IT security officers are to get their own professional body in the UK with the launch of the Institute of Information Security Professionals (IISP) next month.
The IISP, which was given the go-ahead by the Department for Trade and Industry at the end of last year, is due to officially launch in February.
Nick Coleman, the interim chief executive of the Institute, who is also IBM's head of security, told ZDNet UK that the goal of the institute is to "professionalise the industry" and ensure IT security officers reach a certain standard.
"We are increasingly dependent on information and its security — people working in this field are critical to the organisation. At the moment, there is no way of understanding if people are professionally competent," said Coleman.
He pointed out that although qualifications are important, people "can pass a qualification and don't need to worry about it again." The IISP plans to offer security professionals an "associate" or "full membership" dependent on a number of factors including industry experience and ongoing training.
The institute already has members on board from a number of companies, including BP, Royal Bank of Scotland, HBOS and Vodafone. Over the next few months it plans to build its membership base, set up a Web site and start a programme of masterclasses for chief information security officers, where they can share best practice on issues such as governance and risk assessment, according to Coleman.
Richard Starnes, the president of the Information Systems Security Association, said that the IT security industry needs a professional body similar to the Chartered Institute of Accounting and the Bar Council, which represents barristers.
"These institutions have the ability to regulate the profession, because the profession is so important to society as a whole. The information security profession is equally important in terms of its role in protecting critical national infrastructure," said Starnes.
The IISP will not initially have the power to remove the right of practice of a security officer who is deemed incompetent.
Coleman said IISP will discuss such issues in the future, but at present, it is focussing on "getting people to full membership". "If we do that a lot of other issues will be taken care of," he said.
Talkback
It is my opinion that there are too many "professional bodies" carrying on their business. Unless a body actually holds worthwhile recognised examinations and issues qualification certificates then it is no more than a "jobs for the boys" body. And as such it becomes a further unnecessary cash drain upon our society, whether it is through taxation, levy or per capita charge.
The question should be: will the inception of this body make any difference at the customer level? If not, then it is just another self-deluding concern.
Surely it is incumbent upon an employer to ensure his IT employees hold suitable qualifications for their job and that such qualifications (and refreshers) are "in date".
Ahh yes, yet ANOTHER group trying to get on the "We Secure IT Security" band-wagon.
The ISC2 is already doing this, as are a myriad of other organisations.
Why do we need yet another organisation? I agree that IT Security professionals should be held as accountable as CPAs, Nuclear Technicians and Aircraft Mechanics, but we already have bodies in place that are well positioned to do this.
Now those of us in the IT Security industry have to get yet another certification, pay another set of dues and report our ongoing training to yet another organisation.
This new group appears to be for those without any security qualifications. Security professionals that already have qualifications are members of ISC2 or ISACA or ISSA. Now we have ISSP; what's next, ISSQ?
As another "latest" and "best ever" security certification hits the already saturated security certification space, one asks whether it is really needed. With vendor-neutral certifications, not to mention the ubiquitous vendor ones already available, one asks whether we need another security certification, with all the requisite fees and CPEs to keep up with.
With ISC2 CISSP and ISACA CISA, and now CISM, well established, one must ask the rationale behind the DTI's and Cabinet Office's support for yet another security certification, in the form of IISP. Reading what little material is available so far on IISP, it does not seem to add anything over the aforementioned and established certificates. Being a CISSP of 4 years' standing and having recently passed CISM, I only see IISP adding to confusion and undermining the existing hard-earned designations.
Since Novell's CNA/E hit the certification market, accusations have been rife of vendors cynically using ever innovative and sometimes as a new and important income stream. It seems vendor-neutral security certifications perhaps are also being used to generate nice little "earners" for the boys. Perhaps the people behind the IISP certification need to start by demonstrating Return On Security Investment (ROSI) for their existence. Until then I, like many people, will not be convinced that IISP will add anything to my existing skills and designations other than CPEs and FEES.
There is a professional body for IT in the UK: the British Computer Society ("BCS"). Why develop a separate body to govern IT security? Why not bring IT security certification under the BCS?