November 12, 2011
I was asked recently whether I thought that, eventually, System Administration would require regulation, similar to how engineering and medicine require regulation.
This isn't an easy question to answer, even though I think about it quite a lot. I think the right answer (as much as any answer can be "right") is that, yes, eventually some of us may hold positions that need to be regulated in the future, but in my opinion, it's for the best. Here's my answer:
Yes, some regulation is absolutely necessary in certain segments of the industry.
There is a very good (but very hard to read) book called Risk Society written by Ulrich Beck that caused something of a paradigm shift in the engineering mindset in the 90s.
To oversimplify, society (and the world it exists in) has become complex to the point that you can not engineer risk out of the equation.
This idea is supported by the findings of people like Sidney Dekker in The Field Guide to Understanding Human Failure, who performs what could be considered root cause analysis of surgical and aeronautical accidents. The systems that he deals with are now complex to the point where there is no single root cause, because failure is an inherent operational condition of the environment. In other words, asking why something failed is exactly like asking why something didn't fail - it was the end result of an impossibly complex web of interrelationships, all of which culminated in the eventual success (or failure) of the system.
There are a lot of scenarios where the tasks undertaken by system administrators do have life or death consequences, and in order to architect those infrastructures with adequate resiliency, a lot of education is necessary.
The path of a lot of system administrators from amateur to professional resembles that of a child who is exceptionally gifted at building erector sets being hired to construct a pedestrian bridge. Then, if the bridge doesn't fall, the kid gets to build bridges designed to handle interstate traffic.
I don't write this to disparage the upwardly mobile system administrator who has learned on the job, acquired a high skill level, and is successful in the systems that they engineer. Someone who does that should be justly proud.
When you start considering the potential loss of human life in such a system, however, you start to realize that "best effort" learning isn't enough, particularly when there is no test to establish a safe knowledge level.
Why should you require a degree in civil engineering to design and implement a traffic control system, then not require the slightest test of the people who administer the IT infrastructure that it runs on?
No, I anticipate that in the future, "critical infrastructure" administrators will have certain requirements laid on them for the benefit of everyone who uses the system. The difficult decision will be where to draw the line.
What are your thoughts? Can you see the need to pass a test (or series of tests) to become a "Critical Infrastructure Administrator"?