Beyond CertificationsRecipe for a True Information Security Professional
What do the societal roles of doctors, lawyers and accountants all have in common? They are synonymous with professionalism. All must complete continuing education requirements and are upheld to rigorous academic standards and professional ethics. The professionals entrusted with your health, liberty and financials should undoubtedly possess ethical fortitude, an advanced level of applicable knowledge and skills, and assurance that their knowledge and skills are up-to-date and relevant.
See Also: Passwords Alone Aren't Enough
Certainly those charged with protecting our precious data and information assets should be held to the same professional standards. (Also, read Revelations from RSA 2012)
The mere existence of an information security professional is based upon trust and ethics.
Information technology is advancing quicker than a duck on a June bug, and information security professionals must learn all aspects of these new technologies in order to assess the risks and develop policies and best practices around them. So how can organizations ensure that their information security staff is mitigating the latest threats? And what truly defines an information security professional? Seeing capitalized acronyms after someone's name certainly looks professional, but few know what these acronyms really represent. In the realm of information security, professional credentials are defined by several components:
Knowledge + Skills = Competency
Job interviews and resumes are standard protocol for securing a job, but they don't always guarantee that the candidate possesses the precise knowledge and skill sets the company is seeking for the position. Information security credential examinations are evaluation tools to prove or disprove a candidate's knowledge, skills and abilities. However, information security professionals are not necessarily experts in every single area of information security. They are likely an expert in a few areas and possess a general understanding of other areas. In other words, not all doctors are neurologists, and that is OK. When you have a virus, you don't need to see a specialist. Instead, you need a physician who has a holistic view of how your body works and where it is vulnerable.
Rigorous credential exams representing the knowledge-base of the industry are continuously updated through psychometric evaluation and scrutinized revisions by subject matter experts. With technology and threats changing so rapidly, methodologies must be set in place to ensure that exams are testing relevant knowledge and skills.
Adhering to Rigorous Standards
Information security credentials that adhere to stringent vetting and maintenance processes earn accreditations such as ANSI/ISO/IEC Standard 17024, which sets a global benchmark for the certification of personnel, ensuring knowledge and technical competency in different professions. ANSI/ISO/IEC accredits standards developers, certification bodies and technical advisory groups to both the ISO and the International Electrotechnical Commission (IEC). To be ANSI-accredited under 17024, organizations must adhere to meticulous requirements regarding process, practice and ethics and be reviewed annually for renewal. The many areas that ANSI monitors on an ongoing basis include:
- Corporate governance;
- Internal audit and management review systems;
- Use of subject matter experts;
- Personnel files and policies;
- Management of confidential and objectivity requirements;
- Procedures for monitoring the ethics of certificate holders;
- Continuing education requirements.
Professionals earning credentials from such accredited organizations are an extension of this level of excellence and standards.
The mere existence of an information security professional is based upon trust and ethics. They are accessing information and assets that could be extremely profitable and damaging if used maliciously. Ethics are based upon acting honorably, justly, responsibly and legally - a professional ethic that accredited, certified information security professionals must abide by.
Renewal of Credentials
In due time, most people could pass a test and earn a piece of paper with their name on it, but a mere passing grade isn't enough to obtain credentials indicative of an accredited information security professional. Renewal of credentials provides additional confidence that an information security professional is equipped with the latest industry knowledge and that they are working outside of their day-to-day jobs to excel. Continuing education is vital to this process.
Emerging technologies such as cloud computing, social media and mobile devices have created new challenges for information security professionals. With emerging technologies come emerging threats. Continuing education requirements are imperative to the maintenance of a credential and to ensuring that an information security professional is equipped with the knowledge to innovate, mitigate and adapt. It's perhaps one of the least stagnant industries in the world and, therefore, requires a continuous learning process.
No single, isolated facet is the key ingredient - you need ALL of these ingredients to create the recipe for a true information security professional.
Tipton is the Executive Director for (ISC)2, the largest not-for-profit membership body of certified information security professionals worldwide, with more than 80,000 members in more than 135 countries.