Tuesday, May 02, 2006

More Unrealistic Expectations from CIOs

I found another article containing unrealistic expectations for IT staff. It's in the 1 May 2006 issue of CIO Magazine, titled The Postmodern Manifesto. It begins this way:

The service-fulfillment model for IT is dying. A new philosophy of innovation and productivity is being born. Here’s what CIOs need to do to usher in a new age of IT.

Excuse me? IT as a service is already dying? I know plenty of shops who are only now jumping on the service bandwagon. I guess magazines like CIO have an incentive to write about whatever they consider to be "new," since people want to stay "on the edge." Let's see what advice this article provides.

The Postmodern IT Department will be smaller, more distributed and dependent on a tightly integrated supply chain of vendors. It will be in desperate need of multitalented specialists who have in-depth technology knowledge but who can also create new products and capabilities that businesspeople might never have envisioned.

Yuck. "Postmodern" is a horrible name. What comes next -- PostPostmodern? Here's another buzzword -- "multitalented specialists". Let's hear more about this in the sidebar, The Unexpected Rise of the Multi-Specialist:

While CIOs increasingly demand that their programmers understand the business, they’re also asking for a deeper knowledge of new technologies.

While everyone agrees that IT needs generalists today, a more accurate term might be multi-specialists. Programmers who remain solely programmers will have to be highly specialized and extremely skilled to survive against international competition. Meanwhile, other jobs in IT will require at least a solid grounding in programming, along with a strong specialization in other skills, such as project management and business process (probably both).

Let me get this straight. IT people are expected to be technical experts and business experts? We're supposed to "have in-depth technology knowledge" and simultaneously "create new products and capabilities"?

This attitude really bugs me:

"You can’t say, ‘I can manage but I can’t do,’" says Verizon CIO Shaygan Kheradpir.

Is that true, Mr. Kheradpir? As a CIO you obviously manage. Why don't you try configuring routers or firewalls for a day? How about analyzing security events or writing new Snort rules? Incidentally, you'll have to learn the new Snort rule language to do that. Can't do it? You give up? So sorry!

I think the people who write these articles and the CIOs who feed these unrealistic expectations should remember Adam Smith and his ideas of division of labor. You cannot expect someone, especially in IT, to be an expert in everything. "Multitalented specialists" is another term for "someone who can do the job of two or more people, allowing me to further cut my IT staff."

I spend almost all of my professional time staying current on issues involving network security monitoring, and I struggle like everyone else to make sense of the new threats, vulnerabilities, and assets which comprise the risk equation. I am happy to encounter a person who is at least competent in one specialty, and I am suspicious of those who claim expert knowledge of several areas simultaneously.

Incidentally, I briefly mentioned this same problem in January.


foQ said...

We seem to have a hard enough time finding SINGLYtalented specialists. That isn't to say we don't have some very talented folks here, but not enough. Now everyone is supposed to be a talented specialist in another area, as well? Double the pay, right? If not, see Adam Smith again and the invisible hand. The invisible hand with visible money somewhere else.

Anonymous said...

Multi-talented - yeah my favorite is job vacancy listings - they want someone to write apps, run the network, maintain file/print servers, be the DBA, and monitor the IDS....

They want a whole team of people, not just one person. Oh yeah, they also want to pay you $75k/yr in a major metro area.

PS I bet that Verizon guy couldn't tell you the first thing on how a router determines to forward an IP packet or what is found in an IP header. He manages, but does not DO any technical work.

jbmoore said...

Same crap they put out after the dot.bomb - wanted system administrator and DBA. Of course, I saw worse job ads for bioinformatics postdoc - must have Ph.D. in molecular biology with one specialty area, a B.S. in Computer Science or equivalent, knowledge of Perl, C, C++, and/or Java. Oracle or Microsoft SQL Server also preferred. Salary range: $20,000/yr. This was around 1996. Industry is easier, yet, it's starting to get crazy here as well.

Anonymous said...

As a newbie, I conjecture that we'll continue to see this attitude rise up a bit before the IT group naturally, and subtly backlashes against it and it resubsides. I think this is natural because for most companies, IT is not a profit-center. It is a place where profits get sunk in order to support the infrastructure of the company. It's a cost, and what do companies want to do with costs? Reduce them, of course. This ties into asking too much and having one person do the job of two people...those are concepts and phrases you hear passed around at managerial meetings to make everyone feel better...even if it means more stress and lower quality by the people down the stream. I think we'll have to see more burn-out and unrealized expectations of these CIOs who believe this stuff...and then they'll hopefully settle down back into the real world.


Anonymous said...

The article is a typical management rag pontification, but having a broad range of knowledge and at least some outside of your immediate specialization is vital. I'd be suspicious of a "security expert" who could describe a buffer overflow, cross side scripting or an SQL injection but couldn't code examples of each.

A developer should have some project management and team leader skills. Likewise someone managing a team of developers should be able to code, at least to the level of a junior developer. Ideally everyone should at least have played around with the things people they interact with do... graphics design, system administration, documentation, security.

Obviously "multi-specialist" is a contradiction. You can only specialize in one thing, especially in rapidly changing technical fields. But being an expert shouldn't permit you to be utterly oblivious to every other aspect of the company.

Google encourages employees to spend 20% of their time on side projects to broaden their knowledge. Some companies have cross training programs.

Sadly there are plenty of CEOs who expect staff to have multiple skills or at least awareness but expect employees to accumulate it by magic. If a company really wants staff with broad skills they should set up programs and policies that help develop it.

010101 said...

You're witnessing a fashionable corporate mindset: IT is no longer an influencer of business strategy at the senior executive level but a 'necessary' G & A cost center and it is in vogue to maximize profit margin by continuing to reduce the operating expense of IT. As a result, executive strategists and bean counters are peddling the notion of the new IT hybrid - the Queen on the technology chess board who can move in all directions. While the mindset maximizes ROI, it minimizes technology innovation.

The root issue is that many CEOs and CFOs have little technology acumen and view IT service the same way they view dial tone - 'it's just there.' It is something expected without truly understanding the logistics of how the service is implemented, supported, or maintained.

Ultimately, the CIO's role is being marginalized from one who translates strategy into technology to that of a garcon asked to serve an abundance of technology.

Richard Bejtlich said...

Anonymous -- it's cross-site scripting, not "side." I don't think coding is as important as you consider it, unless security programming is your job. Automation, yes. Security development, not so much.

JimmytheGeek said...

This kind of untechnical technical rag is why I drastically limit my subscriptions, even if they would be free. They cost time to recycle!

Typical template:

Get article proposal approved on $Buzzword.

Collect quotes from various people who assert that $Buzzword is vital.

Collect quotes from various people who assert that $Buzzword is overrated.

Collate and slant towards vital.

Submit article proposal on $Buzzword++

Anonymous said...


(yes... cross site scripting. Thanks for pointing out my typo)

Regarding ability to code... how can you protect what you don't understand? I wasn't thinking of actually developing security apps, but rather being familiar with the languages the things we're supposed to be protecting are written in. Same for platforms. How can someone detect or prevent an SQL injection attack when they don't have at least a basic ability in SQL? How would you know that the string "eval(" in a form being submitted to a Perl or PHP app is suspicious without having gotten close to those languages?

With the new snort syntax, it looks like folks with experience in C have an advantage. But those who don't but do have a knowledge of variables, flow control, and boolean arithmetic will be able to pick it up pretty quick.

With a background in fundamentals you can understand root causes, maybe even write or adapt a few proof of concepts to get a better understanding of a particular vulnerability. For detection, maybe that allows you to write a more generic snort rule rather than one that only identifies one specific PoC, or write a more accurate one that gets fewer false positives.

From another perspective, apps have so many vulnerabilities largely because too many developers only know variables, flow control, and boolean arithmetic. How many web app vulnerabilities are the direct result of the coder not understanding that HTML forms can be edited on the client side or that "../../" means something special to Unix?

The article's idea of multi-specialists is absurd, but having an understanding and some ability in multiple fields... IMHO not so much.

Anonymous said...


Do CIOs read CIO?

If I want to read gibberish about the new agile organization, based on nothing but anecdotes, I'll subscribe to the Harvard Business Review.

Don't work yourself up over it.