What Would You Demand From Your IT Department?

ZombieLine asks: "The IT department at my company (approximately some 500 people) is showing signs of incompetence, and has been ignoring knowledgeable user input for about a year. Additionally, they haven't been able to sell needed changes to senior management. Unacceptable server down time, maxed network storage, and no backups systems have hit the bottom line, and those on top are starting to notice. We users are staging a revolt to make IT more responsive to users by creating a group from the company divisions and IT to discuss needs and solutions. What would you put in our charter?" What services and responsibilities would you demand out of your IT department?

First thing to demand - an SLA

[Olmy's+Jart]

You need to map out your requirements and then formulate them into an SLA, a Service Level Agreement. Then get your management to agree to it and take it to the barganing table. Make it clear that this is what they (the IT department) will be measured and evaluated against. If they can't agree to it, then get them to counterproposal. But, what ever you do, get it in writing in the form of an SLA, with the bosses on board... The particulars about what services and what responses and what responsibilities you want from them are details that go into the SLA. Once you hash out the details, get them locked into that SLA, though...

What are we starting with?

[Conception]

"Unacceptable server down time, maxed network storage, and no backups systems have hit the bottom line, and those on top are starting to notice."

I don't know your situation... but maybe more money is needed for people, equipment, etc etc. You can demand all you want, but if you don't pony up the resources... *shrugs* You get what you pay for.

No Brainer

[moehoward]

This is beyond a no-brainer. I actually doubt the authenticity of the story based on how the real world works. Or maybe the poster is really in a 25 person company or something.

Anyway, here is how it works. Your department has IT needs. These needs are written down. The IT department has guaranteed services it provides. These are written down. Your department takes a budget "hit" to pay for an internal IT department. These are the givens.

Now, if IT does not provide services you NEED/REQUIRE (like backup, duh), then you go to the whomever is above both departments (COO, VP of division, president...) and you show the mismatch. This is not a complaint, just a reason why you are increasing your budget next year to get the services you need to succeed.

Of course, you are keeping a log of all incidents that are occurring and a log of down time and a log of costs to you as a result, etc.

Look, business people are not idiots. The 3 previous paragraphs I write above are beyond no-brainers. Why is this stuff so non-obvious to today's geeks??

It sounds like your company has other issues...

[mrscott]

It sounds like your company has other issues beyond an unresponsive IT department. You indicated that IT has been unable to sell necessary changes to senior management. Are you positive that senior management agrees that changes are needed or that they actually understand the seriousness of the problem? You might find that IT feels that their hands have been tied and have nowhere else to go since senior management isn't helping them.

A group of users making "demands" of the IT department is somewhat inappropriate. Yes, the IT department exists to help users with their work, but their priorities are set by senior management. If you plan to create some kind of IT Steering Committee, I would recommend a few things: (1) Lose the attitude -- all you'll do is put the IT folks on the defensive (and remember, since you're not in their group, you may actually have NO idea what priorities have been laid out for them by senior management); (2) Get the blessing of senior management before you try this; (3) Make sure at least one or two high-level people attend your meetings and buy-in to what you talk about.

Treat the IT folks like human beings. They may have perfectly good reasons for dismissing what you consider reasonable ideas. Perhaps they're seriously understaffed so that great desktop Linux rollout one of your users is convinced is the right idea just doesn't pay off for them, for example.

This may be Senior Managements Fault

[baggins2002]

--No Backup Systems
--No Storage Space
These sound like budget issues. Do you think that if the IT staff, just tries really hard or is competent that they can just create File Storage and Backup Systems out of thin air.

Re:What would you demand from your IT users?

Pet Peeves:

Users who think the network drives are for their personal music, picture and video collections.

From the non-tech perspective

[Dukeofshadows]

As a non-technical person with enough engineering friends to get to this site and have an iota of what might be reasonable to expect from IT professionals, here's my list of expectations:

-Security of data: obviously no data is *absolutely* secure if the computer is connected to the net, but enough security that I could feasibly work with medical records and HIPPA-privledged information without constantly worrying about crackers. For those of you who don't know what HIPPA is, imagine a very protective law about patient confidentiality that can result in serious jail time if it is violated.

-Continual access (within reason): If there are natural disasters, power outages, or personal emergencies, then certainly one can't reasonably expect 24-hr access. At almost any other time, however, I'd like to be able to turn a computer on at the workplace and not worry about downtime or have to call someone to fix the system (as my colleagues and I do now).

-Work ethic: Nothing pisses me off more than lazy people, especially those who try to use technobabble to hide incompetence. If there is work to be done, then I'd like to dial up the local expert/employee and know that the problem will be fixed *quickly* and efficiently. Certainly there will be problems that require more time than others and nothing runs smoothly all the time, but no one should have to brook crap from employees who pad schedules. If there are problems, say so and at least *try* to explain them, don't go into geekspeak/technical language in hopes that I don't understand and give up and let them go back to (insert game here).

-Keeping me informed of new tech without trying to be a salesman: Not every new upgrade is worth getting and keeping up with the Joneses can be prohibitively expensive. Sure, new tech is very cool and I'd like a wireless device to use around my office to tie labs/patient data together, but that doesn't mean it's worth constantly annoying the boss for tech upgrades

-Honesty: Don't overcharge me or bend/stretch/break the truth with me. Medical professionals *seem* to be a prime target for fleecing among computer folks and I've heard horror stories about people paying several times market rate for upgrade and basic tech services. If you work for me, please be honest about all systems or equipment. If I've made a poor decision and there's new data, say so. If there's a better program/hardware setup out there and I'm not familiar with it or am being blindsided by the saleswoman, make mention of it. I don't have the time or patience to micromanage, if your job is technical material than I rely on your expertise and expect to be able to trust you and your decisions.

That shouldn't be too much to ask and is what I will expect of any technical employees I'd hire once I graduate and get a practice up and running a few years from now.

Re:From the non-tech perspective

[GuyverDH]

- Security: How much of that data gets into hard copy that end-users leave lying around their cubicles, or is displayed on screen when users get up and walk away from their desks without *locking* their systems. How many people *share* userids and passwords so that they can login as each other *just in case* they forget their own passwords, or someone else can do their work for them.
Security is a two edged sword... To increase security - you the end user get the following. All traffic is encrypted. All fields that display sensitive information are invisible, unless you move the mouse pointer over it, and click (hold the click to see the info). All screen savers are locked on blank screen (no user customizable fancy dancy screen savers) - and set at 1 Minute, maximum - no user ability to change / reset this. All user systems have USB disabled, no cdrom drive, no floppy drive. All passwords must be a minimum of 8 characters long, have at least 2 numerics, 2 symbols, 2 capital letters and 2 lower case letters. Zero repeat characters, and no character can be used in the same position more than once in 16 months. Passwords must be reset every 28 days - no exceptions. All users must pass basic computer literacy / ability tests. You fail the test, you're fired. Internet access is restricted to Intranet and *approved* work related internet sites. Usage is monitored, and reviewed by supervisors monthly. Users must face the entrance to their work environment, with their monitors facing away from the entrance. Spot checks will be done to see if anyone has passwords written down, if they do - they're shit-canned. Anyone caught sharing / using someone else's password is fired - no questions asked. Supervisors caught logged in as one of their employees are also shit-canned. Supervisors have the ability to review their people's work, without logging in as the user.
- Continual access - Users get as much access as the business areas are willing to provide. IE - Continuous access costs money. Get the IT areas the money, they will get you the access. Clustered servers with snap-shot capable databases / filesystems are not cheap. Nor are the test servers needed to allow for full regression testing of each patch / update for every system in the office. All of these things must be provided for to get you your *full time access*.
- Work Ethic - Nothing *PISSES* me off more than lazy end users who say "can't you just?" or
"quick question" - especially when I've already answered the question 15 times previously. Nothing is ever as *simple* as you think it is. With today's systems that are interconnected at levels previously not even dreamed of - taking that simple table offline so you can *refresh* the data, causes 13 other business areas to sit idle until that data is made available again.
- Keeping you informed - While not every new technology is great, there are sooo many new technologies that *could* make your life easier, if only you could get over this *fear of change* you seem to have. Change is good - without it, we'd all be dead.
-Honesty: I've never stretched the truth, nor have I overcharged. However, the reverse is also true - don't ask questions like - "Honestly now, isn't it *physically* possible to do x/y/z?" Even when it's physically possible to do something you want, doesn't mean it's the right / correct / intelligent thing to do. Since it's our job to be technical, and *know* these things, let us do our jobs - without butting in with your inane prattling.
Remember - as a computer analyst, we are expected to be right 100% of the time, and aren't allowed to *experiment*. As a doctor, you are expected to be right 100% of the time - however, with computers if the *patient* dies - nothing but information is lost.

Re:What would you demand from your IT users?

[shaitand]

"you have not seen how busy a competent IT technician is"

A competent IT technician has just enough time on his hands to learn new technology and retain sanity. A competent IT technician does not give users access to anything that could cause unpredictable consequences and makes sure that the systems they do have access to don't have problems in the first place.

An IT guy who is constantly running from place to place is the result of one (or more) of three things.

1. An understaffed department. Your IT guy is not working the floor in a retail outlet, if he's on his feet or crawled under a desk most of the day you need more IT guys.

2. An imcompetent IT guy (or IT decision maker causing IT guys to perform IT tasks incompetently). When IT is done properly there are not fires everywhere to put out.

3. Incompetent users. Incompetent users are the types who keep the IT guys busy fixing phantom problems, doing user training, or bug them with water cooler talk that fails to recognize that IT guys don't like people or talk. Your IT guy does not care to tell you about the cell phone or digital camera on the market.

IT managment advice from untrained geeks roxorz!

[Madmongo]

lets pull this little ditty to bits...
"The IT department at my company (approximately some 500 people) is showing signs of incompetence, and has been ignoring knowledgeable user input for about a year.
Hmmm...well lets get to that 'incompetence' thing a little later.
But as for "ignoring knowledgeable user input for about a year"...lemme see, you've been harping on about something for a year to the IT department?
Well, what is "knowledgeable user input" anyway? "At my old company we used to..." or "my friend who is an IT genius says..."
Seriously, if you have a suggestion, detail it and submit it to the IT manager and cc it to your manager.
Berating some poor schmuck when he comes to help you format a word doc is not an effective change management strategy!

Additionally, they haven't been able to sell needed changes to senior management.
LMAO...but somehow you and your band of IT-vigilantes is going to change the world? Good luck!
So IT ARE going to management with suggestions, but are getting knocked back?
So somehow you equate managements lack of willingness to resource your IT department to be a failure of the IT guys lack of bargaining skills...not a boneheaded lack of foresight on behalf of your management team?
Wow...tough crowd...

Unacceptable server down time, maxed network storage, and no backups systems have hit the bottom line, and those on top are starting to notice.
GOOD! Now "those on top" need to find the money they should spent on protecting their investment in the first place.
You do realise that IT guys dont just down servers for no reason, dont you? You probably do...or you think they do it on purpose just to piss you off.
And while you're sitting around moaning about how long it's taking for you to be able to get back onto /. because of server downtime, they're running around like headless chooks trying to patch up an obviously ailing (underfunded?) system.
From your comments so far, I'm assuming you are not one of the "knowledgeable user's" you mentioned before.

We users are staging a revolt to make IT more responsive to users by creating a group from the company divisions and IT to discuss needs and solutions.
Yeah, you go girl!
Nice of you to harass IT some more. After all they have nothing better to do than sit in on your moanapolooza.
Why not form your little revolt and march on the guys that will have to OK and pay for your demands...oh wait, lemme guess...'cause if you did you'd get your ass fired!
Face it, you dont want a solution or you would go to the people who can effect change. You want to vent. Well, you have...does that feel better?

What would you put in our charter? What services and responsibilities would you demand out of your IT department?
Well, first up...I'd want suitably qualified and trained professionals in charge of the decision making process.
And as your "knowledgeable user's" are neither...I'd demand that they get trained or STFU.
Then I'd demand that the reasons for management knocking back IT requests be made public.
Im hoping the moment management have to front staff and explain why there will be "no increase in storage" or "no funds for disaster recovery" will be one of those life changing events for you...when you realise IT budgets have to be approved or people (like you) wont get what they want, so that you then take the fight to those with the money and leave your nerds to get on with keeping your sad little network up and running.

If you really want to help your IT department effect a postive change, quit harrasing them and take your fight to the people at the top who are ultimately responsible.
Find the guys that sign's off on the IT budget and ask them why server space hasn't increased to meet demand.
Because the answer is either your IT department is siphoning off $$$ to day-trade with, or there was nothing budgeted to allow for it.

You missed a biggie- $$$

[badriram]

Was their BUDGET cut years ago, and never brought back up.

A lot of people I know tend to blame IT staff for lack of space, lack of bandwidth etc. when problem was that IT dept could not afford to purchase equipment to upgrade a service, and they just tend to use all the budget to maintain status quo. Trust me all IT folks out there LOVE to push out new technology, increase storage, better networks, and reduce helpdesk calls. But a lack of staffing and money can put a damper in the best of IT staff in the world.

Re:how to remember a secure password?

[LordLucless]

No, the password criteria given above SUCK. 8 characters, 2 lower, 2 upper, 2 numeric, 2 symbol. There's too much information given away in the security policy about the composition of the password. Whereas a normal 8-character password would have around 90 possibilities for each letter, in this case, each character would have a maximum of around 26 possibilities - even less for some because numerics only have 10 possibilities. You really cut your password space down with overly-restrictive policies.

Of course, hard-to-crack passwords only matter in cases where it would be feasible for someone to try and brute-force the system without being detected and locked out. That's generally only possible against targets like encrypted files, not live system logins.

The only thing that is going to let people in to live targets via the normal user login (ie: Not through a bug/hole/exploit) is either easy-to-guess passwords (like spouse name, dog name, birthdate, etc - dictionary words are not necessarily easy to guess unless there would be some reason an attacker would be likely to guess the word) or through the user disclosing their password in some manner.

Of the two, user disclosure is more likely. Even with an easy-to-guess password, it's unlikely even a knowledgable attacker would be able to guess it in few enough tries not to set off any lockouts the system may have. In any case, you don't need to go to such a draconian level to prevent easy-to-guess passwords. Require two non-alphabetic characters in non-adjacent positions in the password, and you're pretty much safe.

The most likely route for password compromise is user disclosure, and there is no technical way to protect against that except for relying on additional, non-password security measures (keycards, biometrics, etc). You could try educating your users, but like that's going to work.

Re:What would you demand from your IT users?

[DA-MAN]

I like anyone to show me a 200gb SCSI drive for any price. The only SCSI drives I have seen recently jumped right from 146GB to 300GB flavors.

I bought 20 of these 300gb scsi monsters. At 1500 bucks a pop!

They wanted to upgrade an aging 20 node Single Athlon MP Cluster. I told em it'd be cheaper to buy new hardware than to upgrade them to 2 cpu's, quadruple the ram and add 300gb scsi hard drives.

Originally = 1xAthlon MP 1800, 1 Gig Ram, 1x76gig HD
Upgraded = 2xAthlon MP 2800, 4 Gig Ram, 1x300gig HD & 1x76gig HD

They didn't believe me. . .

When these old, out of warranty machines, started having all failures (mobo/power supply) it was my fault! Try as I could, I couldn't get replacement parts. The legacy parts, ATXGES (Non-Standard) power supply and discontinued mobo were nowhere to be found. . .

The guy who posted this "ask slashdot" probably knows more about his local IT department than I do. All I can say is that I got a reputation very similar to the posters IT dept. Incapable of keeping servers up, yadda yadda yadda, even though I had made it clear that this was NOT the way to go. Just because IT is in charge of it, doesn't mean they created the mess. . .

Re:how to remember a secure password?

[Mateito]

Thats because they are auditors and don't have a clue about security. Security is 95% psychology, and 5% technology.

A user password policy that is too restrictive means users will never remember them, and end up doing things like writing them on post-it notes and sticking them on the monitor.

A better solution is have easy-to-remember passwords (though not trivial passwords such as "password", the login name or "1234567890") and put in a 3-strikes-you-are-out rule and a hierachical user access policy - "need to know". Remember - 80% of attacks come from within. Don't trust your users.

Naturally, the root/Admin passwords for servers containing critical business data and de-encryption keys are long, complicated, regularly changed then written down and placed in an envelope in the corporate fireproof safe, along with the weekly backup tapes.

Re:how to remember a secure password?

[penix1]

"When the Nachi/Welshia worm got on our network we had to disable that rule. It tried account passwords so rapidly; every account that had a strong password and it couldn't get into, would get locked every 30 minutes. We couldn't unlock them fast enough."

You just illustrated what the users have been complaining about. Instead of cleaning your systems of the worm you are running around unlocking accounts. Leave them locked until you get the flipping worm off your systems THEN unlock those accounts. It isn't rocket science folks...

B.

Amid the attacks, an answer

[obtuse]

You're getting your head handed to you here and it may seem unfair, but by asking the question the way you did you demonstrate that you have no clue about actual IT responsibilities. Thus, it's impossible to take your idea of "knowledgable user input" serioulsly, much less your diagnosis of IT incompetence. Your IT department may be incompetent, but you have demonstrated that you are in no position to judge at present.

The answer to your question? SLA or Service Level Agreement.

It is reasonable to ask management what you should expect from IT. Find out what the SLA is or help create one. This will be a lot of work. You will encounter resistance, for no more sinister reason than that is hard. Just make sure this SLA takes into account senior management's requirements of IT as well. Perhaps IT incompetence isn't the reason management isn't providing the needed upgrades. An SLA provides some metric for performance. If the SLA is unsatisfactory, that is a matter to be taken up after performance against it is measured, but what amounts to a formal job description is a reasonable starting point.

There's good literature on all of this, and it's easy to find if you are interested in improving IT in your organization, and not just playing Napoleon. If you'd rather just whine and make everything worse, ignore everyone here and stage your little petty revolt. It will be easier, but if management has a clue at all, this will be a career limiting move for you. Cynically, either way, the SLA is the starting point.

I don't deny that IT can be incompetent, but it is rare in my experience. It occured to me that you were a troll, posting here. Regardless, there are others who really think IT is incompent because of their own ignorance, who would benefit from gaining a little insight into what IT is about.

If I worked with you, I probably would tell you this in person, and tell you who might have more insight into the actual priorites set for IT. I've had plenty of similar conversations with people over the years. It's just another part of the usual perception problem for IT.

A management problem - not a technical one

[peteforsyth]

At all three companies where I've been an IT worker, there has been a common problem: managers who are generally good managers - good people skills, organizational skills, ability to look at the big picture - but who advertise their "technical ignorance" to anyone who will listen. They let the IT department and all other departments know that they will defer to the IT department on technical matters.

So, you end up with technical decisions that serve the people who deal with technology, as opposed to serving the users who are doing the main work of the company, or serving the company's goals as a whole.

I'm not sure what causes effective managers to decide to take a different approach to technical issues than they do with others, but I'm convinced that's the root cause of the sort of problem described by the poster.

I believe top management - and department managers, following their lead - should be pressing IT managers to break down technical issues to the point where they can make effective decisions. When the IT manager says "it will take 3 months to set up a new mail server" and the sales manager throws her hands in the air, their boss should sit down with the IT manager and make them explain what the factors are that will make it take that long. And if it's too technical and they don't understand, they should SAY so, and make the IT manager explain it again. Until they understand. Then, they should say things like "what would it take to do it in 1 month?" and by that time, they should be informed enough to reject bullshit answers like "we need another $75k employee."

"technical ignorance" is not an excuse, when you have people on staff who are capable of educating you. And IT workers who perpetuate the myth that it's "beyond a non-technical user's understanding" merely for their own convenience should be...fired.

If your management doesn't see things this way, there's probably not much you can do about the problem.