One of my clients was looking for a new security administrator and asked me what characteristics I would look for if I were doing the hiring. I'll bet that many of you conjure up a picture of a rather nerdy, very paranoid, non-risk-taking person who takes great joy in telling people, "No! That's against our security policy!" I'll admit that I've met some security administrators who actually do resemble that person. But is that what I look for when hiring a security administrator? Not exactly. The following is a discussion of the characteristics I look for.
Has Security Expertise
If a person has experience in OS/400 security, that's a tremendous advantage, but what is more important is that the person be grounded in security principles and concepts and understand their importance. One example is the concept of "least privilege"--that is, giving users only the capabilities required and access only to the applications they need to perform their job duties. Security administrators need to understand security terminology such as identification, authentication, and authorization. They need to understand and appreciate why auditing is important. I would rather hire someone who is well-versed in general security principles and concepts and has no OS/400 experience than someone who knows OS/400 security features but understands none of the general security principles. People who are well-grounded in security principles can always learn the specifics of implementing those principles on OS/400.
If you are looking for a career change and have no security experience, I suggest that you study the basic security principles. The IBM iSeries Information Center has general security information under the Security -> Basic Security topic.
Enjoys Investigation Work
Several aspects of the security administrator role involve investigation. Sometimes, especially when a company is tightening its security implementation, an error occurs, and the security administrator has to be willing and able to dig through audit journal entries and job logs, cross-referencing the iSeries Security Reference manual and other reference material to determine the cause of the error and the appropriate fix. Steer clear of the security administrator who hates investigation and wants to always take the easy way out. This administrator might give users *ALLOBJ special authority to avoid future security issues or change the *PUBLIC authority of all objects on the system to *ALL so the "jobs will run and I won't get called in the middle of the night."*
* Actual quote from a former administrator. Note that I said "former."
Has a Good Sense of "Smell"
A good security administrator knows how to apply the old saying "If something smells fishy, it probably is." Administrators need to have a "sense" or "feeling" that tells them that a situation needs further investigation or a request doesn't sound "right" or the details of a report don't make sense. A security administrator who takes everything at face value and never asks questions is not an administrator I want on my staff.
Is Willing to Stick to Corporate Policy
A security administrator has to be familiar with the corporate security policy and be willing to comply with it as well as understand its implications for his or her job. For example, if the policy states that requests for new user access must have the area manager's signature, the security administrator must be willing to follow that procedure and not circumvent it--even for friends.
Also, the administrator must be willing to not be swayed by external influences. I heard of an administrator who did not follow the policy for allowing programmers access to the production system. He allowed the programmer to request access via a phone call rather than a management-approved email form because "her voice didn't sound like she had evil intent." The programmer received access to the production system and subsequently introduced a severe performance issue. Did she intend to do evil on the production system? Probably not. But whether the intent was there or not, "evil"--that is, a performance issue--was introduced because the administrator was coerced by the sound of the programmer's voice.
Doesn't Have to Be Popular
If a person's self-worth is fed by being popular, then that person is not cut out to be a security administrator. Face it, taking a stance on security--as many administrators must do--often does not win popularity points with end users and certainly not with programmers. Security administrators have to say no to many requests, deny access to files containing sensitive data, and tell people they cannot have as much power as they are asking for. I remember walking through one of the IBM Rochester Labs feeling as though I had a big target painted on my blouse. And since it was deer hunting season at the time, it was not a good feeling! We were imposing a rather stringent policy that affected how OS/400 programmers were going to have to write programs, and it wasn't a popular policy. I had to take satisfaction in knowing that my team and I were doing the right thing. Had my sense of self-worth been fed by popularity points, I would have starved to death.
Is Willing to Learn
The field of security is rapidly evolving. New technology, new regulations, and new threats appear almost daily. Someone who wants to implement a security solution and sit on it--rather than re-evaluate the solution on a regular basis and evolve it as new technology permits--is quickly going to be behind. Numerous avenues exist for staying current: newsletters, magazines, Web sites, and formal courses. Whether the administrator's preference is to subscribe to technical publications or to research specific topics or to sit in a classroom, the information is available to keep a security administrator technically up-to-date. If a person is not willing to learn and stay abreast of current issues, security administration is not the profession to pursue.
Wants to Be Proactive
Security administrators must be willing to keep up with current issues and take proactive measures to ensure that their organization is protected and is in compliance with new laws or regulations well before a compliance deadline. I worked with another (former) security administrator who ignored my warnings that steps needed to be taken to secure the company's files containing private data. Because of this administrator's inactivity and unwillingness to learn and keep current, the organization is now scrambling to get its security implementation into compliance.
Huge amounts of money can be saved by taking proactive steps. Think how much is saved by taking a proactive Anti-Virus (AV) stance rather than taking action after the virus has spread throughout the corporation. Keeping current with the latest security issues and taking mitigating steps is far more appropriate than waiting until the problem has affected your system.
Best Traits
I've mentioned characteristics such as security expertise and a willingness to not be "popular." However, in my opinion, the most important characteristics are a willing spirit and an investigative nature. Someone with a willing spirit will overcome a lack of security knowledge by digging into every resource possible to gain the necessary knowledge. Someone who is willing to investigate--better yet, enjoys investigation--can be taught what to look for.
Carol Woodbury is co-founder of SkyView Partners, a firm specializing in security consulting and services and offering the recently released software, SkyView Risk Assessor for OS/400. Carol has over 13 years in the security industry, 10 of those working for IBM's Enterprise Server Group as the AS/400 Security Architect and Chief Engineering Manager of Security Technology. Look for Carol's second book, Experts' Guide to OS/400 Security, to be released early next year. Carol can be reached at
Carol Woodbury is IBM i Security SME and Senior Advisor to Kisco Systems, a firm focused on providing IBM i security solutions. Carol has over 30 years’ experience with IBM i security, starting her career as Security Team Leader and Chief Engineering Manager for iSeries Security at IBM in Rochester, MN. Since leaving IBM, she has co-founded two companies: SkyView Partners and DXR Security. Her practical experience and her intimate knowledge of the system combine for a unique viewpoint and experience level that cannot be matched.
Carol is known worldwide as an author and award-winning speaker on security technology, specializing in IBM i security topics. She has written seven books on IBM i security, including her two current books, IBM i Security Administration and Compliance, 3rd Edition and Mastering IBM i Security, A Modern, Step-by-Step Approach. Carol has been named an IBM Champion since 2018 and holds her CISSP and CRISC security certifications.
MC Press books written by Carol Woodbury available now on the MC Press Bookstore.
 |
||
 |
|
IBM i Security Administration and Compliance: Third Edition Don't miss the newest edition by the industry’s #1 IBM i security expert. List Price $71.95 Now On Sale
|
 |
|
Mastering IBM i Security Get the must-have guide by the industry’s #1 security authority. List Price $49.95 Now On Sale
|
More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.
TRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now! Request Now.
Forms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.
Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:
Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.
IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn:
LATEST COMMENTS
MC Press Online