The debate about how to inject provable professionalism into the information security industry has been reactivated by the Private Security Industries Act, which talks about the regulation of security consultants and the criteria for licensing. Although the intention of the act was to apply to physical security, it caused ripples in information security.
There are now a (small) number of degree courses and security professional accreditation schemes, but there is much confusion about their relative merits.
So for the past six months, a small group of prominent IT security specialists has held a number of brainstorming sessions to tackle some of these problems. Their conclusion, set out in a blueprint document, was that there was a need for a professional body to set and monitor standards and to ensure the fitness of IT security practitioners – an Institute for Information Security Professionals.
In addition to providing accreditation for IT security workers, the institute would act as a focal point for the profession, determining the boundaries of what constitutes information security, establishing a code of ethics, and so on.
Work is currently in progress to transform that generic blueprint into a more detailed proposal. This work is funded by the DTI and the Cabinet Office and has the support of the following impressive list of major players – BP International, BT Exact, CESG, HBOS plc, Hewlett-Packard Labs, IBM, (ISC)2, Royal Bank of Scotland, Royal Mail and Vodafone Research.
Anyone interested in the blueprint or with a contribution to the debate should email Barrie Wyatt at email@example.com