The Black Book of Identity Access Mgmt
    Thursday, Aug 16, 2012

    Get the right security lineup

    I’m in the excellent and crappy position of always having to learn new things. It’s excellent in that it’s never boring, and somebody else usually pays for it. It’s crappy in that I have to put in the time. I was the world’s best client-server programmer, and then we invented HTML. Dammit.

    Recently I tried recruiting some people to fill some open slots. One guy I talked to, a known quantity with a good background, is 15 years my junior. He told me it sounded good: more money, less travel, better hit rate, stock options. But he told me, “I don’t want to have to learn a new product set.”

    Ouch. Better insurance too. But oh, that learning curve.

    Two years ago, I visited a manufacturer where I had to explain federation to the guy in charge of the web site and authentication policies. And I also had to explain to his enablement guy what provisioning was. Incredible. Workflow? Adapters? Target systems? Roles? No kidding. Read a magazine or a blog sometime, pal.

    Three years ago, in St. Louis, I explained to a medical company how their LDAP queries, written by their consultants almost a decade earlier, worked.

    And more recently, while whiteboarding database security for a client, I ended up explaining to their db security consultant what SQL injection is. After that meeting, I was in the rental car with a colleague, and he remarked, “How do I get a job like that? Getting paid to not know my subject. Astounding.”

    And right at this moment as I type, I’m sitting in an airport, having just left a session where I attempted to fix somebody else’s wretched misconfiguration of a set of security tools. In the end, I’d have been better off installing from scratch. Somebody who didn’t know or didn’t care about what they were doing did something anyway, and left it in a state of awfulness.

    Anybody can call himself a Subject Matter Expert. I call myself the same thing, but not about All Things. I do what I’m good at, try to learn the stuff I want to be good at, and avoid the rest. Trust, but verify. You still need to check references, ask the questions, and do the homework. Your security, your compliance stature, your reputation may depend on it.
