A little while ago I said information security wasn't a profession. It still isn't, but it should be. Ditto 'cyber security'. Nobody in their right mind, or body, would say otherwise. Now a bunch of over-influential pencil-pushers at the U.S. Department of Homeland Security have said that actually, on second thoughts, as part of the world's biggest employer of cyber security professionals... er, not only do we think they are not professional, we don't even think they should be. Their essential argument is that because cyber security is not yet a profession, it shouldn't be one. That's like saying because it's still night time, the sun should not be allowed to rise. It's essentially barmy.
Allow me to explain (if I have not already done so) why this is such a catastrophically wrong-headed and dangerous position.
(Firstly a quick side note - whether you practice information security or cyber security depends on your organization's appetite for buzzwords and possibly what threats you are focused on, but it's basically the same discipline.)
Why this is such an astonishingly, horrendously dimwitted idea goes right to the heart of the problem with cyber security, and right to the heart of the problem with modern professions in general.
Let's take the latter first, just because it's more fun that way.
Reinventing the profession
When was the last time you went to the doctor? Once upon a time when you thought something was up, you made an appointment with your local doc and went along. He hummed, hah'd, frowned a bit and - unless it was something easy - he may have looked something up in a big book. He gave you an answer and you went home happy (and yes, he was a 'he' - but that's another matter). Today that's different. Most people will look up a complaint on the internet before visiting a doctor, if they even go to the doctor at all. When they get there they will share their research with their doctor. The patient is no longer just the person with the problem, but part of the solution. The patient offers informed challenge, and ideas that have helped others with the same complaint.
At the same time the number of specialisms we have access to is increasing exponentially. There are more specialists compared to generalists. Professionals focus increasingly on depth, rather than breadth of knowledge.
Ask a cardiologist about anaesthetics and he'll refer you to an anaesthetist. Ask a British commercial property lawyer about US immigration law and he'll refer you just as fast (if not faster).
The information you need to know to practice is now vast. Many, many years ago when medicine and law were new, there was a small but distinct body of knowledge on those areas. Over time, it grew. Until a few years ago, it was still fairly well defined. Yet last week I went to a 'Law Via the Internet' conference in Jersey at which I heard how the semantic web may one day allow legal professionals to make sense of a now vast and diverse global repository of knowledge that is too big, complex and fluid to really be called a static 'body of knowledge' at all, and also how it will enable non-specialists to do even more than they can today.
There is, in a way, no such thing as a common body of knowledge. This mysterious beast - static yet growing, changing yet consistent, secret yet the foundation of trust and confidence - can no longer define any profession, if indeed it ever did. And naturally, the idea that you can ever test knowledge of it as a test of professionalism is stark-raving-insane. It's not humanly possible to learn it all in a hundred lifetimes. Nor would you be any use at all if you did.
Being a professional is not about knowing lots. It's about knowing how far your competence stretches, when to do research, and when to refer the problem on. Lawyers know this. Doctors know this. Accountants know this. But we security specialists still think that knowing everything is a special badge of cleverness. It's not.
Why security needs to professionalise
What are the most difficult decisions you make as a technician? How to apply knowledge or rules in a new situation? Maybe. The most difficult you will make as a professional? Right and wrong.
Was Edward Snowden right? He was unquestionably wrong to betray his employer's trust. He would probably have been wrong not to share what he knew. He did society a service by sharing - that much is now I think certain. But that does not make him right. What decision would you have made in the same place? Shared? Unlikely, in truth. Kept quiet? Maybe. Resigned honorably? Possibly. Raised concerns internally? Certainly futile and career limiting. It's a tough call that needs clear professional ethics - not ones you think are cool or remember from childhood, but clearly defined rules and principles you are obligated to uphold.
Are hackers right? Is it right to test another person's network without their permission? Certainly it's better that you discover your weaknesses because someone helpfully tells you, rather than because someone hacks your banking system for financial gain. That does not make them right though. Am I right to break into your house if instead of stealing your television I leave a note on the fridge saying I helped myself to a glass of water, hope you don't mind, and by the way you might want to think about a stronger lock? No - I'm a criminal.
We urgently need a clear ethical framework. We need to move away from the hacker mentality - celebrated though it is - and towards a consistently professional way of working. It's not for me to say what that is - I'm just saying we need to decide together what is and is not acceptable practice.
We need to change the mindset, and celebrate different things. Security celebrates brilliance. It's right to do so. It's awe-inspiring to work in the same field as so many amazing people. But we also need to do more to celebrate the quiet professionalism that most of us practice. We need to celebrate the diversity of our activities and interests, rather than kicking each other for being talentless policy wonks (techies on the risk folks) or socially inept technicians (risk folks on the hackers). Neither is true. What is true is that it is a wide profession - we have our cutting-edge researchers, our general practitioners, and even our quacks. They all have their place.
We urgently need to give security specialists some tools at their disposal to challenge employers when that employer is doing the wrong thing. If you're an accountant and your boss is cooking the books, doing something about it is not an option. It's a requirement. What you do - that's a personal matter, but an ethical framework gives pretty clear guidance. I refer constantly to accountancy ethics (I'm an ACCA) as a professional framework for my work in security. There's something wrong with that - I shouldn't have to. I should have these tools as a security professional.
Where professions go wrong
Professions are not perfect. They tend to be exclusive. We need to avoid that by offering multiple routes into the profession, rather than wedding ourselves to one approach. Practice or study? Both are required, but one can partly compensate for a lack of the other, and that is as it should be. Companies should not be 'required' to hire a CISSP. But the person without a CISSP should have a way of proving their professionalism, not just their competence.
Professions can also be rather defensive. Defensive in security doesn't work. Security - indeed anything complicated - is best delivered through rigorous and constant challenge. We know this to be universally true and in this, we can light the way for others.
Professions also often become part of the establishment. We need to celebrate and love the anti-establishment, open, sharing, competence-valuing, challenge-loving, and sometimes downright freaky security community we are so fortunate to be part of, and find a way to save it from sowing the seeds of its own destruction - which it will do, if we do not have professional standards to protect it.
The solution is complex, yet also I think mostly obvious. It's just hard to implement because it means obtaining consensus on difficult questions where there is none at present. Like, for instance, that we owe an obligation to our employer even when it's uncomfortable. Like attempting any form of unauthorised access without permission is wrong, regardless of your reason. The people who do that should not be celebrated any more than we'd celebrate a doctor who harms his patients or an accountant who commits tax fraud. However cleverly they do it, they are rightly condemned by their peers.
So this is what we need to do. I've written this bit in bullet points, so even the DHS can understand them.
- Abandon the concept of a common body of knowledge. It's obsolete and irrelevant to a modern profession.
- Define instead the core areas in which a professional should be competent. That means knowledge, skills, and ethics.
- Define a clear global ethical framework all professional security bodies can adopt. Revoke certifications and accreditation publicly after a rigorous and visible investigation when people behave unethically.
- Find a common language between the governance/policy side of the profession and the technical side, and learn to trust and respect each other.
- Accept that there are many different specialisms and they all have equal merit.
- Link qualifications to analytical and business capability, not simply technical prowess. It's not enough.
- Find the best in each of our professional bodies. ISACA is a true global membership organisation with a powerful research capability. ISC2 has a talent for creating and marketing respected and valuable certifications. The IISP in the UK is arguably the closest we have to a proper professional body in terms of modus operandi and professional rigour, but lacks global reach. Then replicate, or merge. Accountancy has numerous professional bodies - but I'd respect an American CPA the same as a British ACA or ACCA. Medicine has one per country. Law in the UK has two, with different but overlapping specialisms. It doesn't matter and there's room for all, but we need to raise the bar across the board.
- Abolish grandfathering. It's just plain embarrassing.
- Abolish the one cert, one-exam concept. It's nonsense. A certification such as CISSP, in the context of a functional profession, should be at least 10 exams over 3-5 years.
- Reduce reliance on computerised testing and multiple choice exams. They are cheap, but largely meaningless. They work fine for testing knowledge but cannot test how you reached a conclusion, or why. These are the important questions - the ability to analyse. To go back to the Snowden analogy, I don't mind what decision you make. But I would expect a professional to be able to justify their choice with reference to professional conduct and to understand the implications. In business, there is rarely a right or wrong. Only your best judgement, and you need to be able to show how you arrived at the conclusion you did. These things can only be tested through narrative exam or interview.
- Build in proper on-the-job assessment. As an accountant, I had to show that my work experience met many requirements in terms of both breadth and depth. I had to be able to show how much I learned in terms of knowledge, analysis, application, and ethics. And my bosses had to agree with me and sign it off. As a CISA and CISSP, I had to fill in a 2 page form of tick-boxes, write in my address and get someone to countersign. It doesn't mean much at all.
- Share. IT is good at sharing, yet much of our professional knowledge is expensive. Standards such as COBIT, ISC2's CBK, ISO27001, or the ISF Standard of Good Practice - should all be open sourced.
- Find trust. Right now, security professionals are not trusted. We are - the world thinks - either dangerous or incompetent. That needs to change.
- Bring security and privacy back together. The only difference is about focus - organisational data, or personal data. The assets we are protecting are the same in concept, as are the tools and practices we use to protect them. It's wrong that a separate privacy discipline is developing - that just shows the disconnect between the security professional and the real world. We need to reconnect and heal the rift. We need to show the world that privacy matters.
- Build outward. The next generation are learning about security from the likes of Anonymous and the NSA. That's wrong. They need to learn it the same way kids learn citizenship (law), first aid (medicine) or personal finance (accounts).
- Be consistent. That is probably the biggest challenge.
Whatever solutions we finally agree on, this is quite possibly the toughest challenge in security today. If we get it right, we won't just professionalise security. We'll provide a template for a modern, open and engaging profession that will inspire professions far older and more established than ours.
And if that sounds like a long, hard road? Maybe we should get moving.
Security and privacy do matter. Right now, the world is redefining itself around us. We are answering the question of our millennium: what does the networked world mean for us, for our lives and for our expectations of freedom and privacy?
Security is the solution to that problem. We need to explain how - together.
We must give ourselves the professional tools we need to challenge those who do not have the benefit of our specialist perspective.
It is a fight for freedom and trust. Not for whether we have these things, but for whether future generations will even know what they mean. For this fight we need more than the weapon of competence - we need the armour of professionalism.