Malpractice in Information Security?
Interesting Q&A over at CSO Security Counsel today, with Dan Greer trying to define what information security malpractice is. The most interesting part is that, today, we can't define it.
Dan Greer states: "Malpractice insurance would assume that we know what malpractice is, and we simply do not, although the next-to-last draft of the National Strategy to Secure Cyberspace did invite the licensure of security professionals. Absent licensure, there is no gating competence standard for security professionals. The only other standard would be a code of ethics and a professional body to hold the stone tablets on which they were writ. We don't have that either. Hence the claim that we do not know what malpractice is, at least not in the way more venerable professions do." (CSO)
A lot of folks I know have tinkered with the idea of having a licensed, bonded and insured information security person on staff. There is insurance you can purchase against information security breaches and other information security incidents, and you can insure your company against non-performance or loss due to those incidents. But we really don't have a way to build out a good actuarial table, nor do we have a good way for an insurer to quantify the risk of implementing, or not implementing, a particular information security recommendation. We have risk formulas taught by SANS and ISC2, we have the number of reported incidents and a loss estimate for each one, and we have the well-known public and private costs of an information security breach. What we lack is a way to tie those pieces together into something an underwriter can price.
The National Strategy to Secure Cyberspace calls for licensing information security practitioners; however, there is no single baseline that is going to work. The NSA-sponsored centers of excellence are a good place to start in setting a minimum educational curriculum, but many of us who are in security did not go to those schools, and many of us, for whatever reason, do not carry any certificate at all. Nor is there a national arbitration board like the APA or the Bar Association to guide and provide oversight for the industry at large. There is no one unifying framework that we can all agree upon as the basis for a professional board on the order of those other professions.
We do call ourselves information security professionals, and we do have a number of options for setting out a minimum required education, training, and certificate structure. But we still have no concept of how malpractice will be defined. We can agree that a doctor who leaves a sponge inside a patient has committed malpractice. In our consensus-driven risk management environment, however, whether a security control or process gets implemented depends on the legal framework the company operates under, the company's ability to pay for it, and the ability of the people involved to carry the agenda forward. Many information security programs languish for lack of funding, lack of skilled employees, or lack of the political ability to push the process through. Are any of these malpractice in the greater sense of the word?
Is it malpractice if an attacker gets in through software for which no patch exists, or for which the patch was released only a day ago? Is it malpractice if there are no sensors on the network and someone steals data? Is it malpractice when an information security person works in their own best interest rather than the best interest of the company? The scenarios are near endless, but interesting. Defining what is and is not malpractice for an information security professional also means that all the associated computer disciplines need to be reviewed as well: system administrators, database and network staff, and everyone else who implements the items that the information security folks have pointed out.
Defining malpractice well enough to insure against it, and then defining the patterns and practices that would let us build an actuarial table so that risk can be priced in the classic insurance model, is going to be difficult until we have a national body that sets the standards, patterns and practices for the information security industry. We have two strong institutions in the public sector: ISC2 and ISSA. On the government side we have NSA, NIST and DISA setting government standards. One unifying body, whether a governing body over the five groups above or some other composite of them, would go a long way toward settling all the things we keep saying we need. A combined government/public process would probably be best if we are serious about having a truly professional group like the APA or the Bar Association.
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.