Firewall Wizards mailing list archives

Re: RE: present day admin skills


From: Robin S.Socha <robin-dated-1011088471.c99edd () socha net>
Date: Sat, 12 Jan 2002 05:19:31 -0500

* George Capehart <capegeo () opengroup org> writes:
> On Thu, Jan 10, 2002 at 08:52:15AM -0500, R. DuFresne wrote:
>
> > George,
> >
> > [...] I have little sympathy for these situations folks talk themselves
> > into being hired for.  It boils down to a point of passing the buck and
> > not taking responsibility.
>
> [...]
> What we have here is a failure of management.  What I mean is this: If
> the managers of the sysadmins that are described in this thread a) had
> a clue about what skills their people needed to have and b) provided
> leadership and actually developed the skills of their people, this
> problem wouldn't exist.

Chicken. Egg. Problem. Let me tell you, why:

> If managers know what skills the people in their department need,
> they should hire the people with those skills.  If people with
> those skills are not available, then they should get training for
> the people they have or hire those people whose skill sets come
> closest to those required and then get training for them to fill
> in the gaps.

Food for thought. Imagine an international consultancy. Imagine this
consultancy being in the risk consultancy business for more than 20
years. World market leader. Great consultants. Happy clients. Arrive the
90s. Miss business opportunity. Stick to what you know and do best
because "computers are not a risk $MILITARY_UNIT or $INTELLIGENCE_SERVICE
people deal with". Arrive 2000. Big bucks. Clients wanting full service,
integrated solutions, *one* team of consultants for the whole risk
management business.

Panic. Recruitment. Helplessness.

> The manager who hires unskilled people should be fired.

The manager in question may have been very successful for many years in
related, yet non-computer-related fields. Information security has not all
that much to do with computers if you think about it. Countermeasures
to industrial espionage don't, either. But suddenly[1], there are attacks on
clients that *are* computer-related, and the company wants to help these
people. What is the management supposed to do? You don't use subcontractors
for projects in which people's lives are at stake. The client won't let you,
anyway. So what do you do? You hire someone who fits your team, fits the
clients, and then *hope* that he can deliver what is in his CV - which may
or may not have much to do with the problem at hand other than "sysadminning
large corporate networks for 10 years".

> The manager who doesn't see to it that his/her people get the training
> they need to keep up with the requirements on their job as it evolves
> should be fired.

Some things cannot be trained. Running a secure Unix firewall for a
large corporation with a heterogeneous network of vulnerable machines
running $CRAP_OS_OTW is nothing you learn in seminars (at least not in
Germany, believe me!). It has to be learned on the job.

> The manager who doesn't mentor his/her people should be fired.

Consider this: You are a manager. Not a line manager, mind you. A
manager. Your task is to run a profit centre. With shareholders on
your back. You know fsck all about computers (certainly not enough to
qualify as a firewall superadmin who knows $OS because you've actually
worked with it for > 10 years). Now what do you do? How do you expect
to find the right people for the job? How are you supposed to mentor
your people?  We're not talking about "let's get some Win2k boxes
with Checkpoint and we're, like, totally secure". We're talking about
ground-breaking work for international clients running multi-billion
businesses. And these clients do *not* want $FOREIGN_COMPANY because
they trust yours. Ummmmm... problems, eh?

> Problem is, that manager is only going to be held accountable for the
> shape of his/her staff if *his/her* manager has a clue about what is
> going on.  And so on all the way up the chain.

Well, one gets promoted up to the level of your maximum incompetency that
your company can still bear. There is no real solution for this problem
unless you are already excellent and have managers who fully understand
what their staff are supposed to do. In the computer industry, this is
rather unlikely. I have difficulty following recent developments in Unix
firewalls. But I have clients who run 15 different OSes and approximately
that many different firewall suites. Now what?

> I've seen this to one degree or another in every organization in which
> I have worked, and since I'm a consultant, I've been in a few . . .
> Seems that it's not as bad in smaller companies as it is in larger
> ones . . .

That may or may not be true. One company I know quite well is a) world
market leader in business risk consultancy, b) small, and has c) massive
problems recruiting IT security and InfoSec consultants. Because they
almost don't exist in Germany. You can't take some 18-year-old hippy to
a board - they won't buy that he's good.

It's not only a consultant problem - it's a client problem as well. The
grey suits expect consultants to look nice and smell good. The best people
I know in IT security look like shit and smell like rabid beavers.

> iff the right leadership is in place at the top.

It never is.

> Larger companies are doomed.  Too many layers of people with whom the
> Peter Principle caught up.

Well, mass execution of the International Middle Management Proletariat has
been considered many times before. It's an appealing thought, particularly
if you're a consultant and want your boss's $COMPANY_CAR. Usually, though,
it won't solve too many problems.

> On the surface, this might not seem to have much to do with security,
> but it does.  "People" is one of the Defense-in-Depth triad.  Bottom
> line is that lack of security is as much a problem with management as
> anything else . . . IMHO.

It's both, I think: today's managements (40-60) unable to relate to
computer problems *and* clients expecting magic dust being sprinkled on
their networks by men in black.

BTW, I found a way to streamline our recruiting process. It's called
Public Relations. It may be hard to believe, but InfoSec isn't much of a
deal in German business newspapers. I wrote an article that addressed
the problem. We had launched a job ad before and the people who showed
up all sucked. Interestingly, we got some really good applications after
this article. May have been luck, but I think that some HR people are
simply looking in the wrong places.

P.S. is this really necessary? These people are all on the list.
,----
| firewall-wizards () nfr com, dufresne () sysinfo com,
| thomas.ray () tcud state tx, adam () homeport org, jsdy () center osis gov,
| proberts () patriot net, crispin () wirex com
`----

Footnotes:
[1]  For values of suddenly >= "we're British, we don't need computers"...
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards