Information security has been described as a career by design, but one that needs to be certified globally.
Speaking at the CRESTcon conference in London, BT’s Ray Stanton said that the security professional has to have standards in a time where there is inconsistency. While an audience member said that there was a danger that this would create an elite and leave small businesses behind, they admitted that there needs to be a level of competence.
Stanton agreed that uncompromising skills were an issue, but said that so was the security professional's role as a professor of risk, and he asked the audience whether they were prepared to take on that role at their organisations.
He said: “Everyone has a definition of what risk is, but the problem is no one actually defines it, but you have got to define it to your way and sometimes it doesn’t matter what the industry is saying.
“What defines the information security professional? Accreditation? Certifications? Experience? Education? A part of the solution is that over the past 15 years we have made a step towards professionalism across the globe.”
Making reference to the venue of the Royal College of Surgeons, where professionals are proven by qualifications and experience, Stanton was asked if the term security professional was too broad. He said: “We are bringing people together across the globe, but there is no standard on security. PCI DSS created one because they did not have one, and they made that decision. They made a decision on consistency on achieving something.”
Stanton, who freely admitted to not holding any industry certifications, said that this was “a career by design not by accident. It is about developing where you are as some skills mean more than others.”