https://www.itnews.com.au/news/tech-and-telco-engineers-face-mandatory-vic-registration-rules-530342
While the above link is specific to Australia, the discussion around licensure for IT professionals - and specifically Security professionals - has been going on for a long while. In Japan, in Australia, in Singapore, in the US, and on every relevant economy around the globe. I have my personal opinion on the need for and the benefit of any licensing scheme but that is not the point I want to discuss here.
My primary question for today is where the organizations are that claim to represent our interests as members and professionals. This is broader than ISC2: I'm talking CREST, CompTIA, ISACA, EC-Council, SANS, etc. as well. The only *action* I have seen (similar to what happened around DoD 8570) is them pushing to ensure that their certificates and certifications are recognized under the licensing scheme. There has been zero consideration of whether the schemes as written are beneficial to the profession, or to society at large. Australia is a good example, as they recently approved legislation that would allow government-only backdoors in encryption. It is no surprise that they would want to regulate who can and who cannot work as a cyber security professional.
I posit that this behavior is utterly disgraceful and warrants a response to the membership. The only organization that I'm a member of is ISC2 so here I am asking that question to ISC2. I strongly believe that the question should be asked more broadly and more insistently.
With ISC2 having an advocate in region (Tony Vizza), what is the organization doing to ensure the interests of the membership are considered? What is our current position in other regions and countries?
I would be very careful of the term Cybersecurity - it actually relates to physical security and not information security, which is what it used to be called, i.e., Information Security practitioner, etc. However, now with the convergence of IoT and 5G, we constantly find groups such as ASIS calling themselves certified security professionals, using the same terminology including risk management, GRC, etc., but in reality they are involved in physical security and investigations, etc.
We have a dilemma: the terminology has changed, and everyone has adopted it without thinking of the context. So you have many people stating they are certified in security, but in fact they are mainly certified in physical security or cybersecurity, not information security.
Back in the UK, the British Computer Society recognised this problem and brought out an information security standard that all people who wanted to call themselves security practitioners had to study and pass the examination for, so they could officially be deemed security practitioners. If CISSP is the standard within ISC2, then we need to state it upfront as the baseline security practitioner qualification, along with a set of ethics and a set of rules of conduct.
Regards
Caute_cautim