<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Separations of Duties in Career Discussions</title>
    <link>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12107#M1078</link>
    <description>&lt;P&gt;To understand what needs to be implemented one should be familiar with the technology. Security should be in some way a continuation of systems or network.&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Thu, 05 Jul 2018 19:54:44 GMT</pubDate>
    <dc:creator>r3daction</dc:creator>
    <dc:date>2018-07-05T19:54:44Z</dc:date>
    <item>
      <title>Separations of Duties</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12004#M1065</link>
      <description>&lt;P&gt;I see that the Department of Defense (DoD) has formally implemented the separation of duties between IT and Information Security. Now you’ll have to choose your track. I was blown away by this reality at a job interview. I was invited out to an interview for information security where we had a social night and were encouraged to bring additional resumes and visit other organizations within the company. I thought that it was only to my benefit to visit IT so long as I was there.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The hiring manager who received my resume was quite uninterested in me initially and he wanted to immediately pass me over to Security. I explained to this hiring manager that I did have IT experience. He began to ask me what he thought were very technical questions – all of which I not only answered, but where I could, I gave audit and security measures or solutions where appropriate. It’s my opinion that he was quite impressed since both of his areas were interested in offering me a job in IT. He was quite upset with the way that I wrote my resume “only to security” and not IT. However, IT is where I amassed all of my skills and what led to my current career in Information Security.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I guess it’s a sad chapter as I arrive at what I believe is the apex of my career. I honestly didn’t intend to come this far in Information Security, only to the detriment of my IT knowledge. I am from the old school of thought where they go hand-in-hand.&amp;nbsp; However, it’s understandable why government contractors and the federal government would take this approach. Confidentiality of the "CIA" rules the day in government and federal contractors must comply.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 09 Oct 2023 08:50:27 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12004#M1065</guid>
      <dc:creator>Lamont29</dc:creator>
      <dc:date>2023-10-09T08:50:27Z</dc:date>
    </item>
    <item>
      <title>Re: Separations of Duties</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12011#M1066</link>
      <description>&lt;P&gt;I too cut my teeth in IT. I feel it gives me a very good understanding of how tech works, but also the ability to architect security solutions with the currently available resources. When I come across security people with a background in theory and very little hands-on experience, they normally (not always)&amp;nbsp;are very rigid in their application of security practices and are&amp;nbsp;not very flexible at all. I think it is a very big benefit to be able to know how IT works from a hands-on perspective. My advice to people wanting to succeed in IT security is to get some hands-on experience, and more than just a once-a-week or once-a-lesson&amp;nbsp;lab during your studies. I think that is one of the benefits of the CISSP: they require you to have some experience in the field.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I see the separation as a natural evolution. I have been many places where there was not a dedicated security team. Mary did 10% security, Frank did 30% security, Joe was pulled into security roles when needed. IT security was spread out amongst many IT people, but no one person was declared IT security. This co-mingled approach did not allow for great reporting on the true IT security stance. Also the budget was co-mingled as well. It made it hard to fight for budgetary needs when the CIO controlled the budget for IT security as well.&lt;/P&gt;</description>
      <pubDate>Mon, 02 Jul 2018 16:34:36 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12011#M1066</guid>
      <dc:creator>CISOScott</dc:creator>
      <dc:date>2018-07-02T16:34:36Z</dc:date>
    </item>
    <item>
      <title>Re: Separations of Duties</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12102#M1074</link>
      <description>&lt;P&gt;I feel you on this one. Unfortunately, you are at a point in your career where your evolution through IT has cast a shadow on the IT things that got you where you are now in Security. I see it as a natural evolution as well, for larger organizations, where you can have two separate teams and two separate budgets.&amp;nbsp;I hope that this resume reviewer now recognizes that a resume should be read and not gleaned and discarded because of keywords. Sounds like this person saw CISSP and immediately said this person only knows security.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 05 Jul 2018 18:19:32 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12102#M1074</guid>
      <dc:creator>r3daction</dc:creator>
      <dc:date>2018-07-05T18:19:32Z</dc:date>
    </item>
    <item>
      <title>Re: Separations of Duties</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12104#M1075</link>
      <description>&lt;P&gt;Well, this hiring manager evolved pretty quickly after he put in a little effort to investigate my systems skills. There's that rule to keep your resume as simple as a couple of pages... a rule that I never bothered to adhere to. Mine has necessarily been four pages or more because I spent a great deal of time as an IT / Security Consultant and in the military spanning 30+ years. I don't document all thirty - just my last ten. The HR filters could eliminate a qualified person based on what one may choose to leave off their resume. At the same time, not having enough information on the resume might encourage a hiring manager to move on from a viable candidate because that candidate attempted to follow the rule of two pages. SMH. It's crazy out there!&lt;/P&gt;</description>
      <pubDate>Thu, 05 Jul 2018 19:00:06 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12104#M1075</guid>
      <dc:creator>Lamont29</dc:creator>
      <dc:date>2018-07-05T19:00:06Z</dc:date>
    </item>
    <item>
      <title>Re: Separations of Duties</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12105#M1076</link>
      <description>&lt;P&gt;Right! You never want to feel you left something out, that may have gotten you in front of the right people. Also afraid that you may cause a tl;dr situation. Ugh!&lt;/P&gt;</description>
      <pubDate>Thu, 05 Jul 2018 19:27:55 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12105#M1076</guid>
      <dc:creator>r3daction</dc:creator>
      <dc:date>2018-07-05T19:27:55Z</dc:date>
    </item>
    <item>
      <title>Re: Separations of Duties</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12106#M1077</link>
      <description>&lt;P&gt;Having come up through the ranks of both IT and later Audit before tackling security I can only hope this practice is limited to the US Government or dies a quiet, if not well deserved demise.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;A security practitioner or auditor, in my personal opinion, effectively do the required work without having a deep and practical knowledge base in IT, systems, networking or development. The idea offends me on so many levels. Leave it at that.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Cutting half our skills in half may be a great way to recruit people into the field but would hurt us, considerably, in the long run.&lt;/P&gt;</description>
      <pubDate>Thu, 05 Jul 2018 19:48:54 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12106#M1077</guid>
      <dc:creator>Beads</dc:creator>
      <dc:date>2018-07-05T19:48:54Z</dc:date>
    </item>
    <item>
      <title>Re: Separations of Duties</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12107#M1078</link>
      <description>&lt;P&gt;To understand what needs to be implemented one should be familiar with the technology. Security should be in some way a continuation of systems or network.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 05 Jul 2018 19:54:44 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12107#M1078</guid>
      <dc:creator>r3daction</dc:creator>
      <dc:date>2018-07-05T19:54:44Z</dc:date>
    </item>
    <item>
      <title>Re: Separations of Duties</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12128#M1080</link>
      <description>&lt;P&gt;I'm in a similar boat with a long career in both IT and Cybersecurity. I made the leap in 2005 with a CISSP, and haven't really looked back.&lt;/P&gt;&lt;P&gt;&amp;nbsp; Lately I find lots of IA folks who have no IT experience, and they seem to have difficulty understanding the business end of things, and the delicate balance between the two. They also often lack the understanding of the difficulties of scheduling maintenance with high availability and geographically diverse modern IT systems.&lt;/P&gt;</description>
      <pubDate>Fri, 06 Jul 2018 18:25:29 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12128#M1080</guid>
      <dc:creator>billclancy</dc:creator>
      <dc:date>2018-07-06T18:25:29Z</dc:date>
    </item>
    <item>
      <title>Re: Separations of Duties</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12481#M1105</link>
      <description>&lt;P&gt;When I started my career there was no&amp;nbsp;exclusive security domain. Access management, security policies, anti-virus, and firewalls were all the security there was.&lt;/P&gt;&lt;P&gt;I had to understand IT systems, protocols and technologies to be able to defend the infrastructure.&lt;BR /&gt;Security was not taught in colleges and most of my colleagues and I learnt on the job. Sometimes from our mistakes, sometimes from other people's mistakes.&lt;/P&gt;&lt;P&gt;I understand that Segregation of Duties is required so that no one person is responsible for the custody, authorization and record keeping of an asset. I can't understand the need for SOD between IT and security though.&lt;BR /&gt;Match your resume and job description using &lt;A href="https://jobscan.co" target="_blank"&gt;https://jobscan.co&lt;/A&gt;&lt;BR /&gt;Disclosure: I do not make any money or get paid if you use it.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 18 Jul 2018 17:49:43 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12481#M1105</guid>
      <dc:creator>jinxpuppy</dc:creator>
      <dc:date>2018-07-18T17:49:43Z</dc:date>
    </item>
    <item>
      <title>Re: Separations of Duties</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12500#M1108</link>
      <description>&lt;P&gt;My last "gig" with a US Federal Civil agency was a real test of my patience.&amp;nbsp; They were practicing this very thing to the point of wanting the IT staff to complete the IA documentation!&amp;nbsp; &amp;nbsp;I vehemently opposed that. The customer agreed but my contractor didn't.&amp;nbsp; Needless to say I'm now much happier elsewhere and the current DoD customer is not practicing this mind-numbing philosophy.&amp;nbsp; Past customer is sadly saddled with the same contractor who is losing work elsewhere also.&amp;nbsp; Hmmmmmmm&lt;/P&gt;</description>
      <pubDate>Thu, 19 Jul 2018 11:17:35 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12500#M1108</guid>
      <dc:creator>Flyslinger2</dc:creator>
      <dc:date>2018-07-19T11:17:35Z</dc:date>
    </item>
    <item>
      <title>Re: Separations of Duties</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12517#M1110</link>
      <description>&lt;P&gt;Lamont,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/329543157"&gt;@Lamont29&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;There's that rule to keep your resume as simple as a couple of pages... a rule that I never bothered to adhere to. Mine has necessarily been four pages or more because I spent a great deal of time as an IT / Security Consultant and in the military spanning 30+ years. I don't document all thirty - just my last ten.&amp;nbsp;&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;It sounds like you have more of a CV than a resume.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have a similar problem because&amp;nbsp;I had several positions for 2 or 3 years each, plus military reserve postings, making the headers quickly overwhelm the space needed to list any major accomplishments or duties.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I've seen several folks submit a CV as a resume and it confuses HR and hiring managers.&amp;nbsp; Instead, having a handful of tailored resumes for (a) a systems admin, (b) a network admin, (c) a security architect, (d) an IT manager, (e) a security manager, (f) etc. might get you further quicker.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I like my job but&amp;nbsp;it's truly geared for someone who's retired and on their second career (or banking additional retirement years for their pension).&amp;nbsp; Meaning that I'm stuck in a niche position with no advancement opportunity because I'm pigeonholed.&amp;nbsp; I must have applied for about 300+ positions in the last year or so.&amp;nbsp; It took me quite a while to get my writing style in line with HR/management expectations.&amp;nbsp; Once I did, I started getting practically every interview I applied for.&amp;nbsp; But it meant that I practically rewrote my resume every time I applied for a new job.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Sincerely,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Eric B.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 19 Jul 2018 16:46:46 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12517#M1110</guid>
      <dc:creator>Baechle</dc:creator>
      <dc:date>2018-07-19T16:46:46Z</dc:date>
    </item>
    <item>
      <title>Re: Separations of Duties</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12519#M1111</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;Brent,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I don't think you're going to see this die out.&amp;nbsp; In fact, I think you're going to see more of it.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;BLOCKQUOTE&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1214778195"&gt;@Beads&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;Having come up through the ranks of both IT and later Audit before tackling security I can only hope this practice is limited to the US Government or dies a quiet, if not well deserved demise.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;A security practitioner or auditor, in my personal opinion, effectively do the required work without having a deep and practical knowledge base in IT, systems, networking or development. The idea offends me on so many levels. Leave it at that.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Cutting half our skills in half may be a great way to recruit people into the field but would hurt us, considerably, in the long run.&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;I agree with your assessment on a personal level.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;As a hiring manager, however, I don't need a superhero with experience in everything; and I wouldn't pay for that.&amp;nbsp; If I need an auditor, then I need 30% of your skill set and I'm going to pay for that.&amp;nbsp; If I need an IT pro, then I need a different 25% (with 5% overlapping) of your skill set, and I'm going to pay for that.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;That you have another ~45% overlap with other areas of my business is a bonus but it's not a requirement - I can let a new hire cross-train themselves, so I'm not going to pay for that.&amp;nbsp; Even if I did, and then I decided to actually and actively utilize all that knowledge and skill, I'm risking you crying burnout very quickly.&amp;nbsp; And then I've sunk my costs into a resource that is extraordinarily time-limited.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Sincerely,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Eric B.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 19 Jul 2018 16:53:11 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12519#M1111</guid>
      <dc:creator>Baechle</dc:creator>
      <dc:date>2018-07-19T16:53:11Z</dc:date>
    </item>
    <item>
      <title>Re: Separations of Duties</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12520#M1112</link>
      <description>Since this thread is still going, I've just got to drop in:&lt;BR /&gt;&lt;BR /&gt;This isn't about "separation of duties." This topic is about job descriptions.&lt;BR /&gt;&lt;BR /&gt;Separation of duties is an important security principle, first established by the&lt;BR /&gt;Clark-Wilson model, and initially applied to programs, mandating that the agent&lt;BR /&gt;responsible for doing the task is not the agent responsible for checking the task.&lt;BR /&gt;&lt;BR /&gt;====================== (quote inserted randomly by Pegasus Mailer)&lt;BR /&gt;rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org&lt;BR /&gt;We learn from experience that men never learn anything from&lt;BR /&gt;experience. - George Bernard Shaw&lt;BR /&gt;victoria.tc.ca/techrev/rms.htm &lt;A href="http://www.infosecbc.org/links" target="_blank"&gt;http://www.infosecbc.org/links&lt;/A&gt;&lt;BR /&gt;&lt;A href="http://blogs.securiteam.com/index.php/archives/author/p1/" target="_blank"&gt;http://blogs.securiteam.com/index.php/archives/author/p1/&lt;/A&gt;&lt;BR /&gt;&lt;A href="http://twitter.com/rslade" target="_blank"&gt;http://twitter.com/rslade&lt;/A&gt;</description>
      <pubDate>Thu, 19 Jul 2018 18:32:13 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12520#M1112</guid>
      <dc:creator>rslade</dc:creator>
      <dc:date>2018-07-19T18:32:13Z</dc:date>
    </item>
    <item>
      <title>Re: Separations of Duties</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12526#M1113</link>
      <description>&lt;P&gt;Obviously, the remit was IT security and not about the bigger business issues:&amp;nbsp; People, process and technology.&lt;/P&gt;&lt;P&gt;It also indicates a level of maturity within the organisation and what they classify as a technical role and not one at GRC level, i.e. a business role.&amp;nbsp;&amp;nbsp; Bottom-up approach it appears on the surface.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 19 Jul 2018 20:44:21 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12526#M1113</guid>
      <dc:creator>Caute_cautim</dc:creator>
      <dc:date>2018-07-19T20:44:21Z</dc:date>
    </item>
    <item>
      <title>Re: Separations of Duties</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12625#M1118</link>
      <description>&lt;P&gt;As someone with 25 years in IT (with infosec as my focus for the last 14), I'm somewhat frustrated to see this trend in some industries. There has been a firewall between IT and the infosec department for most of my career but many organizations and agencies have adopted DevOps. Security as a bolt-on doesn't work in DevOps environments. Security needs to be involved throughout the SDLC phases of a system. It allows security requirements to be captured and prioritized in the sprint planning sessions and change control board meetings. With infrastructure as code and software-defined networks, everybody is either writing code or is directly supporting coders throughout the lifecycle.&amp;nbsp;&lt;/P&gt;&lt;P&gt;Specialists are great but sometimes can be blind to where domains and organizational goals intersect. Seeing a problem through the lens of a different domain can often lead to creative ways to address issues.&amp;nbsp;&lt;/P&gt;&lt;P&gt;Admittedly, strong SoD with firewalls in non-DevOps environments makes it easier to manage and control what gets put into production. It doesn't necessarily make it easy to support systems when the inevitable post-deployment problems occur. It takes a 'prevention' approach to developers making changes in production. DevSecOps has controls throughout the lifecycle and relies more on detective controls to prevent malicious acts in production. Activities need to be logged and monitored. Code reviews, static &amp;amp; dynamic analysis pre- and post-deployment are controls used to detect backdoors, insecure coding practices etc.&amp;nbsp;&lt;/P&gt;&lt;P&gt;The Phoenix Project was a fun read... I was that guy with the 3-ring binder earlier in my career but I'm now focused more on how security can support the organizational goals by working as an active contributor to the process of getting the next release out to customers, assuming it satisfies the control thresholds. For the most part, I don't talk to others in the organization about security. Managing risk is something that everyone understands... when you frame something within the context of risk to the organization, it is easier to get buy-in or sign-off on a risk-based, cost-effective approach to data protection.&lt;/P&gt;</description>
      <pubDate>Sun, 22 Jul 2018 17:07:17 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12625#M1118</guid>
      <dc:creator>Markonweb</dc:creator>
      <dc:date>2018-07-22T17:07:17Z</dc:date>
    </item>
    <item>
      <title>Re: Separations of Duties</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12632#M1121</link>
      <description>&lt;P&gt;This is not really a question on separation of duties but where this member wishes to take his career going forward - IT or Security.&amp;nbsp; The member is correct when he says it is possible to have skills in both camps and there is some synergy in having skills in both areas.&amp;nbsp; The ability of IT personnel to appropriately&amp;nbsp;deliver a roll-out&amp;nbsp;in a secure manner could benefit from a skilled cyber technician assisting with build and configuration of a system.&amp;nbsp; It is also true that a good cyber security resource is strengthened by network and IT background knowledge and skills.&amp;nbsp; Where separation of duties is important is in the audit and monitoring requirements.&amp;nbsp; When we consider insider threat (the standard defence response of "we all wear the same uniform" is unhelpful when we see examples of low-ranking personnel with high clearance allowing free range to access any and all material and to remove them from site simply because they were "trusted").&amp;nbsp; The skilled administrator needs strong access to the system in order to&amp;nbsp;perform the role&amp;nbsp;for which they are employed.&amp;nbsp; That does not mean they have need to know or to access the data that system is protecting.&amp;nbsp; One of the valid mechanisms for controlling this is separation of duties supported by strong audit and monitoring functions which includes preventing privileged users from removing/altering logs.&amp;nbsp; Part of the IT function requires access to, and awareness of, log content.&amp;nbsp; There is no part of their function that needs them to remove or alter logs.&amp;nbsp; That function is performed by a security role rather than an IT role in order to both protect and control IT privileged users.&amp;nbsp; It is not a question of what people have the skill to do but to what extent their functionality should be reduced or controlled in order to provide security assurance on the system and protection of the individual in order to facilitate the IT function in a controlled and secure manner.&lt;/P&gt;</description>
      <pubDate>Sun, 22 Jul 2018 20:10:12 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12632#M1121</guid>
      <dc:creator>CEMyers</dc:creator>
      <dc:date>2018-07-22T20:10:12Z</dc:date>
    </item>
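The log-integrity control CEMyers describes in the post above (IT reads and appends to the logs, a separate security role keeps privileged users from removing or altering them), and the detective controls Markonweb's earlier post relies on, as an added example that is not part of this thread: a hash-chained audit log whose head is sealed with a key only the security role holds, so that deletion, alteration or truncation by an admin is detected on the next verification. Everything here is constructed for the example: the key, the event records and their field names are illustrative, not taken from any real system.

```python
import hashlib
import hmac
import json

# Constructed for this example: a key held only by the security role.
# Admins never see it, so they can append to the log but cannot re-seal it.
SECURITY_ROLE_KEY = b"example-verifier-key-not-for-production"
GENESIS = "0" * 64


def _entry_digest(prev_hash: str, entry: dict) -> str:
    """Hash one entry together with the previous link (hash chain)."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_entry(log: list, entry: dict) -> str:
    """Admin-side: append an event, linking it to the current head."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    link = {"entry": entry, "prev": prev_hash, "hash": _entry_digest(prev_hash, entry)}
    log.append(link)
    return link["hash"]


def seal(log: list) -> str:
    """Security-side: MAC the chain head. The tag is stored where admins
    cannot write (SIEM, WORM storage, a separate account)."""
    head = log[-1]["hash"] if log else GENESIS
    return hmac.new(SECURITY_ROLE_KEY, head.encode(), "sha256").hexdigest()


def verify(log: list, expected_seal: str) -> tuple:
    """Security-side: walk the chain and compare the head to the seal.
    Returns (ok, reason)."""
    prev = GENESIS
    for i, link in enumerate(log):
        if link["prev"] != prev:
            return (False, f"chain broken at index {i}: entry removed or reordered")
        if _entry_digest(prev, link["entry"]) != link["hash"]:
            return (False, f"entry {i} altered")
        prev = link["hash"]
    tag = hmac.new(SECURITY_ROLE_KEY, prev.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(tag, expected_seal):
        return (False, "head does not match sealed value: tail truncated or chain rebuilt")
    return (True, "ok")


def demo_tamper_detection() -> dict:
    """Build a small log, seal it, then try three admin-side tampers."""
    # Constructed sample events; timestamps, users and paths are illustrative.
    events = [
        {"ts": "2018-07-22T20:10:00Z", "user": "admin1", "action": "ssh_login", "host": "db01"},
        {"ts": "2018-07-22T20:12:31Z", "user": "admin1", "action": "sudo", "cmd": "systemctl restart postgres"},
        {"ts": "2018-07-22T20:15:07Z", "user": "admin1", "action": "file_copy", "path": "/srv/data/customers.csv", "dest": "/media/usb0"},
        {"ts": "2018-07-22T20:16:40Z", "user": "admin1", "action": "logout"},
    ]
    log = []
    for event in events:
        append_entry(log, event)
    sealed = seal(log)
    results = {"clean": verify(log, sealed)}

    # Tamper 1: drop the incriminating copy event from the middle of the chain.
    results["delete_middle"] = verify(log[:2] + log[3:], sealed)

    # Tamper 2: rewrite the destination path in place (deep copy first).
    altered = json.loads(json.dumps(log))
    altered[2]["entry"]["dest"] = "/tmp/scratch"
    results["alter_entry"] = verify(altered, sealed)

    # Tamper 3: truncate the tail so the copy and logout never happened.
    results["truncate_tail"] = verify(log[:2], sealed)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo_tamper_detection().items():
        print(f"{name:14s} ok={ok} {reason}")
```

The admin role never needs the sealing key to do its job, which is the separation the post argues for: in practice the seal (or the chain head itself) is shipped to a store the admin role cannot write to, and the security role re-seals after each verified batch.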
    <item>
      <title>Re: Separations of Duties</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12633#M1122</link>
      <description>&lt;P&gt;The real lesson here is the Tailored CV.&amp;nbsp; A reviewer of your CV wants to know you can deliver on the job/person spec for the role you are applying for.&amp;nbsp; All the skills you have that tick the boxes for the person/job spec should be highlighted and at the top of your CV, including your impact statement. All the additional skills you possess can then follow on behind in an added-value section showing you bring additional skills to the table.&amp;nbsp; It is important to the hiring manager that these are seen as enhancing the role, not conflicting with or challenging its successful delivery. For an IT position I would be wanting a CV to demonstrate IT knowledge and skills. Whilst it is true these can come from cyber experiences, it is important to highlight the IT functions from those experiences rather than the security-specific functions, which, as an aside, it is worth mentioning you can also deliver and support. Remember, if it is an IT job/person spec, then it is IT knowledge and experience the hiring manager wants to see.&amp;nbsp; The fact that you bring team leadership and management skills, and cyber (I still hate that word) skills is added value but not necessarily essential to the role.&amp;nbsp; There is also the danger that this puts you in the too expensive/too experienced for the role bracket.&amp;nbsp; As with all exams (and a job interview is an oral exam), it is important to understand the question&amp;nbsp;and to answer that in the appropriate manner first and foremost.&lt;/P&gt;</description>
      <pubDate>Sun, 22 Jul 2018 20:23:10 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12633#M1122</guid>
      <dc:creator>CEMyers</dc:creator>
      <dc:date>2018-07-22T20:23:10Z</dc:date>
    </item>
    <item>
      <title>Re: Separations of Duties</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12650#M1124</link>
      <description>&lt;P&gt;I personally think IT and IS need to work together. An IT admin doesn't have to be an expert in IS but should know enough to understand the importance of it. Similarly, an IS professional doesn't have to know all the nitty-gritty of the sys admin, network admin, storage admin domains etc. but should have enough background knowledge to not look like an idiot when working with an admin.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So essentially when an IS professional discovers a new threat, or comes up with a new security policy that needs to be implemented at system, network or storage level, they need to be able to explain the logic behind that decision to the admin and the pros and cons of the required change, and the admin should be able to acknowledge the risk associated with not implementing the recommended change.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This kind of collaborative effort has a high chance of resulting in a well-managed and highly secure infrastructure.&lt;/P&gt;</description>
      <pubDate>Mon, 23 Jul 2018 06:43:45 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/12650#M1124</guid>
      <dc:creator>usiddiqi</dc:creator>
      <dc:date>2018-07-23T06:43:45Z</dc:date>
    </item>
    <item>
      <title>Re: Separations of Duties</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/13184#M1250</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1324864413"&gt;@rslade&lt;/a&gt; said,&lt;/P&gt;&lt;P&gt;"&lt;FONT face="courier new,courier"&gt;&lt;SPAN&gt;This isn't about "separation of duties." This topic is about job descriptions.&lt;/SPAN&gt;&lt;/FONT&gt;&lt;BR /&gt;&lt;SPAN&gt;&lt;FONT face="courier new,courier"&gt;Separation of duties is an important security principle,&lt;/FONT&gt;&amp;nbsp;"&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;To continue a discussion on what separation of duties really means for security professionals, hop over to the discussion&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;A title="SoD" href="https://community.isc2.org/t5/Career/Insider-Threat-Protection-with-Separation-of-Duties/m-p/13183" target="_blank"&gt;&lt;EM&gt;Insider Threat Protection with Separation of Duties&lt;/EM&gt;&lt;/A&gt;.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 03 Aug 2018 11:00:46 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/13184#M1250</guid>
      <dc:creator>CraginS</dc:creator>
      <dc:date>2018-08-03T11:00:46Z</dc:date>
    </item>
    <item>
      <title>Re: Separations of Duties</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/13190#M1252</link>
      <description>&lt;P&gt;In the federal government system, from an HR perspective, this IS about separation of duties. HR wants to separate the security "duties" from the IT "duties".&amp;nbsp; So the OP was correct and we can also agree that separation of duties can have multiple meanings, depending on the context and which department is using the phrase.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I think a more correct term for the cyber world would be isolation of duties. You want to isolate duties that, when combined with another duty, have the potential for undesired consequences or undesirable levels of power.&lt;/P&gt;</description>
      <pubDate>Fri, 03 Aug 2018 14:17:49 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Separations-of-Duties/m-p/13190#M1252</guid>
      <dc:creator>CISOScott</dc:creator>
      <dc:date>2018-08-03T14:17:49Z</dc:date>
    </item>
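CISOScott's point above about isolating duties that are dangerous in combination, jinxpuppy's custody/authorization/record-keeping definition and rslade's Clark-Wilson rule that the agent doing a task is not the agent checking it, as an added example that is not from this thread: a small checker that flattens role membership into a per-person duty set and reports any prohibited pair, plus a per-transaction doer-versus-approver check. The duty names, the conflict table and the sample roles and people are all constructed for the example and are not taken from any standard or real organisation.

```python
from itertools import combinations

# Constructed policy for this example: duty pairs that one person must never
# hold together. The names are illustrative, not taken from any standard.
CONFLICTING_DUTIES = {
    frozenset({"authorize_change", "deploy_change"}),    # approver vs. doer
    frozenset({"custody", "record_keeping"}),            # who holds vs. who records
    frozenset({"authorize_payment", "custody"}),         # who approves vs. who holds
    frozenset({"admin_system", "manage_audit_logs"}),    # privileged user vs. log control
}


def expand_roles(role_duties: dict, person_roles: dict) -> dict:
    """Flatten role membership into a duty set per person, so a conflict
    spread across two roles is still visible."""
    out = {}
    for person, roles in person_roles.items():
        duties = set()
        for role in roles:
            duties.update(role_duties.get(role, ()))
        out[person] = duties
    return out


def toxic_combinations(person_duties: dict) -> dict:
    """Return {person: [(duty_a, duty_b), ...]} for every prohibited pair
    a person holds, pairs listed in sorted order."""
    findings = {}
    for person, duties in person_duties.items():
        hits = [
            (a, b)
            for a, b in combinations(sorted(duties), 2)
            if frozenset((a, b)) in CONFLICTING_DUTIES
        ]
        if hits:
            findings[person] = hits
    return findings


def check_transaction(performed_by: str, approved_by: str) -> bool:
    """Clark-Wilson style check on one transaction: the agent who does the
    task may not be the agent who certifies it, whatever roles they hold."""
    return performed_by != approved_by


def demo() -> dict:
    """Constructed sample: role definitions and who holds which roles."""
    role_duties = {
        "sysadmin": {"admin_system", "read_audit_logs"},
        "log_custodian": {"manage_audit_logs", "read_audit_logs"},
        "change_approver": {"authorize_change"},
        "release_engineer": {"deploy_change"},
        "bookkeeper": {"record_keeping"},
        "treasurer": {"custody", "authorize_payment"},
    }
    person_roles = {
        "frank": ["sysadmin", "log_custodian"],           # can administer and purge logs
        "mary": ["change_approver", "release_engineer"],  # approves her own deploys
        "joe": ["sysadmin"],
        "ann": ["bookkeeper"],
        "sam": ["treasurer"],                             # one role, still a toxic pair
    }
    return toxic_combinations(expand_roles(role_duties, person_roles))


if __name__ == "__main__":
    for person, pairs in demo().items():
        print(person, pairs)
```

Two things the sample is built to show: a conflict can come from one badly designed role (sam's treasurer role) as easily as from two roles granted separately (frank, mary), so the check has to run on the flattened duty set rather than on role names; and reading the logs is deliberately not in the conflict table, since IT needs to see log content and only the ability to remove or alter it is what the security role keeps.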
  </channel>
</rss>

