Improving The Information Security Profession
Many people today call themselves information security professionals but what is an information security professional and what does it take to be one? The Latin root of the word "professional" is profiteri, where pro means "forth" and fateri which means "confess." Taken together, they mean "to announce a belief." In other words a professional is a person making a vow to provide defined valuable services to others and to society. As such, a profession is defined as a vocation or the making of a vow to serve. People making such a vow become members of a profession and society accepts the profession, expecting it to serve the profession's declared social goals. Traditionally, when talking about professions, people would refer to medicine, law, education and clergy. By joining a profession, an individual would bind himself/herself, publicly, by a vow or oath, to a vocation or higher purpose. Over the years though, the word profession has been used to identify a wide range of vocations from sport to military, from economics to IT. We talk about professional footballers, professional soldiers, professional accountants, IT professionals and information security professionals.
If we looked at the traditional professions such as medicine, we see that they rest on three key pillars, bearing the marks of identification of the profession:
A Set of competences in a specific body of knowledge and skill;
A set of specific duties and responsibilities toward the individuals it serves and toward society along with the acknowledgement of such duties and responsibilities. Such duties and responsibilities are underpinned by clearly defined ethical principles.
The right to train, admit, discipline and dismiss its members for failure to sustain the required competences or observe the defined duties, responsibilities and ethical principles.
When it comes to information security however, most of the efforts of the professional community have been put into the following two areas:
Code of Ethics
In today's world information security professionalism has become synonymous of competence and certifications, with individuals collecting as many certifications as possible and claiming a higher level of professionalism and excellence after every certification achieved. Pursuing certified competences is definitely a very positive trend, with some certifications bearing more weights than others in terms of competence assessment and industry recognition. However, the fact that I am a competent security auditor does not mean I will apply my competence on every occasion and the fact I am competent penetration tester does not mean I will not cut corners when delivering a service in order to serve my personal interests. In other words, professionalism cannot simply rest on the pillar of competence.
The second focal point of the professional community has been the identification and definition of ethical principles associated to the delivery of the professional services, in relation to what is morally right and morally wrong. Again, these is very positive. However, history teaches us that people around the world have often disagreed and continue to disagree on what is morally right and wrong, on the ground of cultural, religious and political believes. However, the very definition of profession is not about ethics alone but about serving others and society and it requires the definition of clear duties and responsibilities towards those the professional has vowed to serve. Such duties and responsibilities form the second important pillar upon which a profession rests. Our whole point for even existing is that we serve others. As information security professionals we put our interests secondary to the interests of those we serve. We 'profess' our skills to others, and 'vow' to perform our trade to the highest known standards. As information security professionals we have duties and responsibilities towards our clients, our fellow professionals and finally towards our society.
Unfortunately, when it comes to the information security profession there are not many example of professional bodies and most of the existing code of ethics, code of conduct and principles come from the competence building business domain, which goes to wrongly reinforce the identification of professionalism with the acquisition of certified competences. Once more, a set of competences alone does not make you a professional!
Factors Undermining Information Security Profession Today
Many professions today suffer from decaying levels of professionalism, mostly due to economic pressure. To be professional means to profess one's profession according to the highest applicable standards and not only when the client can afford it or when it is convenient for us to do so. When competing with others to win a contract and in order to lower the service charges many professionals are pressured to cut corners and under-deliver in order to keep the required profit margins.
Furthermore, the level and success of most professionals is continuously measured by the fees that can be charged for the service rendered and the money made in exercising the profession, as opposed to the quality of the service rendered and the ability to perform one's duties and responsibilities with integrity. The higher the bill, the best the professional must be. A recent example is given by the legal profession in England, where the rates charged by the five "magic circle" firms have reached heights of £850 an hour! The focus of the profession has shifted from that of serving others to that of serving one-self, to make more money. Young generations choose professions on the basis of prospective earning and the achievement of a status which is no longer based on the recognition from society and peers but based on the car we drive and the house we own. Financial success should be a by-product of professional success not the other way round.
Improving the Information Security Profession
Professionalism and ethics should be embedded throughout the training received by people in the work practice. Companies should include professionalism in their core values, not just as an empty word inside the company mission statement, but based on deep and meaningful self-reflection on what it means to provide professional services and serve others. The importance of professionalism should be reflected from the outset, in the way people are recruited and later on are promoted and allowed to advance in their career. The management should commend on professional achievements as opposed to the achievement of financial goals without professionalism.
More important, the concepts of professionalism and ethics should have a mandatory place in the curriculum of every degree, from year one! Universities should consider inviting more guest speakers talking about the importance of professionalism and ethics and the fulfilment of a life spent to become a leading professional, in whatever field one chooses to pursue. When successful millionaires are invited for guest lectures to inspire young generations, they should be asked to emphasize how they lived their life on the quest for professional growth and respect for others and how their financial success was eventually a mere by-product not a goal. Inspiration and motivational talks should not focus on how people made their millions.
What the world really needs is leaders to inspire young generation to be better people and better professionals, not how to be the next millionaire.