
I.T. Specialists

I suppose I really should begin with an apology for implying that Specialists are "playing dumb," or even being dumb. It wasn't really my intention to make that broad-stroke implication, but now that I seem to have made it (at least in rereading my own wording) I can't bring myself to correct that statement. I have had far too many experiences of having to go behind a so-called specialist to clean up their messes, whether it is in an SQL implementation, PeopleSoft, Lotus Notes, or any number of other industry sub-fields.

That is not to say that all IT Specialists, or Experts, are bad; I have managed to gain a lot of knowledge from many, and a few have even blown my socks off with their skill set. All in all, it seems as if there is a 25/25/50 ratio when faced with a professional so labeled. About 25% are those who really know what they are doing and make their specific field look like child's play; the next 25% are capable and hold their own for that application; and the last 50% seem to get by because everyone else is afraid of the voodoo magic associated with that specific application (PeopleSoft is a big one here).

Specialization came about mostly as a division-of-labor sort of thing, but in the IT field (as well as others) it has now grown into an Information Security issue encompassing the mighty order of Segregation of Duties. Aside from complete SoD being a realistic impossibility, the main problem is that the "bottom" 50% of specialists (and even the next higher 25%) might know enough about their own application to keep it running for the most part, but they don't know enough about the system as a whole to be truly effective.

The reason I consider this a problem is that you wind up with a lot of finger pointing between departments for issues that should be relatively simple. Buggy servers take a week to be repaired because each sub-department has a different view of what is wrong, or, even worse, tries to fix the problem as if it really did exist in their area, thus adding more instabilities. I've heard enough IT Directors and Managers complain about this to know it is not just a personal pet peeve of mine.

Now here's the solution, and believe it or not it deals with taking Segregation of Duties even further, and will make your infosec even more secure as a result. "What? That's insane!" you say. I know: if SoD leads to specialization, and specialization leads to people too narrowly focused to "be all they can be," so to speak, then how can more SoD fix it? Well, we learn from the other high-priority information security area: Finance/Accounting.

Responsible CFOs and Finance Directors all divide up job duties and responsibilities among their workforce, but the very best add the twist of job rotation, a.k.a. cross training. The primary reasons are that people get too relaxed once they have handled the same thing for too long and tend to make mistakes (ask any Aviation Structural Mechanic, Safety Equipment (AME) in the Navy about that), and, more importantly, they get to know the accounts (people, not numbers) too well and are more inclined to bend or break rules as a result. So they get rotated on a semiannual basis, or thereabouts. It helps make each person a more valuable employee (cross trained), increases accountability (new eyes catching old things) and enhances SoD (and thus infosec).

If Information Technologies applied the same practice (and some companies might already), periodically rotating a single specialist out of their department and into another for a set length of time, the benefits would be enormous, and not just to the company. Project teams become more versatile, the employee would be increasing their skill set (which, contrary to some people's belief, actually promotes employee retention) and the employee would become even more capable in handling the specialist role they already fill. For a company with even small departments of specialists, not rotating people on a regular basis really is being dumb.
