Time
2 hours 39 minutes
Difficulty
Beginner
CEU/CPE
2

Video Transcription

00:00
Welcome back to the Asset Security course. In this lesson I'm going to talk about
00:05
a comparison between the role-based and the task-based approach to asset security, and to security in general.
00:18
In this video, I will talk in detail about tasks: what tasks IT security and the IT department have to do,
00:25
then about the people performing the tasks (and I'm talking not about roles but about actual people and how they behave), and I'm going to talk about the differences between the specialist and the generalist approach.
00:40
I mentioned this before when I talked about the SOC team's tasks. So the task of IT security in general, apart from following the regulations and the legal requirements, is to analyze risks
00:54
and to propose suitable solutions: for example, to secure the network from outside and inside attacks, to secure storage, to secure endpoint devices.
01:04
And each of these general tasks has a division of sub-tasks below it.
01:11
So this is what IT security does,
01:15
and IT, on the other hand, has to make sure that IT equipment supports the business in the best possible way.
01:23
And when it comes to security,
01:25
it has to implement the security solutions proposed by IT security specialists or the SOC team.
01:33
So sometimes you have the case that the SOC team is actually part of IT and not of IT security, and IT security is just there to deal with regulatory requirements.
01:44
And then the SOC team works for the IT officer, the chief information officer, whatever, which is not good. But
01:55
sometimes it's simply set up like that. Sometimes companies grow organically, and these functions just end up placed that way. And if they are not pushed to do it in a different way by some regulatory body,
02:14
they usually do it like that.
02:16
What is the problem of this?
02:21
IT security usually proposes solutions, but the execution of the solutions is done by IT.
02:28
And here's an example. Imagine you have a conference room,
02:31
and in that conference room you only have to put power sockets on the wall.
02:38
And I'm the person in charge of the layout of that
02:43
room, and I'm saying: okay, I need these three sockets in these three positions on the wall. I need them for, I don't know, people plugging things in; in the future I need to plug in some plasma screen or a large 60-inch TFT screen so people can look at it.
03:00
And also, if people come with their notebooks, so they can plug in their notebooks, whatever.
03:06
And then I give the execution of it to somebody else,
03:12
and the logical way to do it would be this:
03:15
if the arrow is showing the
03:19
point in the room where the power cable is coming in from the outside,
03:23
then I make a horizontal distribution close to the ceiling, and I put three verticals going to each socket. This is how it should be done.
03:34
But what happens if somebody does something like this
03:38
because they have budget constraints and want to save cable?
03:43
This definitely uses less cable than doing it with a horizontal and three verticals.
03:47
So it should work
03:53
unless somebody wants to put a whiteboard here,
03:58
which people usually do put in meeting rooms.
04:01
And then they have to drill a hole, or put a nail in the wall, to hang this whiteboard, and then they
04:12
put the hole through the cable. They cause a short circuit and everything has to be done from scratch.
04:19
So this is an example of how one's idea gets wrongly executed by somebody else who has different priorities. And this is the problem when you have different departments doing different jobs: unless you give them an exact, specific
04:39
way to execute it, they might execute it differently from what you intended. The problem is that if you do it in very much detail, then these people might get offended, because you're actually telling them how to do their job.
04:59
So let's switch to the whole idea of people performing tasks.
05:03
So hierarchical organizations tend to hire focused specialists,
05:09
and the biggest problem happens when, after some time, people advance in their
05:15
positions
05:16
and from focused specialists they
05:18
usually advance to a management role.
05:25
specialists are not
05:28
focused on seeing the big picture
05:30
or thinking outside the box, because their job is to focus on one task and to do it really well.
05:36
And then, in some point, these people might reach a position in which thinking outside the box
05:43
and finding new solutions
05:46
is their primary goal.
05:48
And then they fail, and I have seen that in reality, in practice, in actual company organizations many, many, many times.
06:00
So what do we have when we compare specialists versus generalists?
06:08
Specialists are usually excellent at performing their
06:13
role, but
06:15
they're usually average or below average when they have to do something else. For example, if you have a network administrator and he has to fill in for somebody who is doing
06:27
database management,
06:29
then,
06:30
because they're technical people, usually engineers, they know something about it, but they will not do it very well.
06:36
And they have low focus on problems outside
06:41
their jurisdiction. For example, if I'm a network administrator
06:45
and for whatever reason I need to focus on, I don't know, endpoint security, I will probably have low focus, because this is just an annoyance to me.
06:59
Even if I'm told by my manager to do it, I will not be able to focus on that
07:03
job very well.
07:05
Also, as I said, these people don't see the big picture.
07:11
On the other side, generalists are usually
07:15
assigned one role to do, and they're not doing it excellently, but they usually do it well, especially after some time,
07:23
but they're good at performing other roles. So if you have a team of four generalists and they're in charge of network administration and server maintenance and the operating systems on these servers,
07:40
they can interchange. They can do a really good job, not an excellent job, but a really good job, in any of these roles.
07:46
They have high focus on problems outside their jurisdiction, because their jurisdiction is actually
07:53
so broad. For example, if one of the generalists is now in charge of network administration, he can easily switch his focus to something else if the need arises,
08:03
and they are usually good at seeing the big picture.
08:07
So if you want to have an organization in which you are 100% sure whom to blame if something goes wrong, then the hierarchical structure is much better.
08:18
But if you need an organization in which people can adapt easily to the challenges of an ever-changing threat landscape, which in IT security and asset security is something that is happening all the time,
08:35
then it is much better to have teams of generalists and specialists who can even switch roles from time to time. For example, this month I'm handling the network or disk storage, and next quarter I will be handling some servers. Switching roles
08:52
can be done in many different organizational ways.
08:58
And I have seen this
09:01
generalist-based, task-based instead of role-based organization, especially in IT security, especially in medium-sized companies. And of course, if they're not in heavily regulated verticals like
09:18
health care or finance. So if you're in finance, then your structure is probably
09:26
and the way IT security is organized is probably defined by some regulatory body on a country level, and you have to follow their instructions. But if you are just a normal, ordinary manufacturing company that hires between 500 or 600
09:46
and 1000 people,
09:48
you have a much bigger incentive to organize your IT and IT security in a task-based instead of a role-based structure.
10:01
And then you are much more flexible and much better at adapting to the
10:09
changing threats.
10:13
So in this video you have learned what tasks the IT department and the IT security department have to perform,
10:26
how the people performing these tasks address their jobs,
10:33
and what the differences are between the specialist and the generalist
10:39
kind of expert in the company.

Up Next

Asset Security Fundamentals

As a cybersecurity professional, it's often your responsibility to set security standards for your organization. In the Asset Security Fundamentals course, you will identify what types of assets need protection and the job roles that are involved.

Instructed By

Milan Cetic
IT Security Consultant
Instructor