A common feeling among established professionals is that an external standard should not be applied to their field - or at least not to them personally. Various reasons are given as to why they would not benefit from a standard: it would be needlessly bureaucratic, it would focus on trivialities, it would not keep pace with the latest changes and, anyway, they already know everything that needs doing. Underlying this can also be a nagging doubt that adopting external standards would amount to an admission of ignorance.
It is good to see that information security as a field does not suffer from this fear of standards - if anything, the variety of specialist qualifications can be quite daunting to outsiders. Explaining the difference between an information security investigation carried out by a penetration tester and one carried out by a forensic scientist is enough to send most people to sleep. This becomes a real problem when a non-technical manager (or even a non-security IT manager) has to select the right person for the task in hand.
With apologies to the accountants out there, nobody besides other accountants actually knows what being a Chartered Accountant involves. Yet the brand is so strong that evidence of Chartered status is accepted as a mark of competence across a broad section of their field, without anyone needing to know the details. The British Computer Society has rebranded itself as The Chartered Institute for IT, and perhaps over time being a Chartered IT professional will carry the same reputation for skill as being a Chartered Accountant. In the security field, CISSPs, CTLs, CREST Certified Testers, Senior TIGER Scheme Testers, PCI-QSAs and good old fashioned PhDs will continue to battle it out for the upper hand as the most appropriate qualification.
Infosec certification comes with two problems: firstly, choosing the professional best suited to the area at risk, and secondly, choosing a professional at all. Each of the qualifications above represents a significant investment of time and money in the field, and each is rightly regarded within the industry as the sign of a competent professional. There is significant overlap, but the qualifications are by no means interchangeable. In amongst the acronyms, some unfortunate director has to choose the most appropriate person for the job, and a CISSP just won't do when a PCI-QSA is required. All the certification schemes seem to be thriving, but their names and differing strengths are just white noise to decision makers.
The security industry as a whole should focus on marketing itself better to the world at large, and on making the value of each of its qualifications apparent to the people who have to choose between them.
Thursday, 14 January 2010