Security Basics mailing list archives
RE: HR and management - Was: CISSP Question
From: "Craig Wright" <Craig.Wright () bdo com au>
Date: Sat, 12 May 2007 08:29:18 +1000
Yousef,

I agree that many firms have Personnel Departments in an autocratic model dating to the 1950s or earlier and have not come into the new millennium. IT is seen in firms as a menial task as we (the IT people) do little to change this perception. I work with Accountants and finance on a day to day basis. It would be nice if I could make them move some way to understanding the role of IT (and I will admit there is a small move over time), but I can achieve more by going their way and learning to speak in their language. Finance, HR and business groups all have their TLAs and technical jargon. As an example, I was in training this week for an Embedded Derivatives course. It is amazing how many industry specific technical terms are used in finance. They think in their terms and we think in ours.

As for the status quo, it can change. It takes effort and resilience. If it is outside your career path - invest in yourself. Take responsibility for your own future. I have never waited for my employer to pay for my training (even when I had my own outsourcing firm). As an example, my LLM (masters in law) which I am due to complete this year is funded through a prior pay rise. I took the time to get a tax office ruling that it was deductible and thus can have the money taken off pre-tax from my wages. I arranged with my employer for them to pay the Uni from each pay and as I did not see the extra money I cannot miss it.

This range of knowledge helps me find even more faults with how firms are running. The difference is that I no longer try to report just a problem, I present a solution. For instance, a listed international mining client that I was involved with for their SAP systems this week runs their Asia Pac systems from KL. They remotely access the servers. All records are thus in KL. Systems and security are ok, but they have an issue.
Under the Australian Corps Act [Sect 289(2)] there is a requirement to notify ASIC if financial records are kept in a jurisdiction other than Australia. Rather than just stating this, I reported that this is the issue, and to fix it you need to submit ASIC form 313 - a 1 page form with the following info...

With my main roles managing the IT team, consulting and related tasks, this may seem outside my responsibility. Maybe it is. However, next time I state an IT related issue, people listen. As I have demonstrated that I can communicate in their world and aid in theirs, they will give some leeway into mine.

I started as a cynic as well and this was more than true a decade ago, but it is a path that leads to a dead end. I focus my cynicism in other ways these days ;).

The steam engine was first patented in 1698. IT is analogous in many ways to the steam engine. Many today believe that the steam engine was the driving force to the industrial revolution. I would however disagree. Like IT, the steam engine was the precursor to the real revolution. The real impact was created when the steam powered train was invented. This invention changed the face of Europe, the Americas and the world. There are a few possible candidates for the train in my IT analogy, but they are not here as yet. We are in the time before that revolution. In the next 10-20 years changes beyond what we, let alone our parents and grandparents, could imagine are set to occur. IT will be there as a keystone, but it is not the end. It is just a means; this is where most people fail to understand. For all I can say, though IT will be involved in design, a bio-informatics derived solution may come to replace many of our preconceptions of the world in a short time. The change will be something that most of us have no idea about, something simple and another thing that we cannot fail to see when it is in place but cannot comprehend now.
Why this diversion? Because IT is not the goal of business; it is an enabler. It is not an end in itself. We are the early engineers of a new age. It is of no use to simply design a better steam engine for the sake of it; rather, what does it power? IT needs to work with business. For IT security to be effective we need to understand business.

Business is about risk. All profit is created through risk. All evolution and the creative forces of society are through risk. Without risk we stagnate. However, we need to understand what the impacts are to assess risk. This means working with business and understanding their needs. We are not here to remove all risk; this never occurs - not even in front line military operations. We seek to reduce risk to an "acceptable level". If we accepted no risk, then there would never be any foreign military action, as people always die. Likewise in business, government bonds are used as the risk free rate. If your firm is making less profit than the risk free rate - then it has no reason to exist. It becomes a dead weight loss to society and over time the loss of investment which it creates costs jobs - not just to itself, but to the economy as a whole.

What does this mean...? It means that unless business continues to cut costs, to think of new ways to save and scrimp, they will stagnate. This means taking roles to outsourced firms and using foreign workers. They are people too. I have worked in India. There were a lot of highly skilled people there - they deserve the opportunity. Mostly though, increased trade means increased international wealth which flows back and creates new jobs in the original countries and in the end we all benefit.

Getting to the originating point and thus concluding this circle, HR is also a function of this process. It is stated that you are not high enough up the ladder to influence management; I disagree. Get to know people in the firm, stand out.
I may be thought of as eccentric, strange, an enigma and many other less flattering terms - but I am remembered in firms I have worked with. More importantly, I get to make changes and influence people. To influence people within HR does not require that you have positional power or authority. We in IT have chosen a path that is not based on positional power, yet we fail to comprehend this. We are empowered through expert knowledge. If we wish to make an impact we need to look outside the boxes we started in and learn to relate to those who are not in IT. Start by getting to know people - have a chat in the morning. Learn something about the others in the firm and learn to communicate without being an "IT person". The only way we make a change is to drive change.

Regards,
Craig

As a separate Post Script: There are numerous people on and off the list who fail to see value in a doctorate or even other post graduate education. Primarily, and in more ways than it seems, one benefit of this process is to be able to sit and write a thousand or two words in a matter of minutes in a comprehensible manner. Having completed the creation of a dissertation of 80-100,000 words, a small note such as this becomes second nature. The real issue is writing small. 200-400 words become more difficult, but there is a trade off in all things.

Craig Wright
Manager of Information Systems
Direct +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914
BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au

________________________________
From: Yousef Syed [mailto:yousef.syed () gmail com]
Sent: Sat 12/05/2007 7:16 AM
To: Craig Wright
Cc: security-basics () securityfocus com; null_zero () hotmail com; david.a.harley () gmail com
Subject: Re: HR and management - Was: CISSP Question

Hi Craig,

Most of what you state about HR departments and the way that IT/Sec interacts with them is quite sound and it would be really great if things did run that way. My views of HR staff are based primarily upon mine and my colleagues' experiences. In smaller companies, the hiring and main interviewing tasks are performed by the managers seeking to staff a project or team etc. Following this, HR step in to finalise the hiring process and sort out all the legal issues and verify references etc. (I'm not going to discuss all the other tasks that HR perform). I see problems of varying degrees occurring in the larger corporations/consultancies.
In a large proportion of these corporations, IT is generally considered a menial task or a service to the business that is carried out by the geeks, while the real business is carried out by the businessmen - this image is worsened further by the outsourcing of these IT functions to India/China etc... I.e. our worth to the corporation is devalued. Furthermore, in large corporations you generally have pigeon-holed roles like Junior Software Engineer; Software Engineer; Senior Software Engineer; Team Leader; Manager... etc. as cardboard-cut-out roles that HR just seek to fill. These generics are piled into corporations as bodies and are randomly picked off for various projects. Or they seek to fill some bodies into the Helpdesk etc.

So as much as I'd like to see IT departments and their managers telling HR what they require, I don't see it happening in practice and nor do I see any signs of the status quo changing. I believe that ALL IT persons would do well to learn a little about the business that they work in - even if they are working in an IT business. But not only don't I see that happening, I see the opposite - Software Engineers being stopped from taking security courses or OS courses because HR say it is outside their career path; even though their managers have encouraged it and requested it. (and yes, I have seen this occur and heard of it happening in many LARGE corporations)

So my somewhat cynical view of HR depts has been developed over 10 years' work in numerous Fortune 500 corps and Consultancies. As yet, I'm not high enough up the food chain to make any changes. :)

ys

P.S. I've broken off writing this about a dozen times, so please forgive the disjointed appearance or if it came across as rude.