Whatever the industry, you can always count on some voices calling for more government regulation—usually in the name of protecting consumers, securing infrastructure, stopping terrorism and putting an end to the torture of little children. Unfortunately, these efforts, although perhaps well meaning, are misguided. Given the growing concern over cyber attacks and other network/information threats, the information security industry is just one target of the drive to “professionalize.”
Drop the Euphemisms
Proponents of a cause, understandably, attempt to avoid using language that will rile those they’re trying to sway. Thus, for instance, in the perennial abortion debate, there’s “pro-life” and “pro-choice”—not “pro-restriction” and “pro-termination” (although each side may use such terms when referring to the other). In the case of efforts to regulate the information security industry, a common term is professionalize. Who can be against people in this field being “professional,” especially when it’s such a critical job?
The problem is that what is meant by professionalize is much more akin to nationalize (or, perhaps, socialize) than what might otherwise come to mind. A recent Computerworld article, citing a study by the Pell Center for International Relations and Public Policy at Salve Regina University, said, “In order to professionalize the field, stakeholders will also need to establish certification and licensing requirements for each specialty as well as apprenticeship and residency requirements.”
According to Investopedia, nationalization “Refers to the process of a government taking control of a company or industry, which can occur for a variety of reasons.” Citing a very close example, “In the United States…the last true nationalization of an industry was the government takeover of airport security after the September 11th tragedies in 2001.” Because a knowledge-based industry like information security lacks any real tangible assets, imposition of licensure and other certification requirements is effectively nationalization, since the government becomes gatekeeper of who may and may not participate, as well as how they must conduct themselves in the business. To be sure, licensure doesn’t necessarily imply employment by the government, but it still entails government approval of prospective participants.
In this case, the call to professionalize the industry is an underhanded way of asking for a government takeover.
A comparison to the takeover of airport security by the government is apt. This nationalization of a security industry has been anything but laudable: from the use of arguably ineffective scanning machines (affectionately termed porno-scanners) to the inflexible, laughable and cruel targeting of people who pose no threat, the TSA has become one of the most despised federal agencies (second, perhaps, to the IRS and NSA). And don’t forget that professionalize was the term that politicians and other supporters used to refer to this nationalization process.
The Computerworld article adds, “The Pell study calls for the creation of a nationally recognized association to set professional standards and education and training requirements for cybersecurity similar to what the American Medical Association (AMA) does in the medical field.” No greater example of licensure and government control of an industry can one find—nor a greater example of an industry on course to destroy itself and a good chunk of the economy. Even the so-called Affordable Care Act has been unable to contain the costs that the same government has ensured through ridiculous licensing and regulatory requirements.
Other examples of regulated industries that regularly disappoint are anything to do with construction: electricians, plumbers and other contractors, for instance, who often charge hefty fees for slipshod work. (Just type “contractors are” in the Google search field and see what pops up.) The laundry list of justifications—protecting consumers, ensuring “professional” work and so on—melts away when a contractor’s excuses and blame-the-customer rigmarole start.
Furthermore, turning more specifically to the field at hand, one might be more inclined to trust government oversight if that government wasn’t a security delinquent (see here and here, for instance). To be sure, legitimate and knowledgeable professionals (even though they may lack government licenses) would be involved in the nationalization scheme, but like any government program, the ultimate responsibility falls on representatives who are beholden only to whoever has the most money (or the most votes)—a less than encouraging thought.
The Usual Suspects
Nationalization of industries to impose uniform standards sounds in principle like a good idea, but as the cases of the medical and airport-security fields suggest, the practical outcome is a net disservice to customers. One alternative is private certifications: if an employer wants evidence of skills or knowledge, this avenue can be helpful. Citing an author of the Pell Center report, Computerworld said, “Currently, it is difficult to determine the actual skills and abilities of professionals based on their education or certification credentials, she said. It is even harder to map those skills to real-world job requirements.” Welcome to the real world. Licensure suffers the same problems: as the government-school diploma and, increasingly, public-university degree show, pieces of paper issued by government-controlled or government-backed institutions are more indicative of an ability to jump through hoops and play Simon Says than to prove useable knowledge or experience.
The only question is whether companies wish to invest in ensuring that they are hiring the professionals they need for information security. The technology world is rife with examples of private consortia establishing standards and other metrics for all sorts of critical networking and other tasks, often without the prodding or confiscated money of politicians. Licensure is simply an easy way to shove the costs of background work on taxpayers—effectively, socialization of security. To be sure, proponents of “professionalization” will state that the entire public has something to gain and on and on, offering the usual hackneyed justifications for yet another program to be administered by a government that can’t afford half of what it’s already doing.
Perhaps the only thing standing between an unregulated information security industry and the formation of the industry’s own version of the TSA is some catastrophic cyber event, or just a series of moderately destructive events. But perhaps all that the industry needs is time to mature. As the nature of so many cyber threats indicates, security will always be one step behind the threat. Investing in security, although it may protect profits, typically cannot generate them. Investing in attacks, however, can generate profits. Simply looking at the economic and risk factors, then, security is always behind the curve. Licensure will do nothing to change that situation, but it will introduce the kind of ridiculous, brain-numbing hurdles that do more to hinder innovative thought and work than to promote it.