CERT'S PODCASTS: SECURITY FOR BUSINESS LEADERS: SHOW NOTES
A New Look at the Business of IT Education
Key Message: System administrators increasingly need business savvy in addition to technical skills, and IT training courses must try to keep pace with this trend.
Executive Summary
System administrators can no longer remain even a little isolated from the business mission. Instead, the trend is toward system administrators who actively support the business mission and can work within the constraints of policies, procedures, and top-level corporate governance.
In this podcast, Larry Rogers, a senior member of the technical staff at CERT, talks about the Survivability & Information Assurance Curriculum. Its goal is to train system administrators to manage technology in real-world situations from a business perspective, using cost-benefit analysis and risk analysis and working within policy constraints.
PART 1: FILLING A GAP
The Survivability and Information Assurance Curriculum was created in response to a perceived gap: the ability of system administrators to think beyond specific technologies.
After all:
- Technology changes frequently
- Technology doesn't always work correctly
- The people who do best in their jobs are those who can react well to changes or unusual situations
So, the curriculum's goal was to teach adaptation skills and thereby increase resilience. It is designed to be independent of technology and instead focuses on 10 principles of survivability and information assurance.
The first course presents the 10 principles. The next course applies them to networking in general. The third course applies them to an enterprise network.
What types of students will benefit?
- experienced system and network administrators
- who want to know more and learn more than just technology
- who have managerial potential and a business sense
- who can think out of the box
Just because someone can make technology dance for them doesn't mean they have a real sense of the business mission. Students who are open to the idea of supporting the business mission likely will do best in the SIA Curriculum.
PART 2: CURRICULUM FUNDAMENTALS AND GOALS
So, what's in the course?
Communication skills: Speak in your manager's language — to achieve understanding, don't just say, "We changed a technical setting." Say, "We just made a change that will save the company five cents per transaction."
Many system administrators are no longer isolated in a back room. The most successful administrators likely:
- speak in the language of many different people within the organization
- understand the business mission
- understand the way businesses run
- can live within the constraints of policies, procedures, and governance
In the course, therefore:
- Students talk to the instructor as though the instructor is the manager.
- Students must live within the constraints of a policy and procedures manual.
- Students have access to risk analysis data to help guide their decisions.
Some of the 10 basic SIA principles, in addition to communications, are:
- Survivability: Make sure the business mission can survive in the face of attacks and breakdowns. Example: In the 1993 World Trade Center attacks, those companies that were survivable walked up to midtown Manhattan and continued their IT operations there. Some companies that were not survivable went out of business.
- Everything is data: Data is not just the information created by an application. The application itself is data. So is the operating system that runs the application. Identify all of your data, and then protect it appropriately.
- Even though everything is data, not all of that data has the same value: Put the most and best safeguards on your most critical data. There isn't enough time anymore to do everything everywhere.
There has been an evolution:
- The system administrator used to rule the domain and dictate how the business worked, in a way.
- Now the business is king and the technology is merely an asset to be used. It's like a pencil — you don't think about it, you just use it. A few people are involved in the details of making pencils, but most don't need or want to know about it.
Because of this transition, some of the best system administrators actually may come out of business schools.
PART 3: EVOLVING AND GAINING BUY-IN
There are challenges to acceptance of the SIA Curriculum:
- School administrators are still focused on technology.
- Many students also are saying they want to learn about technology.
- Businesses that hire students require them to know about technology.
So is there really a role for the curriculum? Yes, but it is complementary.
There is no substitute for understanding technology. However, understanding business is also important.
So, system administrators should think about:
- What's the impact on business?
- What are the metrics of performance?
- What does this cost?
- What's the benefit?
- Are we avoiding or reducing costs?
Resources
Survivability & Information Assurance Curriculum. Courseware description and download site.
Copyright 2007 by Carnegie Mellon University





