The timely emergence of IISP
By Information Security Group (ISG), Royal Holloway in Industry
Posted in Security on
Although information security (IS) has always been important, the concept of specialist qualifications in this area is fairly recent. The IS “profession” began to emerge in the 1980s, albeit in an ad hoc and piecemeal fashion and with little formality or structure. Industry leaders were self-trained and many individuals had the label of IS specialist, whereas in reality they had a particular focus on only one area of IS. At the end of the 1980s both CISSP and the Royal Holloway MSc were under development.
These were, I believe, the first dedicated qualifications available in the public domain. Since then the number of people specialising in IS has increased at an amazing rate, prompted by many positive events, including our increasing reliance on IT and the advent of the internet and electronic trading, coupled with an unacceptably large number of viruses, trojans and other high-profile security breaches.
As the number of security specialists increased, directors and managers in government and industry needed to trust that those who were responsible for IS in their organisation were competent, in the sense that they had the necessary knowledge and skills, and would behave in a professional and ethical manner.
“How do you recognise a competent IS professional?” was a question acquiring ever increasing importance by the late 1990s. It was this that prompted a small group of people to propose the formation of a professional body for IS. Their ideas were published in a document called “The Institute for Information Security professionals: A Blueprint”, dated 7th December 2004, in which a professional institute was proposed to “promote information security as a recognised discipline through the provision of a framework for developing, improving and measuring the competence of information security practitioners, recognised by employers, regulators and other professional bodies.”
The Institute of Information Security Professionals (IISP) was launched in February 2006 and has attracted much interest. Well over 1,000 individuals have joined as associates and it has the support of more than 40 corporates and government departments (for details see www.instisp.com). Although in its infancy, the IISP has the ambitious principal objective to “advance the professionalism of information security practitioners and thereby the professionalism of the industry as a whole.
By the year 2010 the institute aims to provide a universally accepted focal point for the information security profession.” In addition, IISP aims “to act as an accreditation authority for the industry, and Membership and Fellowship of the Institute will be the internationally accepted gold standard for information security professionals.”
In my view it is its role as an accreditation body that justifies IISP. There are now numerous knowledge based qualifications, including some high quality university degrees. However, these merely provide an indication of someone’s level of knowledge, skills and/or competencies at a given time. Many of these qualifications, for example university degrees, are awarded ‘for life’ with no obligation on the recipient to practise the discipline or to keep informed about advances in the area.
However, membership of a professional body like IISP should imply that the individual has followed a CPD programme which, as one of its aims and objectives, ensures that they have maintained an active interest in the discipline. Joining IISP should enable graduates from programmes such as the Royal Holloway MSc Information Security to build on this sound knowledge based qualification, to acquire further skills and competencies and to become leaders of the profession.
Professor Fred Piper