pressmaster - Fotolia

Information security set for steep trajectory, says (ISC)2

By helping to create a thriving, diverse and open information security community, (ISC)2 hopes to ensure a steep rise for the profession

The information security profession has reached an inflection point and is poised for growth, according to Adrian Davis, managing director for Europe, Middle East and Africa at (ISC)2.

“If we as a profession and as a society can create the conditions for success, we will see information security explode in the sense that there will be more interest in it and more demand for it,” he told Computer Weekly at the (ISC)2 Emea Congress 2016 in Dublin.

He said the event itself was aimed at helping to educate members on an ever-wider range of security-related topics in consultation with members of the (ISC)2 regional advisory council.

Davis said he would like (ISC)2 to be at the forefront of information security’s change in direction by helping to improve understanding of the profession and he is keen to ensure the opportunity is not missed.

“It requires very careful handling,” he said. “It requires government, academia, information security professionals and the community to have a properly informed discussion about who does the training and education, who owns the risk, who delivers the benefit, and what it will achieve.”

Davis wants to change public perception so that information security professionals are seen as business people above all else, and he believes the role of (ISC)2  is to help members to be as successful as possible in the profession to put it on a steep trajectory.

“My vision is to help create and support a thriving, diverse and open information security community to ensure we do not become some sort of coterie or clique,” said Davis.

He wants to dispel the perception that cyber security is something that belongs only to the realm of government rather than ordinary business and everyday life. He also wants to grow the information security community as a whole to include as many cyber security-aware people as possible.

“Information security is not just government stuff,” said Davis. “It is about people, society, business and the economy, which is why skills in these areas are also relevant, not just technical skills. And the more people who are cyber aware and can take in the basics, the easier it will be for the experts to deal with the tough stuff.”

Think more strategically

He said one of the key roles of (ISC) is to provide the tools that information security professionals need, not just to do their day-to-day activities, but also to help them think more strategically about the business.

This is over and above the standard membership benefits available to those who attain (ISC)2 certifications such as the CISSP and SSCP, said Davis. “We are continually looking to provide the tools and route maps to help people who come from the technical side to engage with the non-technical side, and vice versa,” he added.

Information security in the context of the digital world is barely 30 years old, said Davis. “We are still trying to define who we are, what we really do, and what we expect of people,” he said.

“But we are trying to do it in a world that is relentlessly technology-driven and consumer-focused, while other professions have been working these things out at a much slower pace and over a much longer time period of time without having to contend with the same rapid pace of change.”

Davis said it is challenging for information technology professionals to adjust, in a relatively short period of time, to a more business-oriented approach considering the profession’s technical roots.

Can’t be brilliant at everything

As part of the maturation process, he believes information security professionals need to avoid setting too high expectations of themselves and to recognise that although there is a need for more business focus, they cannot be expected to be “brilliant” at everything.  

Instead of beating themselves up for not being perfect, information security professionals should assess what gaps need to be filled most urgently in their own particular role and go in pursuit of the skills required to fill that gap, said Davis.

“In one company, a mainly technical chief information security officer may be perfect, while another company will require a CISO who is more of a risk manager than a technician,” he said.

“As important as it is to understand that each organisation’s needs are different, it is important to understand that cyber threats are business risks just like any other and that they need to be managed according to the organisation’s requirements and risk appetite.”

Only when organisations see cyber risks in the same terms as all other business risks will they be able to have informed discussions about the kinds of people and skills they need to ensure the security of the organisation’s data, said Davis.

“Without this understanding and without having those discussions, organisations will typically continue to hire people with the standard security qualifications and technical skills that may not necessarily meet the organisation’s particular needs,” he said.  

Read more about information security skills

Helping information security professionals to develop and enhance their skills and to improve their work performance is at the heart of everything (ISC)does, said Davis. “We need to keep being curious, we need to keep learning, because that is the way you keep your skills up to date and relevant, and that is how we find the best way of doing things,” he said.

The organisation is currently working on producing well-researched checklists, guides and articles that are easy to understand and use on topics such as the European Union’s General Data Protection Regulation (GDPR). These are being made available as webinars, podcasts, printed materials, events, social media and through the (ISC)2  members’ portal.

“Everything we are doing regarding the GDPR is aimed at helping our members have better conversations by providing things like checklists and lists of issues to discuss with the CIO,” said Davis. “It is not about the law, but about what information security professionals need to do, how they can start tackling it, and who they need to talk to.”

Followed best practice

(ISC)itself is having to align with the GDPR and is drawing on its own experiences to help its members, said Davis, and will probably end up writing a case study to demonstrate how it has followed the best practice and advice it has been sharing.

“We are aiming to produce things that will enable people to learn and take action based on the collective experience of our members,” he said. “Our aim is to enable our members to be able to act as consultants within their organisations, backed up by all we have collected and collated.”

While the GDPR project continues, (ISC)2  is just starting work on a project about securing the internet of things (IoT). The organisation is working on putting together an IoT charter that will identify the fundamental security issues and how gaps can be addressed.

“It is about how we, as a non-commercial member organisation, can bring together end users, security professionals and manufacturers before the end of 2016 to build something that makes sense to all the stakeholders and will help make everyone’s lives easier,” said Davis. “We represent a community that wants to make it work and wants to make it better.”

Read more on IT risk management