I suppose I really should begin with an apology for implying that Specialists are "playing dumb," or even being dumb. It wasn't really my intention to make that broad-stroke implication, but now that I seem to have made it (at least in rereading my own wording) I can't bring myself to correct that statement. I have had far too many experiences in having to go behind a so-called specialist to clean up their messes, whether it is in an SQL implementation, PeopleSoft, Lotus Notes, or any number of other industry sub-fields.
That is not to say that all IT Specialists, or Experts, are bad; I have managed to gain a lot of knowledge from many, and even had a few just blow my socks off with their skill set. All in all it seems as if there is a 25/25/50 ratio when faced with a professional so-labeled. About 25% are those who really know what they are doing and make their specific field look like child’s play, the next 25% are capable and handle their own for that application, and the last 50% seem to get by because everyone else is afraid of the voodoo magic associated with that specific application (PeopleSoft is a big one here).
Specialization came about mostly as a division of labor sort of thing, but in the IT field (as well as others) it has now grown into an Information Security issue encompassing the mighty order of Segregation of Duties. Aside from complete SoD being a realistic impossibility, the main problem is that the "bottom" 50% of specialists (and even the next higher 25%) might know enough about their own application to keep it running for the most part, but they don't know enough about the system as a whole to be truly effective.
The reason I consider this a problem is that you wind up with a lot of finger pointing between departments for issues that should be relatively simple. Buggy servers taking a week to be repaired because each sub-department has a different view of what is wrong, or even worse, tries to fix the problem as if the problem really did exist in their area, thus adding more instabilities. I've heard enough IT Directors and Managers complain about this to know it is not just a personal pet peeve of mine.
Now here's the solution, and believe it or not it deals with taking Segregation of Duties even further, and will make your infosec even more secure as a result. "What? That's insane!" you say. I know, if SoD leads to specialization and specialization leads to people too narrowly focused to "be all they can be," so to speak, then how can more SoD fix it? Well, we learn from the other high priority information security area... Finance/Accounting.
Responsible CFOs and Finance Directors all divide up job duties and responsibilities among their workforce, but the very best add the twist of job rotation. A.K.A. cross training. The primary reasons being that people get too relaxed once they handle the same thing for too long and tend to make mistakes (ask any Aviation Structural Mechanic, Safety Equipment (AME) in the Navy about that), more importantly they get to know the accounts (people, not numbers) too well and are more inclined to bend or break rules as a result. So they get rotated on a semiannual basis, or thereabouts. It helps make each person a more valuable employee (cross trained), increases accountability (new eyes catching old things) and enhances SoD (and thus infosec).
If Information Technologies applied the same practice (and some companies might already), periodically rotating a single specialist out of their department and into another for a set length of time, the benefits would be enormous, and not just to the company. Project teams become more versatile, the employee would be increasing their skill set (which contrary to some people's belief, actually promotes employee retention) and the employee would become even more capable in handling the specialist role they already fill. For a company with even small departments of specialists, not rotating people on a regular basis really is being dumb.
Monday, February 4. 2008
Certifiable
If you have worked in a company larger than 100 people you most likely have run across someone with an "I Love Me" wall, and if you have seen one, you know what I am talking about. I am not referring to the recent college graduate who reverently hangs their diploma on the wall out of their well gotten sense of pride, but more of the person who has it hanging there five years later. That same person who manages to find a need to frame every little accomplishment, every certification, every news clipping, every award, every picture with someone who might even vaguely qualify as a celebrity.
I'm not a psychologist (I've only been analyzed by one on TV), but there seems to be only a few types of people with the need to create such a shrine to self. As mentioned, recent graduates will sometimes do this as a sense of pride, it might be their first license or a college diploma, but it generally does not last very long. The second are a type that have historically been handed everything, although they will always claim having earned it all, and will post their placard as a way of saying, "I'm better than you because I have this." The third is someone who springs up in middle management far too often, those who use their well framed walls as a shield, a way of deferring questions over their own incompetence by the sheer volume of credentials adorning their office walls (killed a couple potential interviews with that one, didn't I?).
You have likely had the opportunity to meet all three types of office space decorators if you have been in the workforce for a while. You might even have been, or still are, one of those people. Eventually, if you are very very good and eat all your spinach, you might run across the fourth type. These are the people who are generally low-key, do good work, don't make much of a fuss and almost never need an attaboy, but they are arrogant, and always happy to take those needing it down a couple notches. I know this type well, I am definitely one.
Perhaps it was my prankishness, perhaps it was just being fed up with dealing with the second and third types listed above, or perhaps it was just because I could; but one day I had enough and decided to create the true "I Love Me" wall.
For most people they saw it as a bit of an over eccentric sense of accomplishment, the second and third types congratulated me on having such a masterful wall, but a few people "got it." Mostly, they were IT people who have been around for a while and recognized the joke in having Packard Bell certificates hanging up on my wall (the four at the far left). Oh, I rotated certificates in and out of the wall from time to time, even had to expand it once, but there was always at least one Packard Bell certification hanging amongst the rest. What does this have to do with "tech" you might ask? Well I assure you there is a segue here, someplace.
A few years back I had written an article for the online publication Workitecht by Dennis Faust. While Workitecht is no more, I feel the article still holds up a few years later and thought I might share it with anyone looking for a light read. And what better way to announce an article about certifications in the IT profession than to show off my very own "I Love Me" wall full of certificates. So I give you Certification Killed the IT Professional, uncensored and with full grammatical errors. Enjoy.
Monday, January 28. 2008
The Three Princes of Serendip
Once I set out on something I move forward in a very fast pace. Information is absorbed at alarming rates, options are weighed and a decision gets reached. Were my brain possessed of a gag-reflex I am certain it would explode within hours of beginning any project with the sheer volume of data that is force-fed into it. Of course a good chunk is lost minutes after it is processed, but not before a decision is made on the information. Thanks to the Information Age that we live in, I don't really have to worry about holding on to all of it anymore, which makes decision making move even faster.
When it came to creating a weblog of my own I went at it with the same, not-so-reckless, abandon. I consulted with friends, viewed websites, read the propaganda, looked at other weblogs and even took a look at the products offered directly through our web host. And then I stopped, took a breath and went over to the SANS Institute website. All the weblog scripts and engines and backends I could remember at the time were sent straight into their search bar. Unfortunately for me, all of them returned results, and relatively recent ones at that.
If you are not familiar with the SANS Institute, they are IT when it comes to IT Security. Training, articles, research, advice, certification; they are the people you go to in order to get the information you need about IT Security. So when articles came up in my search for my weblog choices, I was a little put out. Each of these news blurbs contained some sort of recent exploit or loophole in the security of the web application, which is not generally a good thing for any application, let alone one sitting open to everyone on the Internet. The more exploits that show up, the more you will likely want to find a different program.
So I began looking further, refining my search and looking at security as part of the key ingredients for my new weblog application. Somehow, on page 87 of my Google search or so, I came across an interview type article about Stefan Esser leaving the PHP Security Team. Well, I needed a break from the search so I read it. While the article was informative, it was that glorious shining link pointing to this man's, this PHP Security Guru's weblog: http://blog.php-security.org/
Should you not have guessed by now, Stefan Esser uses Serendipity for his weblog. A quick check over at SANS and a few other security related sites revealed to me what I already knew, this is a pretty secure piece of coding. There was one entry from version 0.7-beta1, but I am good with that.
After looking through the Serendipity website and installing a test of the software on the Proverbs server, I was hooked. Easy to set up, easy to use, customizable beyond belief, a ton of plugins, very nice layouts and it hit the marks for security. For me, however, the best part is the affirmation that I get to keep "Serendipity" as my favorite word.


