
Who Makes a Better Security Administrator Between Developers & System Administrators (SAs)? How Do We Upskill Them?

I recently conducted a LinkedIn poll with the following question: “Who makes better security administrators: software developers or SAs?” The following image shows the outcome:

SAs, rather than developers, were chosen by an overwhelming majority (40/49) as the better option for security administration.


Verdict

Many information technology (IT) professionals agree that both SAs and developers can become good security administrators. They further agree that both require extra training to close the skills gap for the role. Developers require extra effort in networking, operating system (OS) and application administration, whereas SAs need to bolster their database knowledge and learn general programming language structure, web applications and services, and scripting – coding-centric skills, so to speak.

This is not to say that security administrators are a special breed of professionals, or that they are higher in hierarchy than SAs and developers, but that their skillset has just recently been recognized by organizations and that it requires some expertise from both ends to execute properly.


We could debate whether security administration involves more tasks familiar to SAs than to their developer counterparts - something I agree with from experience, especially in on-premise settings of largely traditional organizations. Nevertheless, in the 4th industrial revolution (or Industry 4.0, as they call it), developers are increasingly doing tasks previously performed by SAs in public cloud deployments – I’ll try to solidify this statement in the “Developer Traits” section of this article.


To avoid further confusion, I think both can be trained to become security administrators with a balance of coding and infrastructure skills.

Please read the sections below to determine why I say so…


Role Definitions

Perhaps some would say the question was a bit biased, or some terms needed elaboration (or put into context) for respondents to give an objective response. For instance, while the developer role might be quite clear to many people, what do security and SAs actually do? Isn’t this the same role in some organizations? Well, regardless of these questions, it would suffice to note that all respondents were actually IT professionals and understand these dynamics – so it would be safe to say they understood exactly what I was asking.

Nevertheless, below are some definitions:

  • Security Administrator – “…is responsible for implementing and maintaining specific security network devices and software in the enterprise. These controls commonly include firewalls, an intrusion detection system (IDS), intrusion prevention system (IPS), antimalware, security proxies, data loss prevention, etc. A security administrator’s tasks commonly also include creating new system user accounts, implementing new security software, testing security patches and components, and issuing new passwords.” – CISSP Exam guide. This role is therefore one of the low level (but important) roles in security that largely configures and administers security controls dictated by higher level roles.
  • Systems Administrator (SA) – A number of NIST publications define this role as: “A person who manages a computer system, including its operating system and applications”. NIST also adds that SA responsibilities are similar to those of a network administrator – this is a common practice in many small and medium enterprises (SMEs).

Depending on the context or nature of your organization, these roles are either independent or combined. However, for highly regulated industries like banking and finance, it is advised to separate these roles for better segregation of duties. In fact, the CISSP guide mentions that these roles must be separated, with different reporting lines, so that security governance and reporting are not impaired.


Software developer – there are many definitions for this role, and quite frankly, among non-developers like me, it can be easily misunderstood. From some searches online, the best one I found was from bls.gov, and it states: “Software developers typically do the following: Analyze users' needs and then design, test, and develop software to meet those needs. Recommend software upgrades for customers' existing programs and systems. Design each piece of an application or system and plan how the pieces will work together.”

The definition sounds software engineer-esque, right? I think so; but what I really meant by “software developers” in the question, and I believe/hope it’s what my fellow professionals understood, is basically anyone who codes for a living.


Security Administration Requirements

What are the common/acceptable requirements that employers seek in security administrators? Below, I break them down into 2 categories: common/largely accepted and outrageous/extreme.


Common (Accepted) Requirements

From experience, I have not come across a gold standard for security administrator skills requirements. Many organizations, however, come up with different requirements that suit their context and scope. Some common ones include:

  • A bachelor’s degree in an information technology (IT)-related field
  • Some work experience in lower-level IT or cybersecurity jobs, e.g. service desk support, low-level systems administration, etc.

Outrageous Requirements

While organizations need qualified individuals to fill security positions, I believe that many job adverts overstate security administrator job descriptions and requirements, and quite frankly, some of them are outrageous. Some organizations rightly state many (or “outrageous”) requirements commensurate with their size, maturity and pay; however, many either do not understand what the role entails or are just using the wrong role name to post the job advert. Some outrageous requirements I have seen include, among many others:

  1. Must have professional security certifications like CISSP, CEH, CISM, etc – these are expensive certifications and you surely can’t expect a junior security administrator to have them.
  2. Must have at least 5 years’ experience in managing security – oh come on!
  3. Will develop IT policies, procedures, standards and guidelines – these are largely performed by high-level role holders (security managers, CISO, etc)
  4. Will plan, design and implement security controls – high level

Personally, I think low-level security roles do not require sophisticated qualifications. I believe in training and nurturing talent internally from a pool of interested IT personnel.


Developer Vs Systems Administrator Traits

What are the common traits observed/portrayed by the roles? Below are some traits by each role to help solidify the verdict above:


Developer Traits

Becoming a professional software developer takes years of practice to perfect. Developers have to learn many languages, depending on the organization or project being worked on, and be agile in terms of their adoption of new ideas, innovation or technology.

Their work also involves applying critical thinking on many occasions so they can code the right logic. This is not to say that SAs do not have to think when performing their duties; they just have more day-to-day repetitive tasks than developers.

Unfortunately for developers, many security configurations require knowledge of computer hardware, networking and operating systems (OS) – domains that SAs are familiar with. While coding requires knowing how to interact with, say, OS APIs, file/networking system manipulation, set up of development environments, etc, these are tasks that developers don’t do on a daily basis – setting up a dev environment may happen just once in a while, and the rest will be coding. This puts developers at a disadvantage when given assignments like firewall configuration, patch & vulnerability management, group policies, backup and recovery, etc.


Fortunately for developers, there is a growing trend of new forward-thinking, innovative and coding-based companies that largely use the cloud to host their systems, and employ a skeleton team of mostly developers – it is rare to find specialized SAs in these setups. One major advantage of the cloud is its ease of use – for instance, the abstraction of very low-level details of system configuration (e.g. networks, hardware, etc) that enables anyone to manage infrastructure using code, SDKs and templates. Also, new concepts driving digital transformation such as DevOps, containerization, big data, AI and machine learning are heavily or more efficiently deployed in the cloud, and more familiar to developers – one could argue that we may reach a time where cloud service models of platform as a service (PaaS) and Infrastructure as a Service (SaaS) become the norm and we never need to provision servers ourselves, thereby cutting out a number of tasks initially performed by SAs.


Systems Administrator Traits

Conversely, SAs have a strong background in administering networks, hardware, operating systems and applications. It is also common to find SAs managing databases and many other systems, as long as it does not involve coding – the one thing most SAs don’t want to do.


Traditionally, personnel in this role tend to be “averse to code” – as a colleague put it. So when an organization employs an SA, they may not get value in areas like source code review, APIs, databases, web application security, etc. Also, many system architectures still lack the proper orchestration or automation needed to power agile development that drives or speeds up innovation and growth agendas. The lack of, or meagre, scripting and coding skills common among system administrators could be one of the causes.


Common Traits

Have you ever tried to connect to an endpoint and realized a firewall is blocking the connection on a required port? How do you normally solve this problem? Well, if you simply turn off the firewall, then you’re not thinking like a security professional; but if you configure the firewall to allow the specific service/port while leaving the firewall active, then you’re the woman/man! Funnily enough, many SAs and developers will simply turn the firewall off.


Clearly, what’s common between developers and SAs is that they are not security-centric, and they require training. Developers may need to bolster their hardware, networking and OS knowledge, whereas systems administrators need to learn some general programming language structure, script a bit more, and gain database knowledge, among others. More importantly though, they both need to be trained to “think like security people”.


What we can agree on here is that the two roles are entirely different, and both require the right skilling and mindset change to turn them into security administrators.


David Kawaida is a technology enthusiast with expertise in on-premise and cloud infrastructure, security, risk and audit.


