wimremes
Contributor III

Licensure for IT/Network/Security professionals

https://www.itnews.com.au/news/tech-and-telco-engineers-face-mandatory-vic-registration-rules-530342

While the above link is specific to Australia, the discussion around licensure for IT professionals - and specifically Security professionals - has been going on for a long while. In Japan, in Australia, in Singapore, in the US, and in every relevant economy around the globe. I have my personal opinion on the need for and the benefit of any licensing scheme, but that is not the point I want to discuss here.

My primary question for today is where the organizations are that claim to represent our interests as members and professionals. This is broader than ISC2: I'm talking CREST, CompTIA, ISACA, EC-Council, SANS, etc., as well. The only *action* I have seen (similar to what happened around DoD 8570) is them pushing to ensure that their certificates and certifications are recognized under the licensing scheme. There has been zero consideration of whether the schemes as written are beneficial to the profession, or society at large. Australia is a good example, as they recently approved legislation that would allow government-only backdoors in encryption. It is no surprise that they would want to regulate who can and who cannot work as a cyber security professional.

I posit that this behavior is utterly disgraceful and warrants a response to the membership. The only organization that I'm a member of is ISC2, so here I am asking that question of ISC2. I strongly believe that the question should be asked more broadly and more insistently.

With ISC2 having an advocate in region (Tony Vizza), what is the organization doing to ensure the interests of the membership are considered? What is our current position in other regions and countries?



Sic semper tyrannis.
10 Replies
dcontesti
Community Champion

@wimremes wrote:

While the above link is specific to Australia, the discussion around licensure for IT professionals - and specifically Security professionals - has been going on for a long while.

...

With ISC2 having an advocate in region (Tony Vizza), what is the organization doing to ensure the interests of the membership are considered? What is our current position in other regions and countries?


Licensure of Engineers is nothing new and seems to be catching on. As an example, in Ontario, the term "Software Engineer" can only be used by someone who has graduated from a software engineering course at one of the universities, so it is therefore a protected term.

Engineers in Canada have been licensed for years. They must first graduate from an accredited course and then spend 3-5 years working; then they must sit and pass an exam, pay fees, etc. before being allowed to call themselves a professional engineer.

So based on your question to Tony, I would ask what you did on the board strategy in this area whilst you were on the board (as you recently rolled off the board). I think that licensing of Security folks is something that should be in the Board's strategy and not left to one advocate in PacRim. I may have misunderstood your question, but I believe the conversation on licensing should be done at the board level along with its only employee (the CEO) and that a proper plan be put in place.

Here is a reference to the law in Australia regarding the Back-Door in Encryption:

https://www.wired.com/story/australia-encryption-law-global-impact/

Regards

Diana

 

wimremes
Contributor III

@dcontesti wrote:

So based on your question to Tony, I would ask what you did on the board strategy in this area whilst you were on the board (as you recently rolled off the board). I think that licensing of Security folks is something that should be in the Board's strategy and not left to one advocate in PacRim.

...


Thanks for asking that question, Diana. I actually pushed this topic a lot. While on the board I have been involved in both internal efforts to form an organizational opinion on this as well as cross-organization efforts that all fizzled out into nothing. The latter mostly because every org involved wanted their products to be the top choices, with other orgs' products being secondary. The only tangible outcome of the strategic effort to represent members better was the creation of the advocate roles. As far as I know ISC2 has not developed a unified opinion on this topic.

I'm aware of licensure applied to engineering disciplines. I've had several long-winded and productive discussions on the topic with WH Murray amongst others. His opinion, if I summarize it correctly, was: "self-regulate or be regulated". We have never managed to drive the former and are now facing the consequences of the latter.

My concern is that fragmented licensure is a big issue for our profession, especially at a time when professionals are hard to find. Making it even harder for individuals to enter the profession is not a wise strategy.

EDIT: As chairperson in 2017 I personally introduced the CEO to another org that was looking to improve in this particular field and was present on the first 2-3 calls on the topic. This was subsequently handed over to the relevant advocates to lead and ended up with the other org bait-and-switching on ISC2. I believe the initiative died a silent death after that. I do believe that the strategy committee (and by extension the board) telling the CEO to improve how the membership (and the profession) is served/represented, combined with personal goals/targets to that end, should be sufficient to drive that goal. Execution should never involve the board or its committees.



Sic semper tyrannis.
CraginS
Defender I

@wimremes wrote:

https://www.itnews.com.au/news/tech-and-telco-engineers-face-mandatory-vic-registration-rules-530342

While the above link is specific to Australia, the discussion around licensure for IT professionals - and specifically Security professionals - has been going on for a long while.

...

The only organization that I'm a member of is ISC2 so here I am asking that question to ISC2. ...


There are three reasons for governments establishing business licensing and registration programs:

  1. To protect the public from incompetent and unscrupulous practitioners.
  2. To control access to, and thus limit the number of practitioners in, a particular field of commerce, effectively damping extreme pricing competition.
  3. To raise government revenue through fees and fines.

Public statements by government officials seeking and operating licensing programs, and from professional societies and certification bodies supporting the programs, always trumpet Reason #1, public protection. However, there is widespread recognition that in reality reasons 2 and 3 are more prominent in the intentions of many licensing supporters, whether or not Reason #1 makes any sense for a particular program. Perform your own web search on the phrase "outrageous licensing requirements" for news articles, opinion pieces, and academic studies supporting that contention. One such academic blog by Robert J. Thornton opened with this statement:

"More than a half century ago, economist Milton Friedman warned in his classic book, Capitalism and Freedom, that occupational licensing “frequently establishes essentially the medieval guild kind of regulation in which the state assigns power to members of the profession.”

The result, Friedman contended, was practitioners acting in their own self-interest to limit the number of competitors, which in turn raises the price and may even lower the quality of the service provided to the consumer."

In contrast to licensing, many certification programs truly have resulted from a sincere desire to implement Reason #1. The organizations that originally came together in the 1990s to form (ISC)2 and establish the CISSP clearly did so for the altruistic approach to Reason #1. (Admittedly, there was also a sense of self-reputation protection, to avoid being labeled as incompetent in information security due to the poor performance of others.) Well-run certification programs allow the public to use a practical yardstick when applying the principle of caveat emptor in their own purchases.

It is not uncommon for an entity seeking a new licensing program to build it on existing certification programs. This is precisely what the U.S. Defense Department did in establishing the Cyber Workforce Management Program under DoDD 8140.01 & DoD 8570.01-M. As Wim has pointed out, many certification bodies seem primarily interested in ensuring their programs fulfill the government registration processes.

Unlike Wim, I am also a member of both ISSA and CompTIA. I second his call for all of these organizations to develop official positions on cyber security licensing programs.

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
wimremes
Contributor III

@CraginS I'd like to make one observation. The DoD regulations mention certifications by name as examples. It is not a prima facie example of regulatory capture. Their primary focus is on ANSI 17024 accreditation for professional certifications. ISC2 was the first, and for long the only, certification body to align with ANSI requirements. Only recently (in the last 5 years?) have other organizations such as SANS, EC-Council, and others aligned with the ANSI standard. The fallout from the requirement to pay AMFs and collect (the equivalent of) CPEs was not negligible.

To say I am a fan of ANSI requirements is a bridge too far, but if you're going to develop a professional certification, ANSI is a pretty good yardstick, and I think one of the things ISC2 has done well is following through with that focus.



Sic semper tyrannis.
CraginS
Defender I

@wimremes wrote:

@CraginS I'd like to make one observation. The DoD regulations mention certifications by name as examples. It is not a prima facie example of regulatory capture. Their primary focus is on ANSI 17024 accreditation for professional certifications. ISC2 was the first, and for long the only, certification body to align with ANSI requirements

...


Wim,

I think you may have mis-read the DoD publications. They do not mention the certifications simply as examples; they mandate that workers in identified positions hold specifically named certifications within six months of appointment in order to hold onto the jobs. That is the primary focus of the Cyber Workforce Management Program, originally called the Information Assurance Workforce Improvement Program. The criterion for being an acceptable certification for the program is successful management under ANSI 17024. Thus, for certifying bodies, THEIR primary focus may be on meeting ANSI 17024 requirements, but the DoD primary focus is most definitely on workers attaining and holding very specific certifications related to their jobs.

And thus I contend that the mandate in the DoD program is precisely a certification capture situation, as a means of establishing the baseline requirements for those in the identified positions. This was all complicated by the reality that a huge number of workers already in those positions did not, and in many cases could not, qualify for the requisite certifications. As a result, DoD was very slow to actually enforce the requirements on government employees, while quickly ramping up enforcement for contractor employees in related positions.

As it happens, when the original DoD 8570 was being released, I was a member of a three-person team within my company that had to brief up to the corporate officer level to convince our management that 8570 was not just a good idea, but was about to be a contractual requirement on all of our DoD work. It took us a year to work our way up to the top and obtain management concurrence and support, but eventually we succeeded. From that time up until my retirement in 2018, I was effectively the 8570 go-to person in the company.

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
dcontesti
Community Champion

@wimremes wrote:

Thanks for asking that question, Diana. I actually pushed this topic a lot. While on the board I have been involved in both internal efforts to form an organizational opinion on this as well as cross-organization efforts that all fizzled out into nothing.

...

EDIT: As chairperson in 2017 I personally introduced the CEO to another org that was looking to improve in this particular field and was present on the first 2-3 calls on the topic. This was subsequently handed over to the relevant advocates to lead and ended up with the other org bait-and-switching on ISC2. I believe the initiative died a silent death after that. ... Execution should never involve the board or its committees.


Thanks for the reply, Wim.

While I agree that execution should never involve the board or its committees (save for a few examples: Ethics being one, or Professional Practices, or Compensation), it is the board's responsibility to ensure that management take/move the organization in a direction that benefits the membership.

Your comment that the "initiative died a silent death" is concerning. Was this in the strategy that management were asked to look at?

Licensure might or could stop some of the nonsense that we see daily with folks gaining certifications that should not.

I agree with WHM that we need to "self regulate or be regulated" and with @cragin that we should work with other organizations to bring something to bear. Unfortunately, even though all these organizations are typically 501(c)(6)s, they do look to ensure their certifications are listed on things like the 8570 (so they get their share of the pie).

wimremes
Contributor III

@dcontesti if I say the initiative died a silent death, it doesn't mean that there is an implied fault on the ISC2 side. When different organizations attempt to collaborate on a certain topic, especially when some of them are relatively immature, it often ends up being a clash of agendas/priorities. In this case too many thought that there should be a hierarchy of certs and always thought their products should lead. This was particularly NOT the approach of ISC2. I actually think ISC2 did everything they could to keep the train on the tracks, to no avail.



Sic semper tyrannis.
dcontesti
Community Champion


@wimremes wrote:

@dcontesti if I say the initiative died a silent death, it doesn't mean that there is an implied fault on the ISC2 side. When different organizations attempt to collaborate on a certain topic, especially when some of them are relatively immature, it often ends up being a clash of agendas/priorities. In this case too many thought that there should be a hierarchy of certs and always thought their products should lead. This was particularly NOT the approach of ISC2. I actually think ISC2 did everything they could to keep the train on the tracks, to no avail.


So I don't think I said it was the fault of anyone; I believe I said it was concerning. As you have not said which organization, it is hard to determine their relative immaturity. Unfortunately, licensure cannot be two organizations dealing with their individual certifications; I believe it has to be an industry-wide initiative with organizations such as ISACA, ISSA, CompTIA, (ISC)2, SANS and others. I would look to (ISC)2 to lead this endeavour after a proper survey of the membership is done to determine if this is something that folks feel is useful to them and their careers. As a member, I have not been asked if I believe that licensure will aid my career or hamper it.

Several years ago, a management consultant recommended that a survey be done of the membership to determine its wants and needs. Maybe I missed the survey, but I think it would benefit the organization to do one.

Given the current state, it is understandable that each and every organization is going to be concerned with their certs and want to keep them on things like the DoD 8570; how else will they make $$.

mgorman
Contributor II

Following the discussion is interesting, but I have a fundamental question. What would a "cybersecurity" or "IT" license allow one to do, or the lack of one stop them from doing? Here in the US, and I believe largely elsewhere, a Licensed Professional Engineer has certain "powers" that non-holders do not. This includes the ability to sign off on items of public safety, like building plans, bridges, internal building systems (electrical, HVAC, etc.), to approve them. There are other things as well, but that is the primary one I am aware of. There are many structural, mechanical, electrical, software, etc. engineers that are "professional engineers", in that they are paid to be an engineer, that may work on the designs, prepare the plans, etc., but the final, legally binding review is up to the LPE.

If you had a license, and were breached, do you lose your license? Do you have to go to court to defend yourself, as you would if it were medical or other professional malpractice? If a building fails, the first thing that happens is the LPE that signed off on the structure is going to have their license suspended, pending inquiry. Working in an industry that seems pretty comfortable with the "not if but when" mentality, I find those difficult to reconcile.