Should Aussie cyber security pros be accredited?

Australia could have an accreditation scheme for cyber security professionals in three years' time if an initiative by an industry not-for-profit is successful.

The Australian Information Security Association (AISA) has revealed it is in very early talks with Australia's Professional Standards Council to make cyber security a "real, recognised profession" under a professional standards scheme.

It would accredit cyber security professionals in the same manner as a certified practising accountant (CPA).

Offering accreditation for infosec experts would benefit businesses by giving them confidence about the individual they are hiring, and individuals by offering them a career path, AISA CEO Arno Brok told iTnews.

"We think if you're giving the keys of the kingdom to your cyber security person, you want to know that they adhere to some sort of standard," Brok said.

It would also ensure that everybody "is talking the same language", he said.

"If you ask someone now what cyber security is, you get 10 different answers," he said.

"It's important that we standardise the language and that we move away from certification and actually have a standard that people adhere to, and which is supported by government, industry and education.

"There's growing demand for cyber security experts and that's going to grow even more - we have to make sure that when kids are coming out of school they have a career path."

The accreditation scheme would be voluntary and open to non-AISA members, Brok said. It would cover things like personal indemnity insurance and involve regular interview-style skills assessments.

"Not every person in cyber security will be interested in becoming an accredited cyber security professional, but a lot will," Brok said.

"Where I think it's really good is that, rather than some certifications which require you to read a book, this accreditation means you are actually assessed on your skills and knowledge."

Those who gain the accreditation would likely be required to maintain it throughout the year, through things like writing whitepapers or giving presentations that encourage maintenance and growth of knowledge. 

It is unclear at the moment how much an accredited cyber security professional would be required to pay in annual fees.

The Professional Standards Council charges organisations fees to apply and operate a professional standards scheme.

AISA would need to pay an initial $5000 to apply to operate a scheme, then $50 per member annually if accepted. There is also a charge of $500 per quarter should any members join or leave the scheme.

Brok said he envisioned different categories of accreditation, running all the way up from pentester to CISO.

Technical skill assessments would be more straighforward to design; how a CISO is assessed on their skills would take a little bit more thought, Brok said.

What will also need to be nutted out is where the accreditation process kicks in on the food chain.

"If you want to be a firewall admin for the rest of your life, there might not be a need for you to get accredited. But if you want to move on and up and do something different, that's where the career path comes into play."

Brok said he had no intention of creating a have and have-not divide between those with and without accreditations, nor making the barriers to entry high enough to be prohibitive.

"We have to maintain a practical approach to it - if that means we work out different entry points within the scheme, then that's what we have to do. We should not make it an elite group," he said.

"It should be an enabler in your career, and further cyber security as a whole."

Having only just started discussions with the Professional Standards Council, the accreditation scheme, should it be realised, would likely take at least three years to bed down, Brok said.

"This is not going to happen in the next six months. But cyber security is at the point now where we have to make the step in that direction," he said.

"We have to plant the seed now. The council is open to what we have to say, we can start the journey, but there are so many things we need to talk about."