By Don Eijndhoven
The ever ongoing debate about quality IT staff once again received a nudge, this time by an article of J.Oquendo.
In his article he takes another brutally honest stab at the Industry by pointing out that the new Shady RAT attacks aren't that new and would have been easily caught by capable personnel.
I agree with that view very strongly and would also like to point out that Shady RAT is really no different than Night Dragon in that both attack waves used techniques that have been known for a decade or more. Obviously someone is asleep at the wheel, but who?
In several articles I've seen about this topic, I have seen in-depth descriptions of the observed failures of the staff itself as well as the certifications that should have tested their skills.
These seem to me to be symptoms rather than a cause, and one that I don't see in many other industries.
Most industries have some kind of self-correcting function built in. In the Medical profession there is a Medical Board that reviews its members and is able to punish shoddy work.
Lawyers can be disbarred by the Bar Association in their district. A bad carpenter may well find himself nailed upside-down to a wall if he doesn't pull his weight during a large construction project. All of these are examples of Peer Review. What makes the IT industry so different?
Two major differences immediately came to mind:
- Cost of mistakes are hard to quantify (or even detect) in IT and;
- Line- and Project management are much less skilled in IT than other industries are in theirs.
Cost of mistakes are hard to detect and quantify
Compared to other industries, mistakes made by IT personnel aren't always obvious. Systems may keep on working and may even work properly when its poorly configured. If a system does crash, its often very hard to quantify exactly how much damage there is and what it has cost the company.
If a surgeon makes a mistake, the effect is often immediate (e.g. a patient keels over). If a construction worker makes a mistake, a building may collapse. In either case a problem is usually clearly visibly detectable and peer review takes place. Lack of visibility and immediate effects inhibit such peer review in the IT industry.
Line- and Project Management personnel are not sufficiently skilled in IT to manage its staff
The fact that IT is still somewhat of an ethereal topic to most people is reflected in the poor choices made when hiring management personnel. You wouldn't believe how often I've heard it said that 'IT managers don't need to know IT, they just need to manage the people'. This is just plain wrong.
Yes they need to be skilled in managing people, but they also have to make regular professional judgement of the quality of work provided by the staff they are managing. Virtually every other profession does this better than we in the IT industry.
I believe this has a lot to do with the fact that there are less IT-savvy managers to begin with and so management accepts second-best as its defacto standard. There also seems to be less promotion from the ranks than in other industries.
Maybe the stigma of IT personnel having less social skills (think Geek or Nerd) has its part in this problem, I don't know and wouldn't care to judge its veracity. What is evident is that there aren't nearly as many well-educated (in IT!) CIO's as we should have.
We need those proper CIO's to hire proper IT managers, who in turn hire proper personnel instead of the pseudo-specialists that are so often the topic of negative discussion.
Of course you could say that its up to the IT professionals to get themselves skilled, but we've tried that and it doesn't work. And why would they? Many of them skate by excellently with a minimum of effort because of that 'peoplemanager' with the bachelor degree in napkin folding you thought would do just fine (and wasn't he cheap!).
As an organization, try the following:
- Stop assuming that 'any bachelor/master degree' will suffice for an IT position. The higher up the manager is going to be, the more skill you can ask for the position. That includes the CIO position! Although their knowledge has to be scoped broader, it must still be present and relevant.
- Promote from the ranks where possible. The pecking order in an IT department is established fairly quickly and its almost always based on skill and knowledge. Leverage that information in getting the right people promoted. If you choose right, they'll be perfectly capable of hiring their own replacement.
- When hiring technical personnel, have each applicant vetted by your best tech(s), even if it is a contractor. Listen to their advice.
- Don't let certifications dazzle you. Many certifications don't mean much anyway. Look to match certifications with practical experience and you'll fare better.
- Remember: If you pay peanuts, you'll get monkeys. If you don't have money, find other ways to entice new personnel such as exciting projects or nice perks.
- Recruiting agencies often play it fast and loose with matching your needs to their staff. Don't assume their personnel is any better - verify! Remember: You're paying a premium and deserve quality. Ask them about the training their staff receives. If they're any good, it should be at least a periodically recurring thing. I know companies that demand an x-amount of study a year per employee.
Cross-posted from ArgentConsulting.nl