The proposition behind this piece is to prompt a dialogue within our industry on an important question: Are we a profession? The natural answer for anyone in our trade is: “Yes, of course.” My reply is: “Why do you think that?”
When a person is asked to name three professions, often the answer is: doctor, lawyer and accountant. What are the characteristics that describe a profession? The definitions of profession or professional tend to include such phrases as experienced, academic qualifications, certifications, specialized knowledge and/or skills, quality of work, high ethical standards, or unified common body of knowledge.
The information security industry possesses many of these same characteristics. There are numerous academic qualifications and certifications for information assurance. Most would agree that our trade requires specialized knowledge and skills. There are countless international standards which seek to ensure the quality and consistency of our work. Many of the information assurance organizations and certification bodies, such as ISACA, (ISC)2, ISSA and SANS, require adherence to a code of conduct for membership. Several of those same organizations have described a common body of knowledge.
The one characteristic lacking in those definitions of the information security professional and the field itself, is the existence of a governing body and force of law. The medical profession has the American Medical Association (AMA) and state medical boards. The American Bar Association (ABA) and state bar associations serve the legal profession. The accounting profession is governed by the American Institute of Certified Public Accountants (AICPA) and state accountancy boards.
A number of years ago, I was involved in discussions surrounding the formation of the Institute of Information Security Professionals (IISP) in the U.K. It states that, “One of its main activities is to act as an accreditation authority for the industry.” And it has made a considered and deliberate start.
Given the issues that we face daily, given our liability, legal and regulatory environments, the seriousness of what we do, and the effect it has on our society, it is time for us, our industry associations and certification entities, to begin the dialogue surrounding the formation of a governing body with the force of law. Are we a profession? That is the question.