For years, there have been calls for IT managers or directors to form themselves into some kind of professional, accredited body. So far, it has had little effect; the profession – if it is one – is just too varied, volatile and mixed up with general business management.
But in one area, at least, some kind of rock-solid accreditation seems to be a very good idea: information security. The more industry relies on information systems, the more it needs to be sure that the people who design and manage their security can be completely trusted.
In late February, after a remarkably quick period of gestation, an influential network of well placed UK IT security specialists announced the formation of the Institute of Information Security Professionals (IISP).
The main goal is to establish information security as a profession, with accredited IISP members trusted in the same way that accountants or lawyers are. The group will also lobby on information security issues, and provide professional development help.
The new body begins its life with some impressive credentials of its own. It is the brainchild of Professor Fred Piper, of London University’s Royal Holloway College, who has taught executive-level security courses for 15 years. He has been backed by dozens of leaders in the field in the UK: Paul Dorey, the CISO (chief information security officer) of BP will be the inaugural chairman, backed by peers such as Paul Wood of UBS, Paul Simmonds of ICI, and David Lacey, recently departed CISO of Royal Mail. Nick Coleman, interim CEO, is likely to leave IBM to take up the post permanently.
All of these individuals were at the London launch, hosted by the UK’s Department of Trade and Industry, where most agreed that the organisation’s toughest challenge will be accreditation, policing and discipline. In their on-stage remarks, Dorey and Woods spoke of the importance of trust, of ongoing professional development, and of the need to supplement existing one-time technical qualifications with an ongoing accreditation system.
Stringent standards
No one dissented with this view. But off stage, almost all present agreed that this will not be at all easy. By its very nature, security demands the highest standards: that means individuals must be checked on entry, measured over time against stringent standards, and, importantly, there must be machinery in place to admonish or even expel individuals who transgress.
This policing role could bring many problems – a point made both by Piper and Simmonds. They know that if the group becomes as influential as they hope it will, then sooner or later its procedures and decisions will face legal scrutiny. The IISP could, after all, have the power to make or break careers.
Interim CEO Coleman said these problems were understood, and that the IISP is already benchmarking itself against similar bodies in other professions – such as the Law Society and the British Medical Association. The IISP is being advised by Robert Cardina, a US lawyer who has worked with the Law Society and the US Bar Association, which has “the most gruelling amount of due diligence of any association in history”. But, he said, it is still not clear exactly what “due diligence” will mean for the IISP.
In India, a similar effort to provide ongoing accreditation among general IT professionals is underway, but it is backed with several million pounds from the Nasscom trade association. It too foresees difficulties should members complain about its decisions.
The crucial issue of the IISP will be how the highest, ‘gold standard’ members will be monitored, and how the disciplinary process works. Entry for lower levels of membership, affiliate and associate, will be relatively easy, with the former requiring an identity check and the latter two years experience in the field and a recognised qualification.
In spite of the challenges, the involvement of so many CIOs and CISOs appears to show this body is badly needed. Interest to join has flooded in from around the globe.
It is widely acknowledged among IT directors that individuals who have breached security rules are often re-employed doing similar jobs at similar companies – sometimes because their dismissal involves an agreement to keep the offence quiet. IISP accreditation might make this less likely.