What is a security professional? Knowing what good looks like
OPINION Information security is no longer a subset of other business activities, it is a business activity in itself, maturing into information assurance and needs accredited professionals to handle it, says Amanda Finch
Media coverage of large-scale security breaches has focused board-level attention on protecting corporate information. Business leaders are increasingly concerned with security issues, especially any compromise of customer information and intellectual property. However, they often struggle to understand what sort of people they should be looking for to help protect their organisation and where they might find them.
To be agile, organisations need people they can work with to drive their business strategy. They want this across cyberspace, particularly in cloud computing, big data, mobile devices and social media. That means the modern security professional needs multiple skillsets, from communications to technical competence.
The person responsible for protecting information in larger organisations is often called the chief information security officer (CISO). A CISO’s core expertise is to understand IT security or information security above all else. They are seen as the protector of information and the responder to incidents. To be able to cope with these challenges and the speed of change, your CISO needs to understand your business, the risks it faces, and its appetite for more risk
In this changing world, the new CISO needs to understand how information security can empower an organisation to meet its strategic goals. Equally, they must understand how it can make or break the organisation. They may also need to help the organisation move from compliance and crisis-driven strategies towards a more mature risk-based approach, where they spend more time reducing future risk and less on mitigating current threats and regulatory issues.
A strategic mindset is required in order to be able to look at the changing threat landscape, understand the implications of developments in technology and working practices, and be able to interpret how this will affect the organisation.
CISOs must be allowed to assume a business-leadership position, dispelling the idea that security is a technology and support function. Strong communication skills are paramount, with the ability to influence at board level to ensure appropriate programmes are realised to maximise and prioritise best use of available resources. Where they should be positioned within the organisation will depend on the existing structures, but to work effectively there should be a dotted line to the chief information, risk and finance officers.
In addition, they must ensure that information security permeates the organisation. This ranges from understanding the information risks posed by new and existing ventures, developing secure systems and infrastructures, maintaining appropriate controls, implementing governance structures, and evangelising a strong security culture across the organisation at all levels.
It is a task that some, including the UK Government in its 2011 Cyber Security Strategy, are now calling information assurance. It represents maturation from IT security through information security to information assurance.
All this requires analytical, organisational, technical and communication skills. It is unlikely that one person will be able to cover everything to the level required, so the CISO must be supported by an effective team of security professionals.
These professionals will, of course, have varying skillsets – specialisation increases as the environment becomes more complex – so it is important to understand what you are looking for. A highly technical developer or penetration tester may not be the best person to evangelise a security culture, say, while a risk analyst may not be the best person to configure a complex firewall.
Larger organisations can generally support larger teams with a wider range of expertise. However, even here it may be more appropriate to buy in specific expertise that is expensive to maintain and only occasionally needed, such as forensic analysis and penetration testing.
Similarly, smaller organisations may need consultancy to help define strategy and good process. Whether employing individuals directly or using third parties, it is important to ensure that the recruiter or contractor is supported by someone that understands the skills being offered – and to seek assurance through accreditations, recommendations and references.
So how do you identify a good practitioner? The Institute of Information Security Professionals (IISP) has been providing accreditations for a number of years. The model it uses works on the basis that a security professional has deep and demonstrable knowledge; it therefore expects accredited members to demonstrate that they have invested in themselves through training courses and qualifications, such as a Master’s degree in information security.
They also need to demonstrate that they have effectively applied this knowledge within the working environment and evidence their depth of knowledge. Finally, they need to show that they can work as a professional within an organisation using skills such as team working, leadership and corporate behaviour.
The accreditation is rigorous carried out through peer review by existing member, and includes an in-depth interview for the higher full membership level. Criteria are measured against the IISP skills framework which was developed through public and private sector collaboration by world-renowned academics and security experts. So when employing security professionals you need to ensure that you measure against these criteria and “know what good looks like”.
The UK Government is also taking the development of security professionals seriously, using its Cyber Security Strategy to set out the actions it is taking to reduce the risk and secure the benefits of a trusted digital environment for businesses and individuals.
Part of this strategy was the introduction of a certification scheme to help the public sector recruit information assurance (IA) and cyber security professionals with the right skills, at the right level, for the right jobs. The certification process is designed to increase levels of professionalism in information assurance, and it uses the IISP skills framework to define the competencies, knowledge and skills required for specialist IA roles.
Amanda Finch is general manager at the Institute of Information Security Professionals. A former board member and programme director of the institute, she has specialised in information security management since 1991, and was awarded 2007 European Chief Information Security Officer of the Year by Secure Computing magazine.