What makes a professional? Is the income one earns? The knowledge one holds? The code of ethics one subscribes to? Maybe a title one holds?
Most of us, "security professionals" are members and subscribers to the "Code of Ethics" of at least one information security related body, such as the ISC2, ISACA and the ISSA, as such, we commit to be "professionals" but curiously enough one question is seldom raised: What means to be a professional.
Looking at the CISSP Prep Guide Golden Edition or similar material, you notice a cookie cutter approach so common in certification preparations material, but surprisingly enough discussions about the subject are still rare and few are the certified practitioners seem to understand the implications of being a "professional".
But if the definition of profession and professional are already concerning, even more concerning is the lack of debate on what professionalization means to the information security market. In fact, most certified practitioners believe professionalization will lead to higher quality standards to the work conducted by its peers. Still the current market situation seems to prove the opposite.
The market we are part of, is almost a circus where one can easily find heralds of fear, compliance preachers, soldiers of fortune, marketers, über-hackers obsessed with the latest vulnerability research and risk gurus that know absolutely nothing about threats.
But what if the circus is eventually healthy? Perhaps yes, especially because I can't stop developing the impression that information security isn't a science, but an art where creativity is vital.
Sadly, during the process of professionalization and the occupational closure, the definition of a core body of knowledge and learning path, are built at the expense of a greater range of experiences and opinions. The suppression of diversity creates a more cohesive labor force, but also creates professionals with less experience from other areas other than IT, or as William Barrett points, the more specialized a professional; the sharper is its focus and shorter is its sight.
So instead of pushing towards professionalization, we should seek exactly the opposite, looking into other fields, promoting new ideas.
We depend more on the ingenuity of the criminal than on the resourcefulness of the security specialist but we can still try to forecast the troubles.
PS: It is important to point that this is not a critique on the certification industry itself, but on the aspiration of certain professionals in the industry to frame it within certain parameters. As unconventional friend of mine once said (in Portuguese), certifications are useful way of setting learning targets (as much as a degree).