Does business really care about security?

I once read a book that said, among other things, “You can never truly give money away.” The point it was making was that the act of giving has a certain responsibility – if you hand a large wad of cash to a charity, for example, you will want to know that the money is being spent wisely. A good theory perhaps, but it doesn’t …

COMMENTS

This topic is closed for new posts.
  1. jake Silver badge

    Deep down? Who are you fooling?

    "Perhaps, deep down, business management really does still see IT security as somebody else's problem"

    That, in a nutshell, covers it.

    Management never (and I mean NEVER!) is willing to accept guts & garters, down in the trenches, this is the real-world, hardware & OS reality ...

    There is a reason that I won't accept a contract unless my business card reads "Senior Member of the Technical Staff" ... and I am authorized to fire senior management.

  2. Dave Bell

    And how old are the people on the "business" side?

    It would be interesting to see if there was any correlation between age and ability to cope with IT. These senior managers may well have experienced computers, at school, in the days of the BBC Micro, but many of the security issues started to emerge later.

    I've known businessmen (one technically a pensioner) who've taken computer courses. They can see the advantage of learning more of the details. It's rare. And there's room to wonder about the value of generally available courses. But what is the knowledge baseline? And how many senior management might think "directory" rather than "folder"?

  3. Anonymous Coward

    Nothing special about IT security

    IT security doesn't belong on its own special pedestal. It is no different from any other type of risk management. The first example quote is completely wrong - the business needs to realise that typical rules about return on investment *really do* apply.

    Balance probabilities and impacts with the costs of mitigation just like any other risk. Just like health and safety, fire and flood insurance, your biggest customer going bust or shopping somewhere else etc.

    1. Anonymous Coward

      risk management

      Whilst I agree with you in principle, I do not think that most managers are able to judge what level of risk they are taking with IT systems as they are not technical & have no clue, in much the same way that I have little idea or interest in PowerPoint presentations and would not expect to be consulted on matters of company finance, or whatever.

      It's not that IT security needs to be on a pedestal or anything, it just needs to be done/looked after by people who have a vague idea of what they are talking about, which in my experience does not describe managers in general, although I'm willing to admit there may be a decent one somewhere.

    2. Trevor_Pott Gold badge

      @Smooth Newt

      Dead on! As much as management needs to understand that IT security threats are real threats, IT geeks desperately need to learn the principles of "risk management." Management won’t address any risk unless the potential failure is worse than the cost of implementation. Somewhere in there you also balance how likely a given failure is to occur.

      Most Geeks by contrast are absolute purists. Fixing a security problem isn’t a business concern to them, it’s “the way it should be done.” Management needs to understand that IT security holes have real world risks with dollar signs attached to them. IT needs to understand that if a risk doesn’t have a dollar sign, then it might not need to be addressed. Even if that goes against “the way it should be done.”

      IT isn’t religion, it's business.

      1. jake Silver badge

        @Trevor_Pott

        "IT isn’t religion, it's business."

        No, IT's not business. IT's a profession[1]. Business is also a profession.

        In this day and age, where Technology is so important, large corporations (should) have separate Management and Technical advancement tracks. Good ones do. Don't confuse "Senior Member of the Technical Staff" with the (usually) more managerially inclined "CTO", although both should sit at the Board level. Don't get me wrong, both should have good managerial skills ... but the SMotTS is more of a hands-on the hardware kinda person, the CTO is a money man. Occasionally, you can find a single person to wear both hats, but it's rare.

        [1] I think I'm channeling amfM ;-)

        1. Trevor_Pott Gold badge

          @jake

          I have to disagree with you, sir. IT isn't a profession. It's a trade. Some exceptionally rare individuals treat IT as a profession, and really need to be called "Engineers," but by and large most of IT is a trade.

          From a larger scale though, IT is business. It's almost a business within a business. If you are operating an IT department within your organisation, you are essentially providing a full suite of business services to the organisation, you are simply doing it with technology rather than wetware.

          IT has evolved past "the application of technology to a problem" and has become "how to most efficiently solve business problems." To take IT from Trade truly into Profession, it needs to be business. All aspects. The individual applying the technology needs to be aware of the money and staffing requirements, and all other aspects of the business too. Traditional IT is where some individual is assigned the task of applying a technological solution to a problem.

          That is no longer relevant in today’s market, as every possible technological solution is now a commodity offered by multiple vendors. IT is now the game of knowing the solutions available, from off the shelf to bespoke, the costs and the ramifications. It is about knowing where the right combination of software and hardware are the solution, /and/ it is about knowing where it makes more business sense to solve the problem with a warm body.

          IT is business. It’s at the core of all business. It *is* the business in so very many senses. From analytics to business intelligence to problem solving and resource provision, IT is far more than the application of technology.

          The application of technology simply isn’t a profession; it’s a trade. For us to play the game as professionals we have to move past this and accept that IT is the business.

          1. jake Silver badge

            Trevor, please re-review your definitions ...

            A trade[1] *IS* a profession[2].

            Might be a left-pondian/right-pondian translation error involving archaic class-based prejudice ... but from my perspective, a mechanic, carpenter, plumber or electrician is just as much a professional as a teacher, doctor or lawyer.

            From merriam-webster:

            [1] "3 a : the business or work in which one engages regularly : occupation b : an occupation requiring manual or mechanical skill : craft c : the persons engaged in an occupation, business, or industry"

            [2] "4 a : a calling requiring specialized knowledge and often long and intensive academic preparation b : a principal calling, vocation, or employment c : the whole body of persons engaged in a calling"

            1. Trevor_Pott Gold badge

              @jake

              In North America, or at least here in Western Canada, "Professional" is restricted to those occupations which have a legally recognised and enforced Professional Association. To refer to a “professional” here can mean one of two things, depending on context. The first is simply “that you are paid for your efforts in a given field.” From a legal and business perspective however, “professional” is reserved for those individuals who are employed in fields where others are barred from entry unless accepted by the relevant professional association.

              Doctors, Lawyers and Engineers immediately come to mind, but there are most definitely other professions that enjoy legal protection.

              To contrast, there are two other classes of occupation: technician and trade. Technicians go to school and learn their craft there. These are individuals who typically obtain a two-year diploma or undergraduate degree in their field, but who do not enjoy legal protection of their Professional Association. Dental Hygienists for example, X-Ray or Environmental Technicians, or certain programmers.

              Tradespeople on the other hand generally learn their craft either from an apprenticeship, a one year certification at a post-secondary institution or industry certifications. This is where you find the plumbers, masons, and the vast majority of individuals working in IT.

              The difference has nothing to do with “class” but entirely to do with education. To break it down really simply for you:

              Professionals have the longest required education. Apart for the training in their field, they are required to take many courses on professional ethics, and are held to a high ethical standard. Misconduct will see them barred from their profession for life. To be allowed to operate at all and use the titles as defined by those professional associations they must meet the minimum standards of that organisation in terms of knowledge of their field, experience and history of conduct.

              Technicians have received quite a bit of formal training. They generally belong to a voluntary “technical society” that tries to ensure minimum competency standards. They don’t generally receive ethical training, but are required to take language and social training.

              Tradespeople are skilled workers of their craft. (They are most emphatically /not/ unskilled labour!) Tradespeople are not required to take language, social or ethical training. Instead they focus entirely on learning the particular trade which they have chosen as their occupation. Many trades also have voluntary trade guilds (in some jurisdictions, these are becoming less than voluntary) which attempt to ensure minimum levels of competency.

              You might disagree with the breakdown of these terms, but it is absolutely standard where I come from. And by these definitions, most workers in IT are simply not professionals. They aren’t even technicians. They are tradespeople. One of the key notes about trades people is that they receive no formal management training. All professionals are required to take some as part of their profession, and even Technicians are exposed to a minimal amount of it. Tradespeople have no such requirement.

              There are certifications a tradesperson can seek that prove they have taken this training separately. Getting your PMP (project management professional) designation is one way, but most tradespeople prefer to eschew formal training of any kind and rely entirely on the strength of their reputation.

              The importance behind the categorisation is not that it tells you immediately about how valuable a given person is, but it indicates a general baseline minimum competency for any random sampling of individuals in that category. I can trust that any member of a legally protected professional association has received ethics training, as well as social training, languages and exposure to management training. I can trust any technician to be familiar with the absolute basics of management principles, while having a minimum of language and social training. I can trust a tradesperson to get a given job done.

              The issue at hand here is that most IT folk are tradespeople, not professionals. They have zero management training and zero ethics training. They are problem solvers, not business thinkers. Of course there are exceptions to this, but they truly are exceptions. Most IT workers aren’t ready for management. They are perfectly fine workers if they are properly managed, and most often they are even perfectly okay to do a task without oversight of any kind. They aren’t however generally trained to fully understand where IT and the business interact, integrate and where they really and truly are in their own worlds. Experience can give that to some IT workers, but not to all.

              I can pick any random Engineer and put him in charge of a project. If he feels incapable of handling it, he is bound by his professional ethics to say so. Not saying so will have severe penalties for his career.

              I cannot say the same of a random IT worker. There is nothing beyond a personal sense of responsibility to compel an IT worker to tell me if they are overwhelmed or unable to take on the responsibilities of management. Nor am I even assured they have been trained to be capable of managing a project.

              IT is business; it’s fully integrated and part of any given business. Those who work in IT however haven’t caught up, and neither have our educational requirements, industry standards or reputation.

              As a group, IT workers have earned their reputation as antisocial nerds. There are certainly those among us who aren’t, and who work very hard to surpass that and hold ourselves to the highest possible standards. Those individuals are still considered rare amongst our trade, rare enough that it’s not something that can yet hope to be called a profession.

              1. jake Silver badge

                THAT was long-winded ...

                Please note where I said "from my perspective".

                Trust me, the concept of "trade" vs "professional" that you hold is archaic. Yes, I know what various laws have to say on the subject, but in today's world said laws need re-vamping. A master mechanic is every bit as much a professional as an engineer with a BS, sometimes an MS. If you don't believe me, try to become one. Before you ask, yes, I am. Along with a small handful of engineering degrees and an MBA, I'm a CDM and an OMC Master Mechanic[1]. And a CSLB licensed contractor (A, B and various Cs, a couple Ds). Why? Because I got tired of over-paying contractors when (re)building data centers.

                I'm talking about people who actually build and use the stuff that is used day-to-day to make other people's lives easier ... I am NOT talking about flunkies watching late-night data backups, degreasing parts, schlepping shingles onto roofs, or mindlessly installing Windows on yet another so-called server, without any clue as to the details of what's going on behind the scenes.

                [1] I grew up with a screwdriver in one hand and a soldering iron or welding torch in the other ... and a series of wrenches in my pockets. Having Uncles in commercial salmon fishing and logging (Fort Bragg, CA), and a father who was an electrical engineer in the then-fledgling SillyConValley will do that to a guy. Getting certified to wrench on boats & heavy equipment helped pay the bills when I was at school.

        2. Trevor_Pott Gold badge

          @jake

          Sorry previous post was repetitive. I am getting SLEEPY. ****ing Exchange 2010 install issues.

          Bed time now.

          1. jake Silver badge

            Ah. Well THERE'S your problem ...

            "****ing Exchange 2010 install issues."

            That explains lots.

            Friends don't let friends use toys as a professional's tools. It addles the mind.

  4. Anonymous Coward

    @Trevor and Jake

    Thank you.

    Very interesting debate, and what's behind it - namely taking responsibility. The best senior IT guys seem to be the ones who recognise the importance of being very good at technology, and not just trying to fit some imaginary business-oriented role. Meanwhile, the better businesses recognise that IT works best when it is treated as more than a tool. One of the toughest things as we all try to make sense of it, despite "what works and what doesn't" being relatively clear, is how to take a bad IT situation and turn it into a good one. I think this will remain a work in progress for at least as long as I'm in a job.

    1. jake Silver badge

      @Jon Collins

      "I think this will remain a work in progress for at least as long as I'm in a job."

      Probably. Just try to remember that I see *MY* job's primary goal is making (most of) my job go away. Back in the early days of auto racing, each car had a driver AND a mechanic on-board. I'm striving to take computing to modern mechanic-less racing. It's a work in progress. In today's computing, we're allowing the flashy air-heads to kill themselves without having to wonder where all the horsepower is coming from ... eventually, it'll all settle down into the hum-drum, boring, by-the-numbers world like F1 & NASCAR have.

      Good thing? Bad thing? You decide ... Me, personally, I'm sick and tired of being the riding mechanic on other people's computers.

      1. Trevor_Pott Gold badge

        @Jon && @Jake

        Hear hear!

        The job of any good sysadmin is to put themselves out of a job. If you are doing your job right then you are automating so much you have nothing to do on the technical side. In my case, this has meant taking on more of a management role in addition to my technical duties. Over time, the regular daily maintenance of the network fell to my second-in-command with me personally taking on the management of IT and IT related projects, as well as retaining my speciality of convincing computers to do things they weren’t designed to do. If a problem comes up that can’t be solved “by the book,” or we need to design and implement something on an impossibly small budget…these have become my areas of specialty.

        I hear what jake is saying about being nothing more than the mechanic on someone else’s network design. As much as I have designed my own network, there are certain constraints that are imposed on me that do tend to chafe. (Being forced to use Exchange or ISA server for example.)

        I think the world needs both types however: a by the book admin and a MacGyver. My second-in-command at work is the perfect by-the-book admin; his abilities in rolling out a whitepaper network and not missing a single bit of minutia would never be questioned by me. It’s why we work so well together; I naturally think outside the box, and he naturally defines, reinforces and carefully paints the box.

        Together there isn’t an IT problem we haven’t been able to solve. Maybe there are better dynamics, but so far “supertech with an unbelievable memory” combined with “project manager who hacks at things until they are solved” seems to work well for the “I have no bloody budget to do this” space.
