The Expert's View with Hord Tipton

Beyond Certifications

Recipe for a True Information Security Professional

What do the societal roles of doctors, lawyers and accountants all have in common? They are synonymous with professionalism. All must complete continuing education requirements and are upheld to rigorous academic standards and professional ethics. The professionals entrusted with your health, liberty and financials should undoubtedly possess ethical fortitude, an advanced level of applicable knowledge and skills, and assurance that their knowledge and skills are up-to-date and relevant.

See Also: 10 Incredible Ways You Can Be Hacked Through Email & How To Stop The Bad Guys

Certainly those charged with protecting our precious data and information assets should be held to the same professional standards. (Also, read Revelations from RSA 2012)

The mere existence of an information security professional is based upon trust and ethics. 

Information technology is advancing quicker than a duck on a June bug, and information security professionals must learn all aspects of these new technologies in order to assess the risks and develop policies and best practices around them. So how can organizations ensure that their information security staff is mitigating the latest threats? And what truly defines an information security professional? Seeing capitalized acronyms after someone's name certainly looks professional, but few know what these acronyms really represent. In the realm of information security, professional credentials are defined by several components:

Knowledge + Skills = Competency

Job interviews and resumes are standard protocol for securing a job, but they don't always guarantee that the candidate possesses the precise knowledge and skill sets the company is seeking for the position. Information security credential examinations are evaluation tools to prove or disprove a candidate's knowledge, skills and abilities. However, information security professionals are not necessarily experts in every single area of information security. They are likely an expert in a few areas and possess a general understanding of other areas. In other words, not all doctors are neurologists, and that is OK. When you have a virus, you don't need to see a specialist. Instead, you need a physician who has a holistic view of how your body works and where it is vulnerable.

Rigorous credential exams representing the knowledge-base of the industry are continuously updated through psychometric evaluation and scrutinized revisions by subject matter experts. With technology and threats changing so rapidly, methodologies must be set in place to ensure that exams are testing relevant knowledge and skills.

Adhering to Rigorous Standards

Information security credentials that adhere to stringent vetting and maintenance processes earn accreditations such as ANSI/ISO/IEC Standard 17024, which sets a global benchmark for the certification of personnel, ensuring knowledge and technical competency in different professions. ANSI/ISO/IEC accredits standards developers, certification bodies and technical advisory groups to both the ISO and the International Electrotechnical Commission (IEC). To be ANSI-accredited under 17024, organizations must adhere to meticulous requirements regarding process, practice and ethics and be reviewed annually for renewal. The many areas that ANSI monitors on an ongoing basis include:

  • Corporate governance;
  • Internal audit and management review systems;
  • Use of subject matter experts;
  • Personnel files and policies;
  • Management of confidential and objectivity requirements;
  • Procedures for monitoring the ethics of certificate holders;
  • Continuing education requirements.

Professionals earning credentials from such accredited organizations are an extension of this level of excellence and standards.

Ethics

The mere existence of an information security professional is based upon trust and ethics. They are accessing information and assets that could be extremely profitable and damaging if used maliciously. Ethics are based upon acting honorably, justly, responsibly and legally - a professional ethic that accredited, certified information security professionals must abide by.

Renewal of Credentials

In due time, most people could pass a test and earn a piece of paper with their name on it, but a mere passing grade isn't enough to obtain credentials indicative of an accredited information security professional. Renewal of credentials provides additional confidence that an information security professional is equipped with the latest industry knowledge and that they are working outside of their day-to-day jobs to excel. Continuing education is vital to this process.

Continuing Education

Emerging technologies such as cloud computing, social media and mobile devices have created new challenges for information security professionals. With emerging technologies come emerging threats. Continuing education requirements are imperative to the maintenance of a credential and to ensuring that an information security professional is equipped with the knowledge to innovate, mitigate and adapt. It's perhaps one of the least stagnant industries in the world and, therefore, requires a continuous learning process.

No single, isolated facet is the key ingredient - you need ALL of these ingredients to create the recipe for a true information security professional.

Tipton is the Executive Director for (ISC)2, the largest not-for-profit membership body of certified information security professionals worldwide, with more than 80,000 members in more than 135 countries.



About the Author

Hord Tipton

Hord Tipton

CEO, (ISC)²

Tipton is the executive director for (ISC)², the global leader in educating and certifying information security professionals throughout their careers. Tipton previously served as president and chief executive officer of Ironman Technologies, where his clients included IBM, Perot Systems, EDS, Booz Allen Hamilton, ESRI, and Symantec. Before founding his own business, he served for five years as Chief Information Officer for the U.S. Department of the Interior.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.eu, you agree to our use of cookies.