Can you share your thoughts on licensure of the Information Security space?
Do you think this is a good thing, or not?
I would like to ensure I understand your question fully. Are you talking about globally an onslaught of national laws to license security professionals? I would say generally I get nervous when government attempts to regulate a profession, however I also recognize the potential value of elevating the profession with licensing. Though I am concerned this could create potential constraints as well with the rapidly evolving nature of the security space and our roles within organizations.
David Melnick, Candidate
I think this is a very interesting question, but I agree with David that I would be very nervous about attempting to come up with a global, government-regulated licensure for information security professionals. I believe this would even be a bit unprecedented, as if you look at other professions that require licensure, like law, medicine, and engineering, it's usually done at the regional level, and if you move to or want to work in another region, additional steps may be necessary to extend your license to that area. One of the benefits of certifications like the CISSP is that they are already recognized globally.
From my perspective, I believe that certification programs like those offered by (ISC)2, as well as other organizations like ISACA, are a great foundation for determining whether someone is qualified to work in the field. My wife is a licensed Professional Engineer (although currently inactive), so I've observed the process that she had to go through to acquire and maintain that license over the years. The level of testing, experience, and annual continuing education requirements are similar to what we have for the CISSP. However, when I previously worked in healthcare, I reported to our Chief Information Officer, who was also a practicing physician, and I have to say the level of work required to obtain and maintain a medical license is significantly higher than what we do as information security professionals. I also know many lawyers, and it seems that what they have to do for licensing resides somewhere in between the Professional Engineers and Medical Doctors.
With this background, my feeling is that we don't need a fully new approach to licensing information security professionals, but should look closely at the current certifications to make sure they are appropriately representing the level of expertise required to be effective in the field. Should we raise the bar for some of the top-level certifications, like the CISSP? I think this could be enough rather than coming up with a formal licensing structure.
Perhaps what we should instead focus on is regulations or laws that require that companies that fit a certain profile (e.g., public companies, or those that operate critical infrastructure) have certified information security professionals on staff. Another approach might be to require that certified information security professionals perform certain tasks - for example, when submitting a plan to build a new road or building, a Professional Engineer must review and sign off on that plan, so maybe there could be an analog to that.
Thanks for asking this thought-provoking question!