Lamont29
Community Champion

Separations of Duties

I see that the Department of Defense (DoD) has formally implemented the separation of duties between IT and Information Security. Now you’ll have to choose your track. I was blown away by this reality at a job interview. I was invited out to an interview for information security where we had a social night and were encouraged to bring additional resumes and visit other organizations within the company. I thought that it was only to my benefit to visit IT so long as I was there.

 

The hiring manager who received my resume was quite uninterested in me initially and he wanted to immediately pass me over to Security. I explained to this hiring manager that I did have IT experience. He began to ask me what he thought were very technical questions – all of which I not only answered, but where I could, I gave audit and security measures or solutions where appropriate. It’s my opinion that he was quite impressed since both of his areas were interested in offering me a job in IT. He was quite upset with the way that I wrote my resume “only to security” and not IT. However, IT is where I amassed all of my skills and lead to my current career in Information Security.

 

I guess it’s a sad chapter as I arrive to what I believe is the apex of my career. I honestly didn’t intend to come this far in Information Security, only to the detriment of my IT knowledge. I am from the old school of thought where they go hand-in-hand.  However, it’s understandable why government contractors and the federal government would take this approach. Confidentiality of the "CIA" rules the day in government and federal contractors must comply.

 

Lamont Robertson
M.S., M.A., CISSP, CISM, CISA, CRISC, CDPSE, MCSE
22 Replies
Baechle
Advocate I

Lamont,

 


@Lamont29 wrote:

There's that rule to keep your resume as simple as a couple of pages... a rule that I never bothered to adhere to. Mine has necessarily been four pages or more because I spent a great deal of time as an IT / Security Consultant and in the military spanning 30+ years. I don't document all thirty - just my last ten. 


It sounds like you have a more of a CV than a resume.

 

I have a similar problem because I had several positions for 2 or 3 years each, plus military reserve postings making the headers quickly overwhelm the space needed to list any major accomplishments or duties.

 

I've seen several folks submit a CV as a resume and it confuses HR and hiring managers.  Instead, having a handful of tailored resumes for (a) a systems admin, (b) a network admin, (c) a security architect, (d) an IT manager, (e) a security manager, (f) etc. might get you further quicker.

 

I like my job but it's truly geared for someone who's retired and on their second career (or banking additional retirement years for their pension).  Meaning that I'm stuck in a niche position with no advancement opportunity because I'm pigeonholed.  I must have applied for about 300+ positions in the last year or so.  It took me quite a while to get my writing style in line with HR/management expectations.  Once I did, I started getting practically every interview I applied for.  But it meant that I practically rewrote my resume every time I applied for a new job.

 

Sincerely,

 

Eric B.

 

 

Baechle
Advocate I


Brent,

 

I don't think you're going to see this die out.  In fact, I think you're going to see more of it.

 

@Beads wrote:

Having come up through the ranks of both IT and later Audit before tackling security I can only hope this practice is limited to the US Government or dies a quiet, if not well deserved demise.

 

A security practitioner or auditor, in my personal opinion, effectively does the required work without having a deep and practical knowledge base in IT, systems, networking or development. The idea offends me on so many levels. Leave it at that.

 

Cutting half our skills in half may be a great way to recruit people into the field but would hurt us, considerably, in the long run.


I agree with your assessment on a personal level. 

 

As a hiring manager, however, I don't need a superhero with experience in everything; and I wouldn't pay for that.  If I need an auditor, then I need 30% of your skill set and I'm going to pay for that.  If I need an IT pro, then I need a different 25% (with 5% overlapping) of your skill set, and I'm going to pay for that. 

 

That you have another ~45% overlap with other areas of my business is a bonus but it's not a requirement - I can let a new hire cross train themselves, so I'm not going to pay for that.  Even if I did, and then I decided to actually and actively utilize all that knowledge and skill, I'm risking you crying burnout very quickly.  And then I've sunk my costs into a resource that is extraordinarily time limited.

 

Sincerely,

 

Eric B.

 

 

 

 

rslade
Influencer II

Since this thread is still going, I've just got to drop in:

This isn't about "separation of duties." This topic is about job descriptions.

Separation of duties is an important security principle, first established by the
Clark-Wilson model, and initially applied to programs, mandating that the agent
responsible for doing the task is not the agent responsible for checking the task.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
We learn from experience that men never learn anything from
experience. - George Bernard Shaw
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Caute_cautim
Community Champion

Obviously, the remit was IT security and not about the bigger business issues:  People, process and technology.

It also indicates a level of maturity within the organisation too and what they classify as a technical role and not one at GRC level, i.e. a business role.   Bottom-up approach, it appears on the surface.

 

 

Markonweb
Newcomer II

As someone with 25 years in IT (with infosec as my focus for the last 14), I'm somewhat frustrated to see this trend in some industries. There has been a firewall between IT and the infosec department for most of my career but many organizations and agencies have adopted DevOps. Security as a bolt-on doesn't work in devops environments. Security needs to be involved throughout the SDLC phases of a system. It allows security requirements to be captured and prioritized in the sprint planning sessions and change control board meetings. With infrastructure as code and software defined networks, everybody is either writing code or is directly supporting coders throughout the lifecycle. 

Specialists are great but sometimes can be blind to where domains and organizational goals intersect. Seeing a problem through the lens of a different domain can often lead to creative ways to address issues. 

Admittedly, strong SoD with firewalls in non devops environments makes it easier to manage and control what gets put into production. It doesn't necessarily make it easy to support systems when the inevitable post-deployment problems occur. It takes a 'prevention' approach to developers making changes in production. DevSecOps has controls throughout the lifecycle and relies more on detective controls to prevent malicious acts in production. Activities need to be logged and monitored. Code reviews, static & dynamic analysis pre and post deployment are controls used to detect backdoors, insecure coding practices etc. 

The Phoenix Project was a fun read... I was that guy with the 3 ring binder earlier in my career but I'm now focused more on how security can support the organizational goals by working as an active contributor to the process of getting the next release out to customers assuming it satisfies the control thresholds. For the most part, I don't talk to others in the organization about security. Managing risk is something that everyone understands... when you frame something within the context of risk to the organization, it is easier to get buy in or sign-off on a risk-based, cost-effective approach to data protection.


Best, Mark
CISSP-ISSAP ISSEP ISSMP CAP CCSP CSSLP HCISPP SSCP CCISO CISM CRISC CISA FITSP-M FITSP-A FIP CIPP/G CIPP/US CIPM CIPT SCF CCSK ITIL-F Cloud+ Security+ AWS-SAA
CEMyers
Newcomer III

This is not really a question on separation of duties but where this member wishes to take his career going forward - IT or Security.  The member is correct when he says it is possible to have skills in both camps and there is some synergy in having skills in both areas.  The ability of IT personnel to appropriately deliver a roll-out in a secure manner could benefit from a skilled cyber technician assisting with build and configuration of a system.  It is also true that a good cyber security resource is strengthened by network and IT background knowledge and skills.  Where separation of duties is important is in the audit and monitoring requirements.  When we consider insider threat (the standard defence response of "we all wear the same uniform" is unhelpful when we see examples of low ranking personnel with high clearance allowing free range to access any and all material and to remove them from site simply because they were "trusted").  The skilled administrator needs strong access to the system in order to perform the role for which they are employed.  That does not mean they have need to know or to access the data that system is protecting.  One of the valid mechanisms for controlling this is separation of duties supported by strong audit and monitoring functions which includes preventing privileged users from removing/altering logs.  Part of the IT function requires access to, and awareness of, log content.  There is no part of their function that needs them to remove or alter logs.  That function is performed by a security role rather than an IT role in order to both protect and control IT privileged users.  It is not a question of what people have the skill to do but to what extent should their functionality be reduced or controlled in order to provide security assurance on the system and protection of the individual in order to facilitate the IT function in a controlled and secure manner.
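The control CEMyers describes (IT may read and append to logs, only a separate security role may verify them) and the detective controls Markonweb mentions for DevSecOps can be made concrete with a hash-chained audit trail. This is an added illustration, not code from the thread or from any product named in it; the record layout, the sample events and the out-of-band "head hash" held by the security role are constructed assumptions.

```python
import hashlib
import json

# Constructed example: each record carries the hash of the previous record, so
# editing, deleting or truncating records breaks the chain. The IT role only
# appends; the security role keeps the latest hash out of band and verifies.
GENESIS = "0" * 64


def record_hash(prev_hash: str, event: dict) -> str:
    """Hash of (previous hash || canonical JSON of this event)."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_event(log: list, event: dict) -> dict:
    """IT role: append a new record. Earlier records are never touched."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"prev": prev, "event": event, "hash": record_hash(prev, event)}
    log.append(entry)
    return entry


def verify_chain(log: list, expected_head: str) -> tuple:
    """Security role: walk the chain and return (ok, index of first bad record).

    expected_head is the last hash the security role recorded independently
    (e.g. from log forwarding); without it, an admin with full write access
    could silently rewrite every record after a tampered one.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or record_hash(prev, entry["event"]) != entry["hash"]:
            return False, i          # edited or deleted record detected here
        prev = entry["hash"]
    if prev != expected_head:
        return False, len(log)       # tail records removed (truncation)
    return True, -1


def build_sample_log() -> list:
    """Constructed sample events as an IT admin would generate them."""
    log = []
    for ev in [
        {"ts": "2024-01-01T10:00:00Z", "user": "admin1", "action": "login"},
        {"ts": "2024-01-01T10:05:00Z", "user": "admin1", "action": "sudo patch"},
        {"ts": "2024-01-01T10:09:00Z", "user": "admin1", "action": "logout"},
    ]:
        append_event(log, ev)
    return log
```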

CEMyers
Newcomer III

The real lesson here is the Tailored CV.  A reviewer of your CV wants to know you can deliver on the job/person spec for the role you are applying for.  All the skills you have that tick the boxes for the person/job spec should be highlighted and at the top of your CV, including your impact statement. All the additional skills you possess can then follow on behind in an added-value section showing you bring additional skills to the table.  It is important to the hiring manager that these are seen as enhancing the role, not conflicting with or challenging its successful delivery. For an IT position I would be wanting a CV to demonstrate IT knowledge and skills. Whilst it is true these can come from cyber experiences, it is important to highlight the IT functions from those experiences rather than the security-specific functions, which, as an aside, it is worth mentioning you can also deliver and support. Remember, if it is an IT job/person spec, then it is IT knowledge and experience the hiring manager wants to see.  The fact that you bring team leadership and management skills, and cyber (I still hate that word) skills is added value but not necessarily essential to the role.  There is also the danger that this puts you in the too expensive/too experienced for the role bracket.  As with all exams (and a job interview is an oral exam), it is important to understand the question and to answer that in the appropriate manner first and foremost.

usiddiqi
Newcomer I

I personally think IT and IS need to work together. An IT admin doesn't have to be an expert in IS but should know enough to understand the importance of it. Similarly, an IS professional doesn't have to know all the nitty-gritty of the sys admin, network admin, storage admin domains etc. but should have enough background knowledge to not look like an idiot when working with an admin. 

 

So essentially, when an IS professional discovers a new threat, or comes up with a new security policy that needs to be implemented at the system, network or storage level, they need to be able to explain the logic behind that decision to the admin and the pros and cons of the required change, and the admin should be able to acknowledge the risk associated with not implementing the recommended change. 

 

This kind of collaborative effort has a high chance of resulting in a well-managed and highly secure infrastructure.

CraginS
Defender I

@rslade said,

"This isn't about "separation of duties." This topic is about job descriptions.
Separation of duties is an important security principle, "

 

To continue a discussion on what separation of duties really means for security professionals, hop over to the discussion Insider Threat Protection with Separation of Duties.

 

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
CISOScott
Community Champion

In the federal government system, from an HR perspective, this IS about separation of duties. HR wants to separate the security "duties" from the IT "duties".  So the OP was correct and we can also agree that separation of duties can have multiple meanings, depending on the context and which department is using the phrase.

 

I think a more correct term for the cyber world would be isolation of duties. You want to isolate duties that, when combined with another duty, have the potential for undesired consequences or undesirable levels of power.