I've been off the air for about a month due to some personal challenges, so I'm just catching up on some of the older stories that have been floating out there since late September. One that has caught my eye is the National Academy of Sciences (NAS) report regarding the professionalization of information security. In this report NAS concludes that cybersecurity is best classified as an occupation rather than a profession; further, NAS concludes that professionalization of cybersecurity should only occur when "the occupation has well-defined and stable characteristics [and] when there are observed deficiencies in the occupational workforce that professionalization could help remedy." NAS (and several industry pundits) further pointed out the challenges of our ever morphing enemay as well as the self-taught nature of many of our most seasone professionals.
What struck me most about this report is that hue and cry that did not occur from security professionals. There were a small handful of articles and some (predictable) responses from folks in the who resented the implication that they were not "professionals" (in the strictest interpretation of the word), then...nothing.
It is this lack of commentary that concerns me the most. Several reasons for this.
- One of the criteria for professionalization has been (at least partially) met. The security profession is facing a shortage of qualified personnel. The operative term here is "qualified." In an era where colleges and universities are regularly pumping out folks with computer/information security degrees, senior professionals are still having difficulty finding people with the KSAs to do the work. Experience (The "E" that we add over time to KSAs) helps and is supposed to enhance basic skills...but many organizations have taken to ignoring the training and experience offered by colleges and universities as being meaningless to the security utility in the workplace. Further, there is still a wide variety of degree variance between university programs in Infosec -- and very few security professionals recommend ANY program as being appropriatly constructed to tackle a security gig straight out of the classroom. To me, this translates to a case of "deficiencies in the occupational workforce" as well as an inability to provide a steady stream of qualified personnel into the workforce.
- What do we do about it? Folks, the lack of response from us as a profession seems to indicate either that (a) we agree with the characterization or (b) while we disagree with the report we don't see how to change it. While I will be the first person to admit that there is a portion of our work is art, we cannot surrender the battle for the science lest we lose the ability to maintain the seat at the table that we have fought to occupy over the past 15 years. When organizations cannot afford to steal senior folks from other organizations, they will turn more and more to technology to substitute for experience. Should this trend occur, we may find ourselves in a position where the chief security officer position (one of the 3 most senior positions our career progression has to offer) goes the way of the VP of Telephony.
The point of this post in a fairly simple one: we cannot as professionals (even if we aren't technically a profession) to accept the status quo accurately pointed out by the NAS report. We need to find a method of identifying and fostering the skills and mindset needed to succeed and -- most importantly -- stay ahead of the bad guys. If we fail to invest in this effort than we do a disservice to our constituents as well as those who are trying to follow in our footsteps.Think I'm exaggerating? I am personally aware of three multi-billion dollar entities who have broken up their security responsibilities amongst multiple entities upon the departure of their CSO. Two of those three seem to be sustaining compliance and security levels within minimal to no difficulty.
My two cents...
(Note: the link to the report above lists a price for the printed version of the report; downloading the PDF is still free. )
No comments:
Post a Comment