Dear Mr. Brandon Allbery,
I thank you for your attention to detail and your correction.
Sincerely,
Harvey Rothenberg
On Thursday, December 18, 2014 7:29 PM, David Lang <[email protected]> wrote:
> I'm currently exploring the intersection of #sysadmin / #infosec[1] a
> bit. There is obvious overlap, yet at many companies the two camps also
> frequently end up at loggerheads. I'd like to collect some feedback
I've been doing infosec for the last 20 years, and doing a lot of sysadmin work
along the way.
The biggest reason for the two groups to end up at loggerheads is just
different priorities and resource constraints.
If security has to tell ops to do something, and then ops has to figure out how
to do it on top of all the work they already have to do (which almost always
already exceeds the manpower available by a significant amount) they are going
to be grumpy. It's especially bad if their bonuses depend on them completing
their assigned work, and that assigned work doesn't allow for the security
issues.
The security folks get grumpy because they don't see problems getting fixed.
All too frequently, security people end up taking a "do what I say, not what I
do" approach to things. This is a pet peeve of mine. 'Pentest experts' in
particular tend to take the attitude that the rules don't apply to them if they
can figure a way around them.
Many times ops people resist improving the security of anything because there
is some other way to get it (they don't get the idea of fixing some things now
and other things later).
In good organizations, the security people live by the rules that they set, and
there is time set aside in the schedule planning to be able to do security
work.
The best sysadmins understand security and the best security people understand
operations, but such people are rare. The most important thing is the ability
for the two sides to talk and disagree on the priority of things. If either
side can override the other at will, it's going to be a disaster.
It's valuable to have the two teams report to different management (for
example: if security reports to the ops manager whose bonus is based on service
uptime, security concerns are likely to get low priority until there is an
incident that causes an outage), but this split just emphasizes the difference
in priorities.
This can be especially troublesome if the security group reports to management
that doesn't understand the technology (reporting to legal is common, and
senior lawyers aren't likely to be keeping up to date on datacenter
technology).
David Lang
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/