Speaking four months after the IISP was renamed as the Charted Institute of Information Security (CIIS), CEO Amanda Finch said the re-branding was “great for us, as it puts on the map” after three and a half years of application.
Speaking at Plymouth University's Secure South West conference, she said that chartered status was important as it is “recognizing us as a proper profession” and that the CIIS is “the only pure play information security institution to have been granted Royal Charter status and is dedicated to raising the standard of professionalism in information security.”
She said that cybersecurity is still “badly defined” as a term, and work is needed to make it a profession. Admitting that we cannot be “renaissance people who do everything,” the profession has grown from when you needed to be generalist to consider multi-disciplined areas, taking in physical science, psychology, legal, compliance and different skill sets.
The CIIS determines that professionalism depends on:
- An agreed body of knowledge and skills that professionals need to have to work effectively in the field
- Ways to provide those skills through education and training programs
- Ways to accredit this process (both those identifying the body of knowledge and those teaching it) and attest that the individual has acquired those skills
- The mastery of certain defined skill sets through these processes
- Ways to demonstrate that practitioners have acquired those skills and can apply them competently
- Ways practitioners can refresh that knowledge through continuing education
- Codes of Ethics to ensure that practitioners act professionally
Finch argued that we need to recognize what we do have, and what we need to be developing to attract the best people. “We’ve been helping organizations to develop capabilities using development methodologies and frameworks” and also accrediting for competencies as, she said.
“So we developed a methodology to look at existing capabilities and skills and developing teams in this environment,” Finch said.
While companies may not always get “people with 100% of skills,” they should look at a person’s potential, “what basic skills you want them to have and upskill them.”
There will still be a need for specialists though, and to bring in expertise where it is needed, she said, concluding that we need to work as a community to bring the best talent in, and find good pathways to “demonstrate we’re a profession and make sure people come to us.”