Tasks vs. Roles Part 1

00:00

Welcome back to us and Security course. And in this lesson I'm going to talk about

00:05

comparison between role based and task Bates. The approach to asset security and security. Security in general.

00:15

So, um,

00:18

in this video, I will talk in detail about tasks. What tasks? I t security and it's the partner. Have to do

00:25

where the people performing tasks. And I'm talking about not roles but actual people how they behave and going to talk about differences between specialist and generalist approach.

00:39

So,

00:40

um, I mentioned before, but I talk about this off, See, team that task. So I t security in general, except following the regulations and then the legal requirements is to analyze risks

00:54

and to propose a similar solution. So, for example, to secure network from outside and inside the text to security, to storage, to secure endpoint devices.

01:04

And each of these general task has ah division of tasks that go below.

01:11

So this is what I t security does,

01:15

and I D, on the other hand, has to make sure that I t equipment supports businesses in with possible way.

01:23

And when it comes to security,

01:25

it's ah to implement security solution provide proposed by I t secularists of C team.

01:33

So sometimes you have the test. Soc team is actually part off i t. And not I t security and 90 Security is just there to do with regulatory requirements.

01:44

And then S O C. Team works for I t officer, chief fight information officer, whatever, which is not good. But

01:55

sometimes it it's simply set up like that. Sometimes companies grow organically, and these functions just are going to be placed. And if they are not pushed to do that in a different way by some regulatory body,

02:14

they do it tight like that usually.

02:16

What is the problem of this?

02:19

Um,

02:21

I t security usually proposes solutions, but the execution of the solutions is done by 80.

02:28

And here's the example. Can you imagine? You have a conference room,

02:31

and in that conference you only have to put power sockets on the wall.

02:38

And I'm somebody who is in charge of layout of that

02:43

room, and I'm saying, Okay, I need thes three sockets on these three positions on the wall I needed for I don't know, people plugging. I need to plug their in the future some some plasma screen are large. 60 inch TFT screens of people can look at it.

03:00

And also, if people come with their notebooks so they can plug in there now books, whatever.

03:06

And then I give the execution of its to somebody else

03:12

and the logical way to do it with me, too.

03:15

If I were, the arrow is showing its the

03:19

point in the room where the cable is coming from power cables coming from the outside.

03:23

And then I make a horizontal distribution close to the ceiling, and I put three words. It goes to each suck it. This is how it should be done.

03:34

Uh, but what happens if somebody does something like this

03:38

because they have budget restraints and then work to save cable?

03:43

This is definitely spending less cable than to do it horizontally in three verticals.

03:47

So,

03:50

um,

03:52

it should work

03:53

unless somebody wants to put the white board here,

03:58

which people usually do put in in meeting rooms.

04:01

And then they have a drill a hole for, or put a nail in the in the wall to hang this whiteboard, and then they

04:12

put the hole in the cable. They cause a short circuit and everything has to be done from scratch.

04:19

So this is example how once idea gets wrongly executed by somebody else who has different priorities. And this is the problem when you have different departments sitting and doing different jobs, unless you give exactly specific

04:39

way for them to execute it, they might execute it differently than what you intended execution to be. The problem is that if you do it in very much detail than these guys might get offended or these people might get offended because you're actually telling them how to do their job.

04:59

So let's switch to the whole idea of people performing tasks.

05:03

So hierarchical organizations tend to hire folk with specialists,

05:09

and the biggest problem happens when, after sometime people advance in there

05:15

positions

05:16

and from Focus Specialist Day,

05:18

usually advancing to management role.

05:24

Um,

05:25

specialists are not

05:28

focused on seeing the big picture

05:30

or thinking outside the box because their job is to focus on one task and to do it to really well.

05:36

And then, in some point, these people might reach a position in which thinking outside the box

05:43

and finding new solutions

05:46

is, ah, their primary goal.

05:48

And then the fatal, and I have seen that in reality and practice in practical company organizations many, many, many times.

06:00

So what? What do we have when we put Compare specialists versus generalist

06:08

is that specialists are usually excellent in performing there.

06:13

They're all

06:15

they're usually average or below average when they have to do something else. For example, if you have the network administrator and then hey has to feeling somebody who is doing

06:27

database management,

06:29

they

06:30

because their technical people usually engineers, they know something about it. But they will not do it very well

06:36

when they have to focus on problems outside

06:41

their jurisdiction. For example, if I'm network administrator

06:45

and for whatever reason I need to focus on, I don't know endpoint security, I will probably have low focus because this is just the annoyance to

06:59

Even if I'm told by my manager to do it, I will. I will not be able to focus on that

07:03

job very well.

07:05

Also, as I said, these people don't see a big picture

07:11

on the other side. Generalists are usually

07:15

I signed one role to do, and they're not doing it excellent, but they usually do it good, especially after some time,

07:23

but they're good in performing other roles. So if you have a general, if you have a team of four generalised and they're in charge off network administration and server maintenance and operating system on these servers,

07:40

they can interchange. They could do really good job, not excellent job, but really good job in any of these roles.

07:46

They have high focus on problems outside their jurisdiction because their jurisdiction is actually

07:53

so. For example, if one of the generalised is now in charge of meta demonstration, he can easily switch their focus to something else if the need arises

08:03

and they usually are good and seeing big picture.

08:07

So if you want to have organization in which you are 100% sure who to blame if something goes wrong, then the hierarchical structure is much better.

08:18

But if you need them organization in which people can adapt easily to the challenges off ever changing threat landscape, which is united security and acid security, something that is happening all the time,

08:35

then it is much better. Toe have teams off generalists and specialists who can even speech rolls from time to time. For example, this month I'm handling the network, our disk water and next quarter I will be handling soap service, which rolls of

08:52

it can be done in much, many different organizational ways.

08:58

And I have seen this

09:01

generalised based task based instead of role based organization, especially 90 security, especially in medium sized companies. So on and off course, if if they're not in heavily regulated verticals like

09:18

health care or finance. So if you're in finance than your structure is probably,

09:24

um,

09:26

and the way organized, I think security is probably defined by some regulatory body on on on a country level, and you have to follow day their instructions. But if you are just the normal ordering ordinary manufacturing company who fire between 5 600

09:46

and 1000 people,

09:48

you're much more. You have much bigger incentive to organize your your I t and the already security in the past, based instead off role based structure.

10:01

And then you have your much more flexible and much better in adapting to the

10:09

changing threats.

10:13

So in this video you have learned, what are the tasks that I T department I t Security Department has to perform

10:26

and how the people performing these tasks can have how they address their jobs

10:33

and what are the differences between specialist and generalist