Firewall Wizards mailing list archives

Re: Firewalls and IS Network bodies


From: Bennett Todd <bet () rahul net>
Date: Wed, 17 Dec 1997 05:07:30 -0800

On Fri, Dec 12, 1997 at 09:12:09AM -0600, Biggerstaff, Craig T wrote:
Those who have expertise in networking and security matters generally
gained it through daily exposure to operational hazards, and are
better equipped to recognize a flawed policy than policy makers who
don't have to worry about the details.

The security admins certainly need to play an advisory role in helping
to form the policy; policy-makers are not likely to be completely
informed about the day-to-day minutiae of internet security issues.

But by the same token, there's no reason to expect that a security admin
will also be a competent policy maker. In fact, I think it would be
astonishing and remarkable to find one.

A skilled policy maker knows enough about the needs of the different
affected groups, their wants, and their relative importance to hit the
appropriate balance for the organization as a whole, and a truly awesome
policy maker is also a good enough communicator to make everyone feel
happy with the results.

Setting good policy is a rare enough skill that it would be an amazing
combination to find it in a knowledgeable security admin. I just don't
see a profit in attempting to combine these two roles; it's hard enough
to find competent people to fill either of them alone.

-Bennett


