System Administrator vs IT security

Comments

  • MacGuffin Member Posts: 241 ■■■□□□□□□□
    W Stewart wrote: »
    When they hear that they can basically pass that responsibility on to an MSP instead of paying for inhouse training it usually seems to be the route that they take.

    They are not passing responsibility off to the contractor, they are passing authority. Someone onsite is still responsible. I will bet everything in my pockets against everything in your pockets that there is a contract that states the security contractor does not have responsibility.

    It may look like I'm splitting hairs here but there are very distinct differences between responsibility, authority, and capability. I will apologize if I've unintentionally used these terms incorrectly in prior posts. Responsibility means that one will be held accountable, that if something goes wrong the person responsible will have to answer why it went wrong. Authority is that one has been given permission to perform certain tasks by the person responsible. A person can delegate authority but they cannot delegate responsibility. Capability means that one is physically able to perform a task. Just because someone has authority to perform a task does not mean they are capable of performing that task.

    These security contractors may claim they offer security but unless there are people onsite with proper authority, capability, and responsibility there is only an illusion of security. These security contractors will be given authority for certain security tasks but they might not be actually capable of providing it. They will never take responsibility. Responsibility may be offered but it can't be given, responsibility must be taken.

    This is where I will actually get back on topic. Someone that shows capability for onsite security may find themselves taking responsibility for security. This also requires the corporation giving the person the authority to perform onsite security, without authority the person that is capable cannot be responsible. I'd recommend anyone that wants to be in IT to gain the skills to be capable in infosec. That makes you more valuable. That means a potential for more authority and responsibility, which generally translates into better pay.
    W Stewart wrote: »
    I'm not necessarily saying that companies are taking this route because it's more effective or that it's even the smartest way of doing things but companies are in fact making these kinds of decisions because they don't see the practical side of it that you laid out above.

    No disagreement here. Corporations will seek to lower costs everywhere they can, it is required of them by the stakeholders. What that means is that sometimes they will do things that are not necessarily wise. They will believe they are outsourcing security, but what they are actually doing is reducing or removing it. They might even claim they are delegating responsibility for security but they are not, security providers cannot take responsibility because they are not stakeholders. A security provider can be made a stakeholder but then they effectively become part of the corporation, and it's not truly an outsource operation anymore.
    MacGuffin - A plot device, an item or person that exists only to produce conflict among the characters within the story.
  • W Stewart Member Posts: 794 ■■■■□□□□□□
    Before you read this long response and proceed to give me everything in your pocket, please take a look at this wikipedia article on SLAs.

    http://en.wikipedia.org/wiki/Service-level_agreement

    In the section on outsourcing.
    "Outsourcing involves transfer of responsibility from an organization to a supplier."



    The MSP that we outsource security to takes responsibility for the services that they guarantee just like we take responsibility for the physical availability of the servers that our customers are paying for. When you enter into an agreement with a service provider, there's typically a service level agreement (SLA) that defines the responsibilities of both the service provider and the client. As a service provider you don't get to just say that you're not responsible for anything and still expect people to do business with you.

    One of the reasons companies outsource is risk transference and so they have somebody to sue if shtf. The company they outsource certain services to usually takes on responsibility for the services that are being outsourced. Lawsuits can and have taken place when a company hasn't kept up their end of the deal. We couldn't just have a customer's server down for days on end and then say that it's not our responsibility. Likewise I'm sure any msp, security or otherwise has an agreement saying that they'll meet certain standards and they'll be held liable/responsible if they don't meet those standards that were agreed upon. Nobody is going to hand over management of their IT solutions to a company who could turn around and say they're not responsible for the services that they guaranteed otherwise there would be little benefit to outsourcing over in-house IT.

    Now I'm not saying every security provider is going to get sued if they underperform and your network still goes down but they still have a responsibility that's outlined in that SLA and at a minimum they have to do that much. It's just a matter of what the SLA defines as a minimum requirement.

    A security provider would also be considered a stakeholder in a company just based on the broad definition of what a stakeholder actually is.

    "one who is involved in or affected by a course of action" or

    "one that has a stake in an enterprise"

    A stake can be defined as

    "an interest or share in an undertaking or enterprise" or

    "a wooden post to which a person was tied before being burned alive as a punishment."

    Another partial example of a stakeholder from wikipedia

    "For examples these are parents, children, customers, owners, employees, associates, partners, contractors, and suppliers, people that are related or located nearby."


    But all of those irrelevant details aside, the point I've been trying to make and maybe haven't worded properly is that not every company has a dedicated security team of dedicated security professionals with the stack of security certifications you mentioned in an earlier post. Should every IT professional worth his salt be security minded? Of course. Does it actually work out that way? Of course not. Plenty of professionals don't know squat about security and sometimes just having an admin who's security minded might not cut it. You might just need an expert on the subject of security if you're a large enough target for an attack. Small businesses who feel that they need that kind of expertise but can't afford a dedicated in-house security team will typically outsource their solutions and if they did have an admin who could somehow do the job of a whole security team by himself as well as his administrative duties then he'd probably be worth more than that company could afford to pay him. There's a market out there for outsourced security and that's why companies like stillsecure even exist.


    Sorry for the extremely long posts. I just have a lot of time on my hands right now. Hopefully that will change in the upcoming weeks.
  • MacGuffin Member Posts: 241 ■■■□□□□□□□
    W Stewart wrote: »
    The MSP that we outsource security to takes responsibility for the services that they guarantee just like we take responsibility for the physical availability of the servers that our customers are paying for. When you enter into an agreement with a service provider, there's typically a service level agreement (SLA) that defines the responsibilities of both the service provider and the client. As a service provider you don't get to just say that you're not responsible for anything and still expect people to do business with you.

    That agreement does not define responsibility, it defines liability. You even admit to that in the next paragraph.
    W Stewart wrote: »
    Likewise I'm sure any msp, security or otherwise has an agreement saying that they'll meet certain standards and they'll be held liable/responsible if they don't meet those standards that were agreed upon. Nobody is going to hand over management of their IT solutions to a company who could turn around and say they're not responsible for the services that they guaranteed otherwise there would be little benefit to outsourcing over in-house IT.

    Someone within the company will still be responsible. The person responsible for security will be the one that signed the agreement with the security contractor on behalf of the corporation.
    W Stewart wrote: »
    There's a market out there for outsourced security and that's why companies like stillsecure even exist.

    No doubt. I agree that outsourced security companies exist and that they provide a valuable service. I'm saying that if something goes wrong the people that get held responsible are not the contract security company. Those contractors will hide behind their limited liability agreement and a kennel full of attack lawyers. If a small bank with outsourced security finds out that someone cleared out their customers' accounts either physically or electronically the customers are not going to be satisfied with some guy in a suit telling them the bank is not responsible, it's that good for nothing security contractor. The customers are going to hold the bank responsible because they chose the good for nothing security contractor. If the bank tries to go after the contractor then the attack lawyers get unleashed. The only way for the bank to shift responsibility, or exceed the liability defined in the contract, is to prove the contractor acted with malice.

    No one in a corporation can delegate responsibility. No contractor can take responsibility, at least not legally. They may be held liable, but that is something else.
    W Stewart wrote: »
    Sorry for the extremely long posts. I just have a lot of time on my hands right now. Hopefully that will change in the upcoming weeks.

    Same here. Snow is too deep right now to get anywhere. I can only do so much from home. The sun should be out tomorrow and the roads cleared.
    MacGuffin - A plot device, an item or person that exists only to produce conflict among the characters within the story.
  • W Stewart Member Posts: 794 ■■■■□□□□□□
    MacGuffin wrote: »
    That agreement does not define responsibility, it defines liability. You even admit to that in the next paragraph.

    Look up liability. The dictionary definition is being responsible for something by law. Yes someone on-site may also be held responsible just like a manager has to take responsibility for anything his employees do but when you're paying a security provider a ton of money to secure your system, you're not going to be pointing the finger at every employee beneath you who likely doesn't even have access to the firewalls or IPS/IDS. Still secure doesn't give us access to the firewalls because they're responsible for them.

    definition of responsibility

    "the state or fact of having a duty to deal with something or of having control over someone."

    They have a duty to provide the services that are in their SLA. They're not responsible for every aspect of your business but they are responsible for providing the services that they're being paid to provide which in this scenario is management of your security devices. They don't need to act with malice. All they need to do is not honor their end of the agreement. Nobody would bother doing business with you if you could just choose not to provide the services agreed upon in your SLA and not be held accountable but I guess you might be able to consider that malice.

    Either way the specifics of the English language don't matter. What I meant when I said pass off responsibility was risk transference which you should have learned is one of the reasons businesses outsource services when you studied for your Security+ certification.
  • W Stewart Member Posts: 794 ■■■■□□□□□□
    Maybe the difference is you're referring to security as the general concept which includes everything down to end user education and protecting your own passwords. By nature you can't outsource that because everybody in the organization has to be on-board but I'm referring to security solutions that detect and mitigate network attacks and identify vulnerabilities in your network. The thing is, the latter is the type of thing usually referred to when contemplating an IT security career.
  • MacGuffin Member Posts: 241 ■■■□□□□□□□
    @W Stewart
    I'm done. We're going around in circles and I'm not even sure what you're arguing about any more. I thought I made myself clear, true security cannot be offsite. You obviously disagree with me on some finer points, and I don't care any more.

    Here's the original question:
    Everyone out there, do you think system administrator or IT security would be a better long term career for job security, pay, etc.

    My answer is IT security. The primary reason I gave that answer is because security is a job that cannot be shipped offshore. Infosec cannot be shipped off to be done by cheap labor on the other side of the world, that means people that know infosec will always be in demand and be paid well.

    I was going to go into greater detail but I realized I'd just be repeating what I typed out before.
    MacGuffin - A plot device, an item or person that exists only to produce conflict among the characters within the story.
  • dmoore44 Member Posts: 646
    Earlier in my career, I did a lot of sysadmin work - configuring servers, setting up domains, putting mailservers online, etc... While I was in school, I took plenty of programming classes (VB, C++, Java, Algorithm Design, and a few others). These experiences definitely help set me up for my current role as an INFOSEC Analyst. My job involves a lot of configuration auditing and vulnerability analyses - and while I have multiple tools at my disposal to help get the results I want, I still write a lot of scripts (PowerShell and bash). So, knowing how a system is supposed to be configured, where to look for those configurations, and how to query a given system to get the results I desire would be next to impossible to learn without first having experience in configuring it all.

    In hindsight, it would have been a good option had I gone from sysadmin to netadmin, then over to INFOSEC. Once you start down the configuration auditing/analysis path, you start looking at more than just servers and workstations - I also have to look at other devices on the network... like routers and switches. And so I spend a lot of free time trying to bone up on a lot of the information that I passed over by not going the netadmin route.
    Graduated Carnegie Mellon University MSIT: Information Security & Assurance Currently Reading Books on TensorFlow
  • geek4god Member Posts: 187
    NSA to cut system administrators by 90 percent to limit data access



    "What we're in the process of doing - not fast enough - is reducing our system administrators by about 90 percent," he said.


  • W Stewart Member Posts: 794 ■■■■□□□□□□
    MacGuffin wrote: »
    @W Stewart
    I'm done. We're going around in circles and I'm not even sure what you're arguing about any more. I thought I made myself clear, true security cannot be offsite. You obviously disagree with me on some finer points, and I don't care any more.

    Here's the original question:

    My answer is IT security. The primary reason I gave that answer is because security is a job that cannot be shipped offshore. Infosec cannot be shipped off to be done by cheap labor on the other side of the world, that means people that know infosec will always be in demand and be paid well.

    I was going to go into greater detail but I realized I'd just be repeating what I typed out before.

    But your whole argument as to why security can't be shipped offshore is because the on-site system administrator has to know security as well. At the same time you're arguing that the op should take the IT security career path over the systems admin career path because security can't be offshore (because the system admin position that you're arguing against also has to be security aware).

    I don't think the fact that you need somebody to physically secure a box makes infosec any less off-shoreable because you need somebody to reboot boxes and plug in cables as well but the actual skilled work that's in demand and pays well as you mentioned, can all be done remotely just like stillsecure remotely manages some of our customers' stuff. I think security won't be off-shored for different reasons such as gov regulations and issues with other countries not understanding some of those regs and the fact that you might not be able to take legal action in a lot of different situations but those are different reasons than the ones you outlined.

    Maybe my demeanor comes across differently since I'm typing instead of talking in person but the purpose of my comments is not to refute your main point so much as to introduce a different perspective. I just like to look at all of the possibilities. It's not very likely but still possible and there's always that one business that's dumb enough to try it out at least once. You'd be surprised at the types of decisions some of these business executives make and a lot of times the technical people who try to talk some sense into them are completely ignored and their advice discredited.
  • W Stewart Member Posts: 794 ■■■■□□□□□□
    geek4god wrote: »
    NSA to cut system administrators by 90 percent to limit data access



    "What we're in the process of doing - not fast enough - is reducing our system administrators by about 90 percent," he said.



    If anybody in those positions were doing real sys admin work then it wouldn't be so easy to automate their jobs. In fact, a good part of a sys admin's job is writing the scripts to automate some of the more routine tasks which if anything just puts helpdesk out of work. That tells me that either the guys are only sys admins in title but not in responsibility or the NSA is very overstaffed and could have been doing more with less the whole time. That being said, I have heard that the government wastes a lot of money paying two people to do one person's job but that's usually because it's so hard to fire full time govt employees.
  • bobloblaw Member Posts: 228
    To the OP. Here's something short that I think tends to answer these types of questions:

    The single most common thing you will see in InfoSec is that no one ever started in InfoSec. Everyone always comes from another primary background (Sys admin, network engineer, dba, etc.). This could change in years to come, but no one is going to expect someone to perform a security audit/pen test of their Windows domain when that person hasn't run a Windows domain (same for auditing their network, unix systems, etc).
  • chickenlicken09 Member Posts: 537 ■■■■□□□□□□
    Hey, thought this thread would be most suitable for my question. How do/did you guys make a sys admin cv look like a security cv?
    e.g. I recently applied for a technology risk analyst role and was told I didn't have enough security experience. I understand as I work in a sys admin role but is it a case of having specifics like the below on your cv to get to interview stage? Granted I didn't have these on it when I applied for the job but as a sys admin I have performed these tasks. Perhaps I didn't tailor my cv enough. Opinions?

    - Enforce security policies throughout the network.
    - Implement access controls over the network.
    - System hardening
    - Strong technical skills across infrastructure and security.
    - Strong knowledge of I.T security principles.
  • NetworkNewb Member Posts: 3,298 ■■■■■■■■■□
    eddo1 wrote: »
    Hey, thought this thread would be most suitable for my question. How do/did you guys make a sys admin cv look like a security cv?
    e.g. I recently applied for a technology risk analyst role and was told I didn't have enough security experience. I understand as I work in a sys admin role but is it a case of having specifics like the below on your cv to get to interview stage? Granted I didn't have these on it when I applied for the job but as a sys admin I have performed these tasks. Perhaps I didn't tailor my cv enough. Opinions?

    - Enforce security policies throughout the network.
    - Implement access controls over the network.
    - System hardening
    - Strong technical skills across infrastructure and security.
    - Strong knowledge of I.T security principles.

    More terms to get past HR....
    - Risk management
    - Firewall administration
    - Vulnerability assessment
    - Policy development
  • chickenlicken09 Member Posts: 537 ■■■■□□□□□□
    Yes, I need to throw these down on my cv.
  • chickenlicken09 Member Posts: 537 ■■■■□□□□□□
    Can anyone else offer advice on what should be on my cv for a typical "security analyst" or "information security analyst" role?
  • Danielm7 Member Posts: 2,310 ■■■■■■■■□□
    eddo1 wrote: »
    Can anyone else offer advice on what should be on my cv for a typical "security analyst" or "information security analyst" role?

    I made the same swap from sysadmin to security. I played up the security tasks as an earlier poster mentioned. Really stressed the idea that while I might not have used their specific software, anyone can learn software, I understood the fundamentals and how all the systems connected and worked together. If you haven't been in security specifically you can't just write a 100% security resume as it wouldn't be real, but just try to emphasize the security that you have done.