At the 2012 Colloquium for Information Systems Security Education (CISSE) last month, a speaker from the US Department of Homeland Security (DHS), National Cyber Security Division, provided a glimpse of a study that was being pursued with the National Academy of Science. The speaker described a number of licensing programs used in such fields as medicine and aviation, where data reportedly concluded that to be recognized as a professional, one must be licensed.
What was surprising about the presentation was the lack of objectivity in comparing the medical field to information technology (IT). It must be understood that IT and information security are rapidly changing and evolving disciplines in a relatively new field and cannot be compared to one of the oldest and most established professions in history. Both the medical and engineering fields have well-defined areas of expertise that have been taught in colleges and universities for decades. Information security is only now being discussed as a separate discipline, and there are almost no universities that have a separate school of information security. Most colleges and universities fold information security into their math, finance or IT departments. If the information security profession were to evolve into a licensing regime, it would at the very least need to be considered a discrete discipline on its own.
Does it seem odd that national security authorities are so closely associating licensing with professionalism? Granted, licensing does raise the standard of a field’s practitioners, but it also reduces the number of qualified individuals who can enter the field. This seems counter to the needs of IT and information security, where there are not enough practitioners to meet the current demand, and the future of the information security workforce is in jeopardy.
And then there is the issue of cost. The goal of licensing is to create a safe and secure environment for commerce and national security. Government-run licensing regimes such as those that govern the aviation community are typically supported by agencies with multi-billion dollar budgets. How will the government find the funds necessary to maintain an information security licensing program from year to year? Does it make sense to use government resources for such an endeavor? It would seem that a more sensible approach is to leverage the efforts of existing certification organizations to establish the standard for the information security workforce based on years of experience in developing training and certifications that are held to global standards, such as the ANSI/ISO/IEC Standard 17024. Perhaps those currently in the field, rather than a government agency, are in the best position to decide whether certification or licensing is the right approach for information security.
Marc H. Noble, EWB Member and (ISC)2 Director of Government Affairs, was lead author of this peer-reviewed post.