Should Information Security Professionals be Licensed to Practice?

Written by

Last week we published accompanying editorials from our most recent print edition that asked a rather simple question: Should information security professionals be licensed to practice?

Arguing in favor of such a licensing scheme, ISACA’s Alan Boardman lays out several reasons why infosec professionals should join the ranks of other licensed professionals, drawing parallels between information security practitioners and doctors.

On the other side of this argument, (ISC)²’s Hord Tipton said such a licensing regime is premature for a nascent market like information security, asserting that such a system would provide more uncertainty than assurances.

Infosecurity held and open admission period for opinion articles on this topic, and we eventually settled on the two we felt most thoroughly articulated the opposing viewpoints for this debate. Nevertheless, we received many submissions that are worth sharing with our readers. Below are some excerpts from these submissions – with my own assessment to wrap a bow on it. As always, I encourage you all to provide your own comments and tell us where you weigh in on this debate.

A. Kayode Adesemowo, Consultant, SOAMS Consulting, and Chartered Engineer:

“Most professions that touch on human and/or public safety are licensed: medical, auditing, traditional engineering, and so on. It takes a licensed engineer to "sign-off" on a project. One of the key requirements for me becoming a Chartered Engineer is an in-depth understanding of my field and the impact of decisions on the bigger picture, and especially how they affect humankind.

Licenses are usually issued to regulate activities that are deemed potentially dangerous or a threat to the public, or which require a high level of specialized skill. The danger and skill elements inspire governments not to allow a free-for-all, but to regulate the activity, and licensing is a well-established and convenient method of regulation.

Why not Information Security, given that most systems runs on "IT"? We should care that the people who touch on personal privacy and the CIA of information (confidentiality, integrity, availability) produce proper designs, implement workable solutions, and operate without a material impact on people’s lives.

As privacy issues and cybercrime increasingly affect the ‘man on the street’, safeguarding them will at a minimum require oversight by licensed professionals. Certifications and licenses can be beneficial both in showing that the consultant has achieved a certain level of expertise and professionalism as judged by an outside party, and in providing you with some protection in the event that an accident or other incident occurs. Although licenses and certifications are not fool-proof means of judging a professional, they do offer great benefits.

It would not be a tall order to license information security professionals. Leveraging on existing national and international structures and international bodies (such as ISACA and (ISC)²) is a way to go. It is imperative that certain areas of IT and information security be regulated, and therefore require licensed professionals.”

David Harley, CITP, FBCS, CISSP, Small Blue-Green World, ESET Senior Research Fellow:

“It's an attractive idea in principle, forcing (or enabling) security practitioners to demonstrate their technical competence and ethical grounding, whereas right now anyone can declare themselves an expert and proceed to provide really bad advice and services. And to some extent there are certifications that map very approximately to the kind of specialized formal training that is supposed to be characteristic of the 'real' professions – (ISC)2, SANS/GIAC, IISP, ISACA, and so on.

In real life, I don't think it's practical. Security professionals are too broad a church: it's more realistic to compare them to all manner of healthcare workers rather than doctors. Even if you trust the certifying organizations in terms of validating the types of generalist or specialist skills their certs address – and many don't, even among holders of those certifications – what you're really talking about is an overarching authority to implement certification of many types and skill set levels (and mind-sets), from CISOs to lab-rats to threat analysts to journalists to trainers to pen-testers to vulnerability researchers. What we have now is anarchy, but in the licensing scheme lies bureaucracy."

Brian Honan, BH Consulting:

“I would be in favor of licensing infosec professionals. We are working in an industry that is expanding rapidly and with a great demand on companies looking to recruit people to fill security roles. However, it is very difficult to discern if someone is really suitable for a role where they will be handling sensitive data, corporate secrets or testing the security of other businesses. We typically would not use a plumber who was not properly trained and vetted to fix our toilet, or use a taxi driver who was not properly licensed. It’s time we brought a level of not just professionalism, but accountability, to the industry”

Sarb Sembhi, CISM, CISSP-ISSAP, GCIH, GAWN, Director - Consulting Services, Incoming Thought:

“So many organizations have been breached that it is highly unlikely any one of the perpetrators had a license to practice, and the security professionals who attempted to protect these organizations wouldn’t have done their jobs any better had they a license to practice. There is a place for certifications, but a license won’t make any difference and would restrict some of the skilled people from contributing their talents for good rather than bad.”

Amorosi’s Take

I tend to agree with Hord Tipton and Sarb Sembhi in this area. With the infosec profession still in its infancy, it seems that establishing a licensing regime at this point is a bit premature, but it is something we may need to keep in mind for the future, as standards and best practices throughout the industry continue toward harmonization. I also agree that now is not the time to discourage those who are not “licensed practitioners” from entering the information security workforce.

Each time I have a conversation with an infosec professional, I try to make a point of asking them about their previous work experience and educational background. It’s now no surprise for me to hear that many of the current practitioners in this industry started their careers in fields other than computing, or programming, or risk management. They are lawyers, accountants, and in at least two cases I can think of, one-time aspiring rock stars.

Passing the bar exam does not make someone a good lawyer, just as finishing a medical residency doesn’t necessarily mean a licensed physician will achieve good outcomes for their patients. While “licensed professionals” such as lawyers, doctors, engineers, and accountants have been practicing their craft for decades – or even centuries – requiring that the embryonic field of information security be held to this standard is a step down the wrong path at this point. After all, each organization will have different requirements for its security practitioners – with some needing CISOs who are more adept in management than technical prowess, while others will seek out more of the hard-core types with deep-rooted technical skills.

In the end, it’s the unique requirements of the organizations employing information security professionals that will drive the search for the appropriate practitioners, and not any need to pass a government-mandated licensing exam.

What’s hot on Infosecurity Magazine?