There has been quite a bit of debate on the internet recently about professionalism in the cyber security industry.
Some well-informed, and some… well… interesting.
Starting with the interesting camp, apparently “Infosec isn’t a real profession”, based on the premise that we can’t quantify risk.
This claim was debated on the LinkedIn ISO27001 Group, which turned into a constructive debate about the balance between knowledge and experience.
The knowledge / experience debate tries to draw the line between a person who has read a book / done a training course / passed an exam (the CISSP model), and someone who can show referenced examples of having undertaken good work in the area (the CCP model).
In reality a balance of both aspects is needed, as well as a programme of continuing professional development to keep both up to date.
The article “How do you define a cyber security professional?” reminds us of an important additional aspect in all of this – ethics and code of conduct.
As professionals, we build up a detailed knowledge of the defences (and weaknesses) of our customers' systems, and we must use that knowledge ethically.
Have you validated that the cyber security advisors working for your business have committed to a recognised code of conduct?