@Frank_Mayer asked,

"Many governments mandate that hair stylist be certified but require nothing of IT professionals, how does that make any senses?"

 

Professional credentialing (licenses, certifications, degrees, certificates, etc.) mandates by governments (in laws or regulations) are almost always justified to the public as being necessary to ensure competence of practitioners and safety of the public. However, if you take time to look under the hood at the processes that led to those mandates, it is not uncommon to see that a major purpose is to limit access to the profession. The goal of those already working there is to control how many new competitors appear. The current practitioners want to be sure they don't lose business, and money, to a flood of new participants in the marketplace.

 

Granted, there are those who legitimately and altruistically work to ensure standards to meet public safety needs. That is, I have inferred, what the original (ISC)2 members were trying to do.

 

Undertakers, hair dressers, barbers, florists, interior designers, school teachers, lawyers, physicians, chiropractors, private investigators, and many other professions have, over the years, formed strong, vocal "professional" associations that have proceeded to lobby, push, and donate to state legislators to establish these credentialing requirements in law. I have yet to see any IT-related organization make any attempt at all to do the same.

 

 

True, many credentials are looked at as being protectionism, however, I
am very glad that professional associations have forced competency in
all the professions mentioned, funeral directors, hair dressers,
lawyers, doctors, and the like.

Plain common sense should tell us that the limiting of people offering
the service to those who prove in some relevant and objective manner
they have clue about what they are doing is critical for the public good. 

It cannot just be buyer beware and go figure it out on your own because
we live in a highly transient society and we do not have the luxury of
getting to know who is good and who is bad by letting the market
organically take care of it.  The 1700s are well past and that does not
work.  People who like to cut corners and do whatever it takes to make a
buck, even at the expense of life, are everywhere and will do massive
damage unless their activities are nipped in the bud.

I don't want a person cutting my hair who is going to butcher my hair,
or someone burying a relative of mine who is going to care for th body
improperly, I don't want an unqualified lawyer or doctor either.   The
US education system needs to be refocused on having education and
credentialing as an integrated program in all  professional areas.

I strongly feel that in todays highly technical world that there are
very few jobs that are able to be done by people who are not highly
educated, trained and skilled through concurrent apprenticeship. 

Catastrophes have happened when unqualified people do work.  I have seen
unskilled workers do real damage to homes.  For example, I had a truly
certified duct cleaning company do work for me recently and it was good
and right, when I had uncertified people do the work in the bad old days
it was a disaster and they even left junk in the vents that made things
worse.   Again, if our academic institutions are forced to prepare
people for jobs and forced to come into the highly technical world of
the 21st century we will be the better for it. 

If you go to this link you can see how formal medical education and
licensing is relatively new but we consider it indispensable today. 
http://bulletin.facs.org/2013/07/100-years-of-surgical-education/ NO one
would allow themselves to be operated on by an uneducated and doctor
that is not board certified , but just 100 years ago, there were no real
qualifications for doctors and the society accepted unnecessary medical
malpractice as just a fact of life.  We will not stand for this now. 

Therefore, progress demands continually rising standards and rigorous
enforcement.  The Wild West needs to be consigned to history, not made a
blueprint for the future.

You know very we that if we have cybersecurity malpractice today it
could result in a catastrophic failure in operational technology where
real physical damage and loss of life on a massive scale could easily
take place. Triton is a prime example.

https://www.technologyreview.com/s/613054/cybersecurity-critical-infrastructure-triton-malware/

What does our US Congress do?  They steer clear of it and do not do
their job, refer to:
https://www.csoonline.com/article/3365239/congress-steers-clear-of-industrial-control-systems-cybers...

All the benefits of modern life and the wonderful and life saving
technology, including the ability to have a fantastic infrastructure
that puts power and knowledge at our fingertips, comes with the high
price of everyone being asked to go to a much higher level and not to
just do what they feel like doing.  I  was not even 40 years ago, when i
graduated college, that having a BS degree put you in the top 10% of
educated people in the country, today a BS degree is expected and if you
do not have that or you are not licensed in a trade, then you are really
struggling. This link shows the historical trends and outlines the fact
of how critical advanced education is to the health of the economy
https://ourworldindata.org/global-rise-of-education

I am for transformational change in the way we do business world wide so
that we come  into the 21st Century and prepare for the 22nd Century. 
If we do not do that in the US, the Chinese and other forward looking
countries will and we, the US, will be left in the dust bin of history.

--
Frank Mayer, CISSP

Profile at profile:
https://community.isc2.org/t5/user/viewprofilepage/user-id/1334307903

"Educate your children to self-control, to the habit of holding passion
and prejudice and evil tendencies subject to an upright and reasoning
will, and you have done much to abolish misery from their future and
crimes from society." Benjamin Franklin

Even in the UK, government certifications for security in the public sector don't appear to take hold, but this is at least in part the number of possible certifications IT and security staff may hold.  The last effort was CCP (CESG Certified Professional), but for people who hold ISACA, ISC2 and ISO certifications, in addition to vendor certifcations, it's not that attractive to be required to have yet another qualification that largely overlaps these.

One of the benefits when the US government started mandating that the IT workforce meet a minimum level of cyber security is that it forced some people into continuous learning. It also forced some people who had gotten into IT for the "money" to start thinking about other careers. I took it as a good thing because you don't really want people in a profession who aren't into learning new threats to that profession.

That is a very accurate statement.  People who are only in information technology, especially cybersecurity, for the money do not belong in cybersecurity ,or in the fast paced technology fields, because these careers require continual work and self study that is often not recognized by executives as as a real challenge.  Only those who view life long learning as a labor of love can survive since it is a lifelong challenge to stay current.

> Frank_Mayer (Newcomer I) posted a new reply in Industry News on 05-19-2019 06:25

>    The problem is
> that our democratic governments have been ridiculously slow in embracing the
> good governance needed to regulate the tech sector properly.

Be careful what you wish for. More than three decades ago (good grief! am I ever
*ancient*!) I recall various governments trying to pass laws to make computer
viruses illegal. (Mostly under Civil Law legal systems.) They signally failed, and
sometimes spectacularly so.

>  We have very
> strict governance on the pharmaceutical industry, aviation industry, automotive
> industry, civil engineering, and just about everything else.

Thing is, we *know* about those things, and those regulations were put in place
over a long period of time. (It wasn't so long ago that seat belts weren't
mandatory in cars. Or aircraft ...) *We* don't know as much about infosec, and
*we* are the professionals ...

>  This Guardian
> article does a good job of explaining how we need just the right amount of
> governance to actually make these platforms safe

Yeah, it's that "just the right amount" that's the tricky part ...

>   In
> my opinion the politicians in America are woefully uneducated in information
> technology issues in most cases.

Unfortunately true.

>  Many of them are urgent about global warming
> and the green deal and I agree that is an issue.

And they can't even agree to do about *that* ...

>   Many governments mandate that hair stylist be certified but
> require nothing of IT professionals, how does that make any senses?    

As I note in many situations, if you can tell the difference between good advice
and bad advice you don't need any advice ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
If a man is called to be a streetsweeper,
he should sweep streets even as Michelangelo painted,
or Beethoven composed music, or Shakespeare wrote poetry.
He should sweep streets so well that all the hosts of
heaven and earth will pause to say,
here lived a great streetsweeper
who did his job well. - Martin Luther King Jr.
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB