IT expert says information security should be distinct field

Defense program creating professional standards already has proven beneficial, former government official says.

The federal government needs to recognize information security as a stand-alone career field if it wants to recruit and retain the best professionals for the job, a longtime information technology specialist said on Tuesday.

"I think it's time for government people to start to push for a distinct job series," said Lynn McNulty, government affairs director for the certification group (ISC)2 and former director of information systems security at the State Department. "From a personnelist standpoint, there would be a lot of opposition to a push to create a job series for IT people, but I think the time has come to recognize that we have the numbers, we have the visibility."

The creation of a separate career field, McNulty said, "encourages people to enter and stay in the field. It enables career management of IT professionals."

Currently, information security falls under the Office of Personnel Management's 2210 job series. The profession is defined as "work that involves ensuring the confidentiality, integrity and availability of systems, networks and data through the planning, analysis, development, implementation, maintenance and enhancement of information systems, security programs, policies, procedures and tools."

"The security people kind of get lost in [the 2210 classification]," McNulty said. "It doesn't recognize the increasing granularity of the career field."

The Defense Department's efforts to recognize information security as a distinct profession and to establish the credentials for that profession already have reaped benefits, McNulty said.

Directive 8570.1, issued in 2004, mandated the professionalization of the Pentagon's information security workforce, requiring the 100,000 employees in the field to receive proper certification and complete ongoing training.

In particular, continuing education is "clearly necessary in a dynamic field like IT," McNulty said. But the program as a whole also will allow the Defense Department to manage its information security workforce better because officials will be able to track the jobs that require certification and make sure workers are maintaining requirements.

"Hopefully, this will serve as a model for the allies and coalition partners," McNulty said. "The Canadians are looking at this program for application within the Canadian military."

McNulty said that governmentwide attention to the information security profession is important. The defense and intelligence agencies are focusing more on information assurance than the civilian agencies, he said, because they see information security as integral to their mission. They are magnifying that advantage by hiring 68 percent of the graduates from the presidential Scholarship for Service program, which provides tuition for students who study IT security in exchange for two years at a government agency.

"These programs were intended to be a source of qualified people for more of the civilian agencies because they are traditionally understaffed and underresourced," McNulty said. "[Smaller agencies] probably won't be able to put these people to work right away [because they may not have information security programs up and running], but they have equally valid needs."
