Secure Coding mailing list archives

What defines an InfoSec Professional?


From: secureCoding2dave at davearonson.com (SC-L Subscriber Dave Aronson)
Date: Fri, 09 Mar 2007 14:50:36 +0000

James.McGovern at thehartford.com writes:

certifications such as CISSP whereby the exams that
prove you are a security professional talk all about
physical security and network security but really don't
address software development in any meaningful way.

Perhaps what is needed is a separate certification.  It would be nice to know that someone knows how to write software 
in a secure manner, but it's not necessary that they know all about physical security, firewall rules, etc.  It could 
even be done at multiple levels, like Sun's Java certs, to certify knowledge of secure design principles vs. secure 
*implementation* principles, maybe even going onward to principles of building security into the process.  Something 
like, say, Certified Secure Programmer, Coder, and Software Engineer, respectively.

Would be intriguing for folks here that blog to discuss ways

...in their blogs?  <rant size="micro">That's not discussion, that's pontificating.  It also detracts from discussion, 
by fracturing it.</rant>  Discussion is what we're having *here*, so whether someone blogs is irrelevant.

-Dave
