There are many trusted professions from which we can learn. The obvious, oft-quoted candidates are medicine, law and accountancy, and additional globally governed fields such as aviation. Analysis of these professions demonstrates that, in general, there is significant agreement on what constitutes professionalism. These trusted professions share a number of defining characteristics, including: defined levels of approved training, comprehensive written and oral testing, active demonstration of competency, internship and structured paths for career progression, performance monitoring by a governing or regulatory body, effective and evident disciplinary and enforcement procedures, clear rules of operation, and regulation and/or licensing.

To the objective observer, our profession does not compare well. The reality of our professional certification space is that we claim the term "professional" by passing simple multiple-choice examinations that largely test our recall of knowledge rather than competency. There is no pass rate for pilots (a candidate is either good enough or not) and I have no desire to ever have to rely on a heart surgeon who possesses 70 percent of the knowledge required to operate successfully but has never demonstrated professional competency at using that knowledge in practice.

Diversity and dynamic professional scope exist within information security. As an employer I may need staff with management skills, technology skills, architecture skills, or an emphasis on assurance, governance or operational risk management. Moreover, if I operate in critical national infrastructure or national security, I may need higher levels of skill than those required for a security role in a retail outlet. The term "common body of knowledge" is the oxymoron — there is a body of knowledge, but it is not common to all professionals.

Criticality of profession dictates that someone must take a lead — and someone will rise above the clutter. The first government, body or society to deal adequately with responsibility for protecting the information society and the knowledge economy will issue a real wakeup call to members of the information security profession, and we had better be ready to respond.