IT security industry 'to be professionalised'

An organisation is being set up to ensure that IT security officers are competent, but it won't have the power to stop people working if they make mistakes

IT security officers are to get their own professional body in the UK with the launch of the Institute of Information Security Professionals (IISP) next month.

The IISP, which was given the go-ahead by the Department for Trade and Industry at the end of last year, is due to officially launch in February.

Nick Coleman, the interim chief executive of the Institute, who is also IBM's head of security, told ZDNet UK that the goal of the institute is to "professionalise the industry" and ensure IT security officers reach a certain standard.

"We are increasingly dependent on information and its security — people working in this field are critical to the organisation. At the moment, there is no way of understanding if people are professionally competent," said Coleman.

He pointed out that although qualifications are important, people "can pass a qualification and don't need to worry about it again." The IISP plans to offer security professionals an "associate" or "full membership" dependent on a number of factors including industry experience and ongoing training.

The institute already has members on board from a number of companies, including BP, Royal Bank of Scotland, HBOS and Vodafone. Over the next few months it plans to build its membership base, set up a Web site and start a programme of masterclasses for chief information security officers, where they can share best practice on issues such as governance and risk assessment, according to Coleman.

Richard Starnes, the president of the Information Systems Security Association, said that the IT security industry needs a professional body similar to the Chartered Institute of Accounting and the Bar Council, which represents barristers.

"These institutions have the ability to regulate the profession, because the profession is so important to society as a whole. The information security profession is equally important in terms of its role in protecting critical national infrastructure," said Starnes.

The IISP will not initially have the power to remove the right of practice of a security officer who is deemed incompetent.

Coleman said the IISP will discuss such issues in the future, but at present it is focussing on "getting people to full membership". "If we do that, a lot of other issues will be taken care of," he said.