One of my clients was looking for a new security administrator and asked me what characteristics I would look for if I were doing the hiring. I'll bet that many of you conjure up a picture of a rather nerdy, very paranoid, non-risk-taking person who takes great joy in telling people, "No! That's against our security policy!" I'll admit that I've met some security administrators who actually do resemble that person. But is that what I look for when hiring a security administrator? Not exactly. The following is a discussion of the characteristics I look for.
Has Security Expertise
If a person has experience in OS/400 security, that's a tremendous advantage, but what is more important is that the person be grounded in security principles and concepts and understand their importance. One example is the concept of "least privilege"--that is, giving users only the capabilities required and access only to the applications they need to perform their job duties. Security administrators need to understand security terminology such as identification, authentication, and authorization. They need to understand and appreciate why auditing is important. I would rather hire someone who is well-versed in general security principles and concepts and has no OS/400 experience than someone who knows OS/400 security features but understands none of the general security principles. People who are well-grounded in security principles can always learn the specifics of implementing those principles on OS/400.
If you are looking for a career change and have no security experience, I suggest that you study the basic security principles. The IBM iSeries Information Center has general security information under the Security -> Basic Security topic.
Enjoys Investigation Work
Several aspects of the security administrator role involve investigation. Sometimes, especially when a company is tightening its security implementation, an error occurs, and the security administrator has to be willing and able to dig through audit journal entries and job logs, cross-referencing the iSeries Security Reference manual and other reference material to determine the cause of the error and the appropriate fix. Steer clear of the security administrator who hates investigation and always wants to take the easy way out. This administrator might give users *ALLOBJ special authority to avoid future security issues or change the *PUBLIC authority of all objects on the system to *ALL so the "jobs will run and I won't get called in the middle of the night."*
* Actual quote from a former administrator. Note that I said "former."
Has a Good Sense of "Smell"
A good security administrator knows how to apply the old saying "If something smells fishy, it probably is." Administrators need to have a "sense" or "feeling" that tells them that a situation needs further investigation, that a request doesn't sound "right," or that the details of a report don't make sense. A security administrator who takes everything at face value and never asks questions is not an administrator I want on my staff.
Is Willing to Stick to Corporate Policy
A security administrator has to be familiar with the corporate security policy and be willing to comply with it as well as understand its implications for his or her job. For example, if the policy states that requests for new user access must have the area manager's signature, the security administrator must be willing to follow that procedure and not circumvent it--even for friends.
Also, the administrator must not be swayed by external influences. I heard of an administrator who did not follow the policy for allowing programmers access to the production system. He allowed the programmer to request access via a phone call rather than a management-approved email form because "her voice didn't sound like she had evil intent." The programmer received access to the production system and subsequently introduced a severe performance issue. Did she intend to do evil on the production system? Probably not. But whether the intent was there or not, "evil"--that is, a performance issue--was introduced because the administrator was swayed by the sound of the programmer's voice.
Doesn't Have to Be Popular
If a person's self-worth is fed by being popular, then that person is not cut out to be a security administrator. Face it, taking a stance on security--as many administrators must do--often does not win popularity points with end users and certainly not with programmers. Security administrators have to say no to many requests, deny access to files containing sensitive data, and tell people they cannot have as much power as they are asking for. I remember walking through one of the IBM Rochester Labs feeling as though I had a big target painted on my blouse. And since it was deer hunting season at the time, it was not a good feeling! We were imposing a rather stringent policy that affected how OS/400 programmers were going to have to write programs, and it wasn't a popular policy. I had to take satisfaction in knowing that my team and I were doing the right thing. Had my sense of self-worth been fed by popularity points, I would have starved to death.
Is Willing to Learn
The field of security is rapidly evolving. New technology, new regulations, and new threats appear almost daily. Someone who wants to implement a security solution and sit on it--rather than re-evaluate the solution on a regular basis and evolve it as new technology permits--is quickly going to be behind. Numerous avenues exist for staying current: newsletters, magazines, Web sites, and formal courses. Whether the administrator's preference is to subscribe to technical publications or to research specific topics or to sit in a classroom, the information is available to keep a security administrator technically up-to-date. If a person is not willing to learn and stay abreast of current issues, security administration is not the profession to pursue.
Wants to Be Proactive
Security administrators must be willing to keep up with current issues and take proactive measures to ensure that their organization is protected and is in compliance with new laws or regulations well before a compliance deadline. I worked with another (former) security administrator who ignored my warnings that steps needed to be taken to secure the company's files containing private data. Because of this administrator's inactivity and unwillingness to learn and keep current, the organization is now scrambling to get its security implementation into compliance.
Huge amounts of money can be saved by taking proactive steps. Think how much is saved by taking a proactive Anti-Virus (AV) stance rather than taking action after the virus has spread throughout the corporation. Keeping current with the latest security issues and taking mitigating steps is far more appropriate than waiting until the problem has affected your system.
I've mentioned characteristics such as security expertise and a willingness to not be "popular." However, in my opinion, the most important characteristics are a willing spirit and an investigative nature. Someone with a willing spirit will overcome a lack of security knowledge by digging into every resource possible to gain the necessary knowledge. Someone who is willing to investigate--better yet, enjoys investigation--can be taught what to look for.
Carol Woodbury is co-founder of SkyView Partners, a firm specializing in security consulting and services and offering the recently released software, SkyView Risk Assessor for OS/400. Carol has over 13 years in the security industry, 10 of those working for IBM's Enterprise Server Group as the AS/400 Security Architect and Chief Engineering Manager of Security Technology. Look for Carol's second book, Experts' Guide to OS/400 Security, to be released early next year. Carol can be reached at email@example.com.