Make IT workers accountable, experts urge

Asia's industry players call for higher status to be accorded to the profession, and believe legislation of IT security professionals is inevitable.
Written by Vivian Yeo, Contributor

Industry players in Hong Kong, Malaysia and Singapore are urging greater control over IT security professionals, to safeguard the interests of both professionals and businesses.

ZDNet Asia contacted several industry observers across the region who support the legislation of security specialists and believe this path is inevitable.

Aloysius Cheang, president of the Special Interest Group in Security and Information Integrity (SIG^2) in Singapore, said in an e-mail interview that legislating information risk and security professionals is a "must-go", given the increasing importance of securing a company's assets.

The idea is to elevate the profession to that of doctors or lawyers, he said. At a more extreme level, IT security professionals should be held liable for errors or negligence during the undertaking of an IT security project, Cheang added.

Despite the importance of IT security, he noted that those in the profession are still not accorded the appropriate level of respect. For example, instead of directly to the CEO, the chief security officer often reports to the head of finance or head of operations. This makes it difficult for him or her to carry out security audits on the chief finance, information and operating officers.


IT security today is, therefore, still "a soft science" with no common baseline of measurement of an IT security executive's professionalism, Cheang said. "There is no professional association that regulates IT security, governs the profession and sets a baseline of performance, ethics, progression and career development," he said.

Lee Kwok Cheong, president of the Singapore Computer Society, added: "IT infrastructure is no less important, and life-impacting, as physical infrastructure like buildings, roads and bridges.

"You would not buy or live in a building not designed by qualified architects and engineers. Why would you accept anything less from the IT profession?" he said.

Husin Jazri, director of the National ICT Security and Emergency Response Center (NISER) in Malaysia, agreed. He noted that a high standard of professionalism in the area of information security is now crucial. "Organizations realize the importance of certified information security professionals with current skills and knowledge, to ensure a safe environment for them to conduct businesses," Jazri said.

ZDNet Asia understands that the issue of legislating IT security professionals is still a nascent one in Malaysia. According to NISER's Husin, more discussion is needed to gather input from stakeholders in the country.

Industry players and businesses also need to be given "ample time to understand the necessities and implications", he added.

In Hong Kong, Sin Chung Kai, a legislative councilor who represents the Information Technology Functional Constituency (ITFC), said he does not rule out such requirements in future.

However, rather than mandate a license for all types of IT security personnel, only qualified personnel should be licensed and publicly recognized, he said in an e-mail interview. That would pave the way to ensure businesses adhere to the use of qualified IT security professionals for "certain mission critical projects", he noted.

Issues to resolve
However, while there is now recognition of the need to certify IT security professionals, experts caution that the IT security industry is very young compared to the medical, legal or accounting industries.

"The Hippocratic Oath (observed by medical practitioners) is 2,000 years old, the legal profession is at least 1,000 years old, the accounting profession is 500 years to 1,000 years old... computer security hasn't been around for 20 years," said Anthony Lim, vice chairman of the security chapter under the Singapore Infocomm Technology Federation (SiTF). "But of course we don't have to wait so long to legislate IT security."

Lim acknowledged that it would not be an easy task to define the minimal criteria for someone to be labeled an IT professional.

"Does it mean that someone who works in a SMB (small and midsize business) environment cannot hope to become an IT security professional?" he said. "Does everybody have to apply for jobs in big companies with large complicated environments before they can hope to enter IT security?

"We haven't answered that question, and as long as we don't answer that question, it delays the ability to implement the legislation of IT security professionals," said Lim.

ITFC's Sin also highlighted the challenge of establishing legislation to hold IT security professionals accountable for any error or negligence in large projects.

"How does one define mission-critical or big projects?" he said. "For instance, a person who installs a virus-protection software may or may not be required to obtain a license to carry out the task."

NISER's Husin added that education and training opportunities are another area of concern. He noted that there has to be sufficient relevant certifications to meet the needs of the various security job functions, as well as the organization's business needs.

Progress in Singapore
According to Cheang, SIG^2 has been working with the Infocomm Development Authority of Singapore (IDA) since 2004 to lay the groundwork for a professional charter pertaining to information security practitioners. Last month, the SIG^2 Committee convened and voted to dissolve the society, and form the Association of Information Risk and Security Professional (AINSEP).

SIG^2 has also called for an Extraordinary General Meeting on Jun. 30 to discuss, among other things, timelines and milestones toward the formation of AINSEP.

ZDNet Asia understands from SiTF's Lim that Singapore is fast gearing itself to enhance the IT security profession, up to a level that is similar to that of medical professionals or lawyers.

In an e-mail reply, an IDA spokesperson told ZDNet Asia that it is spearheading efforts to establish a professional body for executives in the infocomm security realm. This will help build up a pool of competent IT security professionals in the country, the authority said.

AINSEP, which is expected to be launched at the end of the year, aims to elevate the status, professionalism and trust accorded to the professionals, through "a recognized body and qualifications, established career paths and career development programs", said the IDA spokesperson.

According to SiTF's Lim, some progress has been made in the development of a career and recognition framework. Lim is involved in a working group set up for this purpose.

He noted that the framework will take into account an IT security professional's years of appropriate experience, type of specialization, and the depth of industry expertise. It would serve not only as a career roadmap for IT security professionals, but also offer a resource and referral point for employers.

Lim expects that in future, any individual who wishes to work as an IT security professional in Singapore will be required to be licensed with the professional body.

SCS's Lee stressed the need for a right balance to be struck between a heavy-handed approach and a self-regulating one--should Singapore be among the earliest countries in the region, or world, to legislate the IT security profession.

He added that legislation should not stop at IT security professionals.

"It could be convenient to start with IT security professionals, but let's not stop there," he said. "The various sub-branches of the IT profession should all eventually be covered by similar legislation and qualification frameworks."
