The current generation of information security professionals understand that data protection is not only about technology, according to Adrian Davis, European managing director of (ISC)2.
“The first generation created the basics of security, the next generation started to write it down and codify it, and the generation after that were the first to begin to see it as a career, but a mainly technology-focused career,” he told Computer Weekly.
“But we are now on to the next generations that see security as being a blend of social, people and technology, and to be successful, we have to be capable across all of them and a specialist in one or more, which shows that the profession is beginning to mature,” he said.
This means that in addition to being a technologist, information security professionals typically have a good understanding of risk and are able to communicate with people in the business they support.
“Information security professionals are also increasingly expected to learn, develop and behave like any other professional,” said Davis.
He believes that professional bodies such as (ISC)2 have an important role to play to support information security professionals beyond providing certifications.
“It is no longer just about the exam and the certificate, but also about where an individual goes from there, and so all professional bodies have the responsibility to help drive growth and development.”
The challenge, however, said Davis, is that industry bodies, the industry and information security professionals are all developing simultaneously.
“It is not always easy to do what needs to be done because everything is continually changing, and that is where individuals also struggle,” he said.
“If new threats and technologies are being thrown at you continually and you are always fire-fighting, it is difficult to take a step back and think about learning about things like business communication.”
In the UK and elsewhere, academic and training institutions are beginning to include business-related skills and topics in IT and IT security courses, but that will take time to deliver results.
“We won’t see graduates of courses with data security woven all the way through before at least 2018 or 2019, so while the foundations are being laid, it will take time for the benefit to be felt,” said Davis.
Greater business focus and integration
In the meantime, however, potential information security leaders are facing the challenge of learning to do their jobs with a greater business focus and integration.
“This is where professional organisations need to be able to give members the tools they need to enable change and help them understand that certifications are just the start of the journey. But it is up to them as individuals to decide how far they want to go,” said Davis.
This, he said, is another sign that information security is maturing as a profession because the standards and support mechanisms are emerging to enable graduates to choose their own path.
“We are evolving in information security the equivalent mechanisms and support networks that enable medical graduates, for example, to choose to become a GP or a surgeon and then fulfil that choice,” said Davis.
An important role for professional security bodies, he said, is to help members understand how the job is changing and provide the tools they need to make and fulfil their choices or to develop their careers when they are comfortable to do so.
However, Davis believes the much tougher data protection regulations on the way in Europe will force business leaders to understand the problem and stop treating it as a technology issue.
There is already a greater understanding and awareness of cyber security in the most mature organisations, he said, but these tend to be mainly in the technology industry and regulated industries such as financial services and pharma, while the automotive industry is lagging 10 to 15 years behind.
“Once business leaders from all industry sectors understand that they are personally responsible, they will not sign off on risks they don’t understand, and will hopefully start to engage with information security professionals in a different way,” said Davis.
As organisations become increasingly reliant on information, he believes that executives who fail to understand the role and importance of information and information security will lose their positions.
“But once they understand that information has a value on the balance sheet and that they could lose their jobs if they don’t take this seriously, they are going to want to know how to look after it,” said Davis.
Providing the environments and tools that information security professionals need to develop and grow is a key area of focus for (ISC)2, he added.
“We need to ensure the profession as a whole are ready to talk to the business because having waited a long time for this opportunity, we want to make sure that we don’t blow it,” said Davis.