Information Security News mailing list archives

Licensed to Hack


From: InfoSec News <isn () C4I ORG>
Date: Thu, 8 Mar 2001 22:50:48 -0600

http://www.ntsecurity.net/Articles/Index.cfm?ArticleID=20224

Mark Joseph Edwards
March 7, 2001

Security is still a red-hot industry, showing no signs of cooling down
any time soon. Opportunity abounds for security aficionados to niche
themselves into this exploding market space, as witnessed by several
new consulting firms that have catapulted themselves into the realm of
Fortune 1000 clients. But, as with any hot market, we can expect to
find wolves in sheep's clothing hoping to take advantage of someone.
If you can't afford well-known and trusted security consultants, who
do you hire to assist with your needs? How can you adequately and
cost-effectively investigate candidates?

Some security-related professionals, such as gun-carrying security
guards, are required to obtain training and licensing to ensure
they're qualified for their jobs. Obviously that's not the case with
information security, so screening candidates for security-related
work isn't as easy as hiring an armed security guard, whose
credentials and capabilities have already been verified to some
extent. Would licensing information security professionals be a
benefit to society? Some members of the British government certainly
think so.

On December 7, 2000, a bill was introduced to the British House of
Lords that proposes that all security consultants receive training and
be licensed by the government before performing work for outside
entities. Licensees would include anyone who performs security work
for a third party. In the case of security consulting businesses,
licensees would also include anyone in the company who manages all or
part of the company's operations or its employees. According to the
bill, the license could cost as much as 36 pounds (about $53 US), and
licensees would have to undergo a background check to ensure they
don't have a criminal history. One premise behind the bill is to help
ensure that unsuitable people don't gain positions of trust in private
industry. The other premise is to provide a deterrent in the form of
criminal punishment for unlicensed practitioners and those people who
hire unlicensed practitioners.

The security industry does need better standards for security
professionals (not to mention software developers), but I'm not sure
how I'd react to such a bill if it were introduced into American
government. Perhaps such standards are better left under direct public
control, similar to how in America we rely on Underwriters Labs for
product safety and certification testing. Can a similar entity suffice
for information security?

ISN is hosted by SecurityFocus.com