McAfee Secure

Technical Management

Exam: CISSP - Certified Information Systems Security Professional

Technical Management
Most variations are simply tweaks in the semantics; a different selection of words to be precise or as vague as needed, depending upon the level of detail presented. Rather than adding yet another definition to the fray, let us explore what can be inferred from the name.

Management means to direct resources. Resources, also referred to as assets, are comprised of people, money, time, and tangible things. A manager must ensure that all the resources combine in concert with one another to reach specified goals. In effect, the manager is a conductor of an orchestra in which each instrument has a unique role, yet depends upon the others to create the desired sound. Individual instruments enter the composition at different times, or play different notes or rhythms.

Each has a job to do, and coordination and timing are essential. If an instrument plays at the wrong moment, the entire audience knows it and finds it detracting, although it could be reasoned as statistically inconsequential (hey, the other 8000 notes were played correctly). Likewise, if the users of a completed information system cannot open their documents, there is no sympathy for the level of complexity or demonstrated technical marvel. A seemingly small oversight can completely derail success. But, if done correctly, the orchestra bows to a standing ovation. Unfortunately, the successful management of a project rarely ends in joyous, emotional applause, particularly if security is the key function being managed. Instead, there may be an endless number of critics stating how it could have been done just a bit better. Although every user is not an expert, it is the comments from all that ensure progress is never ending and improvements are continually made. If you want to be a technical manager for fame and public recognition, you may want to rethink your future. Public recognition of technical managers usually stems from major problems of a project or when security has failed. How many have seen the faces of NASA engineers behind the countless success stories of American space exploration? Yet compare that with how many times we saw the NASA managers explaining themselves on television after the shuttle disasters. That is the risk of technical management and the challenge before you as Information Systems Security Engineering Professionals (ISSEPs) - getting it right when the definition of "right" is very illusive.

A conductor follows a prewritten score, often composed and arranged by others. The conductor assures everyone knows his or her part, each instrument is in tune, and every note is played on time. This perfection is achieved largely through rehearsal - endless repetition until the performance is just right. Unfortunately, this analogy does not translate well to the technical manager. By this time, the technical manager would be replaced and the luxury of rehearsal (that is, doing the project over again to get it right) is rarely possible. There are no dress rehearsals as such. If an IT project is poorly managed, it will be evident at show time. In contrast to an orchestra, one of the issues with security engineering is that the results of a poor performance may not be revealed at show time. It may take months or years before the consequences of poor security design are known. Lacking a crystal ball to the future, we must rely on a sensible, systematic approach to identify and address the risks. The Information Systems Security Engineering (ISSE) process is rigorous and thorough, and making it a reality can be a challenge, but without it, security becomes a "best-guess" endeavor.

People, money, time, and tangible assets are all requisite ingredients but they serve different purposes. Money and time are consumed by people who work with, or use, tangible assets. Directing these resources includes predicting what resources are required, planning how to make the best use of them, ensuring they are used as planned, and redirecting them when plans change or results differ from expectations. In essence, the manager plans, directs, and controls the resources. The methods in which they do this are called processes. A model is basically a recommended set of processes or methods - it becomes the roadmap of how to get to a destination.