Don’t professionalize, innovatize

Why the solution to the issues in the information security profession will not come from creating (yet another) governing body but could arrive via innovation. (An answer to Brian Honan’s article on Help Net Security.)

By Eh’den (Uri) Biber

Brian Honan wrote an interesting article for Help Net Security entitled “Is it time to professionalize information security?” It covers the discussion around the call to turn information security into a licensed practice. I highly recommend reading Brian’s article; from it I derived the following points:

  1. Customers are often unable to validate the professional level of the so-called experts
  2. The quality of the work done by so-called experts is sometimes poor
  3. There is no accountability when poor work quality leads to incidents, and no independent body has the ability to “un-license” the so-called professionals
  4. We need independent bodies to provide counter-advice to interest groups (I assume privacy is a good example here)

Brian believes that if we “professionalize” the profession it will allow us to better present our opinions and expertise to leadership, be it corporate or government. He does admit that there could be problems such as international issues, closed guild structures that will demolish competition and hand an advantage to big firms. However, he thinks that the current state is not better than licensing the field.

First, a disclaimer: I’ve seen Brian talk at BruCON 2009, and I don’t remember if we had a chat after the talk, but considering that the BruCON motto is “hacking for b33r” I can only hope we didn’t kiss during the event :).

I can understand the pain that led Brian to write what he did; obviously the points he raised describe real issues. However, I tend to be a libertarian here and believe that the solution will come via innovation and educating our clients rather than trying to govern our profession.

So, you think you’re smarter than a 14-year-old autistic boy?

To support my claim I wish to bring in a 14-year-old. Jacob Barnett was diagnosed with autism at the age of two. He was silent for most of his childhood, stuck in his own universe, didn’t want to play outside, and his teachers were sure he would never be able to learn anything. But now, at the age of 14, he is studying for his master’s degree, has an IQ higher than Einstein’s and understands physics better than most humans on this planet.

In a recent TEDxTeen presentation, Jacob explained what made him become the genius he is: “in order to succeed you have to look at everything with your own unique perspective…that means that when you think, you must think in your own creative way, not accepting everything that’s already out there”. In his lecture he gives the example that, due to his autism, he was able to think about things rather than consume information; he talks about Newton and Einstein and their ability to think about physics from their own perspective due to circumstantial reasons (for Newton it was the plague, for Einstein it was the discrimination against Jews).

Bring on the dancing masters

The dancing Wu Li Masters

The same idea was echoed in Gary Zukav’s wonderful 1979 book “The Dancing Wu Li Masters”, which provided the first non-mathematical explanation of quantum physics (Wu Li is physics in Chinese). In his book Gary explained that when most people say “scientists” they actually mean what he calls “technicians”. According to Gary, a technician is a highly trained individual who is an expert in applying known techniques and principles, and who deals with the known. A scientist, for him, is a person who seeks to know the true nature of reality, and who deals with the unknown. As he put it, “in short, scientists discover, and technicians apply”. He also added that “it is no longer evident whether scientists really discover new things or whether they create them.”

The nature of any governing body is to … govern. It governs based on its own perspective, and it will be biased because we are all biased (another article about that soon). It will also be political, because it will be required to represent a group of people, and as in every such case politics comes into play: there will be power struggles, personal interests, and lies… we are all only human, and our organizations are a reflection of ourselves.

The point is that trying to define who is a good information security professional is like trying to define whether a kid is mentally capable or not (e.g. Jacob). It doesn’t work for the true mavericks, visionaries and those who are unafraid of the unknown. It’s great for defining the level of skill a technician has reached, but do you really think that the only people you should consult when you face an information security challenge are people who are experts in applying known techniques and principles, and who deal with the known? You can, but you need to remember that in many cases the threats you are facing are not the result of people who think like technicians but of people who think like scientists. If we quantify the level of expertise by the quantities we are aware of, we will be blind to the quantities we cannot see. We need both, and based on history we will end up pushing the information security scientists to the other side if we prevent them from practicing their skills only because the “governing” bodies find their ideas and methods too… non-governed.

We already have professional bodies that provide different accreditations, such as ISACA and (ISC)². Did that create a utopian environment that solved all the issues Brian raised in his article? Of course not, and in my honest opinion adding another body will not change the situation, because regardless of all good intentions it cannot.

Innovation is our middle name

So what’s the alternative solution? I suggest we use the wisdom of the crowd. With all the big data discussions we have had in our community recently, I’m sure we can easily develop tools to identify which professionals are worth hiring and which should be avoided, and let the clients decide what to do. We can use algorithms, which are great ways to summarize data, and they should be open source to make sure they are not being manipulated. We have a great community that can build such solutions, deriving their data from various sources such as social media and information security related sites. Sure, that could be manipulated, as always, but I strongly believe that our community has enough bright minds to make it work. Many of us feel great passion for our profession, and our freedom to express ourselves should not be limited by a governing body that will define who is good and who is not. We all know dictatorships are a bad idea, but even in democracies any society that allowed its government to take over the private responsibilities of the individuals ended up badly, as the latest scandals we see in the US clearly show. If you still think regulation works… I will let Jon Stewart explain to you why you’re wrong:

Personal thoughts (or why the Beatles were right)

Being protected is not about knowing information security facts, it is about living information security. When we feel information security we live information security. How we live is based on the story we tell ourselves about what information security is. If we fear it, it will delay us, slow us, and give us a false sense of security, but will not allow us to see the real opportunities out there. Only via loving information security can we reach a state of no fear, and only via lack of fear can we truly understand it. Love is awareness. Love is the sense of unity, of wholeness, of nothingness. Love is the definition of true consciousness. This is our dream, it is up to us to decide how to live it, and instead of more governing I suggest we simply … love 🙂
