11.22.07
[SecTor Review] Growing the Security “Profession”
SecTor Keynote
Speaker: Dr. Richard Reiner
Presentation (pdf)
It was Day 1 of SecTor and I had gotten up much earlier than I usually do, so I was still half asleep as the SecTor housekeeping was occurring. The housekeeping ended and a round of applause brought me back to reality just as Dr. Reiner was taking the stage. Needless to say, the thought of catching a few z's didn't even occur to me after the keynote started.
The topic was 'Growing the Security "Profession"' with profession in quotes. The keynote pointed out that InfoSec isn't a profession right now... we aren't recognized professionals like doctors, lawyers and engineers. Then the question was posed: should we be professionals?
A number of interesting questions were posed:
- Do we professionalize IT or IS?
- Do all aspects of IS qualify as professionals?
  - Would researchers qualify?
  - Would corporate security teams qualify?
  - Would pen testers and auditors qualify?
- Who would benefit?
  - Would IS professionals benefit?
  - Would the public benefit?
In the end, no answer was given... it wasn't a "this is what we need to do" presentation, it was a "here's a concept to think about" presentation. In the end it left you thinking, which is exactly what I think a keynote should do. At first I thought it was a very cut and dry answer... yes we need to professionalize.
- We become members of a respected community
- We gain exclusivity... eliminating those who don't qualify
- We have a standardized code of ethics
- We eliminate the "piece of paper" certificates that test what you can memorize, not what you know
At least that's how I saw it at first... the more I thought about it I saw several cons.
- We cause a greater divide between the "underground" and professional sides of IS.
- A lot of the great minds in IS wouldn't have necessarily become IS Professionals when they were doing the interesting work that they were doing.
- A standardized code of ethics has never been agreed upon in the past, and now we're going to put it in the hands of a committee to determine?
- Formal education, something that definitely isn't a requirement in IS, suddenly becomes a requirement.
So, over the past couple of days, as I've thought about this... I've realized it isn't so cut and dry... and if I had to vote for or against professionalizing IS, I'm still not sure how I'd vote. At least I'm thinking about it... and that was, as far as I understand, the intended outcome of the presentation.
Note: I just took a look at SecTor and I don't see the slides posted yet. As soon as slide decks are out, I'll attach links to them.
