Goals for the next 40

Forty years is a long time, all things considered.

In 1978, I wasn’t born yet, the Certified Protection Professional (CPP) designation was a year old, and the concept of information security meant something altogether different than it does today.

But I think we can all agree that what has changed the most is the security professional himself or herself. No longer strictly a middle-aged white male former policeman, but an increasingly diverse, educated professional who is able to speak the language of business. Perhaps it’s time for a bit of self-reflection so that we can chart the direction of the security industry over the next 40 years.

Improve the image of the security professional. Our first priority must be to ensure that the general public views a role in security as a professional career, because that visibility will translate into greater recognition among senior management AND attract better and more diverse talent to security roles. Public education in this manner does not come quickly or inexpensively and this will take the entire industry coming together (and spending together) to make this change.

Increase awareness among information security professionals. Too often, it’s us versus them. They don’t know we exist, or they think we’re all retired cops collecting a pension who only call them when our laptops don’t work. And why should we care about them? Take a look at the growth of their budget or head-count in your organization over the last 10 years and compare it to your own! Threats in the InfoSec space get much of the public attention, so promoting our role and professionalism to this group is almost as important as promoting it to the public. But this goal is all about small wins and creating relationships with your peers inside your organization or within related organizations (vendors, clients, professional associations).

Refine security education for all levels of security professionals. Security-related college programs with fantastic co-op placement opportunities are common in Ontario, and elsewhere in Canada, to the best of my knowledge. But graduates from these programs struggle to find good employment within the security industry and are often forced to start work as a security guard — a job for which they didn’t need to attend college. Educational offerings at the college level need to be more widely recognized by the industry, and the best ways of doing that are participating in course design/delivery and hiring the graduates. And while the CPP and other professional designations are great for confirming a common understanding of security principles, they are not a substitute for formal education for senior security professionals, which should be a graduate-level degree program.

Provide pathways for young people in the industry. Finding a job as a young person fresh out of school can be daunting and security professionals are not always the most welcoming, suspicious as we are! Networking geared towards Young Professionals within associations like ASIS is a great start, but these young people need mentors. Whether through a formal and structured process or just someone you stay in touch with, making yourself accessible to young people as a mentor is a great way of improving our industry.

Improve the gender (im)balance within the industry. The good news is that by pursuing these first four goals, we will probably already make an impact on this one; the bad news is that it still won’t be enough. Women make up a small portion of our industry and both the image and character of our profession suffer as a result. This too will take time, and we need to ensure our industry is both an attractive, and a safe, career choice for everyone. That means promoting fairness and transparency, discouraging an “old boys club” atmosphere and encouraging new approaches and styles.

There’s some food for thought. Agree or disagree?