Sunday, February 15, 2009

Does IT Security Need A Governing Body - NOT!

In the February 2009 SC Magazine, Richard Starnes, the President of the Bluegrass Chapter of ISSA, tries to make the point that there should be a governing body for IT Security ("Security needs a governing body"), such as the American Medical Association or the American Bar Association. To this I say - BS! The last thing that IT or any other industry needs today is another FAT, self-serving governing body.

One of the great things about America, and Americans, is that, deep down, there is still a ray of hope for success through hard work and perseverance. This system allows the ones that perform well to rise to the top and those that cannot deliver to go away. Yes, I guess anyone can say that they can provide the service or solution and then not deliver, but I think we all would agree that those people do not last very long. Bad service and false commitments happen in governed professions as well; I have a lot of first-hand experience there!

The IT business has had monumental growth since the early 1980s because of the innovation and creativity of the many contributors in the industry. To say that you will now have to do things a certain way and hold the certifications (what a profit center!) in order to do the work is ridiculous. Much of the best work and many of the most technology-advancing innovations have come from kids! I have worked with many young adults, and, put in the right environment, without certifications, without specific education, and without access to a common body of knowledge, they were professional. And we all know who really works in those governing bodies - the people who could not cut it on the outside!

I suspect that Richard has ties to government/bureaucracy, or has been burned by a vendor for not doing his due diligence or for paying attention to the wrong reasons for purchasing. Does that mean that the system does not work? If you buy something and it does not meet your expectations, you either get satisfaction from the vendor to make it right or you never do business with them again.

Richard tries to point out that because there are other bureaucratic organizations that require education, certifications, and specialized knowledge before you can work in the field, you should consider this same structure for IT security, because in many cases we are already doing it. But what does that really mean?

It would mean that many young people would be prohibited from entering the industry because of the cost of "required" education. It would mean that vendors would have to charge more because they adhere to the governing body's rules and regulations, which are mostly self-serving. Most importantly, however, the cost of service would go up astronomically for end users (just as medical and legal services have), at a time when we cannot put up any more roadblocks to organizations implementing systems to protect their data, their investors' data, and their customers' personal information. And really, do the AMA and the American Bar Association protect the end user, or are they governing bodies that make access to goods and services prohibitive for certain people and make it difficult to seek recourse for bad work? Should there be malpractice insurance available for the IT Security industry too?

Although, at first thought, it may appear like a good idea, more bureaucracy only adds cost, slows down innovation, and prohibits newcomers from entering the field. Richard closes by asking the question, "Are we a profession?" I am not sure what Richard does each day, but in the 29 years I have been in this industry it has never entered my mind. I have always known I am a "Professional".
