Does the UK Need an Information Security Royal Charter?

Back in February, Infosecurity reported that the IISP planned to apply for a Royal Charter, claiming that this is needed for the cybersecurity profession. We asked three experts on their view on whether this will ever happen, and what the consequences could be.

Ian Glover, President, CREST

Working in information security for 36 years, Ian has been instrumental in a significant number of major initiatives in the industry, including the Cyber Essentials scheme and the UK government CIR. Ian has also worked on a number of social responsibility research projects.

To have a Royal Charter and the ability to award Chartered status to ‘professionals’ working in the information security industry is a natural progression and has significant benefits for the industry and also for individuals.

To justify professional status, it must be done through industry and internationally recognized professional examinations or other agreed demonstrable assessment. The industry has made very good progress in the establishment of individual certification, however, none of the existing certificates identify individuals operating at the highest level of the profession.

There needs to be something for people working at senior levels in the information security industry to aspire to that provides them with a maintained recognized status, and Chartered status will provide this. It will add significant credibility to the industry and will help identify a ‘senior professional’ in the market.

This will not be an easy pathway because the industry is very diverse, ranging from very deeply technical people, through policies and standards setting or auditing people to senior management with direct links to other more established areas of risk management. Information security is an emerging industry and does not have, or isn’t even close to having, an agreed body of knowledge that encompasses all the roles.

If a Royal Charter is implemented, it must recognize the existing career pathways but be flexible enough to reflect new roles and jobs that do not yet exist. It is not clear in my mind how all of the aspects necessary to build Chartered status can encompass all roles and all jobs in the industry, so we must start with career pathways that are understood and established and work from there, providing a process that allows for considered expansion.

Information security is an international business so we must talk to equivalent issuing bodies in established and emerging regions to obtain consistency. A UK-only recognized award without equivalence will be of limited value.

The diverse range of roles also makes it difficult to establish what existing professional institution should make the award. Some of these already have a Chartered status, but have a limited number of new awards they can issue. Others are attempting to obtain Chartered status but have not achieved it yet. Interestingly, obtaining Chartered status in information security will probably require demonstrable expertise that would fall into multiple existing professional institutions.

The industry must start to work together on this. If particular industries or government contract any single body it will be difficult to develop and implement a process that will be widely accepted and sustainable. If specific sectors or government want to help this to happen, they should encourage collaboration. If seed funding is available it should be oriented towards helping to coordinate this collaboration, not to introduce competition in the ‘institution’ marketplace.

Amanda Finch, General Manager, IISP

Amanda has specialized in information security management since 1991 when she established the function within Marks & Spencer. In addition to her role at the IISP, she works with the Information Security Forum (ISF) and the British Computer Society (BCS) and has a Master’s degree in Information Security.

Protecting the systems that underpin the current technology transformation gets ever more complex, and there simply aren’t enough security professionals to meet the challenges. As an information security profession, we are acutely aware of these issues but we need to address the issues more formally.

The UK Government has recognized the seriousness of the problem and in its National Cyber Security Strategy (2016-2021), stated that “the UK requires a sustainable supply of home-grown cyber skilled professionals to meet the growing demands of an increasing digital economy, in both the public and private sectors and defense.” The intention is to develop clear entry and development routes for the profession, attractive to a diverse range of people. Part of this is to ensure that cybersecurity becomes “widely acknowledged as an established profession with clear career pathways, and has (a national body of) Royal Charter status.”

Having a Chartered status will significantly raise the profile of our professionals and a Chartered Institute will provide clarity on the disciplines and bring us in step with other chartered professions.

We need recognized skills frameworks developed by professional bodies. Through definition and standardization, professionals wanting to demonstrate their capabilities can be measured against defined criteria. Such definition will give us the ability to cultivate skills on a greater scale and provide our professionals with clear signposting for development.

Professionalization is a way to demonstrate the mastery of certain skill sets essential for success, and show that those skills and knowledge can be refreshed through continuing education. To do this, we must identify the body of knowledge and skills that professionals need to have, supported by appropriate education and training programs and finally have a way to accredit this process.

It is often overlooked that employers place enormous trust in their information security specialists, who often have privileged access to highly sensitive information as well as critical business systems and processes. Such trust necessitates that individuals meet the highest professional, working and ethical standards.

The IISP argues that an effective alternative to today’s ad hoc, decentralized approach is needed and that professionalization requires a nationally recognized, independent organization to act as a professional body and clearinghouse for the profession. The process would unfold over several years and involve stakeholders from government, academic institutions, profit and non-profit organizations, public and private sector entities, formal and informal groups. Its responsibilities would include coordinating standardized core curricula for educational institutions at all levels and encouraging collaboration with both intra-university and intra-professional bodies.

Chartered status would allow entitled members to stand proudly with a clear indication of meeting the highest professional standards of knowledge, skills, abilities and ethical behavior. The IISP has been applying these principles for 10 years since its formation and is keen to formalize these as institutional protocols.

Robin Smith, IT Security Manager, West Yorkshire Police

Robin is IT security manager at West Yorkshire Police. He has 15 years’ experience as a privacy and compliance specialist, working across health, local government and law enforcement.

In our world where data is a currency, the information security professional becomes an essential broker. The protection of information and data is essential, and the information security industry must mobilize to support the recent application for Royal Charter status.

The recent application (submitted by the IISP) for a Royal Charter status to the Privy Council demonstrates how the profession is maturing and information professionals should support this move in a number of ways. The profession is dealing with risks that threaten the entire conduct of our digital societies.

Chartership is the level of professional registration for those working in the information professions who wish to be recognized for their skills, knowledge and application of these in the form of reflective practice.

The benefits of Chartership are myriad, ranging from the recognition of the profession as a key part of society to ensuring that individual professionals can plan their career path.

One of the key concerns regarding the application for Royal Charter will be the need to fuse experience with accreditation. Simply achieving Chartership should not be an objective; it should be part of a dedication to developing skills and experience within a professional industry. Evidence from other professions highlights that many individuals fail to go beyond Chartership to push the boundaries of current professional practice and orthodoxy. The information security profession must avoid this risk.

The financial costs of Chartership in other industries can also be exorbitant. A number of engineers note that the process for an individual to become Chartered can be both expensive and time consuming, with few benefits aside from the title provided by authorized organizations.

Successful applications for Royal Charter have been based around mobilizing potential senior professionals and the emerging young stars in the industry to outline the value and impact made by granting the application. The information security industry is blessed with a number of highly influential individuals who can speak with fluency regarding the present and near-term threats that are being battled. The Institute of Information Security Professionals (IISP) deserves credit for conducting an excellent initial campaign to lobby for recognition. Its membership is key to the success of this endeavor and can take action to aid the application.

The new paradigm of the digital economy requires the information security profession to be clearly identified as a key broker for all information and data assets. With the rapid development of the industry in the last decade and the array of emerging issues that shape our entire society, information security professionals should mobilize to support this campaign to ensure success. As we approach 2020, individuals working in this key sphere need to decide whether they want to shape our digital nation or simply respond to its demands. It’s really up to every individual information security professional. What do you want to do with the rest of your career?