
Professional status is a curious phenomenon which must be examined more closely.

There is today widespread use of “professional” and “pro” not only as making a living from a trade – particularly one of the vocational graduate trades – but also as a marketing device. Items such as shampoo sold as “professional” but clearly for domestic use suggest suitability for the advanced user aiming for the higher quality which professionals produce. One might consider the term “professional” to be an inscription, in that it has a common but nebulous definition written into the network by repetition, which needs only to be referenced to allude to high levels of skill, judgement and reliably high quality of output, without detailed examination of the exact claim.

It is however both simultaneously and conversely used by some as a more formal term for those trades for which qualification is by graduate study and subsequent postgraduate industry qualification; this sense is still very much alive for some. Its exact definition for this sense is dependent on current perceptions of the term, but distorted by the gravitas of the prototypes in the field, thus the perceptions of professionalism and what it means to be a professional (as represented in Fig. 19) are very much part of the network rather than mere intermediaries.

[Figure 19 diagram. Node labels: Candidate Professional Body; Professional Status; Traditional Professions; Other Professional Bodies. Edge labels: Define; Template; Is gateway to; Regulate and maintain; Maintain.]

Fig. 19: Partial view of an orthodox model of professional status.

If “professional” can be simply mentioned to denote a tool brand’s halo model, promise high-quality electrical installation or attest to post-graduate practice-based qualification, it has become a black box: punctualised and used without explanation or examination. But translation here is incomplete; no professional body has control, which demands the unpacking of that box to explain the network weakness. Which style of profession is referenced by professional certifications in Information Security? To be enrolled by a professional body practitioners must themselves want to obtain that professional status, but what elements for them comprise that status? What are the demands which a professional body must answer to avoid network weakness and a consequent failure to achieve translation? Since other professions’ identities shape those impressions, they too are at large in the network.

The prevailing impression was that Information Security is too specialist and emerged too recently to be accepted as a profession in the traditional sense. To the layperson, the practitioner’s services are unclear, forming part of IT or the corporate police force. Lack of status to the layman is significant; to this group, contact with the public means exposure and thus an identity in the public mind, and consequently status. This would suggest that the public perception of professionalism is another entity affecting the network, which again is affected by perceptions of the other traditional professions.

This makes for an interesting aside for the theorist; Freidson (1970, pp.21–22), for example, makes a distinction between consulting and technology professions. Whereas medics are required to have status in the eyes of the laity, technical specialists need only be respected by peers. To Abbott (1988, p.118), working with the public directly is distasteful; senior professionals delegate this to juniors, or entire junior professions (barristers to solicitors and doctors to nurses, for example). Professional status for these people was associated with a high impact of incompetence, particularly as support for the paramount position of medicine.

“I think the stakes are much higher for a doctor. No marketing professional’s going to kill a load of people if they get it wrong.”

[CHA33M-SM54]

Potentially, this limits the ambition of practitioners seeking that status. Two people however, a professional body and the government interviewee, noted that security was moving towards protecting personally significant interests and safety, as more systems were entrusted to electronic operation, thus this may support future changes.

“Safety is now reliant so much on security, safety for many many years has looked at as component failure and hazards like weather and all that kind of stuff, but it doesn't include malicious action. And we're seeing more and more malicious action which will now affect safety.”

[GOV01E-GV01]

Public perception of absolute status was not the most notable issue. Rather it was the distinction itself – the crystallisation of discrete roles and identities within professions and the hierarchy between the professions themselves – which was seen as crucial. Whilst these professions are seen to have well-established roles with formal paths to qualification, the career path and “rank structure” of Information Security is not seen to be present, for good or bad.

“Again, I go back to medicine; there's lots of specialisms in medicine that have developed over many years but everybody agrees that a neurologist does things with the brain and not with the kidney. I don't think we're in that position.”

[GOV01E-GOV]

This lack of clear terminology creates a difficulty in making comparisons between employment roles, which in turn complicates the process of qualification and makes the claim of representing a discrete and identifiable profession difficult. One of the principal challenges to regulation and greater organisation was thus held to be drawing the boundary around the profession, something which Abbott (1988) suggests is a dynamic process over time as adjacent professions jostle for control. Without that boundary it is difficult to select and enrol a discrete set of actors.

The question of coherence was seeded from the literature, given the efforts to codify roles. One line of questioning was the broadness of the different skill sets; whether for example a forensic analyst or firewall engineer was part of the same profession as someone who creates policy or educates an end-user. As seen earlier, the literature strongly suggests this to be the case. Two educationalists saw technical and policy aspects as separate professions; generally, however, this sample simply noted the complexity of the current status without advancing any potential ideological boundaries.

“So while everyone can have quite distinct roles, you actually need all of them to make it work. ... [Y]our elliptical curve cryptography person knows everything about how to encrypt something and decrypt it but doesn't necessarily understand the wider context of why you might need to do it.”

[TEC72E-AN91]

It is noteworthy that several people mentioned the IISP Skills Framework as a factor for change, either usefully to define the roles and hence education paths for those roles, or less usefully as a constricting force which does not reflect the less predictable course of a typical business career.

Either way this typology of roles is generating comment in the industry, potentially representing an inscription in the network, accepted without further discussion as a role reified: a physical symbol for its contents. Such entities are useful for creating stable networks, since a network whose base elements are constantly having to re-assert themselves against challenge will be weak.

Overwhelmingly the perception was that whilst not yet complete, Information Security had the potential to become (or even should be) recognised as a profession; it was felt to have sufficient intellectual depth, but had not yet achieved the matching gravitas and status of more structured examples. It was almost unanimous that a CISO would not enjoy equal status to a company lawyer; government noted that it sought actively to improve this status, which was not particularly high. Otherwise there was no clear difference on this point between the source types.

The above does not imply zero status for all practitioners; status is simply won by the individual, assisted by job title, hierarchical seniority and perceived personal competence. By contrast it was felt that “recognised” professionals command automatic respect; their claims are accepted in the network by reference to the status of their profession alone. ANT here shows the power of non-human actants; whatever the motivation of physicians to advance their own status, without any likely intentionality on the part of the human doctor the status of their profession has effect in a distant, almost unrelated network.

“Medicine's another great example. Doctors, medical students spend two years basically in a classroom where they learn how the human body works. … They start off with a broad knowledge, and they narrow down, because the principles work no matter where you are.”

[PRO29E-PO42]

Exceeding even obscurity and the lack of structured roles and qualification was a perceived lack of maturity and history, charmingly expressed as “It's not old enough. Doesn't even have a nice building in London” [GOV01E-GV01]. The “heritage” of other professions qua profession was arguably over-estimated; interviewees spoke of medicine as having “hundreds of years” or “millennia” of history, whereas Freidson (1970, pp.5–21) places a recognisable medical profession no earlier than the end of the nineteenth century. The black-boxed status invokes a sense of ancient foundation which would not withstand unpacking.

“Security is where medicine was many hundreds of years ago, in that we apply treatments that sometimes work and sometimes don't, and we don't always know why.”

[GOV01E-GV01, emphasis added]

Security was seen to be less mature and of a lower status even than the more modern examples mentioned in the interview protocol (pharmacy, nursing and engineering). Two perceptive voices challenged the question, denying the implied recent emergence of engineering. One noted that civil engineering prior to its professionalisation dated back to Roman times and another noted that engineers were socially prominent in the Victorian era but did not protect their status (notably similar to Larson’s (1977, pp.25–31) treatment of engineering). It is apparently perception of maturity which influenced the sample and thus against which offers of representation by a professional body will be judged, both by practitioners and government, made more difficult by the short history of information processing.

“The technology we work on has only really been around since 1945. It's transforming itself every two or three years, so we are playing catch-up in a way that other professions never had to.”

[PRO29E-PO42]

One professional body noted that they had an aim to be more comparable to other professions, however another aimed not to be of equal status so much as being equally well-organised and ethically practised. Again, the perception of the other professions clearly has a strong bearing on what would be required in a regulated network. These comparisons hinted for example at the direction the speaker saw for the occupation.

“Security … is still seen as something you can spend three years doing as part of your overall career. Of course yes in three years you might become a bottom-end GP in medical terms if you're lucky but the reality is it'll take you many years to become a specialist.”

[GOV01E-GOV]

As an aside, it is most interesting that the government interviewee should criticise this sense of not requiring specialised knowledge but strongly resist the profession being licensed as discussed in other sections.

In terms of structure, the practitioners in the main felt that whilst an earlier IT career provides important technical grounding for key areas of policy enforcement, career background should not necessarily determine potential. Earlier sections showed that the practitioners similarly refuse to insist on graduate education, something which the educators naturally consider to be a foundation for a career. One person noted that the general increase in popularity of university education may (once more) require a person to be a graduate in order to be considered a professional in future. The sense here was that this stemmed from the statistics of modern practice and custom rather than a phenomenological analysis of the essence of profession.

Looking to the future, it was felt that the role itself will change. One practitioner predicted that recruitment will be from a much wider variety of skill types; this made an interesting contrast to the government (DBIS, 2014a) view that more entrants with STEM subjects are needed, suggesting a continuing technical bias. All parties agreed on the lack of competent staff in the market and the importance of increasing the supply to the industry of trained staff.

“We're [producing graduates at] way below the amount of people required to cover this kind of role.”

[EDU54-CL11]

As the government has recognised this, in theory this creates the conditions where it may wish to delegate the task of regulation.
