An Argument in Favor of Licensing Information Security Professionals

In today’s complex and interconnected information age, with much mention of cloud, big data, mobility, social business, and cybersecurity, individuals and organizations require assurance that the systems that have become part of their everyday lives are trustworthy, reliable and secure.

Currently, it is impossible to turn to a licensed individual (or group) to obtain this assurance, in much the same way that one can enlist the services of licensed professionals such as lawyers, accountants or doctors. The main reasons one would turn to these professionals is that a license proves the individual:

  • Is a member of and governed by a recognized professional association
  • Is licensed to practice (i.e., has the required education, knowledge, skills and experience)
  • Adheres to widely accepted standards and practices
  • Is held accountable for their actions through being governed by codes of professional conduct and disciplinary processes

Being licensed and part of a professional organization also demonstrates that the individual complies with mandated continuing education requirements and is part of a professional community – possibly global – that engages in knowledge sharing and is actively involved in keeping up to date with current developments in their chosen field.

Licensing will likely become mandatory for information security as we move into the ‘internet of everything’, including interconnected household devices, autonomous cars and e-medicine. Advances like these are on the horizon and will significantly increase the reliance we place on technology. People’s lives will quite literally be at stake; in fact, this is already the case.

Given the impact on our everyday lives and potential implications for public safety, the need for licensing people who design and implement security will be as significant a need as licensing for engineers who design our buildings and infrastructure, or doctors who look after our health. The potential for harm will be too great to trust security to just anyone who has managed to land a job but who may not have the necessary skills, education or experience.

With continued focus on information security and cybersecurity in particular, we are very likely to see increased pressure to procure information assurance and security services only from licensed individuals. It is important to note that professional certifications from leading global organizations that have strong credentialing programs already meet much of the licensing requirements. Indeed, many government agencies worldwide already have a form of licensing by mandating that certain services can only be performed by certain credential holders. A licensing program could, therefore, easily leverage the efforts of existing certification organizations that have years of experience in developing training and certifications, and are already accredited by recognized standards bodies such as ANSI and ISO, to establish the standard for information security professionals.

One particular challenge is likely to be the national interests of individual countries. Although technology and information systems don’t really recognize international borders, cybersecurity and national security interests – a key driver for licensing – are likely to be country-specific. However, other licensed professions have found ways of coping with international mobility and global workforces, and no doubt so will the licensed information security professionals of the future.

As an information security professional working in a large global financial services organization with complex information security challenges, and as an individual with genuine concerns about the privacy and security of my own personal data, I would like to make a strong case for information security professionals to be licensed much like other professions. Overall, licensing will engender safer and more secure environments for doing business and lead to increased trust in, and value from, information systems.

If you want a health check of your information systems, you should be able to turn to a licensed information security professional.

Allan Boardman is an information risk manager at a global investment bank and international vice president of ISACA. He also chairs ISACA’s Credentialing and Career Management Board and has more than 30 years of experience in IT audit, risk, security and consultancy roles.

What’s hot on Infosecurity Magazine?