of the IT department, trying to push good practices upwards whereas it should be at board level pushing security downwards.

But – and there’s no way we can avoid the cliché – there is an elephant in the room. If security practitioners don’t come together and develop a professional body, then government will impose one upon them.

The last thing that companies or users need is security built by government preferences. Best practice will, for example, be defined not by absolutes but by government back doors. This is not fanciful, and we won’t even need a cyber 9/11 to kick it off – it is already happening. Government is beginning to impose its preferences on industry. In November the New York State financial services regulator described proposals for new regulations. These will require companies to appoint a chief information security officer, will require that CISO to deliver annual reports to the financial services regulatory body (signed off by the board), and instigate multi-factor authentication for both employees and customers. This is effectively creeping government professionalization of information security.

And Martin Zinaich is absolutely right. Security professionals need to come together to form a Cyber Security Association – and they need to do it soon before government removes that option.

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: Insights | Tags: ,