IT Departments Fear Growing Expertise of Users
flatfilsoc recommends a long article in CIO magazine on users who know too much and the IT leaders who fear them. Dubbing the universe of consumer technology the "shadow IT department," the article highlights the extent to which the boundary between users' workplace and home has broken down. It notes the increasing clash — familiar to anyone who works in a company with an IT department — between users' home-grown productivity boosters and IT's mandate to protect corporate data. The inherent tendency of the IT department to want to crack down and control technology that it doesn't supply should be resisted at all costs, according to CIO. The article outlines strategies for co-existence. It just might persuade some desperate CIO somewhere not to embark on a career-limiting path of decreeing against gmail and IM.
and there are always groups of individuals in every company that DO NOT fit the one-size-fits-all software/security model.
Some people/groups really need a sandbox to work in, without interference from good intentioned IT departments.
A virus spread wildly throughout my company recently because IT had thought to conveniently map some not so useful drives for everyone... guess how that virus spread?
IT needs to learn to provide and protect without being so intrusive as to hinder real work being done.
Sighhh
Support NYCountryLawyer RIAA vs People
Has always been the user who *thinks* he knows too much, and is out to prove it - usually causing problems, havoc, and destruction in so doing. You know, the kind of guy who gets pissed when you won't give them root/Administrator privileges because he thinks he's a real big-shot. I've heard arguments as silly as "Well, I'm learning Linux on my own at home, so sooner or later, I'm going to know how to use it whether you give me root or not." Yeah, good for you.
It seems that every company I've worked for has had one. Maybe it's a small part of my personal castigation for the things I've done wrong. Who can say...
Oh, you're not stuck, you're just unable to let go of the onion rings.
I've met uncountable numbers of idiots when it comes to understanding technology. Guess what... many of them were peers in IT. In retrospect, it makes sense. I'd anticipated my move from college to a "real" job as a release from the world of idiots in the CS curricula. Finally, I'd get a chance to work shoulder to shoulder with people who knew.
Not so much.
I'd never considered where the rest of my university peers had to go -- into the same work force I entered -- duh.
In the non-IT universe I discovered many were also clueless around technology, as I'd expected. What I hadn't expected was there were many non-IT people who got it, who understood technology, and worked with it adeptly. Many "got it" more than my peers. Some of the most profound ideas and innovation I've seen in IT have come from nontraditional non-IT people.
I agree (without reading the entire article) with the summary and gist of the article -- IT does itself no favors ruling by fiat and instead should collaborate with users.
This doesn't dismiss bad things happening and messes created by users left behind for IT to clean up. People who mess up should help clean up, but my experience has been many IT people are equally inept and likely to make messes.
A degree and title in IT and CS means only that one has a degree in IT and CS, nothing more. It doesn't mean they're anointed and it doesn't mean they know more about technology than users.
...approximately 600 million computers are connected to the Internet, and that 150 million of them might be participants in a botnet--nearly all of them unwilling victims. (http://arstechnica.com/news.ars/post/20070125-87
The simple fact is most users think they know what they are doing, but they lack the skills to adequately assess the risks of their actions. That is why they need to have rules around acceptable use and security policies to protect them from their own idiocy.
The only reason some people get lost in thought is because it's unfamiliar territory.
Lock down usb ports.
Besides, no matter what they do, they can't stop me from creating a knoppix cluster from my coworkers' PCs after they all leave for the day.
They can fire you.
See, not so hard.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
If you want complete control put the dumb terminals back. Otherwise let the creative users solve their problems and stand back. Sysadmins can still control access to sensitive data. If a user screws up a machine, slap the standard install image back on and try try again. There really is no reason for a PC "support" position
CIOs and IT departments limit and control software on their computers by taking 2 months to install MS Office on my desktop. I've had IT departments take 3 weeks to "install" software on my workstation, when all they had to do was add shortcuts to my start menu and map the path to software on remote servers. It makes you wonder if they spend more time reading my email and slashdot posts than actual IT work.
Be sure to let Jimbo Wales know he's an idiot for doing it that way.
I'm not advocating Wiki methods for a nuclear missile silo, but I think a lot more companies can profit from a Wiki-type approach to (some) data than those that can benefit from an NSA "everything is top secret and must be locked down at all costs" approach.
Crow T. Trollbot
1. "My hard drive is howling like a panther passing a kidney stone. Every time I run chkdsk I lose a few more sectors. I've backed up all my work to the network drive. When you get a chance can you come and fix my computer?"
2. "My computer won't start. It's been making this squealy noise for about two weeks and then all of a sudden it just died. You have to come right now and fix it because all the annual budget files are on my desktop."
Which call would you rather get?
None of them can see the clouds; The polished wings don't care.
Yes, most corporate users surf the web at home.
Yes, most of their home machines are horribly infected with spyware, viruses, and other things I grow weary of cleaning up. I have friends who make their livings cleaning up home PC's. Most of them have "regulars".
I have no problem helping my advanced, capable users be more productive through technology. I will even grant local admin when warranted.
I have major problems letting my users chat with their friends on IM while surfing porn, watching last night's CSI on YouTube, and unwittingly sending out spam on behalf of a botnet (while trying to infect the rest of the network). Whenever we (and by we I mean management) loosen the reins, this is what I find all over my network.
Giving your users admin/root (i.e. ticket to ride) trying to make your life (or their life) easier only tends to make both of your lives harder later on.
Top down corporate stragedy types really don't need to be worrying so much about individual users. Good IT staff with sufficient decision making authority renders this entire "concern" moot.
This sig was generated randomly by one million monkeys with Speak 'n Spells. . .
When I come across someone who I find reasonably able to fix problems, I sometimes enlist their help on assisting their computer neighbors. I also find that people who think they know a lot quite often mess up their computer even more and consequently require my help more - That is okay, it keeps me employed. It is changing though with users losing admin rights. They really cannot do anything as a standard user.
On UNIX computers, the users tend to be more technical (I find) but still require assistance sometimes. Especially when they do not have root.
If IT locks down USB ports, I'm sure they'd have gone over the possibility that they could be locking out legit reasons and have planned for it. No IT department worth its carbon would lock down something that close to the user without preparing for the eventual onslaught of calls asking "Why is my USB drive broken?!" ...that or their admin is a sadistic bastard and goes on unreachable vacation the next two weeks...
Letting users do whatever they want on company computers is a great way to have a lot of things go wrong very quickly. When you are at work, you are there to be working, not playing around on the internet, talking to your buddies, exchanging IMs and emails and whatever else you could possibly be doing that has absolutely nothing to do with your job.
At my work, our computers are completely locked down and we cannot change anything, no matter how mundane. I personally think this is great because I know that whenever I go to the computer, it will just work. If we could change things, I have no doubt a few of the employees would just have to screw with things and then when it didn't work, it would then screw up my job and cost the company a lot of money, not to mention cause my workers and I unneeded stress.
All this comes from someone who has several computers running from home with various operating systems doing various tasks. I could probably improve things at my work in regards to how tech is handled, but it is not my job. If I want to play sysadmin, I can do it with my own gear, on my own time.
If the company has decided that they are going to lock the use of unsanctioned peripherals, then the question becomes not, 'why doesn't my USB drive work,' but 'why are you bringing a USB drive in?'
"I use a Mac because I'm just better than you are."
As an IT tech, I have known users who knew their stuff, maybe 0.5% of the employees of any given company. And I have known techs who did not know their stuff, maybe 60%.
But all in all there are reasons why computers are locked down and there are reasons why IT mandates that "thou shalt not". Too many times there have been licensing issues where a know-it-all user with the ability to install software on their local box has brought in a package from home to install because they could get their work done better/faster/more colorfully with it than they could with the software that the company licensed. And when the project/document/spreadsheet that they created in that software can't be read or modified by any of the licensed software, they instantly become indignant and blame IT for not finding a way to convert their information. Contrary to popular mis-belief, IT does not have experience in EVERY piece of software out there. And when some disgruntled soul left the company they would let the anti-piracy folks know about the illegal installs.
And then there are the ones who download every bit of shareware/freeware/spyware in the known universe to their local box, turning their machine into a zombie or worse.
IT is usually mandated to keep the network running smoothly, virus and spyware free, and within the licensing agreements of the software that they have purchased. To do that they have to lock down the network, the computers and the user rights because the know-it-alls don't care about security, safety or licensing. They just want to run Weatherbug because they are too lazy to check into the WeatherChannel.
And then there are the users who listen to Internet radio (sucking down bandwidth), download illegal music and software (because it's faster than at home), and cruise the porn and game sites. Most users don't remember that the computer, network and internet connection still belong to the company that they work for and the aim of IT is to make sure that everyone can play and work together to the betterment of the company.
Give me a user who will work within the guidelines, request the software that they need to do their job and, at the end of the day, tend to their personal internet needs from their home computers.
It sounds all fine and dandy to allow the user to install all kinds of stuff on their machines. And without a company mandate with some teeth ( termination or write ups ) most people will install things on their own anyways. We have prevented people from having root access, but generally they figure out what the password is or someone in IT tells them.
The only problem with these sorts of users is the support they require when it turns out they don't know what they are doing. Any boob can install iTunes, but even the smarter ones start having problems trying to figure out why their machine crashes afterwards. Then IT is called and blamed.
I'm fine with having these users install whatever they want, just as long as they realize that when they have a problem of any kind of size ( word won't start ) I'm going to blast the machine. If they are smart enough to install all the extra software they are smart enough to put their data on the network or at least in one folder where I can copy it. If they say I lost all my MP3's I'm not going to have a problem telling them tough.
These same people don't have to sign the invoices for their expensive laptops, I do. It is company property and companies should have every right to tell individuals what they can and can't install. At the same time they cannot be so stubborn as to not allow for newer software to get added, even if it does pose some sort of risk. Instant messenger and those types of programs can greatly increase productivity if used correctly. If the employee is chatting with his wife, I'd rather he do that than go in the hallway and call him on his cell...chances are he is actually doing something in between the chat lines.
That said the company still has the right to monitor the person for any traffic going over their network. If the guy gets in trouble and they find that he chatted with his wife all the time it should be admissible in determining his dismissal. Everyone out there knows when enough is enough, those that don't usually end up without a job.
and I still say:
1) It's my property (well, the owner of the company is my boss, but I manage this data center)
2) On my property, it's my internet usage rules, as long as I'm fair about it.
3) I bear the full responsibility for stuff going boom (physically, financially or legally), so I have the full right to monitor and control network usage.
4) You can always go home and use IM and gmail if you want. I have no control over that (though one jackass company in Michigan certainly would want to).
I support SOX, though I admit we're not a publicly traded company...
--- Grow a pair, liberals... stop letting the Republicans bully you!
Because without physical security there is no security.
Locking down the PC so that the receptionist cannot move data to his/her iPod would also, logically, prevent the iPod from doing anything that s/he would want it to do.
Unless you configured an iPod specific rule. And security is broken by "exceptions".
Why would you assume he's posting from work? Not to mention he has a UK domain and it's late evening there.
This is not fear we have. I certainly don't fear the Software Developer that has good Unix or Windows knowledge. Hell, I'll try and learn a thing or two from those folks. However, we in IT have a job to do and we're trying to do that job with a couple of things in mind.
1. Keep the Lowest Common Denominator employee productive and not constantly working on their system(s). If you're a hot shot techie at home, you have to realize that IT needs to make things work for the non-techie employees as well as you. Admin Assistants are a good example. They don't know about SysInternals or Slashdot or Linux and they don't care. They do care about office applications working when they need them for that presentation their boss (sometimes your boss) is about to give or whatever else is their important issue of the day.
2. IT is not interested in how you do things at home and telling us that's how we should do it at the office. We're running a business, we're not running your little computing playground you have setup in your house. Hell, we have them too, but those solutions are not business solutions, they are home solutions and are different solutions that employ some of the same technology. It's an apple and an orange. IT is not really interested in how you have your computers at home on a certain switch or how you do backups or you telling IT how they should setup their network and what their problem is. Personally, I'm interested in talking to you about that for stuff and comparing it to what I do in my home, but not the business I work for.
3. IT places restrictions for good of the business and so that IT can focus its energy on a limited number of products. If IT let everyone just run what they wanted on their systems, IT would be a nightmare and the company couldn't get good quality people to do the job well. Everyone has products they like and favor, even the IT people, I certainly wouldn't want to work for a company where I had to support every anti-virus software in existence or every Linux distribution because it was the whim of the person whose office the system was installed. I want to see a business reason for supporting multiple Linux distributions or anti-virus software. IT makes business choices based on best practices and industry leading technology products. Well, at least IT tries to do this, in most cases.
On the flipside of the coin, the company where I work now has in its IT policy that checking your personal email (Gmail, Yahoo Mail, hotmail, etc.) is not allowed. I don't get this, personally, but that's the policy and everyone scoffs at it. Also, IM is not allowed/supported, but there is a way around it that everyone uses.
Policy and practice by IT is there for the wide abuser IMHO. For example, an employee who puts 8 different firewalls, 3 anti-virus programs, and a slew of other non-work applications on his company issued laptop that has the company anti-virus and firewall. This person has the balls to call the help desk and complain that his laptop is performing like crap. Genius, uninstall 7 firewalls and two anti-virus programs and I bet your laptop performs a whole lot better.
I think everyone in any company should spend two weeks working in the company's IT group as part of orientation and I think seeing and hearing the issues first hand from that side of the fence will generate a different set of articles from this one.
"...the shortest distance between two points may be straight line, but it is by no means the most interesting."
The point of the article is not that you should or shouldn't try to lock things down. It is that no matter how much you try to lock things down, your users will find ways to open it up to get their work done.
If you're smart, you'll figure out ways that you can both get what you want: Your security and manageability, and their productivity and ease-of-use. Handing edicts from on high is a pretty stupid idea. The point of the article is that you're not shutting down what they call "Shadow IT," you're simply driving it underground where it's harder to see and deal with.
But, you know, it's your property and your rules, so by all means, do with it what you will, and good luck with that.
Perhaps more importantly, smart users should love you. IT departments suffer because they don't forge relationships outside their department. While everyone else has friends and advocates at budget time, IT workers are viewed as interchangeable, even redundant. If you snub or ignore technically smart users, you're alienating the one outside segment that's even capable of understanding why you're needed.
Step into a huge movement. Don't Tread In Me.
If the receptionist is assumed to be untrustworthy, then they could just as easily install a real hardware keylogger in between the PC and the keyboard. (And that would be a lot easier to get than an iPod-disguised keylogger.)
I'm not saying that there aren't situations where barring anything that could carry data away is appropriate. It's just that IT types seem to hone in on the "security breaches" that they can shore up, to the greatest inconvenience of users, while ignoring glaring holes elsewhere. If you're going to tell the secretary that she can't charge her iPod from the USB port because of the risk of keylogging, I hope that the keyboard's PS/2 connector is superglued in, or the entire chassis is encased in a locked steel container. Otherwise you're ignoring an obvious avenue of attack (like these), but going after a highly unlikely one, even though the treatment for the unlikely one annoys the user more.
Most IT departments have so many security problems and vulnerabilities, it's hard to even know where to start. But rather than working through them in a rational way, they seem to begin with the premise that "anything that annoys the users in the name of security must be good." (Probably not their fault; it's probably an attempt to placate a PHB somewhere by making the security really obvious...)
It's ultimately a glass-houses issue. Before overt, draconian security measures are put in place, everything else ought to be locked up already. Otherwise, it just makes the IT department look like they're power-tripping, regardless of the real motivation. And in the corporate world, it's not good to make everyone else hate you. Particularly the secretaries.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
This is a general observation that can be made regarding 'regulatory' departments that are concerned with security and legal compliance. Generally the rules are written down by someone senior, who uses common sense to reach what seems, at the time, a reasonable compromise and a practical approach. Next, they are handed down to a team of juniors, who enforce without understanding, because that is what they have been told to do. Through habituation, the regulations become Holy Writ and nobody is allowed to touch them --- a situation the original author(s) would probably have regarded as silly and dangerous. Finally, everybody formally adheres to the rules while circumventing them by any means possible, making a total nonsense of the original purpose.
This is by no means limited to IT. It also applies to finance or health care, or for that matter the US Constitution. It seems to be a general human phenomenon. But it just seems that IT departments are more prone than others to the extreme aberration that I would call IT fascism: The belief that the ideal organization is regimented, uniformed, homogeneous, goose-stepping, controlled, and obedient; and that any exceptions need to be eliminated. Maybe the use of binary code stimulates binary thinking.
Of course, for any commercial organization, this can be a real killer in the long run. I've seen creativity and innovation totally stifled by regulation, until most people were so marinated in the status quo that they became completely incapable of independent decision-making, and the creative minds got frustrated and left. It's pretty much the reason why, if I were to make a SWOT analysis of our firm, I would classify much of our IT department under 'threats'. It's not because these people are of ill will, but the idea of trying, stimulating, or even supporting something new has become alien to them.
They are taking care of the daily business, according to present regulation, and they just can't imagine that there might be more to the job than that. To be fair, most of them are so far from the "frontline" that they no longer hear the din of the battle for survival.
I have worked in helldesk for..far..too long. Far far far too long. Er anyway. I have to say no I don't feel expertise of users. I fear users who -think- they are experts and really have no clue.
I have been receiving CIO magazine for a couple years, and I have come to think of it as a book of Humor. On occasion I find some of the articles interesting, but mostly just amusing. I don't fear my users, unless they can keep up with the learning curve, they will fall behind quickly after new products come out. Most Users don't want to know how things work, they just want it to work. On the other hand if you have a user that is trying to flex their computer skills in your face, you can bet they are doing much more behind you. Watch those users.. this article may also be biased based on the service/software they mention in it and those who buy ads in this magazine. After all, how can CIO say don't let users use Gmail, or IM's. I think their sponsors would flip...
Ad eundum quo nemo ante iit!
From the posts in this thread, one gets the impression that there are rather a lot of places where IT people and other employees are locked in a state of permanent warfare, or at best uneasily living together in mutual disdain.
The curious thing is that rather a lot of IT people seem smugly satisfied with this. They are confident that they have everything "locked down" and that nothing can go wrong as long as they don't allow the users to do anything important -- whatever that means.
To me this seems the ultimate in IT nerdiness. It gets pretty close to programmers who exclaim that they "didn't change anything" when their product suddenly starts to misbehave -- only applied to people, who are even more unpredictable than even the most chaotic software product.
The reality is that if people hate you, they will find a way to subvert your systems, and IT won't know. People are resourceful. I strongly believe that a security system that is not supported by the people who have to live with it, will be valueless in the long run. People are your major threat and your strongest vulnerability, but potentially they are also your best line of defense. A serious outside attack is not unlikely to have a strong social engineering aspect to it.
I've met IT technicians who blithely assumed that outsiders could never guess an internal password, because their systems strictly limited the number of login retries and required frequent password changes. It never occurred to them that someone might entice out a password by putting on a lab coat and looking official, that people are rather stimulated to write down passwords if they have to change them too often and any mistake brings about a clash with IT, or that the use of incremental suffixes permits any outsider to predict the new passwords years in the future. They sought refuge in strict IT rules, but their psychology (and their logic) was all wrong.
Apparently, there is this curious notion in some places that IT is about managing machines. Curious, because any engineer in another field could tell the IT staff that a big part of effective support is dealing with people, their needs, expectations, and perceptions. An IT group that is just busying itself with keeping the hardware and software in a good state and not positively interacting with and educating users, is an IT group that is failing in its job.
Of course it is much easier to concentrate on the machinery and ignore or crush the users. Machines are far more predictable and easier to work with, and sadly a lot of IT people are still conforming to stereotype and not blessed with great social skills. But at the end of the day they should watch out for their own interest --- there is no future in being a glorified window(s) cleaner.
Any IT department that fears its users are learning too much is a goddamn shitty IT department. Seriously.
I'm an IT guy.. at an engineering firm. Pretty much everyone here is a 'computer guru' by today's standards. So, for about 100 employees, the three of us 'IT guys' get to spend most of our time doing real engineering, programming, HMI design, drafting, etc. Our job is made much easier since we can give users full administrative control over their own computers/laptops (necessary in engineering anyway). We just 'lay down the law' in terms of what users are allowed to install and uninstall and we never have to take away privileges from people that know what they're doing.
So, for years, the entire network and seven servers is managed as a 1-10hour/week job for one of our three 'IT guys.' We secure the network and the servers.. and we don't even bother to secure the servers per user - we just have them making tons and tons of backups so if a user does remove/move files that are important, we just replace them with backed up copies from whatever date we want.
Having a smart userbase allows a 'smarter' IT dept. to spend less time on IT unless the IT dept. is a bunch of bumbling idiots who find it hard to stay ahead of the curve. It's really nice not to have users that need help just because they cannot map a drive.. or because they cannot install a different version of Industrial Software X because it is incompatible with Industrial Software Y.
--- We need more Ron Paul!
Just a few days ago I ran an entire meeting of 12 Powerpoint presentations from my USB drive because the network drive went down the very morning the VIP showed up to have his apple polished. I thought ahead, realized that our network goes down all the time and is about as reliable as the Iraqi army, so I had the foresight to copy the files to my personal USB drive. No longer--now I'll just shrug my shoulders and the organization looks only as competent as we really are for a change. I'm actually ecstatic when they lock the computers down a bit more. Already my workplace has cut off webmail, much to the joy of all the workers who now can't be held responsible for not knowing about (and completing the tasking from) an email sent out at 10PM Friday. Lock everything down, please. Could you please take my printer? Who knows what sort of shenanigans I might get up to with that.
Give me a diskless workstation that only works during business hours, and make sure it's the only place from which I can access company data, and I'll buy you lunch for a week. Don't forget that company cellphones and blackberries and PDAs are also the spawn of Satan. Keep up the good work! We love you!