Mixed views on AU IT security accreditation

The security community is bitterly divided about any possible national IT security accreditation scheme. Some say Australia needs one, while others say the whole idea is a waste of time and the government should just implement internationally recognised standards.


A number of security providers were overwhelmingly positive about any possible scheme, which will be the focus of a study carried out by an as-yet undecided consultant to the Department of Communications, Information Technology and the Arts. Alan Bell, who is McAfee's marketing director for the Asia-Pacific region, said a scheme was necessary.

"We need an Australian national certification scheme for security professionals to take into account our local security issues, legislation and corporate governance needs," Bell told ZDNet Australia. "At a time when security is of national importance, it is good to see that this issue is on the national agenda."

And SurfControl managing director Charles Heunemann agreed. "If you look at even the guidelines that have been produced or recommended by the Defence Signals Directorate as mandatory recently, we're going to have our own regulatory schemes controlling IT security, and I think there should be an accreditation process in place," said Heunemann. The DSD is Australia's national authority for signals intelligence and information security.

According to Heunemann, "It'll also help to at least ensure that there is a minimum standard of knowledge professionalism out there amongst security providers."

Malcom Lister, Computer Associates' director of security for Australia and New Zealand, said the interest in a national IT security accreditation scheme revealed a growing level of maturity in the security industry, and even said such a scheme could lead to a business security qualification at a similar level to a Master of Business Administration (MBA).

The security arena, according to Lister, "used to be very technically focused, but is now linking in areas like risk, compliance and business strategy. One can perceive a security-type course having some sort of parallel to an MBA-type course."

But not everyone agrees. Paul Macrae, who works at MessageLabs in a business development director capacity, said the whole idea was laughable and that there were international standards that could be better applied.

"I don't see what them setting a single standard in Australia is going to help with," said Macrae, "because if anything they should be looking at the global picture and making sure that there is an integrated standard and an integrated process, and working with other entities in other places around the world."

There is "nothing at all" that is specific to Australia that would require a localised security qualification, according to Macrae. "This is ridiculous, it's just people wasting their time when they could be doing something more serious, like actually protecting or educating the small to medium enterprise (SME) market, which is a much more useful thing," he said.

And James Turner, who manages the security portfolio at analyst firm Frost & Sullivan, agreed with Macrae. "Security skills are a sought-after commodity in the Australian market," said Turner, "and having our own certification limits our access to overseas skills. The reverse is also true: what Australian IT security specialist is going to bother getting some local piece of paper, wasting time and money, when this will not be widely accepted overseas?"

"Is a multinational organisation going to be interested in security resources that are certified only to work in Australia?" asked Turner. "Of course not, because resources need to be mobile and flexible - especially in the scarce market of IT security skills."

Turner and Macrae both highlighted certain internationally recognised standards such as the Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) qualifications, which have been widely recognised in the marketplace for a number of years. Both also mentioned the SANS Institute as a provider of certification, including the Global Information Assurance Certification (GIAC) program.

"It would have been a far better initiative to say: 'How do we align ourselves with international standards that exist?', rather than shoot off on a silly tangent - which they've certainly done," said Macrae. Turner added: "There isn't anything so incredibly unique about the Australian industry that established international security certifications are neither relevant nor good enough."

"Australia is not an island on the Internet," said Turner. "We are part of a global 24-hour community. If Australia was not plugged into the rest of the world then I could understand us needing to establish our own IT security skills accreditation."