Firewall Wizards mailing list archives
Re: RE: present day admin skills
From: George Capehart <capegeo () opengroup org>
Date: Sun, 13 Jan 2002 11:40:57 -0500
"Robin S.Socha" wrote:
> * George Capehart <capegeo () opengroup org> writes:
> > On Thu, Jan 10, 2002 at 08:52:15AM -0500, R. DuFresne wrote:
> > > George, [...] I have little sympathy for these situations folks talk themselves into being hired for. It boils down to a point of passing the buck and not taking responsibility. [...]
> >
> > What we have here is a failure of management. What I mean is this: If the managers of the sysadmins that are described in this thread a) had a clue about what skills their people needed to have and b) provided leadership and actually developed the skills of their people, this problem wouldn't exist.
>
> Chicken. Egg. Problem. Let me tell you, why:
Yep. Certainly is a problem.
> > If managers know what skills the people in their department need, they should hire the people with those skills. If people with those skills are not available, then they should get training for the people they have or hire those people whose skill sets come closest to those required and then get training for them to fill in the gaps.
>
> Food for thought. Imagine an international consultancy. Imagine this consultancy being in the risk consultancy business for more than 20 years. World market leader. Great consultants. Happy clients. Arrive the 90s. Miss business opportunity. Stick to what you know and do best because "computers are not a risk $MILITARY_UNIT or $INTELLIGENCE_SERVICE people deal with". Arrive 2000. Big bucks. Clients wanting full service, integrated solutions, *one* team of consultants for the whole risk management business. Panic. Recruitment. Helplessness.
Well, sounds like a *big* management problem to me. Sounds like a bunch of fat, dumb and happy partners not paying attention to what was going on around them and understanding how the world is evolving . . .
> > The manager who hires unskilled people should be fired.
>
> The manager in question may have been very successful for many years in related, yet non-computer-related fields. Information security has not all that very much to do with computers if you think about it. Countermeasures to industrial espionage don't, either. But suddenly[1], there are attacks on clients that *are* computer-related, and the company wants to help these people. What is the management supposed to do? You don't use subcontractors for projects in which people's lives are at stake. The client won't let you, anyway. So what do you do? You hire someone who fits your team, fits the clients, and then *hope* that he can deliver what is in his CV - which may or may not have much to do with the problem at hand other than "sysadminning large corporate networks for 10 years".
So, instead, clueless as you are, decide to take the bull by the horns and chance screwing it up beyond all recognition by fielding a team that may or may not have the skills to deal with the problem? Sounds like bizarre decision-making to me . . . Yet another management problem. Now, it would be different if the manager went to the customer and said: "You know, we've never done anything like this before and we don't have a clue what we're getting into, but I'd like to try it anyway." Then, if the customer says: "OK, go ahead" then everything's fine. Having been on the customer side of exactly this scenario several times, with "international consultancies" that have been in the "risk consultancy business" for years, I would be *very* surprised if that was the case. It insulted my intelligence and those organizations didn't get any more business from the projects I managed from then on . . .
> > The manager who doesn't see to it that his/her people get the training they need to keep up with the requirements on their job as it evolves should be fired.
>
> Some things cannot be trained. Running a secure Unix firewall for a large corporation with a heterogeneous network of vulnerable machines running $CRAP_OS_OTW is nothing you learn in seminars (at least not in Germany, believe me!). It has to be learned on the job.
Yes. Apprenticeship has been an accepted way of learning highly skilled jobs since the middle ages. It really works. That's why having experienced people with mentoring skills in an organization is so important. There is no skill or knowledge base of which I am aware that does not take time, effort, practice and extended use and feedback to acquire. A five-day seminar in database design does *not* turn one into a database analyst. A one-semester course in C++ does not turn one into a C++ programmer. Yes, you're right, skills are developed on the job. But that gets us back to the original issue. It is management's responsibility to understand what skills his/her people need and either hire them in or get them training. Yes, extended training/experience is needed to be good at anything. It's *still* management's responsibility to be sure that his/her people have the skills they need . . . That means the manager has to: 1) know what skills are needed, 2) be able to tell whether the people on the team have those skills, 3) if not, do something about it. It becomes a whole different set of management problems if: 1) the manager *does* know what skills are needed, 2) *is* able to tell whether the people on the team have them, 3) tries to get help for those who need it and, 4) gets shot down by upper management . . .
> > The manager who doesn't mentor his/her people should be fired.
>
> Consider this: You are a manager. Not a line manager, mind you. A manager. Your task is to run a profit centre. With shareholders on your back. You know fsck all about computers (certainly not enough to qualify as a firewall superadmin who knows $OS because you've actually worked with it for > 10 years). Now what do you do? How do you expect to find the right people for the job? How are you supposed to mentor your people? We're not talking about "let's get some Win2k boxes with Checkpoint and we're, like, totally secure". We're talking about ground-breaking work for international clients running multi-billion businesses. And these clients do *not* want $FOREIGN_COMPANY because they trust yours. Ummmmm... problems, eh?
Yep. One way is to buy a company/people that do have a track record of being successful in doing what you need to have done. Especially if the alternative is to knowingly get into something about which you and your staff are clueless. IMHO, at best that borders on negligence. Sometimes the Right Answer (TM) is "I appreciate your interest but this falls outside our area of expertise and we feel like we would be doing ourselves and you a disservice by attempting to do this."
> > Problem is, that manager is only going to be held accountable for the shape of his/her staff if *his/her* manager has a clue about what is going on. And so on all the way up the chain.
>
> Well, one gets promoted up to the level of your maximum incompetency that your company can still bear. There is no real solution for this problem
Now you've hit the kernel (sorry :->) of the problem. It's *still* a management problem. It doesn't *have* to be the case that, once the Peter Principle has caught up with someone that they have to stay in that position.
> unless you are already excellent and have managers who fully understand what their staff are supposed to do. In the computer industry, this is rather unlikely. I have difficulty following recent developments in Unix firewalls. But I have clients who run 15 different OSes and approximately that many different firewall suites. Now what?
No one can know everything. Nothing is ever perfect. I deal with this problem, too. What has worked for me is to parcel my universe into three parts: the part I know well and will continue to develop my expertise in, the part that I know enough about to stay out of trouble in and "the deep end of the pool." It is my policy that if I have to do something that I've never done before, I will not do it without access to and mentoring from someone who *is* good at it. I will not jeopardize my customer or my reputation. I am very comfortable with not doing something I know nothing about. I am very comfortable telling a customer or a potential customer that they need to get someone who knows more about it than I do. That has worked for me. My customers know that if they ask me to do something that I'm going to do a good job. They also know that if I don't feel like I can do a good job that I'll recommend someone else to them. Keeps the customers coming back . . .
> > I've seen this to one degree or another in every organization in which I have worked, and since I'm a consultant, I've been in a few . . . Seems that it's not as bad in smaller companies as it is in larger ones . . .
>
> That may or may not be true. One company I know quite well is a) world market leader in business risk consultancy, b) small, and has c) massive problems recruiting IT security and InfoSec consultants. Because they almost don't exist in Germany. You can't take some 18-year-old hippy to a board - they won't buy he's good.
I don't see how an 18-year-old anything can be good . . . ;->
> It's not only a consultant problem - it's a client problem as well. The grey suits expect consultants to look nice and smell good. The best people I know in IT security look like shit and smell like rabid beavers.
Then they deserve what they get . . .
> > iff the right leadership is in place at the top.
>
> It never is.
Very rarely, at best . . .
> > Larger companies are doomed. Too many layers of people with whom the Peter Principle caught up.
>
> Well, mass execution of the International Middle Management Proletariat has been considered many times before. It's an appealing thought, particularly if you're a conslutant and want your bosses $COMPANY_CAR. Usually, though, it won't solve too many problems.
Agreed. I'm not necessarily recommending clearing out layers of management. From a purely people-management perspective, done right, one person can only manage twenty or so people.
> > On the surface, this might not seem to have much to do with security, but it does. "People" is one of the Defense-in-Depth triad. Bottom line is that lack of security is as much a problem with management as anything else . . . IMHO.
>
> It's both, I think: today's managements (40-60) unable to relate to computer problems *and* clients expecting magic dust being sprinkled on their networks by men in black.
Bingo!!
> BTW, I found a way to streamline our recruiting process. It's called Public Relations. It may be hard to believe, but InfoSec isn't much of a deal in German business newspapers. I wrote an article that addressed the problem. We had launched a job ad before and the people who showed up all sucked. Interestingly, we got some really good applications after this article. May have been luck, but I think that some HR people are simply looking in the wrong places.
That's a tough problem. All they can do is look for what they've been asked to look for. Plus, they most probably do not have the background to really do anything more than look for buzzwords on a resume. The problem is that the person that might have exactly the skills that are needed may not get to the interview because: 1) they didn't know about the availability of the position, 2) the position may not have been accurately represented to the public, 3) the "right" buzzword might not have been obvious on the resume, 4) the HR person may not understand the requirements . . . and so on. Frequently, one doesn't really discover the true "fit" between a candidate and a position until the interview process. Unfortunately, also frequently, the best "fits" don't make it to the interview process . . . It's very likely that your article got the attention of the best "fits" and they were able to tailor their applications to your needs. Sounds like you've found a solution to some recruiting problems. ;-)