Tuesday, May 20, 2008

Should Administrators be licensed?

We live in a world where there are licenses and certifications required to do just about anything. I carry around 5 or 6 every day, but none of them for IT.

While we have professional certifications in the IT business, we have few requirements for having and using Admin rights on servers and end-user workstations. With data leakage becoming more of an issue every day, it would seem appropriate that Admin rights come with a requirement to be licensed to use them. While nine out of every 10 people you ask will tell you that data leakage is centered around non-malicious activities, it is the one in 10, the malicious one, that is the most damaging and costly. It is usually pulled off with help from inside the enterprise and it is usually someone that has admin access rights. Doesn't it make sense that we know who we are giving these rights to, and then require them to be bonded to do their job?

I am not into burdening people unnecessarily, but we have gotten to the point in IT where it would make some sense to stand up and say to everyone who entrusts personal data to us "You can trust me to do the right thing." Don't want to be required to have your background checked and live up to a professional code of ethics? Give up your admin rights then.

Enterprises are being required to spend millions of dollars on software- and appliance-based security tools to prevent data leakage and other malicious activities. Those costs are being passed on to all of us as consumers with little being provided in return. Perhaps we can offer some additional value to the equation.

2 comments:

Mike Doyle said...

Interesting idea.

I think that to a degree this is happening through certifications. Companies are looking for certifications in key I.T. specialties and, in turn, employees (or potential employees) are "getting certified". Some certifications are increasingly required (e.g. CISSP in Security, PMP in Project Management).

Personally I believe these are good trends both for companies and for employees.

aic said...

I think that professional certifications are a good thing so long as the certification process has some teeth to it. One of the main issues around this concerns the licensing or certification authority and the requirements surrounding it. You need to ensure that there is a valid method of vetting the administrators.

CISSP requires that you have worked in the field for a number of years before taking the exam. Microsoft certifications are available to anyone who can read a book and pass a test with no practical experience. Both are "certifications" but I would have more faith in the abilities of the CISSP professional.

As an employer, would you rather have someone with 15 years of experience and no certification or someone with one year of experience who is "certified"? I think that in many cases, merely passing an exam doesn't qualify someone to be an expert in an area.