Security Basics mailing list archives

RE: HR and management - Was: CISSP Question


From: "Craig Wright" <Craig.Wright () bdo com au>
Date: Sat, 12 May 2007 08:29:18 +1000

Yousef,

I agree that many firms have Personnel Departments in an autocratic model dating to the 1950s or earlier and have not 
come into the new millennium.

IT is seen in firms as a menial task as we (the IT people) do little to change this perception. I work with Accountants 
and finance on a day-to-day basis. It would be nice if I could make them move some way to understanding the role of IT 
(and I will admit there is a small move over time), but I can achieve more by going their way and learning to speak in 
their language.

Finance, HR and business groups all have their TLAs and technical jargon. As an example, I was in training this week 
for an Embedded Derivatives course. It is amazing how many industry-specific technical terms are used in finance. 
They think in their terms and we think in ours. 

As for the status quo, it can change. It takes effort and resilience.

If it is outside your career path - invest in yourself. Take responsibility for your own future. I have never waited 
for my employer to pay for my training (even when I had my own outsourcing firm). 

As an example, my LLM (masters in law) which I am due to complete this year is funded through a prior pay rise. I took 
the time to get a tax office ruling that it was deductible and thus can have the money taken off pre-tax from my wages. 
I arranged with my employer for them to pay the Uni from each pay and as I did not see the extra money I cannot miss 
it.

This range of knowledge helps me find even more faults with how firms are running. The difference is that I no longer 
try to report just a problem, I present a solution. For instance, a listed international mining client that I was 
involved with for their SAP systems this week runs their Asia Pac systems from KL. They remotely access the servers. 
All records are thus in KL. Systems and security are OK, but they have an issue. 

Under the Australian Corps Act [Sect 289(2)] there is a requirement to notify ASIC if financial records are kept in a 
jurisdiction other than Australia. Rather than just stating this, I reported that this is the issue, and to fix it you 
need to submit ASIC form 313 - a 1-page form with the following info...

With my main roles managing the IT team, consulting and related tasks, this may seem outside my responsibility. Maybe 
it is. However, next time I state an IT-related issue, people listen. As I have demonstrated that I can communicate in 
their world and aid in theirs, they will give some leeway into mine.

I started as a cynic as well and this was more than true a decade ago, but it is a path that leads to a dead end. I 
focus my cynicism in other ways these days ;). 

The steam engine was first patented in 1698. IT is analogous in many ways to the steam engine. Many today believe that 
the steam engine was the driving force of the industrial revolution. I would however disagree. Like IT, the steam 
engine was the precursor to the real revolution. The real impact was created when the steam-powered train was invented. 
This invention changed the face of Europe, the Americas and the world. 

There are a few possible candidates for the train in my IT analogy, but they are not here as yet. We are in the time 
before that revolution. In the next 10-20 years, changes beyond what we, let alone our parents and grandparents, could 
imagine are set to occur.

IT will be there as a keystone, but it is not the end. It is just a means; this is where most people fail to 
understand. For all I can say, though IT will be involved in design, a bio-informatics derived solution may come to 
replace many of our preconceptions of the world in a short time. The change will be something that most of us have no 
idea about, something simple and another thing that we cannot fail to see when it is in place but cannot comprehend 
now.

Why this diversion? Because IT is not the goal of business, it is an enabler. It is not an end in itself. We are the 
early engineers of a new age. It is of no use to simply design a better steam engine for the sake of it; rather, what 
does it power?

IT needs to work with business. For IT security to be effective we need to understand business. Business is about risk. 
All profit is created through risk. All evolution and the creative forces of society are through risk. Without risk we 
stagnate.

However, we need to understand what the impacts are to assess risk. This means working with business and understanding 
their needs. We are not here to remove all risk; this never occurs - not even in front line military operations. We 
seek to reduce risk to an "acceptable level". If we accepted no risk, then there would never be any foreign military 
action, as people always die.

Likewise in business, government bonds are used as the risk-free rate. If your firm is making less profit than the 
risk-free rate - then it has no reason to exist. It becomes a dead weight loss to society and over time the loss of 
investment which it creates costs jobs - not just to itself, but to the economy as a whole.

What does this mean...? It means that unless business continues to cut costs, to think of new ways to save and scrimp, 
they will stagnate. This means taking roles to outsourced firms and using foreign workers. They are people too. I 
have worked in India. There were a lot of highly skilled people there - they deserve the opportunity. Mostly though, 
increased trade means increased international wealth which flows back and creates new jobs in the original countries 
and in the end we all benefit.

Getting to the originating point and thus concluding this circle, HR is also a function of this process. It is stated 
that you are not high enough up the ladder to influence management; I disagree. Get to know people in the firm, stand 
out. 

I may be thought of as eccentric, strange, an enigma and many other less flattering terms - but I am remembered in firms 
I have worked with. More importantly, I get to make changes and influence people. 

To influence people within HR does not require that you have positional power or authority. We in IT have chosen a path 
that is not based on positional power, yet we fail to comprehend this. We are empowered through expert knowledge. If we 
wish to make an impact we need to look outside the boxes we started in and learn to relate to those who are not in IT.

Start by getting to know people - have a chat in the morning. Learn something about the others in the firm and learn to 
communicate without being an "IT person". The only way we make a change is to drive change. 

Regards,

Craig

As a separate Post Script:

There are numerous people on and off the list who fail to see value in a doctorate or even other postgraduate 
education. Primarily and in more ways than it seems - one benefit of this process is to be able to sit and write a 
thousand or two words in a matter of minutes in a comprehensible manner. 

Having completed the creation of a dissertation of 80-100,000 words, a small note such as this becomes second nature. 
The real issue is writing small. 200-400 words become more difficult, but there is a trade-off in all things.

Craig Wright
Manager of Information Systems

Direct +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au


________________________________


From: Yousef Syed [mailto:yousef.syed () gmail com]
Sent: Sat 12/05/2007 7:16 AM
To: Craig Wright
Cc: security-basics () securityfocus com; null_zero () hotmail com; david.a.harley () gmail com
Subject: Re: HR and management - Was: CISSP Question



Hi Craig,
Most of what you state about HR departments and the way that IT/Sec
interacts with them is quite sound and it would be really great if
things did run that way.

My views of HR staff are based primarily upon mine and my colleagues' experiences.

In smaller companies, the hiring and main interviewing tasks are
performed by the managers seeking to staff a project or team etc.
Following this, HR step in to finalise the hiring process and sort out
all the legal issues and verify references etc. (I'm not going to
discuss all the other tasks that HR perform).

I see problems of varying degrees occurring in the larger
corporations/consultancies.
In a large proportion of these corporations, IT is generally
considered a menial task or a service to the business that is carried
out by the geeks, while the real business is carried out by the
businessmen - this image is worsened further by the outsourcing of
these IT functions to India/China etc... i.e. our worth to the
corporation is devalued.
Furthermore, in large corporations you generally have pigeon-holed
roles like Junior Software Engineer; Software Engineer; Senior
Software Engineer; Team Leader; Manager... etc. as cardboard-cut-out
roles that HR just seek to fill. These generics are piled into
corporations as bodies and are randomly picked off for various
projects. Or they seek to fill some bodies into the Helpdesk etc.

So as much as I'd like to see IT departments and their managers
telling HR what they require, I don't see it happening in practice and
nor do I see any signs of the status-quo changing.

I believe that ALL IT persons would do well to learn a little about
the business that they work in - even if they are working in an IT
business. But not only don't I see that happening, I see the opposite
- Software Engineers being stopped from taking security courses or OS
courses because HR say it is outside their career path; even though
their managers have encouraged it and requested it. (And yes, I have
seen this occur and heard of it happening in many LARGE corporations.)

So my somewhat cynical view of HR depts has been developed over
10 years' work in numerous Fortune 500 corps and Consultancies. As yet,
I'm not high enough up the food chain to make any changes. :)


ys

P.S. I've broken off writing this about a dozen-times, so please
forgive the disjointed appearance or if it came across as rude.

