It is the 25th anniversary of the Information Systems Security Association (ISSA) and the 20th anniversary of the International Information Systems Security Certification Consortium (ISC)².

Those sorts of milestones tend to make one nostalgic and even reflective, especially if you have a four-digit CISSP certification number as I do. They are now six digits.

It is very easy for the old hands to look back at the history of our profession and say little has changed. We are, of course, still battling some of the same problems we were 20 years ago. However, things have moved on and we appear to be making progress in some areas. I am not saying these issues are ready to run up the white flag, but there are signs of progress.

As it was 20 years ago and to a certain extent still today, I would say our biggest problem is that our profession is misunderstood. Many executives just don’t get it. Many legislators are still baffled. The general public is still answering those phishing emails. Information security and privacy issues are still finding their priority and consciousness level within our society.

In my mind, two things of great significance have happened in our industry within the past three months: the Cyberspace Policy Review issued from the White House, and the Cybersecurity Act of 2009, the so-called Rockefeller-Snowe Bill.

These two events have the potential for setting the information security and privacy agenda of our industry for a generation. From an information security professional’s perspective, the Cyberspace Policy Review said very little new. However, I would argue that its eventual audience will not be information security professionals. The distilled wisdom from that report was aimed at business executives, state and federal legislators and, to a certain extent, the public at large. It was designed to frame the discussion. And that it did.

Another thing that will be framing the discussion is the Rockefeller-Snowe bill, S.773. The bill has a number of interesting aspects: It raises the profile of cybersecurity within the federal government, promotes public awareness, establishes enforceable cybersecurity standards, and provides for the licensing and certification of cybersecurity professionals.

As citizens, we should expect to be provided with a yardstick by which we may measure our confidence in protection. After all, we are not curing cancer, but we are protecting the data that will lead to a cure.