Private Security Industry Bill - latest Straw outrage

Ross Anderson Ross.Anderson at cl.cam.ac.uk
Tue, 27 Mar 2001 12:25:28 +0100


Owen:

> For many years now I have earned my crust as an 'information security
> consultant' and a practitioner offering for sale security services
> and products. I know that the security industry contains more than 
> its fair share of crooks and charlatans.

I also do consulting work; and I agree that standards generally are
abysmal.

> Industry self-regulation has largely been focussed around the 'manned
> guarding' elements of the industry. In many ways that is the area that
> required most urgently an improvement in standards. 

If the bill merely sought to regulate private eyes and static guards,
then few people would object.

> However, this does not mean that all those working in 'information
> security' are competent.

As an academic, I tend to the view that ignorance is something that we
know - in principle, at least - how to fix. Why do you think I wrote my
book?

> The bottom line for me and for some others with an inside view is
> that the incompetent and criminal should be seriously discouraged.
> That said, formal regulation promises to be a nightmare of confusion
> and contradiction.

Almost every computer system that gets built nowadays has some kind of
protection requirement, and almost every system specification contains
material on precautions. If the bill goes through as it stands, then
the Home Office will become the regulatory authority, not just for
people like you and me, but for everyone who works as a systems
engineer.

Now there has been debate from time to time about whether systems
engineers should be licenced, and some steps have been made with BCS
members being eligible for chartered engineer status. But there are
many complex issues. Most people who program computers didn't take a
degree in computer science and are members of no professional body.
Many people who do take degrees in our subject prefer to go for
American professional qualifications such as membership of the IEEE.
Regulation is a thorny issue; for it to be imposed by accident and
controlled by a department that doesn't care much about us would
clearly be a bad thing.

Ross