When entering a debate on whether we should institute a professional licensing regime for information security, keep in mind there are currently no initiatives that have been given serious consideration by leaders in government, the standards community or private industry. A licensing regime is a mere concept that seems to arise when people seeking a silver bullet solution to the global cyber challenge start making comparisons to other fields that successfully operate under a licensing regime – the medical field being one that is used most often.
Comparing ours to the field of medicine is gravely misleading. IT and information security are rapidly evolving disciplines in a nascent field, while medicine is one of the oldest and most established professions. The medical field has well-defined areas of expertise that have been taught in universities for decades. Information security is only now being discussed as a separate discipline, and few universities have an established, separate school of information security.
Whereas doctors and nurses have control over the decisions they make and the outcomes of those decisions, infosec professionals seldom have control over either. Rarely does an IT security person control the organization’s budget, management priorities or user behavior and thus cannot be held solely liable for an organization’s network security. Security is a direct function of risk. Most often, it is not the security professional that accepts or rejects the risk.
Licensing infosec professionals will not solve our industry’s challenge to keep networks secure. Establishing a licensing regime requires significant funding, the buy-in of those in the field, global acceptance of international standards and governance, among the many other imperatives that sustain a program of this magnitude. For the licensing concept to evolve into a realistic consideration, some preliminary questions would have to be answered.
Standards and governance: Why reinvent the wheel? A licensing program would require that global standards for evaluating information security professionals be established and maintained. Global acceptance of standards for information security professionals – such as those under ISO – have already been achieved, and it would be foolish to reinvent that wheel.
Do we want to be licensed? According to (ISC)² member polling, there is little desire by professionals in the field to create a licensing regime. Without acceptance by those in the field, this would be a wasted effort.
What roles should be licensed? Which job series of those currently established will require a license? And if only some, then why not others? Making this determination will become an area of great debate, both in local communities and around the world. Can we afford to wait for consensus in order to move the workforce forward?
Is now the time to inhibit those entering the field? The 2013 (ISC)² Global Information Security Workforce Study found that two-thirds of C-level security executives reported staff shortages. Even if licensing could raise the standard of practitioners, it could also reduce the number of qualified individuals that can enter the field.
The final price tag? One of the biggest factors against a licensing regime is the cost to support it. How will governments fund a licensing program, and how does this expense make sense when existing training and certifications are already held to global standards, such as ANSI/ISO/IEC 17024? Who will fund the significant upgrade in training and education required? Will licensed cybersecurity professionals need to carry liability insurance? How will that impact compensation? Will the additional costs drive the IT industry toward more of an off-shoring ecosystem?
With so many critical questions on the table, now is not the time to establish a licensing regime for the information security profession and entertaining such a concept distracts leadership from the real crisis at hand. Until the profession matures far beyond how it currently operates and the industry itself actually buys into the concept of licensure, it has no chance of moving beyond the status of debate topic.
Licensing will not remedy breaches that are sure to come from risk acceptance, but potential litigation for the licensed IT professional just might be the result.
W. Hord Tipton is the executive director of (ISC)² and a member of Infosecurity’s editorial advisory board. He has over thirty years of business experience, including CIO for the US Department of the Interior. Tipton is a recipient of the Distinguished Rank Award for government service from the President of the United States.