[SecTor Review] Growing the Security “Profession”
Speaker: Dr. Richard Reiner
It was Day 1 of SecTor and I had gotten up much earlier than I usually do, so I was still half asleep as the SecTor house keeping was occurring, the house keeping ended and a round of applause brought me out back to reality just as Dr. Reiner was taking the stage. Needless to say, the thought of catching a few z's didn't even occur to me after the keynote started.
The topic was 'Growing the Security "Profession"' with profession in quotes. The keynote pointed out that InfoSec isn't a profession right now... we aren't recognized professionals like doctors, lawyers and engineers. Then the question was posed, should we be professionals?
A number of interesting questions were posed:
- Do we professionalize IT or IS?
- Do all aspects of IS qualify as professionals?
- Would researchers qualify?
- Would corporate security teams qualify?
- Would pen testers and auditors qualify?
- Who would benefit?
- Would IS professionals benefit?
- Would the public benefit?
In the end, no answer was given... it wasn't a "this is what we need to do" presentation, it was a "here's a concept to think about" presentation. In the end it left you thinking, which is exactly what I think a keynote should do. At first I thought it was a very cut and dry answer... yes we need to professionalize.
- We become members of a respected community
- We gain exclusivity... eliminating those who don't qualify
- We have a standardized code of ethics
- We eliminate the "piece of paper" certificates that test what you can memorize, not what you know
At least that's how I saw it at first... the more I thought about it I saw several cons.
- We cause a greater divide between the "underground" and professional sizes of IS.
- A lot of the great minds in IS wouldn't have necessarily become IS Professionals when they were doing the interesting work that they were doing.
- A standardized code of ethics has never been agreed upon in the past, and now we're going to put it in the hands of a committee to determine?
- Formal education, something that definitely isn't a requirement in IS, suddenly becomes a requirement.
So, over the past couple of days, as I've thought about this... I've realized it isn't so cut and dry... and if I had to vote for or against professionalizing IS, I'm still not sure how I'd vote. At least I'm thinking about it... and that was, as far as I understand, the intended outcome of the presentation.
Note: I just took a look at SecTor and I don't see the slides posted yet, as soon as slide decks are out, I'll attach links to them.