Security is still a red-hot industry, showing no signs of cooling down any time soon. Opportunity abounds for security aficionados to niche themselves into this exploding market space, as witnessed by several new consulting firms that have catapulted themselves into the realm of Fortune 1000 clients. But, as with any hot market, we can expect to find wolves in sheep's clothing hoping to take advantage of someone. If you can't afford well-known and trusted security consultants, who do you hire to assist with your needs? How can you adequately and cost effectively investigate candidates?
Some security-related professionals, such as gun-carrying security guards, are required to obtain training and licensing to ensure they're qualified for their jobs. Obviously that's not the case with information security, so screening candidates for security-related work isn't as easy as hiring an armed security guard, whose credentials and capabilities have already been verified to some extent. Would licensing information security professionals be a benefit to society? Some members of British government certainly think so.
On December 7, 2000, a bill was introduced to the British House of Lords that proposes that all security consultants receive training and be licensed by the government before performing work for outside entities. Licensees would include anyone who performs security work for a third party. In the case of security consulting businesses, licensees would also include anyone in the company that manages all or part of the company's operations or its employees. According to the bill, the license could cost as much as 36 pounds (about $53 US), and licensees would have to undergo a background check to ensure they don't have a criminal history. One premise behind the bill is to help ensure that unsuitable people don't gain positions of trust in private industry. The other premise is to provide a deterrent in the form of criminal punishment for unlicensed practitioners and those people who hire unlicensed practitioners.
The security industry does need better standards for security professionals (not to mention software developers), but I'm not sure how I'd react to such a bill if it were introduced into American government. Perhaps such standards are better left under direct public control, similar to how in America we rely on Underwriter's Labs for product safety and certification testing. Can a similar entity suffice for information security?
What do you think? Should security professionals be subject to mandatory background checks and licenses? Stop by our home page and cast your vote in our latest security poll. I'll present the results in a future edition of this newsletter.
Before I sign off this week I want to introduce our newest team member, Ken Pfeil, whose reports about all the latest security risks will appear on our Web site and in this newsletter. Welcome aboard Ken!