Why IT design skills are important, and how to measure them
February 29, 2008
The comments on my earlier post about the MS Security Design exam 70-298 prompted me to add some more general thoughts.
I agree with the comment made that the design exams do generally seem easier in some respects than the straight technical ones, as you don’t need to know the same level of detail of exactly how to do something in terms of making choices in a dialogue box.
On the other hand, the MS design exams do expect you to be able to take in, digest and interpret a load of business and technical requirements (some of the latter may only be implied from the former, some will be explicitly stated). The breadth of this is where the challenge lies in the real world, although the exam will often lead you in the right direction, rather than giving you a blank sheet of paper on which to write an IT security plan. The nature of a computer-based exam does not lend itself to open questions; it would be very hard to make any kind of meaningful sense out of your answer to “How would you improve the security of the data for this organisation? (answer in no more than 200 words)”.
The other difference between this sort of exam and a real-world scenario is that, in order to ensure there is a completely correct answer, the requirements do not conflict. Sometimes one requirement might “trump” another, but will never directly oppose it. You won’t have the CEO saying that staff must not be required to carry anything for two-factor authentication while the CIO says all data must be encrypted and secured using smartcards. The reality of business is that overcoming these sorts of conflicts is often the first hurdle for an IT manager to address through listening, discussion, understanding and education.
From a hardcore, old-school, hands-on technical point of view, this exam is not particularly challenging. It is really easy to say “just build a PKI infrastructure with subordinate CAs on every site, auto-enrol machines using Group Policy and then use IPSec to manage all access to secure data” – actually implementing such a plan is a bit more than an afternoon’s work, though!
Seeing the whole picture, understanding which bits of provided information are important and which less so, and knowing what can be done technically to address the needs is a different type of skill than the attention to detail needed for the technical exams. Much of this is learnt through experience, rather than from books. Reading widely around the subject at hand (security in this case, or Active Directory or Exchange design at enterprise level for those exams) and getting a feel for it from others is just as important.
In some ways, this design exam is a more realistic measure of your real ability to do this type of work than some of the technical exams. How many times have you had to learn some detail for an exam (such as the switches available for some command line tool), knowing that you have almost zero chance of ever needing that particular fact in your environment, and that if you ever did you would be able to look it up in minutes (most probably with a simple /?)? Knowing that the tool exists, and the situations where it is used, should be enough, and there seem to be too few exams which acknowledge this.
This learning of detail for its own sake is the reason why for me the 70-270 XP exam was one of the hardest to learn for. I have never done, and very likely never will do, an unattended (scripted) installation of Windows XP. I have used sysprep many times, creating “gold images” for cloning using tools such as Ghost, but never written an unattend.txt file. Yet for the exam I had to learn all the switches, what the files were called and where they were saved, and which one “won” if their configurations conflicted. To me, understanding the benefits and weaknesses of a variety of deployment methods is more important – Should I be cloning? Using RIS? Writing unattend files and creating bootable install media? What advantages does Ghost multicast have over RIS? What disadvantages? How about SMS or SCCM? If I decide to use unattended installation, I can easily use reference books and internet resources to get the detail of how it is done. Knowing it is the right tool to use in the first place seems to me the bigger challenge.
In the end, I believe the design and technical exams share the same separation of skills as those of an architect and a builder. The architect needs to understand the building methods available and the benefits and limitations of them in order to be able to choose the appropriate ones for the required design to fit the customer brief, from a two-bedroom house to a skyscraper or shopping mall. In doing so he will need to have some awareness of a whole range of trades such as building, plumbing, glazing, insulation, as well as understanding wider issues such as planning and environmental regulations. A builder has to implement the design through a deeper working knowledge and experience of actually laying bricks, pouring concrete or fitting steel structures together. A good builder will also be able to see the bigger picture and offer alternatives if his experience tells him that a better choice exists. The builder may also need to have some feel for where the plumbing will go or how the roof will be attached, but would not be expected to install the heating system or wire the alarms.
An IT team needs good builders, but without an architect who also understands the bigger picture, they will never get successful end-results, and somehow you have to be able to identify who has these skills and who does not.