Slashdot Mirror
Guerrilla IT, Embracing the Superuser?
snydeq writes "First it's letting users manage their own PCs and now it's sanctioning the shadow IT projects they do on the down low: 'You probably know them. They're the ones who installed their own Wi-Fi network in the break room and distribute homemade number-crunching apps to their coworkers on e-mail. They're hacking their iPhones right now to work with your company's mail servers. In short, they're walking, talking IT governance nightmares. But they could be your biggest assets, if you use them wisely. The reason superusers go rogue is usually frustration, says Marquis. "It's a symptom of the IT organization being unable to meet or even understand the needs of its customers," he says. "Otherwise, it wouldn't be happening." The solution? Put them to work.'"
We've actually moved away from this, fairly strongly. We work in a healthcare organization and having people develop applications on our servers can potentially cause huge issues. While it's possible to create little sandbox areas for them, it's an administrative hassle, and it's always hard to be positive their applications can't cross security lines or impact another application's performance. Then there's the support issues - who fixes their business critical application when they've left or are on vacation? It's like the days when people would make Microsoft Access applications for everything, and then it would be dumped in our lap.
Our reponse has been to staff up to meet customer demand and spent a lot of time bringing other IT folks up to speed on web development. It's worked out fairly well, and the number of times I've been called in to fix a Microsoft Access report or the like has dropped dramatically.
If you look back in history, people originally used computers together, sharing access, tips, and source code. Now it's all top down - someone dictates what you'll do and how you do it. You, as the unempowered user, receive prebuilt restrictions, prebuilt computers, prebuilt binaries. You can't tinker, you can't fix, and you aren't even supposed to poke around.
The problems of restriction in DRM, restriction in EULA, restriction by not providing source code, restriction in IT are all the same. Instead of educating users and providing them the ability to solve problems, IT mirrors large software companies and media companies, and removes any control, forcing them to be "stupid." When users can't even diagnose on their own, and are forced to run to IT for the most minor software install, the bureaucracy justifies itself. IT is necessary because it's been made necessary. Dumb down the users and they need someone to hold their hand. But create a community of educated and empowered individuals and people will share information.
In a community of empowered users people don't just share solutions, they create solutions.
"Put them to work?" I'm not about putting the beatdown on non-it tech guys, but I'm also not about giving them free reign. Isolate them from the bulk of the network, where their antics won't cause problems for the regular users, and impress upon them that they have a level of responsibility for their data and any problems that crop up with their projects. Make sure you bring their managers into the loop and impress upon them the problems that could crop up when their Access and Excel scripting guru runs amok, and then let 'em do their thing.
Oh, and wireless? I don't think so. Messing with network infrastucture is a cardinal sin, and any organization that doesn't have its internal network secured well enough to prevent someone setting up their own wireless inside the building needs to do some serious self-examination. Some things you just do not screw around with.
In my experience, the biggest problem is that the non-it power users don't have the same appreciation for security as the people whose job it is to make sure things are secure. Security is a pain in the ass; no question about it, and a lot of users view it solely as a pain in the ass, with their inconvenience rating much higher in their estimation than IT's "Unreasonable Paranoia". If you restrict those users too much, they're going to spend all their time trying to get around your rules...Same as a child will. But like a child, if you give them a certain amount of freedom inside the rules, then they're much more likely to be obedient. They will understand that the rules are there because they have to be, not just because you hate them and don't want them to be able to do what they want to.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Agreed, it has been my personal experience that tier-1 help desk people are usually of the college intern type. While they may be knowledgeable overall it takes too much time to get things done. Why put in a support ticket, or proposal for a new software package when I can do my own fixes, write my own apps, or use a FOSS to get things done quicker and more efficiently.
This is far different from giving me admin status over the network. I think it also boils down to tow different kinds of people, some of us were brought up on computers using best practices, doing things by the book, making sure things never go wrong, etc, but a lot of us were brought up challenging how things work, and trying to go against the technology staus quo. There will always be conflict between these two types.
That's one thing I see a lot; a lack of communication between the users and IT. They need something, something that we could provide if we knew they needed it, but we don't spend any time up there, and they don't know enough to ask for it.
I've tried things like getting IT people invited to departmental meetings, cross-training the new guys in other departments...Whole lotta nothin has come out of that.
I think in the long run it's jsut going to require that the average user becomes tech savvy enough to know what to ask for, or we start hiring guys whose official role is like "embedded IT"; they work in other departments, but they report to IT.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
I don't think that's true. Lots of people just want to screw around with things and get an ego boost out of flouting authority or trying to show-up the IT staff. You know, there's always going to be that guy who wants to install games on his PC, and figure out how to tunnel past the porn filter. Maybe it's because he wants those things, but also it's because he gets a kick out subverting the rules. Either way, it doesn't mean the IT staff isn't doing their jobs.
Perhaps, and sometimes like many things in life, the one size fits all, thou shalt do it only one way philosophy means that people are less productive, I've worked in shops were the monitor res. was set to 800x600 and god help you if you bumped it to 1024x768 or used smaller fonts to get more than 18 lines of text on a screen. So corp. IT is like everything else there are the anti-social dicks, and there are the people who bend the rules to get shit done.
I laughed at the weak who considered themselves good because they lacked claws.
Well, they broke the machine didn't they? With privilege comes responsibility. The same would apply to me, if I hosed my development equipment...I've done it before, and it's just a cost of doing business.
I'm in favor of allowing the leeway, but its a two way street. When someone like that screws their machine, it's usually not pretty, and it's not the sort of thing that can be easily fixed. I'm happy to restore an old image if you asked me to make one. I'm happy to recover files if it's possible.
But I'm not responsible for rebuilding a machine that has been rendered non-functional by a user who insisted that he knew what he was doing. I always make this stuff clear when a manager requests these sorts of permissions for one of their people. We support the standard configuration, once you deviate from that, all bets are off.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Bad attitudes like yours always crack me up. Why? Because, with the exception of the mainframe administrators, it is exactly the kind of user you are complaining about that CRATED YOUR JOB. No, I don't mean users. I mean those Arse-scratching chimps that think they are superusers. The PC in the work place is a direct result of people trying to get computing power under the radar of the mainframe administrators. So, if people had followed your advice 30 years ago, you wouldn't have a job.
Let's start with the name "Rogue Super User". No such thing. Why?
First, a "Super User" is an oxymoronic term. I'd use "Intelligent User" or "Educated User", but since my own local breed of that group trashed his laptop this weekend and dropped it off on my desk to fix, those two terms stick in my throat. Perhaps "Emboldened User" wold be acceptable.
Second, a "rogue" is someone who cannot be kept in line or operates outside of the norms of the organizations. Since any User who installs apps on their PC is technically "rogue", this would imply that all users fit into this category since any brain-dead git off the street can install the Yahoo! tool bar. Doesn't quite make them "Super" though, does it.
Begin with a better term than "Rogue Super User" and maybe I'll listen, until then, be gone with you.
As to what's being used, specifically, I couldn't tell you. I just know I've seen the trouble tickets when they pop up. I'm in "Client Services". The Network Services team is responsible for what I described.
BTW -- There is no need for students/faculty to be installing AP's as the campus is fully saturated. Yes, there are weak spots, but if the students/faculty even bother to report it (something we have a huge issue with, in some buildings), we add AP's or adjust/change antennas to correct the issue. So... A little innocent wi-fi hack crashed network in several buildings?
That's a good reason to do an audit of your network structure. It should not be that easy to crash.
And if they are that flaky - just imagine someone hostile trying to bring down your network.
bork bork bork!
Agreed,
I allow users to be a local admin or power user on their machine for two reasons:
Important for me:
1. We are STRICT about A/V and system updates.
Important for them:
2. Users often times (when given a laptop) start to use the laptop as their primary machine. They will use it to do their taxes, do all their online shopping/browsing/webmail etc. and use it for entertainment etc... It consumes too much of my departments time dealing with little complaints about apps like IM FTP webex etc...
The user should have some freedom over their day-to-day environment.
It is my job to ensure IT has done due-diligence with AV and filtering and *EDUCATION* on how to keep a machine clean for the users.
I've been a developer since the days that 8" floppies were the network. Currently I'm working on performance improvements for a data warehouse product. Our in-house network is running at 100M, but our customers usually use the product on 1G in order to get acceptable ETL performance. The two test servers were next to each other in the same room. I put in an IT request to set up a 1G connection between the two machines. The response I got was "our network is 100M, can't do it." After repeatedly explaining them how it could be relatively easily done without upgrading the whole building to 1G, and getting the same response, out of frustration I finally went to my boss and said, "here's an $80 switch we could buy that could get it done." We ordered the switch and are now happily operating a collection of machines in that room on 1G to each other. Our IT department is clueless about developer needs-- they assume all employees are only using CRM and office apps. Seems to me the solution ought to be a separate isolated network for the developers that they can hack on to their heart's content, but I suspect few IT departments have the savvy to figure that one out (ours certainly doesn't).
I suspect that most of the developers here have found it necessary to work around our IT department in one way or another. All of us have admin rights on our desktops which is an absolute must for us-- I'm doing things like shutting down and starting up services all the time, installing and uninstalling software, creating users, tweaking settings. I'd be down waiting for IT actions constantly if I had to do all that through them, and I'd bet much of the time they wouldn't understand what I was asking for and couldn't figure out how to get it done anyway.
From the other side, the problem with people just like you is that when you leave, your replacement will not be hired for his ability to write apps or use FOSS. So the IT department will no doubt get a call from your now irrate manager or replacement demanding that IT support your systems.
I've seen this so many times within my own organisation, departments or teams have their IT guy who have historically done all the IT for them, doing a fine job of it. Then they leave, then the IT department have to pick up where this person left off, inevitably requiring a time consuming migration back to the corporate standard systems. If this arrangement is fully supported by appropriate management such that the replacements job requirement is such that they should have appropriate IT knowledge, the problem with this is that you were probably a 1 in 1000 candidate, finding a qualified competent solicitor (or whatever) who knows drupal inside and out is pretty rare.
Jason
In the two examples cited, I could easily see situations where it'd be reasonable to say 'stop it or you're fired'. Setting up a random WAP that nobody in IT knows about can result in random people in the parking lot having access to your network, and storing company mail on an ipod is a massive breach waiting to happen - the only reason blackberries are allowed most places is because they can be bricked remotely.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
However, a very large number of users within the organisation use Macs. Some of these are self-funded, others are paid for by their departments. The one thing in common is that we support each other, have a wiki page with most configuration and want as little to do with IT as possible.
In the year I've been using my Mac (some have used theirs for years and years), I have to say it's worked exceptionally well. It's not for everyone. Some are content to tow the line and use their Lenovos.
IT turn a blind eye to the several thousand (and growing) of us. In fact, they support us in some ways (mostly secretly and below the radar). It's universally acknowledged that those employees who are itchy to use Macs instead of Windows and self-support are more productive than they would be were they forced in to a corp. IT environment.
The same goes for the very large linux community within the organisation too.
Now there's one hoopy frood who really knows where his towel is!
Sometimes rogue is the only way to go, especially when the IT organization is huge, monolithic, and anything but "IT at the speed of business".
In our situation it was also a reporting issue. Basically we (I) were tasked with doubling the number of countries we reported for. The process in place already required 2 full weeks of work (often with lots of unpaid overtime). The work couldn't start until the end of the month and had to be done by the 15th. Adding new people would have been stupid and it wasn't an option anyway. We were put in a position that if we "followed the rules" we'd either end up working 20 hour days for 2 weeks, or we'd simply fail to get our work done.
Our corporate IT group was willing to consider a more automated database solution... but after 4 months of meetings they wanted millions of dollars and said it would take more than two years to complete. This was a non-solution.
We then, with the help and advice of another "rogue" developer in the company, went to an external local company who built a very nice solution for $25k. Not only were we able to handle the doubled reporting workload, the actual workload itself went from 2 whole weeks each month to just a few hours a month. We did another round of development, spent another $25k, and folded in two other very time-consuming and error-prone processes into the tool (they only happen 3 times a year).
A few months ago I ran into the IT director that helped propose the multi-million solution and he asked how we were doing. I told him we got a great solution and he asked me to schedule a meeting to show him what we came up with. When the meeting was over, he basically picked his jaw up off the floor and expressed how amazed he was at by the tool and how disappointed he was that the IT organization in our company (a Fortune 500 BTW) couldn't accomplish anything even close to it.
To be fair, our IT organization is very good at huge capital improvement projects that take years to complete. Unfortunately they have no capability to support more tactical solutions that help keep the business going until the big project is going. They are unable to grasp the idea that sometimes you need to make temporary bandaid solutions that will be discarded when "big project xyz" is done. "It's just a waste of money and resources" is their usual response - but they seem to have no concept that the business is hampered and profits are not earned because the lack of any tool, even a temporary one, inhibits the business. You don't need to buy a car to get from the airport to work - sometimes it's okay to spend money on a taxi. IT wants to tell us we can't take the taxi because they're building a car for us - we just have to wait at the airport for 2 years or walk.
But as you suggested, we had buy in from our own director (who was able to shake loose the money for the rogue development) and ultimately, the VP in our "chain of command" is pleased - the quality of our reports has improved dramatically (because we eliminated so much manual work) and we're able to support the additional countries, along with even more detailed/graphical reports.
There are some in the IT group that don't like what we're doing. But my response to them is always, "Let me know when you can provide us a reporting system that does this, this, this, and this and we'll be glad to switch to it". "Oh, well, we can't do that, that, and that..." and they then leave us alone.
I worked as the regional it director of a financial services firm which dealt with stocks, bonds, and securities. This meant we fell under the regulatory umbrella of the National Association of Securities Dealers (among others). They are a quasi-governmental agency and have absolute power (no appeals) in their sphere.
The deal that made me lock down everything was this little policy the NASD has of fining IT staff directly. Not the company, not the department...me. Personally. Starting at $100,000 and going up for security or privacy breaches.
That'll make you think twice. Oh yeah, any publicly traded companies officer (C level) can be sent to JAIL for violating certain IT regulatory policies.
So yeah, there is a reason for the control.
[RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.