An accountant by training, Tan is a partner at PricewaterhouseCoopers Singapore, where he heads its System and Process Assurance (SPA) and Business Continuity Planning practices.
Tan also juggles various other commitments including that of an Executive Committee member of the Singapore Computer Society, guest lecturer on IT security and audit in two local universities, and chairman of the SUN-DAC Centre for the Disabled, a non-profit set-up that provides services to adults with disabilities.
In an e-mail interview, the 54-year-old shares with ZDNet Asia the next steps forward for AISP members--over 150 to date--as well as the real test of his involvement in furthering the IT security profession.
Congratulations Gerard, on your appointment. Now that the dust has settled somewhat, can you tell us a bit more about your role and that of AISP?
Let me start with the AISP. The AISP is a government and industry collaboration which aims to transform infocomm security into a distinguished profession and build a critical pool of competent infocomm security professionals who subscribe to the highest professional standards.
The first such association in Asia, it hopes to elevate the standing, professionalism and trust accorded to security practitioners here.
The AISP will govern the infocomm security profession in Singapore through its code of conduct, qualifying criteria for membership and courseware. Through governing the profession, infocomm and end-user organizations that recruit accredited infocomm security professionals can be assured that they are highly proficient and will meet the security needs of organizations. It will also raise our members’ standing and distinguish them as trusted and competent advisers and practitioners in infocomm security.
My role and that of the AISP Executive Committee (Exco) is to make the above aspiration a reality in Singapore within the next three years. We've used the term "information security" rather than "infocomm security" for our association’s name as the former is a term that is widely used and more recognizable in many other countries. We intend to attract overseas members and enter into international affiliations with other similar bodies in future.
As the first AISP president, industry folks naturally look to you for leadership and future direction. What do you plan to accomplish in your term?
As a new organization, we have to build up the supporting infrastructure and processes from scratch. There is plenty of hard and dedicated work ahead for the Exco and we will need strong support from the government and industry.
The litmus test in three years' time is whether the industry will accord our members the national recognition as qualified and trusted infocomm security professionals. That is the biggest challenge during my term of office and we will work very hard to attain this recognition.
This professional body was envisioned, talked about, for about two years. Why did the formal establishment take so long?
We believe that inputs and feedback from the industry are essential in determining the role and formation of such a professional body. The feedback which we have gathered from the infosecurity industry, over the last two years, has helped us define the need and role of AISP.
Membership for AISP is currently not compulsory--doesn't that dilute the importance of the value of a professional body for IT security professionals?
That was considered but it was felt that at this point in time, legislating the profession may be a little premature.
Part of the problem is defining what qualifications an information security professional should possess and what experience he should have before he or she gains official and legal recognition as an information security professional--much like the lawyers, doctors, engineers and public accountants.
No country in the world has clearly defined this for information security professionals to the extent that they have legislated this. We have gone very far to define the criteria for membership. But I think we need a bit of time to test this out and refine our model before we make this compulsory.
I believe licensing [of infocomm security professionals] will eventually happen. It makes a lot of sense and will elevate the profession to be on par with the other professions. AISP is challenged to create the right environment and positioning for its members for this to happen.
Should IT security professionals be held accountable for negligence resulting in errors or failures of IT security projects or data leakage? What penalties, if any, should there be?
We have a Code of Conduct and investigation and disciplinary procedures for dealing with members who fail in their professional duty and responsibility. This will be used as and when required to regulate the professional conduct of our members.
According to the AISP Web site, "AISP members will be able to access a Body of Knowledge, educational programs and examinations to enable those who do not yet possess the requisite academic or professional qualifications to qualify for membership. It will also make available Continuing Professional Education programs to help members stay relevant in the profession." How soon can we expect these programs, best practices and certifications?
These are the foundation stones upon which a professional body is built. Our target date for the Body of Knowledge, educational programs and examinations is late 2009. We have already started work to develop and launch these programs.