Send in the professionals

13 Apr 2006


The launch of the Institute of Information Security Professionals (IISP) in February was intended to bring a level of professionalism to the security industry. It is expected to give chief information officers (CIOs) more confidence in employing security professionals, creating secure systems and satisfying auditors.

But these developments are not expected overnight. The IISP is in its infancy, but it has some big-name backers from the security world, which bodes well for the initiative’s development.

Its aim is three-fold: to provide accreditation, to support professional development and to create a voice for the security sector.

The long list of membership applications, which includes financial institutions UBS, Royal Bank of Scotland and HBOS, reveals the pent-up demand for such an organisation, which offers three levels of membership, a code of conduct and training.

Gaps in knowledge exhibited by security professionals working in UK businesses were exposed in the government’s recent IT security survey.

The Department of Trade and Industry’s (DTI) biennial Information Security Breaches Survey for 2006 revealed just half of qualified security professionals knew the contents of security standard BS 7799 – now ISO/IEC 17799 and ISO/IEC 27001. In addition, just one in 10 UK businesses have security-qualified staff.

‘The results reinforce the message that there’s a shortage of information security professionals and a real difficulty in finding skilled people,’ says Chris Potter, a partner with PricewaterhouseCoopers, which conducted the DTI survey.

He says the poor definition of standards is illustrated by the fact that many so-called qualified professionals do not know about basic security.

‘The IISP can play a really valuable role in creating common standards,’ says Potter.

Dr John Meakin, group head of information security at Standard Chartered Bank, is a strong supporter of the Institute.

‘What business leaders are looking for is some rigour and commonality from information security professionals,’ he says.

‘Currently, people come from many different routes, including the technical and the less technical side. As a profession, it’s an amorphous mob.’

This view is shared by Paul Wood, former chief security officer at financial institution UBS.

‘There are many types of information security professional and many are self taught. Courses are specialised and there isn’t a holistic approach,’ he says.

Meakin believes the IISP will bring structure and stature to the profession.

‘The IISP’s creation is very timely. It has to be a credible body of professionals sharing ethics and practice,’ he says.

Meakin expects the initiative to raise board confidence about internal information security.

‘When a board director signs off the company accounts, he wants to be able to state with confidence that the information is right,’ he says.

‘Now, when an information security professional professes something is true to a director, it’s a case of the executive having to look into the whites of his eyes. Due diligence is hampered.’

Wood also highlights the problem of getting the right person for the job.

‘When someone comes for an interview, how can I validate what they’ve done?’ he asks.

‘The IISP will make sure their experience and knowledge is what they claim and they didn’t just talk the talk.’

Meakin points out that the role of an information security professional is evolving into an advisory one – and having IISP backing can help authenticate managerial credibility.

‘Some of the technically-driven security is being commoditised,’ he says.

‘Microsoft, for example, is putting more security mechanisms into its core products, which means that the role of a security professional is changing to one that is more managerial and mixed with addressing operational risk.’

As the IISP enhances security experts’ professionalism, Meakin says information security workers can assert their specialism.

‘We have the ability to link security technicalities with pure operational risk,’ he says.

Businesses must step up security as more devices link into the network, says Martin Sadler, director of HP Labs’ Trusted Systems Laboratory and board member of the IISP.

‘Lots of players are trying to help, including administrators, architects, consultants, software developers, researchers and professional bodies, but a lot of it is fragmented,’ he says.

‘We need to orchestrate people willing to help. We must behave more as a single community,’ adds Sadler.

The IISP will help achieve integration by sharing best practice and spreading new ideas on how to defend organisations against criminals.

Tony Neate, head of industry liaison at the National Hi-Tech Crime Unit, which is now part of the Serious Organised Crime Agency (Soca), is keen to seize on the idea of unity.

‘We need trusted experts to build security into networks, but on the reactive side we need them to provide evidence in criminal and civil cases,’ he says.

The far-reaching expectations of the IISP include making it powerful enough to enforce standards and recognition beyond UK shores.

Meakin says he would like the initiative to have teeth.

‘When the General Medical Council finds malpractice by doctors, they are struck off. The IISP needs similar powers to reinforce the credibility of its members and the profession,’ he says.

‘If we want business to take professional advice at its worth, we should recognise cowboys and take them out.’

Meakin has a core team of 25 information security professionals, not all of whom are based in the UK.

‘I’d like to push for the internationalism of the IISP. You can’t squeeze it into UK plc,’ he says.

Paul Dorey, chief information security officer at BP, says the IISP recognises a growing demand for information security knowledge, skills and accountability.

‘Information security skills need to protect the systems we rely on,’ he says.

Dorey says the initiative will help security professionals deal with issues of accountability, which have intensified with the introduction of legislation such as Sarbanes-Oxley.

And to certify the ability of information security advisors to fulfil legislation requirements, he believes the IISP mentoring scheme will help people develop their judgment.

‘You can get security certifications, but they are knowledge qualifications and it’s difficult to apply knowledge,’ says Dorey.

‘Medical students are mentored: why not information security professionals?’ he asks.


Case study: Paul Wood

Paul Wood has more than 30 years’ experience in security and has dealt with a number of security roles within government.

Significant roles include chief security officer at UBS, head of corporate security at the Civil Aviation Authority and information security consultant at Baltimore Technologies.

‘The IISP will benefit business and industry by advancing the professionalism of practitioners. It’s a major step in improving the sharing of knowledge among practitioners,’ he says.

Wood is conscious that security is fast becoming a boardroom issue and points out that increasing regulation and government focus means that good corporate standards with the right controls and policies are expected.

‘Information security managers are crucial inside the business and the business is more reliant on them for effective security procedures,’ he says.

‘Security is a key business driver and enabler. The IISP’s training programme will equip members with the right skills for this purpose.’

Wood’s confidence in the IISP’s ability to deliver a professional development programme, and to provide information security workers with consistency in training, meant UBS paid £6,000 a year to join the initiative. This entitled the financial institution to 10 free IISP memberships.

‘I want all my information security professionals to join to benefit from the mix of mentoring, peer review and experience,’ says Wood.

‘The IISP will give IT directors something they can look to and seek advice from.’

Paul Wood left UBS on 9 April to join Aviva Group as business protection director.
