Licensing Security Professionals

I recently read an article insisting that Information Security Practitioners should be licensed.  This debate has gone on for quite some time, apparently.  Guess I missed the conversation.  I’m not one to stop yapping about security, just because everyone else has had a say…

So, according to Brian Honan, the security industry has grown, and is now recognised by IT as a necessary evil in order to protect a company’s business interests.  Yeah, I don’t find that Security gets much respect from IT or the Business, we are still a hurdle to be overcome or avoided.  Good controls, solid processes, and well-informed management are the only cures that I can see for fixing that perception.  Most Security Departments stopped saying “NO” to innovation and acceptable risk a long time ago, and switched to a more consultative strategy, “YES, if…”

“A recent report from Market and Markets claims the global information security market will grow to US $120 billion by 2017, growing at an annual rate of 11.3%.”  Brian is painting the corners and missing the big picture that this statement makes.  Security Professionals are not generally part of these studies as evidenced by the blurb for the report: “Companies such as Cisco Systems, Inc. (U.S.), Check Point Software Technologies (Israel), Kaspersky Lab  (Russia), Fortinet, Inc. (U.S.), IBM Corporation (U.S), CA Technologies (U.S.), and McAfee, Inc. (U.S.)., and Symantec Corporation (U.S.) are key market players.”  This report looks at the commercial security tools market, not the market for Security Practitioners.  The companies mentioned have little interest in fixing the security problems that we all face.  Their very existence depends on maintaining the problems and fixing the symptoms.

Licensing Security Practitioners accomplishes little in the way of pushing the adoption and implementation of what are now well established practices to common problems.  It does increase the barriers for entry into the security field for many.  It is already expensive and time-consuming to gain and maintain certification in the disciplines of security, and the markets in general are crying out that it cannot find business/technology savvy staff if the media is to be believed.

So, what IS the problem then, if we all know what needs to be done, and the practices are well established?  Simple root cause analysis indicates that Security is not convenient, and does not lend well to “agile decision-making” or in-flight management strategies.  It demands that those who strategize actually THINK their ideas through from more than the happy path perspective.  You need more than a really nifty idea that could add hundreds of thousands of dollars to the bottom line.  You need to think about how adding that nifty idea impacts everything else already in play, and the other things that are already being planned.  What is the cost if your new idea results in a data breach or allows your company to be stolen from?

In my opinion, Executives, C-Level, and middle management need to take accountability for the direction that they set for their already qualified Information Security staff.  I have seen more than one mature executive carry on like my 2 year-old grandson when I don’t provide the desired ice cream just because he hears the vendor’s bell, when told that their pet project will need to be reviewed and solutioned by security, adding several weeks to its closing date because we weren’t at the table when decisions were made.  It’s as if they think that I actually want to slow the business down from implementing some solution.

Information Security is about people, processes, controls and technologies on top of the IT stuff.  The business wants to do many things, fast to improve profitability.  IT wants to support the business by doing things that are compatible with the existing technology, efficiently.  Security wants to do the right things, for the right reasons, with the right protections, to keep people employed and profit remaining profit.

Just my 2¢, collect the whole dollar.