March 30, 2006

Professional Associations in IT Security

Someone wrote to me to ask:

Are you aware of any professional associations for IT security you could recommend I become a member of?

I have no answer there - would anyone recommend an association? And more importantly, why?

Posted by iang at March 30, 2006 10:45 AM

Well there are lots of orgs out there, ISSA, ISACA, ASIS, FIRST. I've been members of the first and the last. The best thing I've gotten out of them both is the contacts and not so much the contact. That and they all have lots of capital letters :)

Posted by: Arthur at March 30, 2006 11:11 AM

Such associations are needed because of the lemon nature of the information security market. Without reliable and cheaply verifiable signals about quality, the market will not pay for decent information security solutions.

Where do I apply for membership in a reputable guild and what kind of masterpiece is required by its council? ;-)

Posted by: Daniel A. Nagy at March 30, 2006 01:02 PM

I want unpublished hacks.

Posted by: Jimbo at March 30, 2006 01:38 PM

I don't care to belong to a club that accepts people like me as members.

Posted by: Groucho Marx at March 30, 2006 04:13 PM

It would be nice to find an association that wasn't crowded with -

a) CISSPs that think that it is cool to have ", CISSP" after your name as if it meant something
b) ex-policemen in pursuit of National Security and fighting Cyberterrorism
c) IT managers that are mostly interested in how to Secure your Windows Workstations against 0day Malware

Posted by: localhost at March 31, 2006 01:39 AM

Being a member of ISC2 and ISACA, I have to say there are some advantages, but not as many as I hoped. From a credential perspective, some clients ask for letters like CISM and CISSP after the name, and there is useful information disseminated by both organisations.

I am more optimistic of the new IISP (Institute of Information Security Professionals) and have to see how it goes, I guess.

Posted by: Rory at March 31, 2006 04:11 AM

Semi-random thoughts on this:

My experience has been that the more focused organizations -- limited geographically or by subject matter specialization -- have given me the most value. Once an organization tries to have "broad infosec coverage" at a level beyond, say, a US state, it starts to suck. Specifically, by 'suck' I mean it takes my dues money and spends it on conferences where I can hear what I already know from people who appear to make their living as speakers rather than researchers, managers, or implementers.

Grassroots groups at a local level can be very rewarding. The networking/schmoozing aspect, because the people are already members of a community, has always seemed authentic rather than slick. That's a huge plus.

In a group which has a narrower topical focus, knowledge typically is deeper, so you don't get the "hear what you already know" issue. However, which such group is "the right one to join" is a matter of taste/intellectual orientation.

One group which isn't local and isn't narrowly specialized and is worth being involved with (and has more capital letters than ISSA or FIRST!) is USENIX.

Posted by: Chris Walsh at March 31, 2006 10:35 PM