Slashdot Mirror
IT Departments Fear Growing Expertise of Users
flatfilsoc recommends a long article in CIO magazine on users who know too much and the IT leaders who fear them. Dubbing the universe of consumer technology the "shadow IT department," the article highlights the extent to which the boundary between users' workplace and home have broken down. It notes the increasing clash — familiar to anyone who works in a company with an IT department — between users' home-grown productivity boosters and IT's mandate to protect corporate data. The inherent tendency of the IT department to want to crack down and control technology that it doesn't supply should be resisted at all costs, according to CIO. The article outlines strategies for co-existence. It just might persuade some desperate CIO somewhere not to embark on a career-limiting path of decreeing against gmail and IM.
and there are always groups of individuals in every company that DO NOT fit the one-size-fits-all software/security model.
Some people/groups really need a sandbox to work in, without interference from good intentioned IT departments.
A virus spread wildly throughout my company recently because IT had thought to conveniently map some not so useful drives for everyone... guess how that virus spread?
IT needs to learn to provide and protect without being so intrusive as to hinder real work being done.
Sighhh
Support NYCountryLawyer RIAA vs People
Has always been the user who *thinks* he knows too much, and is out to prove it - usually causing problems, havoc, and destruction in so doing. You know, the kind of guy who gets pissed when you won't give them root/Administrator priveliges because he thinks he's a real big-shot. I've heard arguments as silly as "Well, I'm learning Linux on my own at home, so sooner or later, I'm going to know how to use it whether you give me root or not." Yeah, good for you.
It seems that every company I've worked for has had one. Maybe it's a small part of my personal castigation for the things I've done wrong. Who can say...
Oh, you're not stuck, you're just unable to let go of the onion rings.
I've met uncountable numbers of idiots when it comes to understanding technology. Guess what... many of them were peers in IT. In retrospect, it makes sense. I'd anticipated my move from college to a "real" job as a release from the world of idiots in the CS curricula. Finally, I'd get a chance to work shoulder to shoulder with people who knew.
Not so much.
I'd never considered where the rest of my university peers had to go -- into the same work force I entered -- duh.
In the non-IT universe I discovered many were also clueless around technology, as I'd expected. What I hadn't expected was there were many non-IT people who got it, who understood technology, and worked with it adeptly. Many "got it" more than my peers. Some of the most profound ideas and innovation I've seen in IT have come from nontraditional non-IT people.
I agree (without reading the entire article) with the summary and gist of the article -- IT does itself no favors ruling by fiat and instead should collaborate with users.
This doesn't dismiss bad things happening and messes created by users left behind for IT to clean up. People who mess up should help clean up, but my experience has been many IT people are equally inept and likely to make messes.
A degree and title in IT and CS means only that one has a degree in IT and CS, nothing more. It doesn't mean they're anointed and it doesn't mean they know more about technology than users.
It takes a lot more than "I know how to build a computer .. and i play WOW all the time so i'm leet" to run an IT department. I welcome the smarter users; as long as they arent all wearing my tinfoil hat.
I don't work in the IT dept at my current employer, but I spent a number of years in the trenches before working here. Just today, I was causing fear, loathing, angst, and gnashing of teeth to one of our local IT folk. I told a young lady that I was going to ghost the hard drive from a little used computer onto a USB stick. Then take the hard drive and add it to my PC since I needed more space for my music collection. She was very nervous and thought I might actually do it. I was just giving her crap, but then again; if I need space I might...
Using the Freedom of Speech while I still have it.
http://www.cio.com/archive/021507/fea_user_mgmt.ht ml?action=print
Kilroy was here.
I'm sick and tired of IT departments that try to control everything I do when I know perfectly well that WeatherBug and WinFixer are the right tools for the job. I am a smart and knowledgeable IT consumer, and I've been using these fine products at home for some time now. Why not at work too?
As a software developer outside of the IT department (I'm under direction of the Engineering group), I get this all the time. I get the run around, exclusion from important meetings, no say in things I have a large stake in, put at the bottom of the priority queue, and sometimes even people working to throw roadblocks in my way.
I've always been a fan of decentralized IT - a core group working to "keep the lights on" and seperate groups providing services embedded in the groups they're providing services to, responsible to the managers of the groups who use the tools. Meetings still happen with the needed staff, but someone is a few cubes down the hall or at least on the same floor to answer questions and get feedback.
The Doormat
If you're not outraged, then you're not paying attention.
I would be 7 kinds of mad if anyone was using gmail and IM in my office.
We work with NATO restricted data. *Everything* requires appropriate handling. E-mail is carefully fenced and the IM service is encrypted.
But even if you aren't a company with such a strong need for data protection... well actually there is no such thing. At the very least you have financial data and client information on your systems. Losing some of that stuff is considerably more harmful than restricting people to company provided communication tools.
Anyone placing data that hasn't been cleared for release (even by the very informal process of being sent out on purpose) onto services run by people with whom you have no contract and no reasonable expectation of integrity is, frankly, no better than the idiots who don't back up their data and are then surprised to find out that MTBF is not a guarantee. After all if your employees are using gmail et al you don't even know what data you *have* let alone what steps you need to take to protect it.
Beep beep.
...approximately 600 million computers are connected to the Internet, and that 150 million of them might be participants in a botnet--nearly all of them unwilling victims. (http://arstechnica.com/news.ars/post/20070125-87The simple fact is most users think they know what they are doing, but the lack the skills to adequately assess the risks of their actions. That is why they need to have rules around acceptable use and security policies to protect them from their own idiocy.
The only reason some people get lost in thought is because it's unfamiliar territory.
Lock down usb ports.
Besides, no matter what they do, they can't stop me from creating a knoppix cluster from my coworkers pc's after they all leave for the day.
They can fire you.
See, not so hard.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
Is the day hundreds of callcenters close down their Level 1 support. I always thought it funny to have columns and rows of people that do nothing but open the documentation the users have and read it to them over the phone. Since the phones are still ringing, I think this announcement is still quite a bit premature.
Be sure to let Jimbo Wales know he's an idiot for doing it that way.
I'm not advocating Wiki methods for a nuclear missle silo, but I think a lot more companies can profit from a Wiki-type approach to (some) data than those that can beneift from an NSA "everything is top secret and must be locked down at all costs" approach.
Crow T. Trollbot
Reading your email and your slashdot posts IS our actual work.
Signed,
Your IT Department
P.S. You're fired.
What?
This is your network admin, please come to my office. I have something to discuss with you.
whether you like it or not.
In the US, Sarbanes-Oxley places some strict requirements on data retention for publicly-traded companies. Employees choosing to use IM and gmail, could cause those requirements to be circumvented.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
I've been a user that is locked into crazy setups. The traveling consultant at client sites who's PC is setup to be managed from the corporate network. At one point, I got tired of the insanity, took a ghost image of the machine they gave me, and installed linux on the machine (and then restored the ghost image in a vmware session).
But here's the thing, I don't ask for support from the IT department because I'm the odd guy. I know they can't support me. What annoys me (as the one who helps other IT departments manage lots of PC's) are the people that install various applications that cause our automated installs to fail. 90% of the machines are managed with little to no effort. It's the 10% that cause days of work while we try to figure out which of the 20 apps you installed is breaking our install tool.
And for all those against IM and email lockdown, I've been to trading companies where that's the law. They get in trouble when they don't have logs of what people said on IM, email, phone calls, etc because that's how they catch insider trading. Of course for every sensible rule, I've seen 10 that make no sense at all. As has been said before, the USB key should force companies to reevaluate their policies.
This is kind of interesting, from the article:
"When you find that people have broken rules, the best thing to do is try to figure out why and to learn from it."
Sorry, no. When you find out that people have broken the rules, you write them up or you fire them, depending on the severity of the situation. What if the rule that was broken was someone carting around an unencrypted "backup" of a customer database on a thumbdrive, which he lost? Where I work, that's three major rules broken right there. If that happened, that person would be fired immediately.
Corporations aren't stupid. Hidebound, maybe, and slow to change, but if something is forbidden, there is usually a really good reason for it. Also, IT does not run the company, in most cases. Follow the chain of command up high enough, and you'll find IT's bosses. If you have a tool that you need or want, then petition for change. Don't do an end-run around the guys that are trying to keep you working, you're only going to hamstring yourself in the end.
The major problem is, people are making their decisions based on commercials or salesmen that promise an easy, 100% reliable solution to an existing problem. Then they run to IT to complain when the product doesn't perform the way it was supposed to. This makes extra work for an IT department that is probably already overworked. You want to play with toys, play with them on your own gear, not the corporate gear.
That said, a wise CIO is going to pay attention to what the employees say they need to find out:
a): If they really need it
b): If there isn't something better or already in-house that can fill that need
c): Is it safe to use, and what are the support requirements.
The important thing then is to tell the end user, No, you can't have that because of: ___, and give them an actual reason, instead of just telling them "against policy"
psmylie's dictionary: Godzillion (noun) Any number large enough to destroy Tokyo
1. "My hard drive is howling like a panther passing a kidney stone. Every time I run chkdsk I lose a few more sectors. I've backed up all my work to the network drive. When you get a chance can you come and fix my computer?"
2. "My computer won't start. It's been making this squealy noise for about two weeks and then all of a sudden it just died. You have to come right now and fix it because all the annual budget files are on my desktop."
Which call would you rather get?
None of them can see the clouds; The polished wings don't care.
Yes, most corporate users surf the web at home.
Yes, most of their home machines are horribly infected with spyware, viruses, and other things I grow weary of cleaning up. I have friends who make their livings cleaning up home PC's. Most of them have "regulars".
I have no problem helping my advanced, capable users be more productive through technology. I will even grant local admin when warranted.
I have major problems letting my users chat with their friends on IM while surfing porn, watching last nights CSI on YouTube, and unwittingly sending out spam on behalf of a botnet (while trying to infect the rest of the network). Whenever we (and by we I mean management) loosen the reigns, this is what I find all over my network.
Giving your users admin/root (i.e. ticket to ride) trying to make your life (or their life) easier only tends to make both of your lives harder later on.
Top down corporate stragedy types really don't need to be worrying so much about individual users. Good IT staff with sufficient decision making authority renders this entire "concern" moot.
This sig was generated randomly by one million monkeys with Speak 'n Spells. . .
When I come across someone who I find reasonably able to fix problems, I sometimes
enlist their help on assisting their computer neighbors. I also find that people
who think they know a lot quite often mess up their computer even more and consequently
require my help more - That is okay, it keeps me employed. It is changing though
with users losing admin rights. They really cannot do anything as a standard user.
On UNIX computers, The users tend to be more technical (I find) but still require
assistance sometimes. Especially when they do not have root.
And if the "screwed up" machine was infected with a malware which keylogged and/or sent information (such as client personal information/transaction records/ssns/ccard numbers) or perhaps medical records to some PC in Denmark BEFORE you restored from that image?
If IT locks down USB ports, I'm sure they'd have gone over the possibility that they could be locking out legit reasons and have planned for it. No IT department worth its carbon would lock down something that close to the user without preparing for the eventual onslaught of calls asking "Why is my USB drive is broken?!" ...that or their admin is a sadistic bastard and goes on unreachable vacation the next two weeks...
We should love smart users. If they come up with their own solutions to problems, they're de facto developers. If the business is run well, good workers will succeed and advance while poor workers fail and leave the company. In time, we'll have evolved a class of competent users, even experts, and have application development in the hands of everyone, along with the skillset to actually make decent software. It's a long way off, and maybe a pipe dream, I know, but don't squash the dream. Please.
You see? You see? Your stupid minds! Stupid! Stupid!
Letting users do whatever they want on company computers is a great way to have a lot of things go wrong very quickly. When you are at work, you are there to be working, not playing around on the internet, talking to your buddies, exchanging ims and emails an whatever else you could possibly be doing that has absolutely nothing to do with your job.
At my work, our computers are completely locked down and we cannot change anything, no matter how mundane. I personally thing this is great because I know that whenever I go to the computer, it will just work. If we could change things, I have no doubt a few of the employees would just have to screw with things and then when it didn't work, it would then screw up my job and cost the company a lot of money, not to mention cause my workers and I unneeded stress.
All this comes from someone who has several computers running from home with various operating systems doing various tasks. I could probably improve things at my work in regards to how tech is handled, but it is not my job. If I want to play sysadmin, I can do it with my own gear, on my own time.
If the company has decided that they are going to lock the use of unsanctioned peripherals, then the question becomes not, 'why doesn't my USB drive work,' but 'why are you bringing a USB drive in?'
"I use a Mac because I'm just better than you are."
As an IT tech, I have known users who knew their stuff, maybe 0.5% of the employees of any given company. And I have know techs who did not know their stuff, maybe 60%.
But all in all there are reasons why computers are locked down and there are reasons why IT mandates that "thou shalt not". Too many times there have been licensing issues where a know-it-all user with the ability to install software on their local box has brought in a package from home to install because they could get their work done better/faster/more colorfully with it than they could with the software that the company licensed. And when the project/document/spreadsheet that they created in that software can't be read or modified by any of the licensed software, they instantly become indignant and blame IT for not finding a way to convert their information. Contrary to popular mis-belief, IT does not have experience in EVERY piece of software out there. And when some disgruntled soul left the company they would let the anti-piracy folks know about the illegal installs.
And then there are the ones who download every bit of shareware/freeware/spyware in the known universe to their local box, turning their machine into a zombie or worse.
IT is usually mandated to keep the network running smoothly, virus and spyware free, and within the licensing agreements of the software that they have purchased. To do that they have to lock down the network, the computers and the user rights because the know-it-alls don't care about security, safety or licensing. They just want to run Weatherbug because they are too lazy to check into the WeatherChannel.
And then there are the users who listen to Internet radio (sucking down bandwidth), download illegal music and software (because it's faster than at home), and cruise the porn and game sites. Most users don't remember that the computer, network and internet connection still belong to the company that they work for and the aim of IT is to make sure that everyone can play and work together to the betterment of the company.
Give me a user who will work within the guidelines, request the software that they need to do their job and, at the end of the day, tend to their personal internet needs from their home computers.
At the company, many of the users were technically savvy, and more importantly, the process associated with IT was prohibitively complicated. It would take too long to get an IT project approved, and so people would use readily available tools (Excel and Access were the big ones) to develop solutions that met the need.
I'm sure everyone knows that in the health insurance industry, data privacy is extremely important, so yes, the IT department had some valid concerns about meeting government regulation, but to be fearful of an educated and motivated user that needs something and is willing to invest their time to get it...that's stupid.
This type of alarmism is your typical FUD that arises when a bunch of established people get jittery about where their paycheck will come from when they feel that someone is threatening the usefulness of their job by doing the things that they used to do. I have one response to that.
The model-T Ford.
Yes, all those horse and buggy people were pissed. The smart ones just rolled with it and became mechanics and made fortunes in the automotive industry. And here, too, all that is really required is to say, "OK, what are the new services that we can provide now that we have successfully built tools easy enough that the end-user can use them productively for basic development and analytic tasks?" Guess, what? There will be many more jobs that grow out of millions of educated users all over the world learning to use Excel and Access, etc.
At the health insurance company, what I could clearly see that our VP of IT could not, was that the efforts of our business people were doing an amazing job of forcing the IT process to become more efficient and less complacent. In other words, it demanded that IT actually earn their paycheck, and that IT explore the new responsiblities that they could take on with their considerable technical skills, in order to better serve a new and more educated customer (technically knowledgeable business users).
Fear arises because people are God damn lazy. "But I like doing what I've always done. Doing new things is hard. I have to actually learn to do new things. Oh, I just can't possibly see what we will do now that users can do things with data. Oh, why! Why did we give them a power tool that empowers them to go to Home Depot and then rennovate their house themselves, oh why???" Well carpenters haven't gone out of business and neither will IT people...not the proactive ones at any rate.
The tools will get better and the end user will be able to do more, which means there will be more new business requirements that need specialists to assist the business user, and so on. It's been this same process for generation after generation, and every there are a bunch of alarmists crying doom, and every time new opportunities arise from the changes and the economy experiences a net positive growth.
IT's mandate to protect corporate data
Here we have the single point that makes this entire FP one big strawman...
Yes, IT takes some measures to protect corporate data, both from inappropriate access, and from erroneous (or malicious) deletion.
The bulk of this "clash", however, involves two points - Maintainability, and the difference between personal and corporate liability.
Maintainability... Given a network of dozens, or even hundreds, of users, homogeneity means everything. If it takes an extra 15 minutes to solve a five minute problem because each user has their own bizarre configuration and preferred tools, you've wasted three quarters of my time vs just using the tools provided. And speaking of "provided", IT simply doesn't have the time to check each and every machine daily for pirated software. "Oh, but just fire anyone that has pirated software"... Yeah, sure, at up to 50k per violation and the need to replace a presumeably qualified (if careless) employee - Not an option as a default policy.
And I haven't even mentioned that people expect support from IT on anything and everything they can find on their machines... Guess what? I don't know everything. I can fix and teach Outlook, ThunderBird, Netscape, Eudora, Calypso, Elm, Pine, and perhaps a few dozen clones thereof, but I still won't have a clue how to fix your problem with FooMail; and even if it works similarly enough to one I do know that I can walk right through it, I won't know that until you've already wasted the time it takes me to visit your office (times two, since presumeably neither of us will get anything else done in the meantime).
As for liability, take the GMail example... In many companies (anything healthcare related, anything publically-traded, and just a good idea in most cases) you have legal minimum retention times for email; On top of that, since those emails count as a liability, you want to enforce that same period as a maximum retention time as well. GMail makes both impossible - You can't guarantee the legal minimum, and you can't automagically delete mail after that time. For that matter, you can't even guarantee that you'll ever again have access to a terminated-for-cause employee's email five minutes after security escorts them out.
You also need to worry about the motivation for using third-party email... If a company provides its own email server with no unreasonable content or size filtering, why would employees use GMail for work-related material?
The same applies to IM (though admittedly far fewer companies host their own IM than host their own email).
I (and most IT workers) don't seriously give a rat's ass what you do on your office computer - Your productivity only matters to you and your manager. I really don't care if you want to play Solitaire all day long. So this has nothing to do with control. But when I get reprimanded (or worse) for letting a random user get the company fined tens of thousands of dollars or under criminal investigation for unknowingly hosting kiddie porn, yeah, you can bet the farm I'll choose "lock your machine down" every time.
It sounds all fine and dandy to allow the user to install all kinds of stuff on there machines. And without a company mandate with some teeth ( termination or write ups ) most people will install things on their own anyways. We have prevented people from having root access, but generally they figure out what the password is or someone in IT tells them.
The only problem with these sorts of users is the support they require when it turns out they don't know what they are doing. Any boob can install iTunes, but even the smarter ones start having problems trying to figure out why there machine crashes afterwords. Then IT is called and blamed.
I'm fine with having these users install whatever they want, just as long as they realize that when they have a problem of any kind of size ( word won't start ) I'm going to blast the machine. If they are smart enough to install all the extra software they are smart enough to put their data on the network or at least in one folder where I can copy it. If they say I lost all my MP3's I'm not going to have a problem telling them tough.
These same people don't have to sign the invoices for their expensive laptops, I do. It is company property and companies should have every right to tell individuals what they can and can't install. At the same time they cannot be so stubborn as to not allow for newer software to get added, even if it does pose some sort of risk. Instant messenger and those types of programs can greatly increase productivity if used correctly. If the employee is chatting with his wife, I'd rather he do that then go in the hallway and call him on his cell...chances are he is actually doing something in between the chat lines.
That said the company still has the right to monitor the person for any traffic going over their network. If the guy gets in trouble and they find that he chatted with his wife all the time it should be admissable in determining his dismisal. Everyone out there knows when enough is enough, those that don't usually end up without a job.
and I still say:
1) It's my property (well, the owner of the company is my boss, but I manage this data center)
2) On my property, it's my internet usage rules, as long as I'm fair about it.
3) I bear the full responsibility for stuff going boom (physically, financially or legally), so I have the full right to monitor and control network usage.
4) You can always go home and use IM and gmail if you want. I have no control over that (though one jackass company in Michigan certainly would want to).
I support SOX, though I admit we're not a publicly traded company...
--- Grow a pair, liberals... stop letting the Republicans bully you!
Because without physical security there is no security.
Locking down the PC so that the receptionist cannot move data to his/her iPod would also, logically, prevent the iPod from doing anything that s/he would want it to do.
Unless you configured an iPod specific rule. And security is broken by "exceptions".
This is not fear we have. I certainly don't fear the Software Developer that has good Unix or Windows knowledge. Hell, I'll try and learn a thing or two from those folks. However, we in IT have a job to do and we're trying to do that job with a couple of things in mind.
1. Keep the Lowest Common Denominator employee productive and not constantly working on their system(s). If you're a hot shot techie at home, you have to realize that IT needs to make things work for the non-techie employees as well as you. Admin Assistants are a good example. They don't know about SysInternals or Slashdot or Linux and they don't care. They do care about office applications working then they need them for that presentation their boss (sometimes your boss) is about to give or whatever else is their important issue of the day.
2. IT is not interested in how you do things at home and telling us that's how we should do it at the office. We're running a business, we're not running your little computing playground you have setup in your house. Hell, we have them too, but those solutions are not business solutions, they are home solutions and are different solutions that employ some of the same technology. It's an apple and an orange. IT is not really interested in how you have your computers at home on a certain switch or how you do backups or you telling IT how they should setup their network and what their problem is. Personally, I'm interested in talking to you about that for stuff and comparing it to what I do in my home, but not the business I work for.
3. IT places restrictions for good of the business and so that IT can focus its energy on a limited number of products. If IT let everyone just run what they wanted on their systems, IT would be a nightmare and the company couldn't get good quality people to do the job well. Everyone has products they like and favor, even the IT people, I certainly wouldn't want to work for a company where I had to support every anti-virus software in existence or every Linux distribution because it was the whim of the person who's office the system was installed. I want to see a buisness reason for supporting multiple Linux distributions or anti-virus software. IT makes business choices based on best practices and industry leading technology products. Well, at least IT tries to do this, in most cases.
On the flipside of the coin, the company where I work now has in it's IT policy that checking your personal email (Gmail, Yahooo Mail, hotmail, etc.) is not allowed. I don't get this, personally, but that's the policy and everyone scoffs at it. Also, IM is not allowed/supported, but there is a way around it that everyone uses.
Policy and practice by IT is there for the wide abuser IMHO. For example, an employee who puts 8 different firewalls, 3 anti-virus programs, and a slew of other non-work applications on his company issued laptop that has the company anti-virus and firewall. This person has the balls to call the help desk and complain that his laptop is performing like crap. Genius, uninstall 7 firewalls and two anti-virus programs and I bet your laptop performs a whole lot better.
I think everyone in any company should spend two weeks working in the company's IT group as part of orientation and I think seeing and hearing the issues first hand from that side of the fence will generate a different set of articles from this one.
"...the shortest distance between two points may be straight line, but it is by no means the most interesting."
The point of the article is not that you should or shouldn't try to lock things down. It is that that no matter how much you try to lock things down, your users will find ways to open it up to get their work done.
If you're smart, you'll figure out ways that you can both get what you want: Your security and manageability, and their productivity and ease-of-use. Handing edicts from on high is a pretty stupid idea. The point of the article is that you're not shutting down what they call "Shadow IT," you're simply driving it underground where it's harder to see and deal with.
But, you know, it's your property and your rules, so by all means, do with it what you will, and good luck with that.
If the receptionist is assumed to be untrustworthy, then they could just as easily install a real hardware keylogger in between the PC and the keyboard. (And that would be a lot easier to get than an iPod-disguised keylogger.)
I'm not saying that there aren't situations where barring anything that could carry data away is appropriate. It's just that IT types seem to hone in on the "security breaches" that they can shore up, to the greatest inconvenience of users, while ignoring glaring holes elsewhere. If you're going to tell the secretary that she can't charge her iPod from the USB port because of the risk of keylogging, I hope that the keyboard's PS/2 connector is superglued in, or the entire chassis is encased in a locked steel container. Otherwise you're ignoring an obvious avenue of attack (like these), but going after a highly unlikely one, even though the treatment for the unlikely one annoys the user more.
Most IT departments have so many security problems and vulnerabilities, it's hard to even know where to start. But rather than working through them in a rational way, they seem to begin with the premise that "anything that annoys the users in the name of security must be good." (Probably not their fault; it's probably an attempt to placate a PHB somewhere by making the security really obvious...)
It's ultimately a glass-houses issue. Before overt, draconian security measures are put in place, everything else ought to be locked up already. Otherwise, it just makes the IT department look like they're power-tripping, regardless of the real motivation. And in the corporate world, it's not good to make everyone else hate you. Particularly the secretaries.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
This is a general observation that can be made regarding 'regulatory' departments that are concerned with security and legal compliance. Generally the rules are written down by someone senior, who uses common sense to reach what seems, at the time, a reasonable compromise and a practical approach. Next, they are handed down to a team of juniors, who enforce without understanding, because that is what they have been told to do. Through habituation, the regulations become Holy Writ and nobody is allowed to touch them --- a situation the original author(s) would probably have regarded as silly and dangerous. Finally, everybody formally adheres to the rules while circumventing them by any means possible, making a total nonsense of the original purpose.
This is by no means limited to IT. It also applies to finance or health care, or for that matter the US Constitution. It seems to a general human phenomenon. But it just seems that IT departments are more prone than others to the extreme aberration that I would call IT fascism: The belief that the ideal organization is regimented, uniformed, homogeneous, goose-stepping, controlled, and obedient; and that any exceptions need to be eliminated. Maybe the use of binary code stimulates binary thinking.
Of course, for any commercial organization, this can be a real killer in the long run. I've seen creativity and innovation totally stifled by regulation, until most people were so marinated in the status quo that they became completely incapable of independent decision-making, and the creative minds got frustrated and left. It's pretty much the reason why, if I were to make a SWOT analysis of our firm, I would classify much of our IT department under 'threats'. It's not because these people are of ill will, but the idea of trying, stimulating, or even supporting something new has become alien to them.
They are taking care of the daily business, according to present regulation, and they just can't imagine that there might be more to the job than that. To be fair, most of them are so far from the "frontline" that they no longer hear the din of the battle for survival.
I have worked in helldesk for..far..too long. Far far far too long. Er anyway. I have to say no I don't feel expertise of users. I fear users who -think- they are experts and really have no clue.
At a previous company we were very flexible and provided everything we could for users, especially remote users: OWA, VPN, wireless, SSL-VPN, Terminal Server for those legacy apps that no one could do without, etc. et al. We held a pretty secure ship, filtered only what was legally necessary and monitored traffic/e-mail only when requested by HR.
Regardless we still had this Shadow IT. Typically it was the guy who ran his own network and Exchange server at home telling us how we should run things, how he should have two monitors even though no one else had that and that he should be allowed unfiltered internet because it made him more productive.
Then there was the time the top salesman left his laptop at home, connected to our VPN, his son used it and it began attacking our firewall with a SQL slammer worm. One time can be forgiven, but this was the third time in a year that this occurred.
IT was thrown under the bus on these accounts and others.
Mr. Know-it-all got his second screen and caused a chain reaction of others crying for them and costing the company a sizable chunk of change.He also won having the internet opened up for sports and games. IT watched productivity drop as non-business internet usage climbed.
Mr. VPN received a third "warning" in his HR file, but IT had it's hand slapped because we hadn't really educated him on how to use his laptop, the VPN or the update programs. This in spite of us producing a document signed by the guy that stated "I understand IT policy and proper use of issued equipment and the network."
Back and forth this struggle has continued for the past 20+ years I've been in IT. For a few years, we're heroes. We implement technology and methods that allow businesses to grow and profit at the speed of light. We save businesses from going under when disaster strikes because we backed up the data. Then for the next few years we're the villains. We don't implement the latest technology just because the CFO said not to spend any money. We're thrown under the bus because an executive sent an illegal e-mail and IT had the nerve to have it backed up and accessible for the legal system.
The longer I'm in IT, the more I wish I'd have learned a real skill like cooking or carpentry.
I have been recieving CIO magazine for a couple years, and I have come to think of it as a book of Humor. On occasion I find some of the articles interesting, but mostly just amusing. I don't fear my users, unless they can keep up with the learning curve, they will fall behind quickly after new products come out. Most Users don't want to know how things work, they just want it to work. On the other hand if you have a user that is trying to flex thier computer skills in your face, you can bet they are doing much more behind you. Watch those users.. this article may also be biased based on the the service/software the mention in it and those who buy ads in this magazine. After all, how can CIO say don't let users use Gmail, or IM's. I think thier sponsers would flip...
Ad eundum quo nemo ante iit!
From the posts in this thread, one gets the impression that there are rather a lot of places where IT people and other employees are locked in a state of permanent warfare, or at best uneasily living together in mutual disdain.
The curious thing is that rather a lot of IT people seem smugly satisfied with this. They are confident that they have everything "locked down" and that nothing can go wrong as long as they don't allow the users to do anything important -- whatever that means.
To me this seems the ultimate in IT nerdiness. It gets pretty close to programmers who exclaim that they "didn't change anything" when their product suddenly starts to misbehave -- only applied to people, who are even more unpredictable than even the most chaotic software product.
The reality is that if people hate you, they will find a way to subvert your systems, and IT won't know. People are resourceful. I strongly believe that a security system that is not supported by the people who have to live with it, will be valueless in the long run. People are your major threat and your strongest vulnerability, but potentially they are also your best line of defense. A serious outside attack is not unlikely to have a strong social engineering aspect to it.
I've met IT technicians who blithely assumed that outsiders could never guess an internal password, because their systems strictly limited the number of login retries and required frequent password changes. It never occurred to them that someone might entice out a password by putting on a lab coat and looking official, that people are rather stimulated to write down passwords if they have to change them too often and any mistake brings about a clash with IT, or that the use of incremental suffixes permits any outsider to predict the new passwords years in the future. They sought refuge in strict IT rules, but their psychology (and their logic) was all wrong.
Apparently, there is this curious notion in some places that IT is about managing machines. Curious, because any engineer in another field could tell the IT staff that a big part of effective support is dealing with people, their needs, expectations, and perceptions. An IT group that is just busying itself with keeping the hardware and software in a good state and not positively interacting with and educating users, is an IT group that is failing in its job.
Of course it is much easier to concentrate on the machinery and ignore or crush the users. Machines are far more predictable and easier to work with, and sadly a lot of IT people are still conforming to stereotype and not blessed with great social skills. But at the end of the day they should watch out for their own interest --- there is no future in being a glorified window(s) cleaner.
Any IT department that fears its users are learning too much is a goddamn shitty IT department. Seriously.
I'm an IT guy.. at an engineering firm. Pretty much everyone here is a 'computer guru' by todays' standards. So, for about 100 employees, the three of us 'IT guys' get to spend most of our time doing real engineering, programming, HMI design, drafting, etc. Our job is made much easier since we can give users full administrative control over their own computers/laptops (necessary in engineering anyway). We just 'lay down the law' in terms of what users are allowed to install and uninstall and we never have to take away privileges from people that know what they're doing.
So, for years, the entire network and seven servers is managed as a 1-10hour/week job for one of our three 'IT guys.' We secure the network and the servers.. and we don't even bother to secure the servers per user - we just have them making tons and tons of backups so if a user does remove/move files that are important, we just replace them with backed up copies from whatever date we want.
Having a smart userbase allows a 'smarter' IT dept. to spend less time on IT unless the IT dept. is a bunch of bumbling idiots who find it hard to stay ahead of the curve. It's really nice not to have users that need help just because they cannot map a drive.. or because they cannot install a different version of Industrial Software X because it is incompatible with Industrial Software Y.
--- We need more Ron Paul!
1982 called. They wanted to tell you that some people now have PCs and aren't using the mainframe like they're supposed to.
Just a few days ago I ran an entire meeting of 12 Powerpoint presentations from my USB drive because the network drive went down the very morning the VIP showed up to have his apple polished. I thought ahead, realized that our network goes down all the time is about as reliable as the Iraqi army, so I had the foresight to copy the files to my personal USB drive. No longer--now I'll just shrug my shoulders and the organization looks only as competent as we really are for a change. I'm actually ecstatic when they lock the computers down a bit more. Already my workplace has cut off webmail, much to the joy of all the workers who now can't be held responsible for not knowing about (and completing the tasking from) an email sent out at 10PM Friday. Lock everything down, please. Could you please take my printer? Who knows what sort of shenanigans I might get up to with that.
Give me a diskless workstation that only works during business hours, and make sure it's the only place from which I can access company data, and I'll buy you lunch for a week. Don't forget that company cellphones and blackberries and PDAs are also the spawn of Satan. Keep up the good work! We love you!