Professional recognition helps infosec staff retention • The Register
Interview As the British information section industry prepares for government initiatives designed to expand the sector, how should existing companies protect skilled professionals from jumping on a ship? Amanda Finch, CEO of the Chartered Institute of Information Security, tells us something or two about what she thinks works.
The institute (CIISec) presents itself as “raising the standard of professionalism in the field of information and cybersecurity”. Formerly known as the Institute of Information Security Professionals, the organization is one of those slightly vague bodies whose goal is to improve certification and training throughout the industry.
“People tend to stay in roles if they develop,” Finch said The register shortly after the institute’s annual conference. “The main thing is to get the right qualifications for the right role.”
Qualifications are a minefield, and as information security digs more and more rabbit holes that professionals can fall into, a age-old problem arises: how do skilled people pass these skills on to others, especially potential new employers?
The usual answer is certificates, although there is a confusing set of these on the market today: some are recognized faster than others. While Finch says CIISec does not approve of any specific certification or competency framework, she speaks passionately about companies recognizing the talent of their employees as a tool to retain staff.
“The main thing is to really find a job in an organization that actually takes care of career development,” she says. “If you are in an organization that is interested in staff development, they will direct you to the right courses for you at this particular stage of your [career] development. “
As the industry grows, it is only natural that skilled practitioners will look for new jobs and potentially start their own business or expand existing businesses. This is likely to cause a headache for management teams as their brightest and best start looking elsewhere – so CIISec’s position is that investing in people can help companies retain experienced talent.
On top of that, the work of the Institute for Certification and Recognition of Skills widens the divide between the public and private sectors. Digital investigation is an area in which the institute believes that there will be a need for standardization and mutual recognition of skills through qualifications, and hopes to expand this in the coming months.
“One of the good things about extending the skills of cyberdigital researchers to the private sector is that it will help law enforcement,” Finch said, stressing that gathering evidence “from accredited people” benefits those who perform initial investigations into violations that could lead to prosecution.
For example, the initial response of the national lottery operator Camelot to the implementation of the black hat tool Sentry MBA against the accounts of lottery players it quickly became a multifaceted persecution – and confessions of guilt.
“Very often,” Finch continues, “law enforcement must return to the basics and conduct the investigation themselves from the outset, as they cannot trust that the evidence has been gathered in a way that will stand trial.” [the accreditation] is really important in terms of bringing [infosec and the law enforcement] communities together “.
Status is also important for CIISec; people who think that the work they do is not only valuable but recognized in society are people who will endure it for a long time. Employee status can help with this. Lots of reading Reg will be aware of the frustration of trying to convey what it means to work in every aspect of IT to ordinary end-users and users.
“This is really where we need to go as a profession,” Finch says, “is that there are routes that will take you to that particular level, so you can measure competence as well as education.”
Either way, everything sounds like a good set of initiatives. With the expansion of the information section and new bodies such as the UK Cyber Security Council stepping on their feet as a result of government announcements of skills and training, there will surely be more on the horizon.
However, another question is whether all employers will take care of raising the qualification and recognition of the staff. ®