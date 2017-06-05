Back in February, Infosecurity reported that the IISP planned to apply for a Royal Charter, claiming that this is needed for the cybersecurity profession. We asked three experts for their views on whether this will ever happen, and what the consequences could be.

Ian Glover, President, CREST

Working in information security for 36 years, Ian has been instrumental in a significant number of major initiatives in the industry, including the Cyber Essentials scheme and the UK government CIR. Ian has also worked on a number of social responsibility research projects.

To have a Royal Charter and the ability to award Chartered status to ‘professionals’ working in the information security industry is a natural progression and has significant benefits for the industry and also for individuals. To justify professional status, it must be done through industry and internationally recognized professional examinations or other agreed demonstrable assessment. The industry has made very good progress in the establishment of individual certification; however, none of the existing certificates identify individuals operating at the highest level of the profession. There needs to be something for people working at senior levels in the information security industry to aspire to that provides them with a maintained recognized status, and Chartered status will provide this. It will add significant credibility to the industry and will help identify a ‘senior professional’ in the market. This will not be an easy pathway because the industry is very diverse, ranging from very deeply technical people, through policies and standards setting or auditing people, to senior management with direct links to other more established areas of risk management. Information security is an emerging industry and does not have, and isn’t even close to having, an agreed body of knowledge that encompasses all the roles. If a Royal Charter is implemented, it must recognize the existing career pathways but be flexible enough to reflect new roles and jobs that do not yet exist.
It is not clear in my mind how all of the aspects necessary to build Chartered status can encompass all roles and all jobs in the industry, so we must start with career pathways that are understood and established and work from there, providing a process that allows for considered expansion. Information security is an international business, so we must talk to equivalent issuing bodies in established and emerging regions to obtain consistency. A UK-only recognized award without equivalence will be of limited value. The diverse range of roles also makes it difficult to establish which existing professional institution should make the award. Some of these already have a Chartered status, but have a limited number of new awards they can issue. Others are attempting to obtain Chartered status but have not achieved it yet. Interestingly, obtaining Chartered status in information security will probably require demonstrable expertise that would fall into multiple existing professional institutions. The industry must start to work together on this. If particular industries or government contract any single body, it will be difficult to develop and implement a process that will be widely accepted and sustainable. If specific sectors or government want to help this to happen, they should encourage collaboration. If seed funding is available, it should be oriented towards helping to coordinate this collaboration, not to introduce competition in the ‘institution’ marketplace.

Amanda Finch, General Manager, IISP

Amanda has specialized in information security management since 1991, when she established the function within Marks & Spencer. In addition to her role at the IISP, she works with the Information Security Forum (ISF) and the British Computer Society (BCS) and has a Master’s degree in Information Security.

Protecting the systems that underpin the current technology transformation gets ever more complex, and there simply aren’t enough security professionals to meet the challenges. As an information security profession, we are acutely aware of these issues, but we need to address them more formally. The UK Government has recognized the seriousness of the problem and in its National Cyber Security Strategy (2016-2021) stated that “the UK requires a sustainable supply of home-grown cyber skilled professionals to meet the growing demands of an increasing digital economy, in both the public and private sectors and defense.” The intention is to develop clear entry and development routes for the profession, attractive to a diverse range of people. Part of this is to ensure that cybersecurity becomes “widely acknowledged as an established profession with clear career pathways, and has (a national body of) Royal Charter status.” Having a Chartered status will significantly raise the profile of our professionals, and a Chartered Institute will provide clarity on the disciplines and bring us in step with other chartered professions. We need recognized skills frameworks developed by professional bodies. Through definition and standardization, professionals wanting to demonstrate their capabilities can be measured against defined criteria. Such definition will give us the ability to cultivate skills on a greater scale and provide our professionals with clear signposting for development.
Professionalization is a way to demonstrate the mastery of certain skill sets essential for success, and to show that those skills and knowledge can be refreshed through continuing education. To do this, we must identify the body of knowledge and skills that professionals need to have, support it with appropriate education and training programs, and finally have a way to accredit this process. It is often overlooked that employers place enormous trust in their information security specialists, who often have privileged access to highly sensitive information as well as critical business systems and processes. Such trust necessitates that individuals meet the highest professional, working and ethical standards. The IISP argues that an effective alternative to today’s ad hoc, decentralized approach is needed and that professionalization requires a nationally recognized, independent organization to act as a professional body and clearinghouse for the profession. The process would unfold over several years and involve stakeholders from government, academic institutions, profit and non-profit organizations, public and private sector entities, and formal and informal groups. Its responsibilities would include coordinating standardized core curricula for educational institutions at all levels and encouraging collaboration with both intra-university and intra-professional bodies. Chartered status would allow entitled members to stand proudly with a clear indication of meeting the highest professional standards of knowledge, skills, abilities and ethical behavior. The IISP has been applying these principles for 10 years since its formation and is keen to formalize them as institutional protocols.