Root Causes 338: CLM and Your Career as an IT Professional

Hosted by

Tim Callan

Chief Compliance Officer

Jason Soroko

Fellow

Original broadcast date

October 23, 2023

In this follow up to our episode on CLM and the IT skills gap, we now discuss how CLM matters to individual IT professionals and can help progress careers and improve work life.

Podcast Transcript

Lightly edited for flow and brevity.

Tim CallanWe want to follow up. We very recently published an episode where we discussed certificate automation - Certificate Lifecycle Management - and the IT skills gap. And I think it would be fair to say that we tried to explore how managers of IT organizations with their certain pool of resources that they have and limits on those pools of resources can be thinking about certificate automation to enhance their overall company success and productivity. There’s another side to that coin that we didn’t get into because it was going to be too much for one episode but I think you and I were both keen on to follow up on it pretty quickly which is certificate automation or Certificate Lifecycle Management and your career as an IT professional. Right, Jason?

Jason SorokoExactly, Tim. We are talking right now to people who are in the field. You are probably a Linux Administrator, a Windows Server Administrator. You probably do a lot of tasks.

Things like certificate installations. You know, probably a tiny part of your job but they do take time and they are risky as all heck and you might be doing these certificate installations into intranet systems or even test systems and the scariest one of all, of course, if your main - - absolutely, your main webservers.

Which if those things go down or if they are misconfigured, it’s a bad, bad day for everyone and, of course, as always, who does the weight bear down on? It bears down on exactly this audience we are talking to right now, Tim. The folks who are at the front line of being Administrators.

Tim CallanI talk to a lot of people who have to live in this world. I know you do too, Jay, and one of the common themes I hear is the sense of – what do I want to say? – anxiety. A sense that at any given moment disaster might come crashing down on us. And that it will not be predictable or foreseeable and that it could occur at any time. That I could be, you know, it could be the weekend and I could be fishing on the stream or at my kid’s sporting event and all of the sudden my phone is ringing because everything went to hell. Or I might wake up in the morning and before I have a chance to get my coffee I find out that everything went to hell. The people responsible for certificates just sort of live in this world all the time.

Jason SorokoThey do. Operations people, back in the day when pagers were on people’s belts, those are the folks who were carrying the pagers. Now, of course, there’s all kinds of different ways to be messaged.

Here’s the thing, Tim. What we are talking about is these are the people under the operational crunch. These are the people who are on call to keep the lights on at all times and there’s not a lot of mercy. It’s just get the lights back on ASAP, and there’s another habit some of these people have. This is not everyone but there’s a habit that I’ve seen in that there’s an interesting sense of job security, Tim, that comes from every one of these tasks. As much as it might be the bane of your existence to do a lot of these tasks, you maintain doing them because, well, that’s your job.

Tim CallanAnd because I think sometimes there’s this sense of, well, we need to have these things. If we don’t have these things, the whole business shuts down so when I’m doing this work, I get to feel like I’m important and I’m indispensable.

Jason SorokoThere’s no doubt, Tim, that there is - - I’m gonna liken this to something much more physical and tangible to everybody else who hasn’t played this role and that is, if you are a carpenter and you have actually built something, you know, a house, you know, from everything down from a little birdhouse all the way to an actual house, it doesn’t matter. There’s a sense of purpose and there’s a sense of look what I accomplished and it is something you can see and touch and it made a difference in somebody’s life, and you could be so good at it you could be called a craftsperson.

Tim CallanRight.

Jason SorokoYou absolutely could.

And I truly, truly belief that a lot of people who work in IT and are administrators – just like we’ve talked about – you people are craftspeople in the sense that even though it’s something only you see most of the time. The fact that the lights are on people just take for granted.

But you know what it took and you know that when you did the job, you did Step A, B, C, D and E all the way to Z and then you didn’t get an error message and everything just works. There is the same human reaction that a carpenter has to building the house, to completing an IT task in many cases and that’s why it’s not just job security, it’s also there’s this feeling of satisfaction of having done it with your own hands.

Tim CallanI get that. I do. But we need to talk about the other side of that coin, to what degree are we limiting ourselves and our own ability to build our skillset and build our value by doing things by hand when perhaps there is a more efficient and safer and more reliable way.

Jason SorokoTim, I’ll make it tangible to the audience who is listening here. This is very specifically the people who are Administrators and Ops people but then I’m also gonna make it tangible to the CIOs and CFOs who are costing this stuff out. And let’s start with for you who are let’s say a Linux Administrator or Windows Server Administrator, you have done something like take on the job of look at your spreadsheet every day and say, hey, is there a certificate expiring on webserver somewhere within my realm of responsibility.

Tim CallanRight.

Jason SorokoYou might say to yourself, oh, yeah, geez, today, X number of days the expiring of the certificate, hey, glad I caught it. I’m going to now procure another certificate from wherever I’m supposed to do that from and then I’m gonna get the cert and then I’m gonna put it to where it needs to be. I’m gonna install it and then I also have a webserver, uh, basically a part of the job is also to configure the webservers to make sure that the certificate is used properly and then there is a testing procedure and away you go.

Now, if it’s the first time you’ve ever done it, if it’s the first time you’ve ever done it and it’s the first time you’re doing it on an individual server, that could take you the day.

Now those of you who have done it hundreds at times would laugh at me and say it doesn’t take it day. You’re right. But think about a person who is absolutely brand new. And, Tim, I actually went through this exercise with some of my colleagues who don’t live in the technical world and they’ve never lived in the Ops world and I said to them, do it. Install a cert manually. And you know what it took them? It took them most of a day.

Tim CallanI believe it.

Jason SorokoNow, if you are handy at it and you do it every year, right, with a one-year certificate, it’s gonna take you between an hour and two hours and that includes your testing time and other things like that. It includes the time it takes to actually go get the cert, move the cert to where it needs to be, fill out the CSR information, figure out which CSR tool you are gonna use. I mean I could go through all the steps, Tim. In fact, maybe one of these podcasts, we will go through every single step and we’ll talk about it.

But I’m saying right here, we’ve timed a lot of people over the years - - somebody who is sharp, you know, it’s on average an hour. I would say to stretch it to two hours isn’t hard to imagine for a manual renewal. And certainly, two hours, that would be incredibly fast to set up a brand new server. That’s pretty quick.

Now, we are not talking about using ACME. We are not talking about using any automation. We are talking about a manual process that would happen every year with a one-year certificate at this point in time.

Tim CallanAt this time, right now.

Jason SorokoHere’s the perspective, Tim, from the administrator standpoint and that is, hey, that one hour that you could have automated out. Right? In other words, take that same hour and automate with ACME for example.

It would take about the same time. Automated out with ACME and then guess what? You are not having to do that hour every year or, hey, at some point, Google may force it to every 90 days. At some point down the road. Which means you are doing this every, you know, 60, 70, 80 days. So, that’s a lot of hours if you add it up. That’s a lot of hours.

Tim CallanJason, you touched on an interesting point here. You talked about, look, the first time you do this maybe it takes you the better part of a day but as you learn it, maybe it’s pretty lickety-split and it’s taking you less than an hour to get it done. Ok. I think about this in terms of skills now; in terms of a marketable saleable career skills and I say, alright, I’ve built my direct certificate management and installation and server configuration skill sets. Good for me. This is a good thing. I can add value to an employer. I can add value to an operation. It seems to me that figuring out how to implement and operate a robust, successful, managed certificate automation process – probably more words in there than I needed – would be a somewhat different set of skills and it would seem to me that the person who has that first set of skills and then develops the muscles for that second set of skills has increased their level of value to a company. Their employability, their saleable, their overall ability to drive career progress. Do you see where I’m going with that? It’s like I can be somebody whose abilities and, you know, demonstrable abilities and useful job skills are stagnant or I can be somebody where those job skills are progressing and increasing and I feel like that second set of people probably has better prospects in general. What do you think of that?

Jason SorokoOh there’s absolutely no question that that’s how you want to progress. So, with what you just said, Tim, that might be the perfect segue into now addressing the CIO, CISO, CFO type people. The people who are managing, you know, the Directors of IT, the people who are managing these people and I guarantee nobody worth their salt is gonna let, you know, the most junior person who has just started do these tasks. In other words, not just the - -

Tim CallanYou mean because the risk is too high? Because if it goes wrong, everything fails?

Jason SorokoPrecisely. And that person who is the person you trust is exactly the kind of person you would prefer to be developing their skills constantly and becoming better and more valuable to themselves and to the company.

That is your prime candidate. The person you would trust to do these manual things - - I mean, trust me, there’s not much to be learned from an IT standpoint. It is a standard set of procedures. It’s rote work. It just needs to be done precisely and this person should not be spending that time doing that manual procedure. They absolutely should be building the systems for change management for your company. They should also be - - you know, take that hour or two or five and be learning, you know, the scripting language which allows, you know, if it’s in Windows maybe it’s PowerShell. If it’s in Linux, there’s all kinds of languages – you know, Bash, all the way to various other automation languages you could be using like Python, etc., etc. Right?

Tim CallanRight.

Jason SorokoAnd those are the things that you put on your CV and you are proud of. You don’t put on your CV, oh I modified Apache for the billionth time in the same way.

Tim CallanAt the same time if I find myself doing a lot of rote work perhaps automating my rote work is my path to doing that more interesting stuff. Perhaps I can go to my management chain and say, look, I’m the perfect person to automate this and put an automated form in place because I know it better than anybody and then you get a chance to have those new experiences, to have those new accomplishments on your resume, to have those new stories you can tell and you just transition from what you already know better than anyone else. What a great launching pad to take on these new kind of initiatives that aren’t really what you are doing in the day-to-day.

Jason SorokoTim, I’d love to give a pro tip to our administrator audience right now. Here’s a pro tip to those of you who haven’t done this. Honest to goodness, you can become the hero of the company in a flash if you were to take on Certificate Lifecycle Management as a discipline and to take on even just one pillar of that. Even if you have just manual processes and you’re able to do discovery with a Certificate Lifecycle Management system and you find an unmanaged certificate that’s a ticking time bomb – wow! You have just proven huge value for yourself in terms of the skillset of knowing that that exists and knowing how to do it and then putting it as part of your change management system. Like how did that cert get there? Get to the root cause of it. Change a process and then envelop that rogue process – we’ve talked about rogue certificates before, Tim.

Tim CallanUh-huh.

Jason SorokoThe process of taking rogue certificates and enveloping that into proper change management. You know what? That’s a job for these people. If you are a Linux Administrator, Windows Server Administrator, and one of your tasks is to renew certificates, my goodness, discovering rogue certificates with Certificate Lifecycle Management – I’ll tell you what, that’s a better hour spent.

Tim CallanYeah. I think this might be a productive place to plant your flag, right? If you start automating aspects of certificate management and life gets better, then that kind of is gonna by default become your territory. That’s something you can keep doing, you can keep building, you can keep expanding on so that maybe once, maybe yesterday if you were the certificate installation guy now all of the sudden you are the CLM guy and you can just be that. In so many organizations if we take on a task and we succeed at it, then it’s ours forever. That’s a very common thing that occurs in companies and you could see that for a lot of people happening in this scenario.

Jason SorokoTim, I would say to people are cutting the checks for this position, you might think to yourself, well, I’m solving my outage risk on my webservers by having this operations professional manually do this and my operation professional says to me that, you know, they like to have their hands right on the cert because of the fact that they know it got installed.

What I would say is it’s way better to have true visibility to your certificates and true automation of this. Let computers do what they do best which is to automate these certificates and modify these webserver configuration files and all the steps of getting the certificate from the CA – all the stuff. Again, we are gonna go through what all those steps are and just say those steps are best left to a computer. There’s other types of management that these professionals should be doing and the dollar I spend on them in a manual process versus the dollar I’m spending in this automated world, I’m getting a lot more out of that person in the automated world for the same dollar.

Tim CallanFor the individual, you know, in the long view, this feels to me like this kind of attitude probably is going to lead you much more to where you really want to be. That the more I’m willing to move with the times, use the best method, embrace automation, embrace new techniques, the more I’m always going to be working on the best work and the most interesting work and frankly, the highest valued work. And that, you know, if we foster this attitude toward certificate management, then we can apply that same attitude toward other things and that that’s just how IT professionals thrive and succeed.

Jason SorokoOh my goodness. You are so right, Tim. You are so right. Think big. Think of your future. Think of using tools that give you productivity. If you really want to use the cruel cold word on this, it is productivity and you’ll have much higher productivity using automation tools.

Tim CallanSo, anyway, this is part and parcel. We took this top-down look from the management perspective and in that way you think it’s a very compelling argument. I also think it’s compelling if you are actually the one sitting in the chair and that’s what we wanted to talk about today. I think you agree. Right, Jay?

Jason SorokoIf you are sitting in that chair, think about the skillset that you want to have not the one that you are forced to do. Resist this urge to be the craftsperson of building with your own hands and be the craftsperson who is putting in something that is automated so you can move onto something else. That something else is always gonna be better than just doing a manual install of the cert. Believe me.

Tim CallanYeah, I like that. Do the work you want to do or grow into the work you want to do as opposed to the work that you are forced to do today.

Jason SorokoIt’s the opposite of shameful to automate yourself out of the parts of the job that don’t have that productivity quotient. Think - - you know what? For those of you who are incredibly technical – and I know a lot of people are listen to this podcast – think a little bit more like a business person and think about the productivity of doing it better and more automated. You will make yourself a more valuable employee overall and that’s the right mindset to have throughout your career.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!