Firewall Wizards mailing list archives

Re: RE: present day admin skills


From: George Capehart <capegeo () opengroup org>
Date: Sun, 13 Jan 2002 11:40:57 -0500

"Robin S.Socha" wrote:

* George Capehart <capegeo () opengroup org> writes:
On Thu, Jan 10, 2002 at 08:52:15AM -0500, R. DuFresne wrote:

George,

[...] I have little sympathy for these situations folks talk themselves
into being hired for.  It boils down to a point of passing the buck and
not taking responsibility.

[...]
What we have here is a failure of management.  What I mean is this: If
the managers of the sysadmins that are described in this thread a) had
a clue about what skills their people needed to have and b) provided
leadership and actually developed the skills of their people, this
problem wouldn't exist.

Chicken. Egg. Problem. Let me tell you, why:

Yep.  Certainly is a problem.


If managers know what skills the people in their department need,
they should hire the people with those skills.  If people with
those skills are not available, then they should get training for
the people they have or hire those people whose skill sets come
closest to those required and then get training for them to fill
in the gaps.

Food for thought. Imagine an international consultancy. Imagine this
consultancy being in the risk consultancy business for more than 20
years. World market leader. Great consultants. Happy clients. Arrive the
90s. Miss business opportunity. Stick to what you know and do best
because "computers are not a risk $MILITARY_UNIT or $INTELLIGENCE_SERVICE
people deal with". Arrive 2000. Big bucks. Clients wanting full service,
integrated solutions, *one* team of consultants for the whole risk
management business.

Panic. Recruitment. Helplessness.

Well, sounds like a *big* management problem to me.  Sounds like a bunch
of fat, dumb and happy partners not paying attention to what was going
on around them and understanding how the world is evolving . . .


The manager who hires unskilled people should be fired.

The manager in question may have been very successful for many years in
related, yet non-computer-related fields. Information security has not all
that very much to do with computers if you think about it. Countermeasures
to industrial espionage don't, either. But suddenly[1], there are attacks on
clients that *are* computer-related, and the company wants to help these
people. What is the management supposed to do? You don't use subcontractors
for projects in which people's lives are at stake. The client won't let you,
anyway. So what do you do? You hire someone who fits your team, fits the
clients, and then *hope* that he can deliver what is in his CV - which may
or may not have much to do with the problem at hand other than "sysadminning
large corporate networks for 10 years".

So, instead, clueless as you are, decide to take the bull by the horns
and chance screwing it up beyond all recognition by fielding a team that
may or may not have the skills to deal with the problem?  Sounds like
bizarre decision-making to me . . .  Yet another management problem. 
Now, it would be different if the manager went to the customer and
said:  "You know, we've never done anything like this before and we
don't have a clue what we're getting into, but I'd like to try it
anyway."  Then, if the customer says:  "OK, go ahead" then everything's
fine.  Having been on the customer side of exactly this scenario several
times, with "international consultancies" that have been in the "risk
consultancy business" for years, I would be *very* surprised if that was
the case.  It insulted my intelligence and those organizations didn't
get any more business from the projects I managed from then on . . .


The manager who doesn't see to it that his/her people get the training
they need to keep up with the requirements on their job as it evolves
should be fired.

Some things cannot be trained. Running a secure Unix firewall for a
large corporation with a heterogeneous network of vulnerable machines
running $CRAP_OS_OTW is nothing you learn in seminars (at least not in
Germany, believe me!). It has to be learned on the job.

Yes.  Apprenticeship has been an accepted way of learning highly skilled
jobs since the middle ages.  It really works.  That's why having
experienced people with mentoring skills in an organization is so
important.  There is no skill or knowledge base of which I am aware that
does not take time, effort, practice and extended use and feedback to
acquire.  A five-day seminar in database design does *not* turn one into
a database analyst.  A one-semester course in C++ does not turn one into
a C++ programmer.  Yes, you're right, skills are developed on the job. 
But that gets us back to the original issue.  It is management's
responsibility to understand what skills his/her people need and either
hire them in or get them training.  Yes, extended training/experience is
needed to be good at anything.  It's *still* management's responsibility
to be sure that his/her people have the skills they need . . . That
means the manager has to:  1) know what skills are needed, 2) be able to
tell whether the people on the team have those skills, 3) if not, do
something about it.  It becomes a whole different set of management
problems if:  1) the manager *does* know what skills are needed, 2) *is*
able to tell whether the people on the team have them, 3) tries to get
help for those who need it and, 4) gets shot down by upper management . . .


The manager who doesn't mentor his/her people should be fired.

Consider this: You are a manager. Not a line manager, mind you. A
manager. Your task is to run a profit centre. With shareholders on
your back. You know fsck all about computers (certainly not enough to
qualify as a firewall superadmin who knows $OS because you've actually
worked with it for > 10 years). Now what do you do? How do you expect
to find the right people for the job? How are you supposed to mentor
your people?  We're not talking about "let's get some Win2k boxes
with Checkpoint and we're, like, totally secure". We're talking about
ground-breaking work for international clients running multi-billion
businesses. And these clients do *not* want $FOREIGN_COMPANY because
they trust yours. Ummmmm... problems, eh?

Yep.  One way is to buy a company/people that do have a track record of
being successful in doing what you need to have done.  Especially if the
alternative is to knowingly get into something about which you and your
staff are clueless.  IMHO, at best that borders on negligence. 
Sometimes the Right Answer (TM) is "I appreciate your interest but this
falls outside our area of expertise and we feel like we would be doing
ourselves and you a disservice by attempting to do this."


Problem is, that manager is only going to be held accountable for the
shape of his/her staff if *his/her* manager has a clue about what is
going on.  And so on all the way up the chain.

Well, one gets promoted up to the level of your maximum incompetency that
your company can still bear. There is no real solution for this problem

Now you've hit the kernel (sorry :->) of the problem.  It's *still* a
management problem.  It doesn't *have* to be the case that, once the
Peter Principle has caught up with someone that they have to stay in
that position.

unless you are already excellent and have managers who fully understand
what their staff are supposed to do. In the computer industry, this is
rather unlikely. I have difficulty following recent developments in Unix
firewalls. But I have clients who run 15 different OSes and approximately
that many different firewall suites. Now what?

No one can know everything.  Nothing is ever perfect.  I deal with this
problem, too.  What has worked for me is to parcel my universe into
three parts:  the part I know well and will continue to develop my
expertise in, the part that I know enough about to stay out of trouble
in and "the deep end of the pool."  It is my policy that if I have to do
something that I've never done before, I will not do it without access
to and mentoring from someone who *is* good at it.  I will not
jeopardize my customer or my reputation.  I am very comfortable with not
doing something I know nothing about.  I am very comfortable telling a
customer or a potential customer that they need to get someone who knows
more about it than I do.  That has worked for me.  My customers know
that if they ask me to do something that I'm going to do a good job. 
They also know that if I don't feel like I can do a good job that I'll
recommend someone else to them.  Keeps the customers coming back . . .



I've seen this to one degree or another in every organization in which
I have worked, and since I'm a consultant, I've been in a few . . .
Seems that it's not as bad in smaller companies as it is in larger
ones . . .

That may or may not be true. One company I know quite well is a) world
market leader in business risk consultancy, b) small, and has c) massive
problems recruiting IT security and InfoSec consultants. Because they
almost don't exist in Germany. You can't take some 18-year-old hippy to
a board - they won't buy he's good.

I don't see how an 18-year-old anything can be good . . .  ;->


It's not only a consultant problem - it's a client problem as well. The
grey suits expect consultants to look nice and smell good. The best people
I know in IT security look like shit and smell like rabid beavers.

Then they deserve what they get . . .  


iff the right leadership is in place at the top.

It never is.

Very rarely, at best . . .


Larger companies are doomed.  Too many layers of people with whom the
Peter Principle caught up.

Well, mass execution of the International Middle Management Proletariat has
been considered many times before. It's an appealing thought, particularly
if you're a consultant and want your boss's $COMPANY_CAR. Usually, though,
it won't solve too many problems.

Agreed.  I'm not necessarily recommending clearing out layers of
management.  From a purely people-management perspective, done right,
one person can only manage twenty or so people.


On the surface, this might not seem to have much to do with security,
but it does.  "People" is one of the Defense-in-Depth triad.  Bottom
line is that lack of security is as much a problem with management as
anything else . . . IMHO.

It's both, I think: today's managements (40-60) unable to relate to
computer problems *and* clients expecting magic dust being sprinkled on
their networks by men in black.

Bingo!!


BTW, I found a way to streamline our recruiting process. It's called
Public Relations. It may be hard to believe, but InfoSec isn't much of a
deal in German business newspapers. I wrote an article that addressed
the problem. We had launched a job ad before and the people who showed
up all sucked. Interestingly, we got some really good applications after
this article. May have been luck, but I think that some HR people are
simply looking in the wrong places.

That's a tough problem.  All they can do is look for what they've been
asked to look for.  Plus, they most probably do not have the background
to really do anything more than look for buzzwords on a resume.  The
problem is that the person that might have exactly the skills that are
needed may not get to the interview because:  1) they didn't know about
the availability of the position, 2) the position may not have been
accurately represented to the public, 3) the "right" buzzword might not
have been obvious on the resume, 4) the HR person may not understand the
requirements . . . and so on.  Frequently, one doesn't really discover
the true "fit" between a candidate and a position until the interview
process.  Unfortunately, also frequently, the best "fits" don't make it
to the interview process . . .  It's very likely that your article got
the attention of the best "fits" and they were able to tailor their
applications to your needs.  Sounds like you've found a solution to some
recruiting problems.  ;-)
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards