What defines an InfoSec Professional?

[michaelslists at gmail.com (Michael Silk)]

On 3/9/07, McGovern, James F (HTSC, IT) <James.McGovern at thehartford.com>
wrote:
> Traditionally InfoSec folks defined themselves as being knowledgable in
> firewalls, policies, etc. Lately, many enterprises are starting to recognize
> the importance of security within the software development lifecycle where
> even some have acknowledged that software is a common problem space for
> those things traditionally thought of as infrastructure.
>
> The harder part is not in terms of recognizing the trend but in terms of
> folks from the old world acknowledging folks from the new world (software
> development) also as security professionals. I haven't seen many folks make
> this transition. I do suspect that some of it is tied to the romance of
> certifications such as CISSP whereby the exams that prove you are a security
> professional talk all about physical security and network security but
> really don't address software development in any meaningful way.
>
> Would be intriguing for folks here that blog to discuss ways for folks to
> transition / acknowledge respect not as just software developers with a
> specialization in security but in being true security professionals and
> treat them like peers all working on one common goal.



i hear you on this one.

australia, at least melbourne, still doesn't seem to have any idea of
software/application security professionals. almost all jobs that have
'security' in them, then go on to talk about all the firewalls you must know
how to configure. *sigh*. then there is the pen-testing side. there's should
be a new field, "security design" that accompanies application architect,
etc. then you have professional guidance of the security issues when
building for app.



-----Original Message-----
> From: Shea, Brian A [mailto:Brian.A.Shea at bankofamerica.com]
> Sent: Thursday, March 08, 2007 2:07 PM
> To: Gunnar Peterson; McGovern, James F (HTSC, IT)
> Cc: SC-L at securecoding.org
> Subject: RE: [SC-L] What defines an InfoSec Professional?
>
>
> The right answer is both IMO.  You need the thinkers, integrators, and
> operators to do it right.  The term Security Professional at its basic
> level simply denotes someone who works to make things secure.
>
> You can't be secure with only application security any more than you can
> be secure with only firewalls or NIDs.  The entire ecosystem and
> lifecycle must be risk managed and that is accomplished by security
> professionals.  Each professional may have a specialty due to the
> breadth of topics covered by Security (let's not forget our Physical
> Security either), but all would be expected to act as professionals.
> Professionals in this definition being people who are certified and
> expected to operate within specified standards of quality and behavior
> much like CISSP, CPA, MD, etc.
>
>
> *************************************************************************
> This communication, including attachments, is
> for the exclusive use of addressee and may contain proprietary,
> confidential and/or privileged information.  If you are not the intended
> recipient, any use, copying, disclosure, dissemination or distribution is
> strictly prohibited.  If you are not the intended recipient, please notify
> the sender immediately by return e-mail, delete this communication and
> destroy all copies.
> *************************************************************************
>
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L at securecoding.org
> List information, subscriptions, etc -
> http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________



-- 
mike
00110001 <3 00110111
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://krvw.com/pipermail/sc-l/attachments/20070309/cb7dacb4/attachment-0001.html