Want to kill your IT security team? Put the top hacker in charge

Managing an IT department at the best of times can be a struggle, and managing a security team has its own special challenges. But whatever you do, don't put an engineer, even your best, in charge, unless their people management skills are as good as their infosec knowhow. “All my staff are basically volunteers,” Mike Murray …

  1. Paul Crawford Silver badge

    Best advice

    "The biggest mistake he sees companies making is also one of the most common – finding the best team member and making them the boss."

    That applies SO OFTEN in science/engineering where the only option for a pay rise or other benefits within the company structure is to move into some form of management. As a result many, many, companies end up losing a good engineer and gaining a mediocre manager.

    1. Anonymous Blowhard

      Re: Best advice

      "As a result many, many, companies end up losing a good engineer and gaining a mediocre manager"

      Absolutely; they should follow the football precedent and appoint a competent manager who may actually be earning less than his superstar players. This can be difficult for the organisation but if the manager feels he's in a better position than his peers (other managers) then it can work.

    2. Nick Kew Silver badge

      Re: Best advice

      ... because the one in the Suit must be the success, while being still at the sharp end of engineering at age 30 marks your career as a failure.

      I think this has been a big driver for open source communities over the years. A refuge from the corporate world, where doing the work you love doesn't mark you out as a loser.

      1. Anonymous Coward

        Re: Best advice

        How is being an engineer at 30 a failure? The young 'uns have to learn the ropes from someone.

        I'm 33 and I'm a contract engineer. I don't manage a team but I do work directly with C level execs and financiers. I tend to advise on projects and bridge the disconnect between techies and muggles. You bring the muggles down to earth and you spend time understanding the engineering skills available for a team and provide insight into the technical abilities available to the powers that be.

        There is an engineering position above manager: you can be the engineer overseeing the manager and mentoring the juniors. That's what I tend to do.

        I'd say if you're 30 and not kicking around management pond scum you're a failure.

    3. Anonymous Coward

      Re: Best advice

      I had that, working at a large consultancy.

      They brought in tech specialist roles, which could still get promoted to higher pay grades, but remain technical... I stuck in the technical side, got promoted, then they scrapped the scheme and wondered why a techy wasn't good at finding new customers and managing big teams...

    4. Don Dumb

      Re: Best advice

      @Paul Crawford - "That applies SO OFTEN in science/engineering were the only option for a pay rise or other benefits within the company structure is to move in to some form of management."

      The problem is that many places recognise that this happens; unfortunately the solution (put forward by the management consultants of course) is to end up with complicated functional/matrix/etc management structures, and these end up having their own problems. For instance, not clearly knowing who is responsible for what allows people to get away with not being responsible for anything.

      Even in academia (certainly in the UK model), ultimately professors end up being merely people who manage and seek funding, rather than doing cleverwork, and as no one wants to acknowledge this, they don't get any training and thus getting good academic management can be a lottery.

      There isn't an easy way around this problem. Shitty management courses aren't the answer but good management programmes (there really are some and they require time and investment) might be the least worst treatment, at least improving some people's skills. Unfortunately too many places seem to think that a bit of shitty management training will do and all that does is piss people off.

      1. Joe Werner

        Re: Best advice

        Oh yeah, academia. I'll quit that show: I'm a good scientist (cleverworker or whatever you wrote - cell phone makes commenting a mess!), but I have fuck all ambition to be a manager. If a university (or whatever) would hire me as an overingeniør (senior engineer) to do what I'm good at, I'll take it. Unfortunately those jobs are 1) rare and 2) not in my "career path" (as they say...)

        A professor is nowadays mostly a mediocre manager (who used to be a good scientist) and that's not my motivation in this spiel.

      2. Robert Helpmann?? Silver badge

        Re: Best advice

        There isn't an easy way around this problem. Shitty management courses aren't the answer but good management programmes (there really are some and they require time and investment) might be the least worst treatment, at least improving some people's skills.

        Management is a skill. It takes time, effort and energy to learn and grow, just like any other skill. It also requires a good knowledge of the people and projects being managed, so pulling someone up from the ranks makes sense to a certain extent, but is not enough on its own. One of my greatest peeves is managers who claim that they can manage anything simply because they are great managers.

        I've worked both tech and management (in IT security, as it happens) and have spent time and effort learning both skill sets. What I typically see in promoting top talent is a general lack of experience on the part of upper management. The idea isn't new; the term Peter Principle has been around since 1969.

    5. B83

      Re: Best advice

      Spot on.

      One company I worked for, which will remain nameless, had a massive push towards management. Management was the ultimate goal, where managers would be able to solve anything. When very technical, competent people realised they were doing as much as the managers and asked for rewards, they got nothing.

      I actually got bored of filling out leaving cards, but it was the cost to the projects, i.e. time and contractors to fill the gap, that made people's eyes water. Had the rewards been handed out they would have been a drop in the ocean compared to what the eventual costs were.

    6. Tim99 Silver badge

      Re: Best advice

      Many years ago, when I was a UK Scientific Civil Servant, there were "special merit" promotions. Normally by the time you had reached the level of Principal Scientific Officer, much of your work was management/administration. Special merit grades carried on doing science stuff, without having to get involved with administratum. As I recall, a couple of staff in our small establishment were special merit PSOs, with one a Senior Principal Scientific Officer (roughly equivalent to a Colonel or Brigadier then); just as well, because although he was one of the brightest people I have met, his lack of management/interpersonal skills was obvious to me, even as a junior staff member.

    7. BagOfSpanners

      Re: Best advice

      But don't make the worst team member the boss either, just to stop them causing problems, however much they want to be boss.

    8. Tom Paine Silver badge

      Re: Best advice

      A past employer brought in Towers Perrin. The idea is that senior engineering people can continue to be promoted /within a technical stream/ to levels equivalent to executive management with MBAs from INSEAD or Wharton. Seemed to work pretty well -- at any rate, senior technical people started buying big shiny cars -- but then a Big Yellow Bucket o'Fail borged us, fired HR along with the rest of the support staff and reverted back to the traditional US style "25 layers of mgmnt" Dilbert model.

      Sadly I've never seen it adopted anywhere else.

      I still think we should form the Amalgamated Union of Nerds, Geeks, Codemonkeys, BOFHs and Ancillary Trades, then strike. A week without sysadmins would bring any organisation - or government - to its knees... sadly we're too busy having religious wars about systemd and containerisation to do it :(

  2. Don Dumb

    Well, yeah

    "For those managing security teams there are two key mistakes to avoid, Murray said. The first – an error he himself made early in his career – is to not manage enough and just trust that it’ll all work out. It’s tempting to think that such highly skilled individuals could work on their own, but guidance needs to be given.

    The other mistake is to go too far in the other direction – to micromanage and go fully corporate."

    This is true for *any* management - it's one of the key skills, knowing when to give guidance & support and when to trust in the skills & direction of team members.

    While lots of 'mgnt training' suffers from the idea that "anyone can manage anything", this is a universal skill. Albeit knowing how to do it in one area does not necessarily mean that someone can do it in another (despite what many MBAs claim).

  3. Christian Berger Silver badge

    So the obvious solution is...

    ... to create 2 posts. One which is a purely managerial position where you have a good manager. Then you create a second position where you have a good engineer, who assists the manager and has authority in all technical questions. Those people must be on an equal level and work closely together.

    Having one or the other is a recipe for disaster, but having both might work, if they can work together.

    1. Anonymous Coward

      Re: So the obvious solution is...

      Yeah, it's called "head of" and "team leaders".

      1. Christian Berger Silver badge

        Re: So the obvious solution is...

        So far I haven't seen such roles being clearly managerial or technical; they still seem to be rather mixed.

    2. Halfmad

      Re: So the obvious solution is...

      This is how healthcare tends to handle clinicians. Sadly it doesn't extend beyond that so we end up with the best staff going into management and making an **** of it. Many of the dreaded NHS "Middle managers" I know were fantastic in their fields and the only option to progress was to move out of it into managing the staff working in that field.

      Then they themselves can no longer contribute anywhere near as much.

    3. Anonymous Coward

      Re: So the obvious solution is...

      I once worked for a consulting company that did exactly this. A project would have two "leads", a Project Manager who had authority over the infrastructure (scheduling, billing, etc.) and a Project Specialist who was the technical lead. Both would be on comparable pay scales.

      I was a Project Specialist. I'm a good scientist but I'm a lousy manager...

  4. Ol' Grumpy

    "Nothing is going to get your staff demoralized and moving on like making them fill out timesheets,"

    Most accurate thing I've read this week.

    1. Anonymous Coward

      @Ol'Grumpy "Nothing is going to get your staff demoralized and moving on like making them fill out timesheets"

      I loved filling in timesheets. All those things you can do to give grief to the people who think the numbers are not made up on the spot. Negative numbers, more than 24 hours in a day, random project codes, putting all your hours on the project with almost no budget left, submitting timesheets for future dates, using the "special executive" codes you aren't supposed to know, two completely different sheets for the same week, resubmitting the sheet from the previous year ...... so much fun to be had.

      1. Anonymous Coward

        hahaha, that's fun :)

      2. Vic

        All those things you can do to give grief to the people who think the numbers are not made up on the spot. Negative numbers, more than 24 hours in a day

        In a former job, they'd got SAP installed. It didn't allow any of those shenanigans.

        In fact, it didn't allow much. You worked 7.5 hours a day (which had to be put in as 7,5 - someone hadn't done the internationalisation) - no more, no less. A half-day holiday had to be 3,75 hours - no more, no less. The actual correlation to hours worked was somewhat ephemeral.

        We had many layers of management there. The bloke at the top only ever seemed to interact with anyone else in the organisation in one way - to complain that timesheets hadn't been completed...

        That company is still in existence. But it is circling the drain. Can't think why...


      3. MaxRock

        Or when the timesheet software is so bad that it does this for you.

        When the threshold for employee exemption was approaching, HR made me keep track of my time - trying to figure out whether it was cheaper to pay me overtime or give me a raise - and nobody in my department had used that "software" before.

        It happily let me clock out when not clocked in and vice versa, had no problems claiming that I worked 31 hours on a single day because I clocked out past midnight and didn't press "the special key" and crashed if I had more than 8 clock-ins/outs a day (I clocked in every time I got on VPN while on call). My manager had to get some admin secretary to fix my timesheets because he couldn't figure it out.

  5. Nick Kew Silver badge

    Wise words

    This guy speaks wise words. Many of us could've told you the same. Knowing the theory is easy; putting it into practice is the hard bit. Kind-of like being an armchair prime minister, or armchair CEO. A lot of that only comes with experience, and careful avoidance of MBAs.

    And the advice applies much more widely: situations I've encountered include supervising a student project (Uni or GSoC), and mentoring an open source project.

  6. DontFeedTheTrolls

    Biggest problem I've always seen is the concept (especially in big organisations) that the Manager must get paid more than the staff.

    Good managers are worth a good salary, they don't need to be technical to get the best out of a technical team, but ultimately there is a ceiling for their salary as there is a reasonable quantity of competent man managers out there (OK, OK, there's a LOT of bad ones too, but there are some good).

    Technical experts are often scarcer and therefore salaries will be higher, something some companies fail to acknowledge.

    1. Halfmad

      The NHS sort of does this in my area, the trust has managers who are on a grade below some of the staff they manage as those staff are specialists in their area. Sadly this isn't the case in IT departments though.

  7. Dabooka Silver badge

    Not limited to Infosec engineers; this is sector agnostic

    I'm struggling to think of many sectors I've worked in where this isn't the case; often the best in the field is wasted in a management role, or as often as not is terrible at it. Education (best teachers don't necessarily make good heads), sport (plenty of examples of good managers not being able to kick a football, for example) and construction.

    It's a bit worrying that various industries haven't cottoned on to this fact, which has been well documented from the 50s and before. I appreciate many folk want the positions as it's seen as progression (and the money is usually better), but that needs addressing if you want to keep the best talent.

    1. Terry 6 Silver badge

      Re: Not limited to Infosec engineers; this is sector agnostic


      And some teachers (I'm sure this applies in Infosec and know it applies in lots of other areas) sometimes start in the profession determined to be Headteachers from day 1. They have a plan for their progress. They may not be great teachers, but they make bloody sure they have great contacts, use the right jargon, and jump in and out of the latest new fad with exquisite timing. On the other hand, some rise up the ranks through good teaching and a willingness, possibly reluctant, to take a lead. Both can turn out to be useless as managers, but at least the latter group can be human. The former seldom seem to be. That is still probably better than a manager who is just a manager - the type of individual who used to sit in LEAs (and probably now runs Academy Trusts instead). Because they tend to focus on targets, test results, outcomes, schedules - all the suit-pleasing proxy data - and not actually look at whether the kids are really learning stuff.

  8. lafnlab

    "The skill sets required to be a good security engineer bear very little relation to those needed for managing a department..."

    Reminds me of Robert Oppenheimer. He wasn't the best, most brilliant physicist, but he was respected enough by other physicists that he was able to get many to join the Manhattan Project.

  9. 2+2=5 Silver badge

    Speaking as a manager...

    No one disputes that most of the readers of this website are techies rather than managers so many of the comments come from a techy point of view, that is from those subjected to management rather than practising it.

    As a manager therefore, I feel that I can offer practical advice to you all ...


    1. Anonymous Coward

      Re: Speaking as a manager...

      Ha ha, sure, we're all working like crazy now... and you'll never know different because we know you management types go straight from the pub to the golf course on Friday afternoon :)

    2. Mahhn

      Re: Speaking as a manager...

      Reading IT security news is officially part of my job :) Keeping up on trends, current threats, exploits, fixes/patches, bla bla.

      However, I made the mistake of staying at a couple of jobs for too long several years ago with bad managers (great co-workers though). No more. I've had 2 okay and one great manager out of maybe 8. I will never put up with a less than good manager again; it makes work miserable, and affects your whole life.

      1. J. Cook Silver badge

        Re: Speaking as a manager...

        Jesus Horatio Christ on a bicycle, THIS.

        I have deep mental scars from the last manager we had here- I don't have proper words to articulate how bad he was in this character set. (or language, for that matter. The words I *do* have would awaken the Old Ones, and that's just bad news for everyone.)

        I consider myself a manager of machines, not people. (while my official job title is 'network administrator', in reality it's more like 'Systems engineer/Exchange engineer/AD engineer/Storage engineer'. Yeah, lotta hats there.) I've worked under a person who has a personality very similar to mine, and he wasn't that good of a manager, TBH.

    3. Fatman Silver badge

      Re: Speaking as a manager...

      <quote>GET BACK TO WORK NOW!!</quote>

      Is that you???

      Because if it is, then you have been hitting the LDS lately!!!!

      (For those of you who don't read CW's Shark Tank before they stopped allowing comments, this seems like Jim The Boss.)

      1. Steve Aubrey

        Re: Speaking as a manager...

        Fats, I miss Jim (and his alter ego from YOB). G+ just isn't the same.

  10. magickmark

    What would Simon say?

    "However, you do need to have the basics down, he said. If a staffer is trying to tell you a two-day job could take a month, you need to have the tech chops to tell them they are bullshitting."

    BOFH meet your New Manager.

    New Manager, meet the BOFH

    *stands back to watch the show*

    1. bombastic bob Silver badge

      Re: What would Simon say?

      Simon might get lucky. He might get one of THESE managers...

      (holding informal staff meeting)

      Hello, I'm [so and so], your new manager. My main experience up until now has been in sales and marketing, and everyone seemed to *FEEL* that I should fill the position of I.T. manager at this company.

      While most of you probably believe that I don't know anything about what you guys do here, let me assure you that you're ABSOLUTELY RIGHT. I don't know ANYTHING about what you do here!

      So here's what I'm going to do: you people tell me what YOU need to get things done, and I'll present that to my bosses. That way, if the requirements are expensive or not available for a long time, they will be fully up to speed on the entire situation, and may decide to cancel certain projects that aren't likely to get done, instead of making daily memos and phone calls asking why it's not done yet. And you'll be seeing equipment and software upgrades, too, as long as you give sufficient justification for it. My job will be to "interface" (as you I.T. guys put it) between upper management and you, to absorb the shock, mollify the anger, and keep the department running so you can leave early on Friday and go home right from the pub

      (and then Simon awoke to the alarm, realized it was all a dream, and called in sick so he could finish it)

  11. hellwig Silver badge

    Lots of things cannot be transferred

    Likewise, he’d be unlikely to take Lookout staff with him at his next job, because security staff setups are individual to each company.

    Replace "staff" with "procedures" and you have a real winner. Instead, every new manager has to come in and put their stamp on things. "This is how we did it at the old company" only makes sense if it was BETTER, not just different.

    Come on managers, you get the nice office and the good parking spot and the big paycheck, the least you could do is try to work with the existing processes in place. Only fix what needs fixing. No one else is interested in picking up your pet projects just because you're bored.

    1. Vic

      Re: Lots of things cannot be transferred

      "This is how we did it at the old company" only makes sense if it was BETTER, not just different.

      Even that's prone to issues.

      Things *might* have been better at the old company. $mangler will, of course, claim that it was better because of his input; it was his skill guiding the team that got the results. The team, however, might well tell you that they got the job done in spite of him...

      At one place I worked, there were two of us working for this one particular incompetent manager. We used to take it in turns to tie him up completely so that the other one could get on and work without this bloke's continual interruptions and "suggestions". So although it meant 50% of the team was running interference at all times, we actually got loads done...


  12. Anonymous Coward

    Manager vs. Techie

    You know that in a company "techies" work their way up the chain and can become managers over time. Some take this on the chin and blossom, while others hate each day one after the next, and wish they were still "techies"! In other cases they believe they are good managers while their staff are making voodoo dolls of their manager :s

    I once had a bad manager and I wished the ground would swallow me up; it was just the worst thing in the world!

  13. Sirius Lee

    Manifesto for the incompetent

    I've heard this bollocks so often. So the proposal is not to promote the guy who has invested his time and effort becoming the expert and instead promote the person who spent their time in the bar socializing. No, No, No. That breeds mediocrity.

    Of course if someone has no social skills whatever, putting them in a position where they are responsible for others is not going to work. But the idea that promoting the person with social skills IS the right solution contains its own fallacy. Managers are not just responsible for getting a competent performance out of the staff for which they have responsibility but also for allocating those resources. And you want the best IT smarts doing the allocation. The person who spent their time in the bar practising social skills instead of learning the business is not going to be best placed to make those calls.

    So you might argue that a social manager will use their social skills to create a committee of their best staff to decide upon that allocation. Done, right? No. Because that manager then has to advocate to their managers a position it is likely they are not intellectually capable of representing.

    Big IT organisations have tackled this dilemma for decades and the right solution has never been to side step the expert unless that person wants to be side stepped. That is, get the person's buy in that they do not want a management career and instead offer them a fellowship career path.

    Please, let's have none of this trite pseudo-management nonsense summarised in a few paragraphs when the real world solutions require years long courses of study - which the socialisers will not complete because they are in the bar 'practising' their social skills.

    1. Vic

      Re: Manifesto for the incompetent

      So the proposal is not to promote the guy who has invested his time and effort becoming the expert

      And there is the problem in one sentence: this isn't about not promoting him, it's about not making him a manager.

      These two are only synonymous if management is the only form of promotion available - and that is why technology companies falter.


      1. Terry 6 Silver badge

        Re: Manifesto for the incompetent

        Well stated Vic.

        While managers are seen as being akin to executives and skilled professionals are seen as akin to the workers this is going to be an issue. I do wonder how much of this is a UK/Anglo-Saxon hang over from the 1950s thing. Some kind of blue collar/white collar view. You have to stop doing stuff (blue collar) and start telling other people to do stuff (white collar) to be respected.

      2. trapper

        Re: Manifesto for the incompetent

        Well said, Vic. The basic research on this was done long ago - see John Holland's work. Quick explanation at: An effective manager (good at his job and likes it) will probably have an Enterprising score as one of his three highest. He'll need enough Realistic/Investigative/Conventional to function in an IT environment, plus a high Social score because he'll be required to work closely with multiple people whom he cannot pre-select. A wonderfully good computer engineer, on the other hand, does not require either Social or Enterprising personality characteristics or any desire for those. He may actually be on the autism spectrum and still be a demon on the machines. Making him a manager so he can be paid more is a recipe for disaster. Here I am speaking about polar opposites - most are not that extreme, but certainly having only one path to high pay, respect, tolerance and organizational value - MANAGERIAL - is foolish. I strongly suspect that managerial types, like everyone else, simply value their own managerial tribe members most. Much of the above applies to any field of work, which is one reason why we have so many miserable square pegs in round holes.

Biting the hand that feeds IT © 1998–2019