12 April 2012

Keeping up in IT

by {"login"=>"averagesecurityguy", "email"=>"stephen@averagesecurityguy.info", "display_name"=>"averagesecurityguy", "first_name"=>"", "last_name"=>""}

The other day @jwgoerlich posted the following on twitter:

Forbes: 7 in 10 IT departments need to expand their skills base to keep up with cloud trends. http://onforb.es/HIXNQE

to which I replied:

Let me fix that-> 7 in 10 IT departments need to expand their skills base to keep up.

So the question arose, "What's the hold up on IT departments and skills development?". I don't have experience with large IT shops, so my opinion may be way off base (feel free to correct me in the comments) but I'll give it to you anyway.

IT departments are viewed as a cost center and the obvious thing to do is to cut costs by minimizing or eliminating training.
Most business owners do not realize how important IT is to their business and how important it is to maintain equipment and skill sets. I worked with a small community bank whose disaster recovery plan included processing transactions manually for two or three days until they could get the core system up and running. While this is an extreme case, it is obvious this bank was out of touch with the importance of IT and the IT budget reflected this.
It's 2012 and IT staff across the country still spend a large portion of their time teaching user basic computer skills and fixing problems that users should be able to solve on their own. By the time they finish training users and doing routine maintenance there is no time to spend on learning new skills. When I was a sysadmin, by the time 5:30 hit I was completely shot. I didn't want to go home and learn something new.
If a lack of budget and time were not enough, IT staff are forced to deal with technology that was once only available in large IT shops. Ten years ago the IT department had to know how to deal with Windows 2000, Windows XP, and Active Directory; an MCSE would take you a long way. Now the typical IT department is dealing with Server 2008, VMware, Linux, storage networks, and information security; an MCSE is only the beginning.

If we want our IT departments to expand their skills we need to recognize the importance of the IT department and the importance of training. We also need to expect every user to have a certain level of computer knowledge and troubleshooting skills.

I threw this together in a hurry so I hope it makes sense. Feel free to tell me I'm crazy in the comments.

tags: information security careers - infosec careers - thoughts