Techies don't get security either
John Leyden, The Register 2005-09-15

Heads of information security functions are more likely to be business managers than techies in future, as companies take a more strategic approach that balances IT security threats against business drivers. That's according to analyst house Gartner, which predicts security will evolve into an element of a wider risk management strategy.

RE: Techies don't get security either 2005-09-16
Jeff Hotchkiss, UK
I'm intrigued firstly by Paul Proctor's implied assertion that a 'network person' is not a 'seasoned professional with real business experience', or secondly that being either of those somehow imbues a person with knowledge of security.

With regard to my first point, running and maintaining a large network requires not only technical expertise, but usually the ability to manage people, resources, and interact in business politics. One does not require a business degree to do that, although it might well assist in the longer term. Technical knowledge is a must however; one cannot manage or secure a network if one does not understand its inner workings.

With regard to my second point, it is often true that networking professionals begin by learning about actual networking and gain security knowledge during that process, sometimes as an afterthought, sometimes with due diligence. However, I would be equally dubious about hiring a person with a business degree into a position handling IT security.

To take at random a recognised expert in the IT security field, Bruce Schneier possesses no business degree. According to his University, he possesses two degrees, one in Computer Science, the other in Physics. He also runs his own business, quite successfully from what I have read.

It is not my intent to suggest that business degrees have no merit - far from it. My point is that a business degree might well give some additional empowerment in a role, but it is at best additional, rather than encompassing. IT security remains a techie's role by its very nature - however, a techie does not by definition a security expert make.

I would applaud the statement that 'security cannot be achieved by technology (alone) and needs to be built into a corporate culture'. I would also agree that risk analysis/management is an area that is probably under-developed.

However, I find it surprising that no-one is suggesting that investment in people (e.g. training existing technical personnel in risk analysis) is a valid option. That investment boosts the skills of an existing workforce and makes them feel valued instead of down-trodden. Statements like 'This will leave technical staff unable to rise beyond a certain position in their company unless they get a business degree' only serve to emphasise a divide between well-paid business people and poorly-paid technical people.

Why precisely some feel this divide should exist at all is a mystery, when both disciplines are required for a company to work successfully, and both should be rewarded equally.

Techies don't get security either 2005-09-16
Tess Goodman







 

Copyright 2009, SecurityFocus