Old 09-29-2014, 11:56 AM   #1
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

"Professional Licensure" as a permanent solution to IT's mounting woes


Yes, you are free to go into Home Depot at any time to indulge your "do-it-yourself" fantasies as an individual homeowner. However, by a substantial body of long-standing law, you are not permitted to "hang out your shingle" to your neighbor. To do that, you must be a "licensed contractor" at some level or another, and there are very well-established statutory requirements for obtaining that licensure ... without which you are prohibited from practicing the trade. (There are likewise statutory means through which, by design, you can lose that status, either temporarily or permanently ... such that you are always goaded by the fear of that very possibility. ("Better toe the line, pal, or else ..."))

Over the past decades and centuries, we of course enacted such laws for very obvious reasons: "licensed contractors" were the very ones who built our houses, our bridges, our tall bridges, our highways, and so on ... upon which our daily lives so obviously depended.

How strange it is, then, that no such scruples exist (yet ...) with regard to the new profession that has so-obviously assumed that very same(!) status: data processing.

We're daily confronted by the growing statistics. 43%(!!) of companies had "data breaches" last year ... companies from Home Depot to Jimmy John's(!!) experienced massive thefts of the financial credentials that their customers routinely provided to them in the ordinary course of conducting the ordinary business of purchasing 2x4's and sandwiches.

The first "lame excuse" that we offered was to blame "Chinese hackers." ("They somehow penetrated X levels of technical defenses ...")

The second was to blame the company's employees. ("Dammit, they forgot to lock their terminals ...")

But both of these "lame excuses" are running out of steam. No one really believes them anymore.

In my opinion, this leaves only one party to blame: "the data-processing industry itself," at least as it stands now.

So far, "anyone who self-professed competency with the use of a hammer" was summarily granted access ... to (say) "build a website" that was responsible for a company's entire business. "If you knew <<Perl | PHP | dot-Net>> and <<MySQL | what-else is-there?>>" then you were qualified to do the job. Really, the only thing you needed to know about a hammer was: which end of it to hold in your hand, and which end of it to strike the nail with. (And, if you were "cheaper by the hour," whether by virtue of being imported under "temporary" (sic ...) Visa status or simply being a resident at "that particular range of IP-addresses," then, so much the better.)

"The Internet" was merely regarded as "a happy pool of IP-addresses, all of them identical to the rest."

Likewise, "data-processing people" were regarded as a happy pool, all of them identical to the rest, no matter where in the world they were. Work was handed-out by the contract, six months at a time, and "the cheapest" was inevitably presumed to be "the best."

"The indefinable skills of the attorney" were thereby confused with those of "the paralegal." (Who, although a highly-skilled clerk, is still: "a clerk.")

Perhaps it is, at last, the proper time when "the data-processing industry" should fully assert its need(!) to be: "a profession."

After all, we are not "just building computer-programs." We're building computer-programs that, like roadways and bridges and tall buildings, people stand on.

Maybe we should demand that this undertaking be taken more seriously.
 
Old 09-29-2014, 12:00 PM   #2
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 11,223

For those who don't know, sundialsvcs did a thread about this topic several months ago:

The Case for Professional Licensure in the Software Profession
 
Old 09-29-2014, 01:01 PM   #3
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659

Original Poster
Blog Entries: 4

Let's presume that they do, Dugan. Most folks who've been around here, have been around here for a very long time.

Yes, I do indeed think that "the software development industry is finally 'growing up' into a profession."

Most of us actually remember the "dot-bomb bubble." For a few oh-so heady years (which made some of us quite a bit of money, heh ...), all you needed to do was to breathe words, "dot-com," in order to attract Tons Of Investment Capital™. It literally could be anything ... delivering groceries, perfume, power tools, mowing the lawn ... as long as you could attach "dot com" to your harebrained scheme, you could get it funded. And go to the Second Round.

Now, as that particular sparkler is fading out, the latest harebrained scheme du jour has been: "just find the lowest dollars-per-hour, and any ol' IP-address will do, and anyone who says they can hit the nail instead of their thumb should be Hired Immediately."

Slowly, unwillingly, begrudgingly, kicking-and-screaming, our industry is being dragged to confront the following realizations:
  • The mere self-professed ability to "use a tool" is not enough.
  • The mere ability to "construct a construction" is not enough to guarantee the construction of a thing that will stand the test of years.
  • The construction of computer software is not merely a trade, but a bona-fide profession, with risks (indeed, "to human life and safety") that can only be addressed by formalized strictures and licensure, because these are public risks.
People have always had "expectations" with regard to the things that we do. But they didn't articulate them ... they thought they could "take them for granted." However, as the material cost and the disruptive risks inexorably become more apparent to public policy, they will express themselves (worldwide) as a body of law. We should be prepared for this.

Prepared ... but not surprised, and not indignant at its coming. At any construction site, we see plenty of yellow helmets, but we are comforted to see only a very few white ones. "Not just anybody" gets to wear a white one . . . And only a very small handful of people get to affix The Official Red Seal™ to the Plans that are Legally Required.™

Let's not pretend that these things are not coming to our neighborhood.

Last edited by sundialsvcs; 09-29-2014 at 01:11 PM.
 
Old 09-29-2014, 08:26 PM   #4
moxieman99
Member
 
Registered: Feb 2004
Distribution: Dabble, but latest used are Fedora 13 and Ubuntu 10.4.1
Posts: 425

Do you really want a bureaucrat passing judgment on your ability to manage a computer, network, or program? Do you really think that the world wide web would have been allowed to spread if the government was in charge of who could work on it?

Private associations and credentials are one thing. The ability of a government to force someone to the sidelines is something else. You cannot discuss government without discussing coercive power.
 
Old 09-29-2014, 11:36 PM   #5
AnanthaP
Member
 
Registered: Jul 2004
Location: Chennai, India
Posts: 952

With the adoption of packages replacing custom built stuff, the whole discussion will become redundant and in my view that's how it should be.

As packages grow and grow in scope, coverage and penetration, even gifted individuals and smaller consultancies who play the role of implementing and supporting systems will be swallowed up by the "certified guy" !? from the office of the big software house.

The problem about certification - unless it has the breadth of a good university degree - is that it is and will remain too compartmentalized. In my view, this is more so in certificates issued by non government bodies since they are always having to compete with certificates issued by similar organizations.

OK
 
Old 09-30-2014, 01:08 AM   #6
k3lt01
Senior Member
 
Registered: Feb 2011
Location: Australia
Distribution: Debian Wheezy, Jessie, Sid/Experimental, playing with LFS.
Posts: 2,900

Using your initial comparison (we call them tradies here in Oz) yes you need to have a licence to work *for money* as a trady but you don't need to have a licence to work as a hobbyist either on your own or a friend's-neighbour's-family member's property.

With regards to the requirement of having a licence in IT I can't see it happening across the board. Why? There are many kids that are just as good as old timers and they are still at school and do not have a licence.

I think you are probably talking in much finer detail than my discussion but I still think it is relevant. I personally know a few people who have travelled the world because of their IT skills yet they have no formal qualification/certification and have no desire to fork out money to gain a formal qualification/certification, their skills and abilities have been learned through practical experience and that practical experience is highly sought after.
 
Old 09-30-2014, 09:10 AM   #7
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659

Original Poster
Blog Entries: 4

Sure, I think that most people in IT are self-taught. The concerns should be, "standards of practice," and proving that people conform to them. And, very much, to provide a Sword of Damocles to hang over their heads ... "if you lose this, you cannot eat."

I think that this sort of thing ... unpopular though it might be now ... is coming, for the very same reason that it's legally required in other Engineering practice: civil, construction, road-building, and so on. I also foresee meaningful background checks and maybe true security-clearances. You simply can't pass laws that protect "personally identifiable information" (e.g. Sar-Ox, HIPAA), nor "financial information" (the "PCI" standard within the financial trade), if you have no (comparable, legal) standards about who is doing the work nor how it is being done. As they say, "trust, but verify," and "have meaningful recourse."

And I just think of it as, "software engineering grows up." It's a direct consequence of the Internet's presence and of its touching all forms of commerce and trade world-wide ... and its capability of inflicting billions(!) of dollars in losses, both real and intangible. Yes, it would be a government-defined entity (as all other professional licensures are), but very much defined by the trade.

I am confident that software engineering will "grow up" soon, and we should be prepared for it. We should try to guide it.

Last edited by sundialsvcs; 09-30-2014 at 09:13 AM.
 
Old 09-30-2014, 04:51 PM   #8
moxieman99
Member
 
Registered: Feb 2004
Distribution: Dabble, but latest used are Fedora 13 and Ubuntu 10.4.1
Posts: 425

Quote:
Originally Posted by sundialsvcs
I think that this sort of thing ... unpopular though it might be now ... is coming, for the very same reason that it's legally required in other Engineering practice: civil, construction, road-building, and so on. I also foresee meaningful background checks and maybe true security-clearances. You simply can't pass laws that protect "personally identifiable information" (e.g. Sar-Ox, HIPAA), nor "financial information" (the "PCI" standard within the financial trade), if you have no (comparable, legal) standards about who is doing the work nor how it is being done. As they say, "trust, but verify," and "have meaningful recourse."
I have a choice if I want to use your web site, but not if I want to use a road (civil engineers). Hence civil engineers are licensed (allowed to design and build roads for the government), but IT guys don't have to be.


I think what you will find is that eventually companies will become liable for doing financial transactions and storing sensitive data on web sites and servers that have not been audited for security. The IT guy could be a toad, and who cares. If the site passes security audits, it, and he, is good to go.
 
Old 09-30-2014, 06:17 PM   #9
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659

Original Poster
Blog Entries: 4

Quote:
Originally Posted by moxieman99
I have a choice if I want to use your web site, but not if I want to use a road (civil engineers). Hence civil engineers are licensed (allowed to design and build roads for the government), but IT guys don't have to be.
As you partly allude to below, it is the data that is the most valuable and also vulnerable thing. So far, no one's paying any legal attention to exactly what (say) a website, or a mobile application, is actually doing ... how it is made, who made it, who's legally liable for it, and so on. Especially in the case of mobile applications, which do run on something possessed by an individual (and typically, having far, far too much access to the information on it), I think that the days of "no one's paying any attention" are numbered.

Quote:
I think what you will find is that eventually companies will become liable for doing financial transactions and storing sensitive data on web sites and servers that have not been audited for security. The IT guy could be a toad, and who cares. If the site passes security audits, it, and he, is good to go.
Again, "web sites" are probably less front-and-center here than are mobile applications, but even so ... how can "'the site' pass security audits" if the staff isn't audited, too? Computers, and computer software, don't live in vacuums. And I believe that public awareness of these issues is very rapidly growing.

My point here, really, isn't to throw out a wild-hared prediction of doom. It is, rather, to point out a development that I think is coming to us very fast, such that we'd better be trying to (positively) influence its direction. And maybe we'd better be sweeping our own bedrooms, too. "Forewarned is forearmed."
 
Old 10-02-2014, 10:55 AM   #10
Myk267
Member
 
Registered: Apr 2012
Location: California
Posts: 422
Blog Entries: 16

Quote:
Originally Posted by dugan
For those who don't know, sundialsvcs did a thread about this topic several months ago:

The Case for Professional Licensure in the Software Profession
Same soapbox, different day.

This topic has seemingly intertwined two ideas:
1. We need a better understanding of what data about us is moving around.*
2. Sundialsvcs wants the government to Do Its Best to the situation.

The first seems somewhat valuable, but nobody so far has bought the second.

...

The question that always bubbles up in my mind is why Sundialsvcs isn't putting his money where his mouth is and making software that deals with any of this.

If limiting or filtering data from the private level is valuable, which it may be, then offering such a service would make money. Of course, it might just be another thing to join the indomitable list of things that can hurt us but fall below the statistical noise floor. You did buy that Jet-Engine-Falling-On-Your-House insurance, right? Oops!
 
Old 10-02-2014, 11:53 AM   #11
vmccord
Member
 
Registered: Jun 2012
Location: Topeka, KS
Distribution: Mostly AWS
Posts: 71
Blog Entries: 31

Does it have to be the government that drives this? Home Depot and Target aren't paying out-of-pocket entirely for their losses. They are insured. Sooner or later I would think that insurance companies will want proof of the security and reliability of a system. When a person signs up for life insurance depending on his or her age he or she completes a physical so the insurance company has a clear idea of the risk of insuring this person.
 
Old 10-02-2014, 12:06 PM   #12
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 11,223

Quote:
Originally Posted by sundialsvcs
And, very much, to provide a Sword of Damocles to hang over their heads ... "if you lose this, you cannot eat."
Since your argument this time is about deliberate data theft by insiders, I think it's worth pointing out that there's already a system of bureaucratic paperwork to ensure that insiders who are caught doing so cannot work in the industry again. It's called a "criminal record."

I think it's also worth pointing out what your proposal implies. "You must be licensed to work as a software developer" has a corollary: "if you are hiring software developers, then you are forbidden to hire unlicensed ones, and the sanctions for doing so will be stiff enough to deter you." The second part is essential. Otherwise, companies that are outsourcing to the lowest bidder will be even less likely to hire licensed professionals, as they'll cost even more than what those companies are already not willing to pay. As AFAIK this has not been pointed out in either thread yet, I'm curious to hear your thoughts.

Last edited by dugan; 10-02-2014 at 12:29 PM.
 
Old 10-02-2014, 06:02 PM   #13
moxieman99
Member
 
Registered: Feb 2004
Distribution: Dabble, but latest used are Fedora 13 and Ubuntu 10.4.1
Posts: 425

Quote:
Originally Posted by vmccord
Does it have to be the government that drives this? Home Depot and Target aren't paying out-of-pocket entirely for their losses. They are insured. Sooner or later I would think that insurance companies will want proof of the security and reliability of a system.
Not at all. That's why I wrote:

I think what you will find is that eventually companies will become liable for doing financial transactions and storing sensitive data on web sites and servers that have not been audited for security.


Once corporations become liable for data breaches in a meaningful way (they aren't now), insurers will tighten up drastically.
 
Old 10-03-2014, 02:44 AM   #14
Germany_chris
Senior Member
 
Registered: Jun 2011
Location: NOVA
Distribution: Debian 12
Posts: 1,071

Quote:
Originally Posted by dugan
Since your argument this time is about deliberate data theft by insiders, I think it's worth pointing out that there's already a system of bureaucratic paperwork to ensure that insiders who are caught doing so cannot work in the industry again. It's called a "criminal record."

I think it's also worth pointing out what your proposal implies. "You must be licensed to work as a software developer" has a corollary: "if you are hiring software developers, then you are forbidden to hire unlicensed ones, and the sanctions for doing so will be stiff enough to deter you." The second part is essential. Otherwise, companies that are outsourcing to the lowest bidder will be even less likely to hire licensed professionals, as they'll cost even more than what those companies are already not willing to pay. As AFAIK this has not been pointed out in either thread yet, I'm curious to hear your thoughts.
I think it would end up more like the licensed engineer will have to sign off on the code so you'll end up with 2 levels.
 
Old 10-03-2014, 09:02 AM   #15
vmccord
Member
 
Registered: Jun 2012
Location: Topeka, KS
Distribution: Mostly AWS
Posts: 71
Blog Entries: 31

Quote:
Originally Posted by moxieman99
Not at all. That's why I wrote:

I think what you will find is that eventually companies will become liable for doing financial transactions and storing sensitive data on web sites and servers that have not been audited for security.

Once corporations become liable for data breaches in a meaningful way (they aren't now), insurers will tighten up drastically.
I totally agree with you. I think that is an infinitely more likely outcome since requirements made by insurance companies do not involve the political process. Frankly I'm surprised this hasn't happened yet. My bank has had to go through the process of issuing me two new debit cards in the wake of Target and Home Depot. Obviously there is no way for me to know for sure that my card was compromised by those two incidents specifically, but the timing is certainly suspicious. The large financial institutions could more easily correlate the specifics of separate incidents of fraud to major theft events. Issuing millions of new cards at one time and going through the process to recover through their own insurance losses to fraud can't be cheap.
 
  

