Security threats Toolkit

UK security industry gets professional body

Tom Espiner ZDNet.co.uk

Published: 28 Feb 2006 09:50 GMT

A group representing members of the UK Government, blue-chip businesses and the academic sector announced the launch of a professional body for UK information security professionals on Monday.

The Institute of Information Security Professionals (IISP) will provide a "kitemark" for security professionals, indicating to potential clients they are competent to apply knowledge, according to IISP. The Institute will also encourage professional development and support best practice, as well as being a mouthpiece for the security community, IISP said.

"Our goals are to provide accreditation, support professional development, and provide a voice for the information security industry," said Nick Coleman, head of security services at IBM and interim chief executive of IISP.

There will be three membership levels — affiliate, associate, and full. "Full membership will be the gold standard, which indicates a recognised degree of competency," said Coleman, speaking at the launch of IISP in London on Monday.

"The Institute will develop a core body of knowledge and security skills. It will become a conduit between industry and government," said Paul Wood, chief security officer at UBS.

"Over 220 individuals have applied to join, and 20 organisations have applied for corporate membership including the DTI, NISCC, and the Cabinet Office, as well as BP, HP, Barclays, Ernst & Young, BT, and Vodafone," Coleman said.

A number of professional security bodies already exist, such as ISSA and ISC². IISP claims it will add value by mentoring those who have taken security qualifications, and by providing on-the-job training. The Institute has no plans at the moment to offer qualifications, though.

"Existing qualifications are great for knowledge, but they are not based around the application of knowledge," Paul Dorey, chair of IISP and chief information security officer for BP, told ZDNet UK. "The Institute is about the application of knowledge through the execution of judgement. Through mentoring and drawing on the experience of others."

The government admitted that legislation was ineffective at keeping pace with the rapidly changing IT security environment, and so welcomed the creation of the IISP.

"We have to be light of touch, resilient, and proportionate in our response to threats. Legislation fails to prevent what it doesn't forbid. We need a professional support structure, and the Institute will provide a professional support structure for the information security industry," said Alun Michael MP, minister of state for industry and the regions.

ZDNet UK reported last month that IISP was being created. At the tine, several readers who are involved in the security business said they doubted that another body of this type was needed..

"It is my opinion that there are too many 'professional bodies' carrying on their business," said Chris Goodman.

"Unless a body actually holds worthwhile recognised examinations and issues qualification certificates then it is no more than a 'jobs for the boys' body. And as such it becomes a further unnecessary cash drain upon our society, whether it is through taxation, levy or per capita charge," Goodman added.

Telecoms operator and IISP supporter Vodafone denied that this body would replicate existing bodies' functions.

"There aren't any jobs for any boys — we all have full time jobs — and there isn't another professional body for us," Dr Michael Walker, group research and development director for Vodafone Group, told ZDNet UK.

"Most existing bodies are nearly all at the technical level. The need is for a higher level group," added Philip Virgo, secretary general of EURIM.

HP said it hoped that IISP would be another means of communicating with government, and denied that the group would be an exclusive club, saying start-ups and SMEs would be just as welcome to join as blue-chip companies.

"This is a very good conduit to government, but this is about empowering the community — we want to bring everyone on board," Martin Sadler, director of the HP Trusted Systems Laboratory told ZDNet UK. "We asked chief information security officers, and just having a 'CISSP' isn't enough. We need more than knowledge — we collectively have the responsibility of securing tomorrow's Internet."