Secure Coding mailing list archives

What defines an InfoSec Professional?


From: James.McGovern at thehartford.com (McGovern, James F (HTSC, IT))
Date: Thu, 8 Mar 2007 16:37:50 -0500

Traditionally InfoSec folks defined themselves as being knowledgeable in firewalls, policies, etc. Lately, many 
enterprises are starting to recognize the importance of security within the software development lifecycle, where even 
some have acknowledged that software is a common problem space for those things traditionally thought of as 
infrastructure. 

The harder part is not in terms of recognizing the trend but in terms of folks from the old world acknowledging folks 
from the new world (software development) also as security professionals. I haven't seen many folks make this 
transition. I do suspect that some of it is tied to the romance of certifications such as CISSP whereby the exams that 
prove you are a security professional talk all about physical security and network security but really don't address 
software development in any meaningful way.

It would be intriguing for folks here that blog to discuss ways for folks to transition / acknowledge respect not as just 
software developers with a specialization in security but as true security professionals, and to treat them like 
peers all working on one common goal.

-----Original Message-----
From: Shea, Brian A [mailto:Brian.A.Shea at bankofamerica.com]
Sent: Thursday, March 08, 2007 2:07 PM
To: Gunnar Peterson; McGovern, James F (HTSC, IT)
Cc: SC-L at securecoding.org
Subject: RE: [SC-L] What defines an InfoSec Professional?


The right answer is both IMO.  You need the thinkers, integrators, and
operators to do it right.  The term Security Professional at its basic
level simply denotes someone who works to make things secure.

You can't be secure with only application security any more than you can
be secure with only firewalls or NIDs.  The entire ecosystem and
lifecycle must be risk managed and that is accomplished by security
professionals.  Each professional may have a specialty due to the
breadth of topics covered by Security (let's not forget our Physical
Security either), but all would be expected to act as professionals.
Professionals in this definition being people who are certified and
expected to operate within specified standards of quality and behavior
much like CISSP, CPA, MD, etc.

