More rigour, less geek, more respect

In my position, I get to read an awful lot of submitted articles, supposedly from infosec professionals with centuries of experience between them. And I also get along to a lot of conferences where many of the same people share their wisdom with the rest of the world.

It's amazing how many of them are keen to express the highly original opinion that security is about "confidentiality, integrity and availability". Not only that, it's about "people, process and technology." Wow.

They might express it in a variety of ways, but that is what so many of the articles and talks boil down to. The same people also complain that senior management never listen to them or give them the resources they need.

Can you see where I'm going with this?

Unless we start to raise the level of discussion in our industry, we will continue to be typecast as geeks or bores, forever standing on the sidelines complaining that no one will listen.

I know IT security concerns confidentiality and people, but we need to move on from the Ladybird Book of Security, and decide what we are going to do with the knowledge. Of course, technology alone will not be able to protect us from security breaches, but we need to decide how far we are going to trust it, and then decide what to do about user awareness and training.

Two features in this month's issue of SC go some way toward tackling this apparent dead-end in our thinking.

Our front-cover interviewee Ira Winkler, author of a new book called Spies Among Us, makes the point that most of our security problems could be solved by getting the basics right, hardening operating systems and limiting access rights to the bare essentials. In other words, practising what we preach, rather than just talking about it.

The second feature comes from the head of security at Cancer Research, who discusses the role of professional qualifications in our industry. He makes the very practical point that if you don't have a proper professional certification, then you will find it increasingly difficult to find a job. Employers might not know what a CISSP or CISM is, but they are starting to demand some kind of similar certification before they'll even see you for an interview.

He also considers the new Institute of Information Security Professionals, which, unlike those US-driven certification schemes, sets out to go beyond the multiple-choice exam and create a true benchmark of professionalism for our industry.

We should all support the idea of the IISP. It offers the best chance so far to put IT security on a new footing, and create respect for its members. And it is likely to demand a more rigorous approach to the subject, which can only be good for all of us.

Ron Condon is editor-in-chief of SC Magazine

Copyright © SC Magazine, US edition