Professionalization of Cyber in Canada
Please consider this non-partisan Parliamentary petition to professionalize the practice of Cyber in Canada; specifically "to create a licensing body for cyber system security professionals with delegated authority from the federal government to regulate Canadian cyber security practices."
This has been a long time coming. In Canada, we license engineers to build roads and bridges, we license people to give massages, apply pesticides and in most provinces to style hair! But a telecom, bank, hospital, power company, government agency or any other critical infrastructure can hire *anyone* (or no one) to lead or design the security of their IT infrastructure. We need to do better.
While we have professional engineering licensing bodies in every province, they have not used their regulatory powers to deliver the standards of performance and professionalization of Cyber, a necessary public good.
Professionalization of Cyber is not about disenfranchising anyone doing Cyber now. This is the beginning of a big process that can include provisions for grandfathering and experience-based qualifications. Ultimately, professionalization should elevate the standard of practice in Cyber nationally, for the benefit of all Canadians. This petition is about a Cyber licensure open to people from many backgrounds, not merely engineers.
This petition was made possible by the hard work of the engineering advocacy group Engineers for the Profession (e4pinc.ca). Professionalization of Cyber in Canada has its roots within the Emerging Disciplines Task Force of Professional Engineers Ontario (peo.on.ca) dating back to 2010.
CC for cross-posting: Richard Henderson Daksha Bhasker PEng (CIE), MBA CISM CISSP CCSK CCZT Perry Steckly Faud Khan Jill Kowalchuk, ICD.D Byron Holland MBA, ICD.D Bill Dunnion Mark Tse Tim Kline Dominique Jodoin Andrew Cheung Tim Stupich F. Richard Yu Isaac Straley Blair Canavan Nick McGregor Paul Kivikink Brian Neill Michele Mosca Craig McLellan Brian O'Higgins Jerry Glowka Marc Watters Dave M. Allen (Al) Dillon Cyrus Minwalla
You can't hire *anyone* everywhere. Here in Canada, there have been standing offers for information security and infrastructure protection all the way back to IERA, ITSPS, CPSA, and others since I left that field where professional services personnel are required to have qualification aligned to rubrics that are complex and require demonstrated relevance, including bias towards recent expertise in a given area. Not one set of letters and $50K+ to some degree granting institution that teach doctrine of the past will do. Delegated authority to regulate... So that means accreditation and therefore risk & liability transfer. Is this an audit and assessment designation? If there is any form of 'sign off' then you're transferring some risk to the accredited professional. That means risking your house or having to carry insurance. Who will offer these insurance policies and what will they insure? Security design ... design of what? Code? Modular application integration? Deployments across global interdependent hosting? Application workload schedulers of cloud and virtual hosting environments? Network traffic configurations? Physical safeguards? Processes? Training of individuals? Or the Infrastructure that underpins all of those?
As a Professional Engineer who practices as a Cybersecurity Engineer, I have grave reservations that such a body is going to impinge upon the already regulated domain under the Engineering Acts within the provincial authorities in Canada. The practice of engineering is wholly within the purview of the Professional Engineering organizations within this country. The fact that those organizations are not taking to task people and organizations practicing engineering in the cyber domain without proper licensure is a separate issue. I notice in the petition, even though spearheaded by Engineers for the Profession and PEO, the words engineer and engineering seem to be assiduously avoided in the petition. I would submit that a petition to enforce the proper licensing of Professional Engineers (starting with the Federal Government) for the practice of engineering activities in the cyber domain would be a more useful endeavor.
I'll add to my previous comment to remind everyone, that this also flies in the face of the good work CSE/CCCS has been doing, based on the NOS for Cybersecurity facilitated by the Digital Governance Council, through the https://www.cyber.gc.ca/en/education-community/academic-outreach-cyber-skills-development/canadian-cyber-security-skills-framework, which is meant to be reciprocal to the evolving NIST NICE Framework of the US Gov.
I'm afraid, Tyson, that this puts the cart before the proverbial horse somewhat. The Digital Strategy Council just finished the creation of a National Occupation Standard for Cybersecurity. It includes a wide variety of skills, but as I pointed out many times during its evolution, neglects to cover off Engineering. To that end, it is my firm position that Security Engineering is still in its infancy. What we have seen mature, industry wide, is the advent of Enterprise Architecture. As I noted, briefly, to you during CANSEC (was great to see you BTW) to really address Security Engineering, the industry needs to be teaching young engineers, not just Systems Engineering (ISO 15288/12207), but the inclusion of NIST SP 800-160 (Vol 1 did the alignment to 15288 best). Not only that, Canada, at this juncture, is still a gaping hole with regard to proper legislative and regulatory coverage of Cybersecurity compared to many of our partners. What we have in place is reactive and punitive, vs proactive and enabling; all this flies in the face of the "professionalism" you seek. Always available to discuss the nuances. Given the preamble to the petition, my immediate takeaway is that this would only create finger pointing during incidents.