Why Should I Trust My Network Administrator?
Andrew writes "I'm a manager at a startup, and decided recently to outsource to an outside IT firm to set up a network domain and file server. Trouble is, they (and all other IT companies we could find) insist on administering it all remotely. They now obviously have full access to all our data and PCs, and I'm concerned they could steal all our intellectual property, source code and customers. Am I being overly paranoid and resistant to change? Should we just trust our administrator because they have a reputation to uphold? Or should we lock them out and make them administer the network in person so we can stand behind and watch them?"
If it was really a worry, why outsource it in the first place?
You could mandate on-site support only, but you will get charged out the yang for it.
If you're concerned, ask them to carry a performance and fidelity (aka surety) bond.
That's the service they are offering. If you want someone to be on property so you can look over shoulders, hire an IT staff.
Either that, or learn to do it your damn self.
Obviously you want to find someone reputable, and bonded, but you're never going to get to a point where you can have a network infrastructure that is secure from the people who do your network infrastructure.
I've had enough experience with paranoid managers who hysterically insist that I'm reading their email, or their online banking passwords and crap like that. You think that some schmuck who is working fixing problems remotely really gives a crap about the plans for your Facebook-killer? Think that they care about your boring ass emails? You think they care about your customers??!? Are you kidding? You obviously don't sell networking, so what would be in it for them? Selling a customer list is like selling a used phone book.
No outsourced company is going to send a person to your building every time there is an issue, and frankly, you don't want them to because they'll charge you out the ass for that sort of service. Even if you did decide to pay the price for in-person service, anyone who is out to screw you will be able to screw you while you're watching them over your shoulder, because you won't know what to look for.
If it's really that important to you, bring it in house. And, word of advice, if you do bring it in house, don't treat the guy like a criminal or he's going to start reading your email.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
At some point, you're going to have to trust SOMEONE
Can you trust your Significant Other not to get all stabby when you are in bed sleeping?
Can you trust the drivers on your commute route not to suddenly get out their guns and start shooting at you?
It's all risk management. If you have super-important data, then don't farm out the management to someone you don't trust. If you have regular data, then farm it out to basically anyone.
SH*T happens... but if you are paralyzed with fear that bad things are going to happen because nobody is as trustworthy as yourself, you aren't going to be leaving your house.
For the same reason you trust your accountant.
Tell me, do you trust your sales people with your customer database? In my experience, they're the ones to watch.
That is an incredibly dumb question.
You should trust him because, as the manager of the startup, it is within your area of responsibility to ensure a priori that the people you hire to do this are trustworthy, or you are simply not doing your job and you should be fired and replaced with someone who can. Since your company is already on a path for doing outsourcing, I am sure your job could be outsourced to someone more competent in Bangalore.
-- Terry
I do a lot of remote support for my customers.
I also make sure I get face time with them.
Learning the work-flow of a company is very important when it comes to administering their network.
If the company you are hiring doesn't schedule regular visits then I wouldn't trust them to work in your best interests.
I'll add this as well. Audit them periodically. Hire another company to check up on them.
My customers do this and I've received good feedback from the customer and the auditor.
Ursula Andress, Catherine Deneuve, and Charo, twice...
Seriously? You're thinking about this now AFTER they've put the whole network up with all remote access enabled?
What the hell makes you think they can't steal all your crap in person? Even if you assigned someone to watch every move they make it would be difficult for novices to even be able to recognize data theft happening as they watched if it happened through a command-line interface.
I would guess that it costs less to outsource this sort of work than to try to keep your own full time IT staff employed. I might be wrong though.
Palm trees and 8
If you think watching over the shoulder of a person that you aren't sure you trust will make a difference...it probably won't. If they're bent on stealing stuff they just put in a back door in the 4 seconds you're not watching them like a hawk and probably wouldn't catch anyway. You should probably step back and decide how much of a risk it is to outsource the admin gig to begin with. If your files are that valuable maybe your business model should afford somebody you can trust and see on the payroll with stock options. Perhaps you need two admins. One the outsource company that obviously would have technical abilities you don't have, but maybe another one that you do trust that at least has minimal abilities to at least monitor for anything unusual?
Do you trust your bank with your money? Even though they don't keep it at your business and you can't stand behind them and watch what they do with it? Your fortune is at stake. Why do you trust them?
Do you trust your grocer to give you clean, fresh meats? Even though you can't go in the back, see how they're stored and watch them being cut? Your health is at stake. Why do you trust them?
Do you trust your pharmacy to give you the correct medication? Even though you dropped the prescription off, will pick it up later and don't know the look of one pill from another? Your life is at stake. Why do you trust them?
I trust I've answered your question.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
They're stealing your IP while you're goofing off on slashdot.
You seem to be conflicted. You don't want to have inhouse IT, but you want them there and available anytime you need them onsite. I think you first need to determine which is important: reduced costs of outsourcing (and all the issues that go with it) or the improved service of inhouse (and all the issues that go with that).
Even if they're onsite, are you going to have someone paid to stand over their shoulder and watch? If so, pay that person to do the damn work for ya.
To be honest you're probably safer with an outsourcing company since no sane company would risk their reputation by stealing your "zomg important" secrets.
Nobody should trust their BOFH.
Sadly, it just happens to be the case that we can't live without them, but trustable as a group, they are not.
Trust people, not jobs.
NO SIG
If you are so worried about it then have them sign a contract that stipulates they won't do what you're worried about them doing. I've done consulting for the SMB market. We did the majority of our support remotely. We were constantly busy taking care of clients and didn't have the time or the inclination to try to steal from our clients. Look at it this way, if your consultant leaks your super duper secrets to your competitor, and you go out of business, where does that leave them?
And you come to slashdot to ask that question?
Start by hiring someone with real business talent to run it for you because you sound like your own worst enemy.
IF YOU CAN'T TRUST THE PEOPLE YOU HIRED THEN WHY DID YOU HIRE THEM?
Seven puppies were harmed during the making of this post.
...just hiring a real network administrator? Honestly, it's an employer's market right now. There are lots of people who have been recently laid off who would kill for a job right now...probably even for a below-average salary.
It is certainly harder to trust an offsite guy, for monkey reasons (can't see the look on their face, body language, that sort of thing) if nothing else; but I'd be curious to know if you have any reasonable grounds to believe that you could detect malfeasance in person.
An attacker, even a modestly skilled one, given the level of access an admin would need, could do all sorts of terribly serious things in the blink of an eye, whether or not you are watching him. When I'm wearing the admin hat, I routinely run executables on numerous client PCs, manipulate server settings, write and run scripts that gather all sorts of data, make backups, and so forth. Are you really going to be able to see the difference between me tarring the contents of your OMG_Sourcecode directory for backup and me tarring for backup && sneaking a second copy somewhere? And, if you are that good, why are you hiring me to sit there while you watch me, when you could just do it yourself?
If you are paranoid enough, you can use some sort of intrusion detection/exfiltration detection setup, with shell logging, and firewalls, and disabling usb mass storage devices, and uniquely barcoded hard drives, and cavity searches, and so forth; but somebody you trust will have to build that as well.
Obviously, going to Shady Bob & Pradep's House 'o Discount Outsourcing is a bad plan; but so is hiring Shady Bob to work onsite. I'm less sure, though, that there is a significant security difference between offsite and onsite people of otherwise similar levels of cheapness and shadiness.
the cleaners have physical access to your everything. what contract did you sign with them? you know, to minimize your risk, you should outsource your IT to the cleaners. they already have physical access to everything, so it's not much of an extra step to let them maintain your systems too. they're even in the office on a daily basis. if you have any IT issues, just leave them a note!
Yup, you're a "manager", that's for sure. The post was about data access trust, not whether they're doing the job. Do you think an audit report is going to say sniffed network, copied browser caches, installed key loggers?
You really need to ask yourself if you want a professional or a peon? You write your question as if you want someone you can piss on, that tells me you want a peon. Heck, you'll save money on the peon, you can get one from any local technical college, they might even know what they're doing.
If you want a professional and don't want to pay for one, you're outsourcing some part time work. You get a portion of a professional's time, that makes you a part time customer, a small fry for the outsourcing company. They are essentially offering a courtesy to you at all to work on your network in the off chance your company grows as this will leave them in a good position.
The bottom line is that professionals that live in your country need to be trusted, they have too much to lose. Most professionals will undergo a background check one to every two years. No professional is going to destroy their livelihood by leaking something like your customer list. No professional is going to risk going to prison or getting sued for crossing the line as long as they live in the same country as you. They will lose their ability for references. Outsource to India and the like and all bets are off, there's no reputation to maintain.
Really, the question is why would your customers trust your company, and is a professional service really any different?
The biggest problem is that the vendors you are talking to are being honest and setting your expectations and you don't like what you're hearing. You're about to discover how every extra service has an additional charge and you'll quickly bury yourself in extra fees in the event your company does grow. If you want to position yourself for growth and don't want to be sunk under a slew of fees you should hire a professional in house and then trust them to do their job.
You say "Or should we lock them out and make them administer the network in person so we can stand behind and watch them?"
Given that you aren't administering your own network, I'd guess that you don't have the skills to do so. Would you know trouble if you saw it?
Would you know enough to see them setting up a remote service that they could get back into? Would you know enough to catch them copying sensitive files from wherever they live to some staging directory, then later copying that directory off to a flash drive, or to some external server? Would you be able to catch them downloading a root kit and installing it?
In short, given that you don't have the experience to admin your own gear, do you REALLY think "standing behind them and watching them" is going to do anything but waste your time?
And IF you have the skills to admin your own machine, but want to outsource that due to some idea of "I have better things to do than this" - you have the time to stand behind them and watch them do the work, does that not imply you have the time to do the work?
Like others have said: If you are concerned, make them put up a bond.
www.eFax.com are spammers
I own a company that does outsourced IT support. Were it us, I wouldn't insist on being able to do remote support - but you'd pay so much for on-demand on-site support you'd be better off hiring someone in-house to do the job instead. The reality is that (were it us) we'd be coming in to your office periodically (depending on your size, from maybe once a month to as much as a couple of times a week). And most of the routine requests you will make we'd take care of by logging in remotely to deal with them for you. In most cases, we can log in and handle it a lot faster than we can free up enough time in someone's day to get them over to your office.
That's the reality of outsourced IT. You can get very good coverage that way, and any good company will give you face time with whomever is handling your account. I've got a lot of clients that trust my employees (and me) with their keys, passwords, and all the lot. I've got professional liability insurance, and a reputation that's even more important to me. If we were the company doing your support, I'd gladly sign an appropriate document guaranteeing we'd keep your data private.
I'm not pimping for my company (you're probably nowhere near where I work - else I would likely have been contacted as one of the firms bidding) but most companies like mine work that way. That's how we can do good work and still be affordable. But the reality a lot of these posters have pointed out stands: if you can't trust an IT company to handle things for you, then hire an admin in-house.
-- Josh Turiel
"2. Do not eat iPod Shuffle."
A few weeks ago I read an investigative report on repair shops in Britain. Aside from overcharging and finding non-existent problems they looked at and copied information off the computers that were being serviced. Have reason to trust anyone that you give that kind of access to. Then trust, with as much verification as is economical and doesn't unduly make the service provider think that you don't trust them, since unwarranted distrust chips away at the relationship.
I'm unclear as to why you think having them work onsite is more secure. The statement "administer the network in person so we can stand behind and watch them" implies that you have network skills at least as great as they have. In which case the watchers can do the work themselves.
Would you really notice if I ran a batch file that planted a trojan on your computer and uploaded your SAM file(s)? I doubt it. Your IT guy knows everything; that is just a fact of life. Hire a professional and it won't matter. Or you can hire Geek Squad level. Just plan on those "private" pictures of your wife to be added to his personal collection.
I also suspect that you might be hobbling yourself in other ways. (Unless you are geographically isolated or have a non Mac/Windows environment) there is a large number of consultants who will do on-site work. I know; I'm one of them. You will pay more, but there are some situations that require hands-on support. It is very hard to replace a power supply over a VPN connection.
Good luck, and I'm glad you're not my client.
Such a service should be bonded, by an outside bonding company. It's the surety bonding company's responsibility to run background checks on the contractor's employees, and to pay up if they steal. (They'll try to get the money back from the contractor or the employee.) Banks carry surety bonds for their employees.
Here's a contract for network administration services with a bonding clause.
I worked in IT for about 15 years, and always held that if a company doesn't trust its network administrators for a justifiable reason, then those people shouldn't be the network admins.
Remote/local doesn't matter. If they are not trustworthy and you can document why, then don't make them your admins. If they are, then don't worry about it until they do something to violate that trust. And if they do violate that trust, then go after them guns a-blazing (figuratively, not literally, OBVIOUSLY).
Most network admins want to be trusted - and need to be. Being untrustworthy is the kiss of death in that entire career path.
As others have said, local or remote doesn't matter. In-house or outsourced doesn't really matter. You need to accurately assess their trustworthiness and then deal with it in an appropriate manner.
Insanity is a gradual process; don't rush it.
There seems to be an assumption that you can "keep an eye" on an on-site network administrator, and that's why you can trust them.
How would you tell if they were up to no good? Will you be looking over their shoulder constantly?
I have worked in medium size IT shops (approx. 100 people), and have seen the system admin team all stand around a computer as they go through their manager's CV (they had left it on their home drive). This was practically outside the manager's office, but you can't be everywhere at once.
Maybe you assume that you will only hire trustworthy people, but how can you tell if you can trust someone just by working with them?
Personally, I think the bigger risk to your operation will be if you hire a bad sysadmin.
Owen.
Democracy isn't about no one telling you what to do. It's about everyone telling you what to do.
There is some data that a sysad, whether internal or external, should not be trusted with.
Basic system administration should be required for business and management degrees, enough to maintain the disconnected key server and the separated subnet that handles all the most sensitive data.
Small networks are not that hard.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
Whether it's an "insider" who works for your agency or an outside contractor, it doesn't matter: either way you have to trust somebody.
The only solution that makes sense is an audit trail that records file transfers and can't itself be modified - which is a real bitchkitty to implement. Does anybody know of any decent products that cover both servers and workstations?
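One way to approach the audit trail asked about above, as an added example that is not part of the original thread: a hash-chained, HMAC-protected log of file transfers. It makes edits, deletions and truncation detectable rather than impossible, and it assumes the key and the latest head MAC are kept on a separate system the audited admin does not control; the record fields and function names are hypothetical.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # stands in for "previous MAC" on the first entry


def _mac(key: bytes, prev: str, record: dict) -> str:
    """HMAC-SHA256 over the previous entry's MAC plus the canonical record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev.encode() + b"|" + body, hashlib.sha256).hexdigest()


def append(log: list, key: bytes, record: dict) -> str:
    """Append a transfer record; return the new head MAC to ship off-host."""
    prev = log[-1]["mac"] if log else GENESIS
    entry = {"record": record, "prev": prev, "mac": _mac(key, prev, record)}
    log.append(entry)
    return entry["mac"]


def verify(log: list, key: bytes, expected_head: str = None) -> tuple:
    """Walk the chain and report the first inconsistency.

    expected_head is the head MAC stored away from the logged host.
    Without it, removing entries from the end of the log goes unnoticed.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev:
            return (False, f"entry {i}: chain broken")
        if not hmac.compare_digest(entry["mac"], _mac(key, prev, entry["record"])):
            return (False, f"entry {i}: record altered")
        prev = entry["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return (False, "head mismatch: entries removed or log replaced")
    return (True, "ok")


def build_sample_log(key: bytes) -> tuple:
    """Constructed sample transfers (not real data); returns (log, head MAC)."""
    transfers = [
        {"ts": "2009-03-02T01:00:00Z", "user": "remote-admin",
         "src": "fileserver:/srv/source", "dst": "backup01:/backups/source.tar",
         "bytes": 734003200},
        {"ts": "2009-03-02T01:07:41Z", "user": "remote-admin",
         "src": "fileserver:/srv/source", "dst": "203.0.113.7:/tmp/source.tar",
         "bytes": 734003200},
        {"ts": "2009-03-02T09:15:12Z", "user": "andrew",
         "src": "fileserver:/srv/docs/plan.doc", "dst": "pc14:/home/andrew/plan.doc",
         "bytes": 48128},
    ]
    log, head = [], GENESIS
    for record in transfers:
        head = append(log, key, record)
    return log, head


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # in practice, held by the auditor
    demo_log, demo_head = build_sample_log(demo_key)
    print(verify(demo_log, demo_key, demo_head))
    demo_log[1]["record"]["dst"] = "backup01:/backups/source2.tar"  # rewrite history
    print(verify(demo_log, demo_key, demo_head))
```

Anyone with root on the logging host who also holds the key can re-forge the whole chain, which is why the head MAC has to be checked against the copy held elsewhere.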
It's interesting that the realization comes after the ink has started to dry on the proverbial paperwork.
As others have already pointed out, you have to choose what you are willing to put up with. No solution has zero issues or problems, just different ones.
In all cases, your risk of data/ip theft? Greater than zero. It will never be zero, short of you getting all copies and all peoples who have had contact with it and lock them in an underground room for all eternity.
* Presumably, you have some form of agreement(written contract) with the outsourced IT group. If you don't, you should _address_ that issue.
* You should have insurance for your company, so that in the event of fraud, theft, etc... and your business goes belly up, you have the means to cover your debts.
* You should be just as equally concerned about data loss as you are about data theft. I.e., make sure you have enough copies of your data/IP.
Regardless of whether you have in-house staff or outsourced staff, you should have some means of auditing your environment to address and reduce the risks involved. If nothing else, it will give you visibility into the types of areas of knowledge that someone other than your IT admin would know and be able to pick up the pieces should one of the problem scenarios appear.
Assuming you decide you are happy with your current support situation, get them to produce a human readable run-book for you, so that should they go out of business, bail, or otherwise default on the agreement, you will be able to bring someone in to take over. Schedule time for someone other than the primary support person to use the runbook to perform downtime/maintenance tasks/etc with the runbook. If there are any issues or problems, have the outsourcing company update it. Make it part of the understood and written agreement. You want to be able to rebuild, in the case of any failures.
Quick summary:
- validate/verify terms of agreement with existing IT support partner
- affirm creation of run-book with support partner and verify that it is valid and up to date with regularly scheduled DR/maintenance tasks
- have an on-site "intern" learn the tasks and serve as your in-house backup IT resource. Presumably, this person can also do double duty, if they happen to be a coder/content developer/PM with prior admin experience, etc. That person is your plan "B". This makes the runbook that much more important.
- NDA(s) and the legal expertise on retainer will help a lot in terms of enforcement and collection on damages, but it will not prevent theft.
- Know what your company's plan "B" is in case of theft. Should you be segregating your information? Should you be encrypting your communication? Is the fact that some of your coders are bringing in USB flash devices and bringing work home a problem in your mind in relation to remote IT support?
There are plenty of issues and potential areas for IP theft/leak/sabotage to occur.
Legal agreements will help you when dealing with another company entity, but those legal agreements will do precious little if the theft/release of your IP causes your business to go down the drain.
Winged Power Photography
I can tell you right now, an administrator is going to tell you right where you can tar it if you stand over his shoulder while he's trying to work. I've been an admin for a long time and I've dealt with people like you and it always comes down to the same thing:
Either you will trust me to do the job you hired me to do or you can find someone else to do it. Being administrator inherently means I will have access to all your base. The fact that I'm a professional doing a job I was hired to do means all your base are not belong to me. Irritate me by hovering over my shoulder all day and that will change.
It is a mistake to think you can solve any problem with just potatoes.
My response is one of many just like it, but bottom line is you HAVE to trust your network admin. Whether he's on site or off, he has access to your stuff. And frankly, I don't care if anyone walks in and sees what I'm doing randomly, but outside of a performance evaluation, the day anybody steps into my office and starts watching what I'm doing is the day I quit.
"People who think they know everything are very annoying to those of us who do."-Mark Twain
You used the past tense. Therefore I see that you've already made the decision to do this and have executed on that decision. The agreements are signed and the admins are working on managing your systems as I write this. A lot follows from this having already gone down. In other words, this detail is important to clear up before proceeding because there is a large difference between something you have not yet done and something you have already done and now have to live with.
Of course they all do. Look at this from their perspective: many organizations hire them to do what you hired them to do. None of these IT admin firms have the staff to do things in-person (as you later contemplate threatening upon the firm you hired) where people expect explanations and instruction while they do what you hired them to do (which, by the way, makes everything take at least twice as long). If you wanted teachers to train your staff, you should have hired said teachers. If you wanted something different, you should have considered this before you contracted with them. Be here now. Best to focus on where you are now and proceed from that point realistically.
Your so-called intellectual property isn't the issue here, you've crossed that bridge. Your issue is you have post-commitment jitters about something you apparently didn't think through. Since you've already inked the deal, it's time to trust your new partners and understand that you don't have the power to "lock them out" in any way that wouldn't constitute a breach of contract or at least erecting circumstances that make them want to get rid of you as clients. You don't have the power to "make them administer the network in person so we can stand behind and watch them" nor would they likely want you to do that. You need to think ahead this time and consider the ramifications of being watched; I'm almost sure you wouldn't want to work that way because hardly anyone wants to work that way. Why would you think they'd want to work that way? You've described nothing unprofessional or bad on their part, so you have no cause to treat them as you describe.
Chalk it up to a lesson about thinking through the details before commitment.
Digital Citizen
I am a remote administrator for dozens of companies. I have been doing this for many, many years. My business success is directly dependent upon your business success. I have a vested interest in every single one of my customers growing and flourishing in business. As such, I only recommend solutions that are justifiable in direct, easy to understand terms.
You have proprietary information? So what. So does every other company and government agency I do work for - all of which is done remotely. Only on rare occasion do I visit on site.
If you cannot place your trust in the people holding your admin password, then administer it yourself. Otherwise be prepared to pay 2-3 times more for simple administrative tasks.
I'm sure I have access to tons of proprietary information, sensitive information, etc. but so what - I'm an honest guy. If I see the stuff, my first reaction is do we have this properly protected? I know the first reaction in a criminal mind is "What can I do with this?". Criminals don't usually want to work for a living.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
Here's a thought: If you hire an admin, you have ONE person who might potentially steal your data. If you outsource to a company that has 500 people who have the ability to remotely connect to your systems, you now have 500 people who might potentially steal your data. The chance of having one bad egg in 500 is much higher than having one bad egg out of 1.
Either you trust your sysadmins or you don't give them the access they need. Administrators require access to all of your files, your network traffic, your email, your financial data. Not all of the admin staff needs it, but at least one of them does need some access.
The problem with outsourcing is you are treating sysadmins like janitors, a necessary evil farmed out to the lowest bidder. Where the reality is the function is a critical professional appointment which requires vetting, just as you would your accountant and lawyer.
POKE 36879,8
Knife crimes are reported sensationally in England but it's false that knife crimes are increasing dramatically -- see here for example. Knife crime has remained relatively stable over the past decade, most recently actually dropping by 15.7%. Maybe you're confusing knives with umbrellas?
You don't outsource to a random idiot -- that's step one. Welcome to referrals. Ask a friend, or a competitor, whom they've used. At least that way, if the IT guy screws you over, he loses more than just you.
Second, hopefully you have NDAs with your clients. Those NDAs undoubtedly say that you have to have an equivalent NDA with your contractors. So make your IT guy sign an NDA.
Third, "stand behind and watch him"? Are you nuts? Not only are you not going to actually do that, but if you did, are you going to read every command? Are you going to understand them? You can watch a magician, or other sleight-of-hand artist as much as you want -- most of them depend on your trying to pay attention.
Bear in mind that there's nothing to stop an angry local administrator stealing/selling data, and being more intimately involved with the company's business activities, he probably knows better where to look.
But, I'd suggest not outsourcing if possible for a different reason. It normally doesn't work. The lack of local site knowledge is hugely detrimental to knowing wtf is going on. I was with a large aussie mining company that tried it - after 18 months they couldn't get away from the outsourcer fast enough. Main problems are that there is usually no continuity in who deals with a problem, no sense of personal responsibility, no problem ownership, and any admin who gets a clue at the outsourcer leaves and gets a real job as soon as they can.
You'll end up dealing with muppets who either don't care, have no clue, or both.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
This suggestion above is equivalent to proposing that managers have to learn electrician skills to wire the most important room in the building, for fear the paid electricians might sabotage it, or they have to learn locksmith skills to key the locks on the most sensitive file room, because they can't trust locksmiths not to share a copy of the key or sneak in one night.
The simple fact is the management of key systems should be entrusted to skilled IT professionals whose primary responsibility is maintaining consistent, operational, available systems.
That doesn't just mean setting up systems and forgetting it, it also means implementing secure backups, monitoring audit trails, managing the complex access controls, monitoring system logs, and correcting problems.
Make sure that you have a document to describe how to take back the network in case you decide to fire the IT staff. I used to work in this area, and I provided this to my clients even if they didn't ask for it. If I were looking to outsource, I'd certainly make sure that I had the ability to rip it back. Even if I trust the outsourcing company completely, which is requirement #0 in my book, I want to make sure that my company stays my company.
Very little IP is like the formula for Coke, if it's valuable it's probably being used and modified on a daily basis. IP that changes like that needs to be backed up, offsited, secured, etc. These are all things that an IT department exists to enable for the business. Not only that but as the GP mentioned it's not like IT is the only people who have access to your IP, anyone who is working on it is going to need access to it and few ideas can be modularized to the point where a single leak is insignificant. The only way a business can really protect itself is to hire good people and provide them with enough incentive that they don't want to trade your IP to someone else.
As far as the poster is concerned, if you are that paranoid learn how to operate your firewall and lock them out when they are not specifically working a ticket, or have a different third party manage the firewall. Have the consultant do their work through something like Webex where the session can be recorded for review, that way you can check up on them without having to sit there in real time and watch. Personally I wouldn't work for you as an employee or a consultant, but for enough money you will probably find someone willing to placate your sociopathy.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
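One way to check the "only while working a ticket" idea from the comment above, as an added example that is not part of the original thread: pair up remote-admin logins and logouts and flag any session that is not covered by an open ticket window. The log format, the `msp-admin` account, the ticket IDs and the 15-minute grace period are all assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the thread); format and names are hypothetical.
TICKETS = """\
T-101,2024-03-04T09:00,2024-03-04T11:00
T-102,2024-03-05T14:00,2024-03-05T15:30
"""
SESSIONS = """\
2024-03-04T09:12 login msp-admin 203.0.113.10
2024-03-04T10:40 logout msp-admin 203.0.113.10
2024-03-04T23:05 login msp-admin 203.0.113.10
2024-03-04T23:50 logout msp-admin 203.0.113.10
2024-03-05T15:10 login msp-admin 203.0.113.10
2024-03-05T16:45 logout msp-admin 203.0.113.10
"""
FMT = "%Y-%m-%dT%H:%M"

def parse_tickets(text):
    """Return (ticket_id, start, end) for each approved work window."""
    windows = []
    for line in text.strip().splitlines():
        tid, start, end = line.split(",")
        windows.append((tid, datetime.strptime(start, FMT), datetime.strptime(end, FMT)))
    return windows

def parse_sessions(text):
    """Pair each login with the next logout for the same account.
    Also returns logins that never saw a logout, for separate review."""
    open_logins, sessions = {}, []
    for line in text.strip().splitlines():
        ts, action, account, src = line.split()
        when = datetime.strptime(ts, FMT)
        if action == "login":
            open_logins[account] = (when, src)
        elif action == "logout" and account in open_logins:
            start, src0 = open_logins.pop(account)
            sessions.append((account, src0, start, when))
    return sessions, open_logins

def unticketed(sessions, windows, grace=timedelta(minutes=15)):
    """Return sessions not fully inside one ticket window (plus/minus grace)."""
    flagged = []
    for account, src, start, end in sessions:
        covered = any(w_start - grace <= start and end <= w_end + grace
                      for _, w_start, w_end in windows)
        if not covered:
            flagged.append((account, src, start.strftime(FMT), end.strftime(FMT)))
    return flagged
```

On the sample data this flags the late-night session on 2024-03-04 and the session on 2024-03-05 that runs more than an hour past the close of T-102.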
It's kinda funny, I joked about this very same idea, that the $2.00/hour outsourcers might be intentionally raping our servers for profit. Then the next day one of my support clients had that exact thing happen to him... one of his developers in India decided to create a bunch of email accounts and spam off of them. I have to admit, it makes perfect sense: he probably made more money selling spam runs for a few days, than a week of regular salary, plus he's not going to get into any immediate trouble... I'm not going to fly over there and beat the tan out of him, he just lost one smallish contract - big whoop.
It's not about "you get what you pay for", and certainly not a racially charged disconnect (at least not in my case), it's just the risk vs reward balance that's tipped against us. Globalization is a double-edged sword. White collar crime is just as big a problem in western societies, but we do it bigger and badder. As an American, if someone offered you $100 a day to sacrifice one of your clients, you'd probably tell him to blow you. In India, $100 might be equivalent to $1000 to us, maybe more. I don't know about you, but in my neighborhood if you want to make $1000 a day you either have to sell your ass, or sell gobs of crack and blow. The incentives vs risks aren't on the same scale at all.
I'm not saying we should treat all outsourcers as hostile crooks, we have plenty of those right here at home, on the payroll even. We just need to approach it sanely. If you underpay someone, they are more likely to fuck you over - that much should be common wisdom in the business world. It's the dirty side-effect of living in an entitlement culture.
-Billco, Fnarg.com
Sounds like the poster has inflated notions about the importance of his data. Most of us couldn't care less about what is in the company network, and if we looked, we would probably be mentally soiled. Maybe at Microsoft where you could copy down all the latest Windows releases (woo-hoo what a thrill). On the other hand, I worked for an outfit that had us read an employee's email to see if he was talking to other employers (he was) and we were assured that snooping on employees' email was legally acceptable. Can't trust anyone, huh.
Here's the thing. If I own a company, I trust my accountant not to embezzle from me and the rest of my staff not to slack off every time I turn my back because I sign their paycheck. I'm paying them good money to act in my company's best interest. Does it work 100% of the time? Obviously, no, because sometimes accountants do embezzle from companies.
However, if I outsource such functions, suddenly, I'm trusting someone who is ethically and financially beholden to someone else with the keys to my kingdom. Ideally, my company's interest and my outsource partner's interest are aligned, and everyone is happy. Many times, this is the case. However, if there ever is a conflict in interest, it is altogether reasonable to expect the employee to act not in your interest, but in that of the person who signs his paycheck. That's what I would expect from my own employees, and it's what I expect of outsourced employees.
Here's a concrete example. My company has already outsourced all of its first-level and second-level support to a help desk service provider. It worked well enough that now, it is considering outsourcing all of our third-level server support (i.e. the guys with the root passwords to all of the systems) and possibly even our architecture and engineering teams. Personally, I think that this is asking for trouble.
Why? Because with us on my company's payroll, it is in our employer's best interest to have the environment in peak working order. We respond to issues as quickly as possible, and we do extra work to make sure everything is in tip-top shape. If we get outsourced, however, suddenly the equation changes. Now, it is in our employer's (the outsource company's) best interest to have the environment working only just well enough to not lose the contract. If we have all problems solved within, say, 50% of our contractual service level agreement, that's a pretty good clue that our staff can be cut by 50% and still meet our service level agreements. It's in our best interest to solve every problem right at the last second. If the company we're working at doesn't like it, well, they'll have to negotiate faster service level agreements, and of course, that's something my employer can charge a lot of extra money for.
Extra work to make sure everything is working great? Hah! If anything, we should be working to make sure everything isn't working so great, but again, just barely come under our contractual agreement. The worse the company we're supporting is hurting (while we're still meeting our legal obligations), the more they'll have to spend on additional services and support.
Laughably, our server environment is a mixed-vendor environment, and the company they're probably going to outsource to is one of the two main hardware vendors we use. Of course, they're negotiating supporting both hardware platforms. Now let's say that the service level agreement to have a down server is four hours. If it's hardware vendor A's server (and I'm working for hardware vendor A as a contractor), I'll jump right on it. If it's hardware vendor B's server, even if it's just a minor little configuration tweak, I'm going to wait until three hours and fifty-nine minutes to get it back up and running. Six months later, when the higher-ups are talking to each other, hardware vendor A (who I'm working for) goes in and tells my former employer how much better vendor A's servers are to support than vendor B's, and how my former employer needs to dump vendor B's server and use vendor A as their exclusive hardware provider, even though in reality, it's entirely possible that vendor B clearly has the better hardware.
I could go on, but hopefully I've made my point. I honestly think our management either hasn't thought of these types of issues, or they just don't care, and they're hoping to
Exactly!
If anything, we should be teaching electricians, sysadmins, secretaries, and the like management skills, and going without managers. Costs would be lower, proficiency would be higher, and people would want to come to work on Monday!
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Data is valuable because management thinks it is valuable.
Bribing people to be ethical is probably more effective than attempting to force them to be ethical, but both approaches have limits, and the limits hit a lot earlier than managers want to believe.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
Money can buy off the 'looking for other opportunities, including selling your data'.
Why do you think people that handle sensitive government information generally have their finances looked at? If you're hurting for money, you might try and pawn something you have access to.
True, some people will just take the money -AND- sell your crap.. some people will also take almost no money, but still not sell your crap.. what you're trying to buy is some insurance and CYA factor.
As for Managers -needing- to learn IT... I think it's dumb.. IT managers should know IT.. but does an Accounting Manager need to know IT? no.. they do need to be able to communicate their needs and concerns effectively to the IT manager, and the IT manager needs to know enough to relate those needs/concerns into their 'IT world equivalents', and make sure some relevant things are taken care of too (the Account mgr might not realize that some information should be encrypted in case of data-theft, that's the IT manager's job to point out and bring to the table)
You cannot make someone an expert in everything; there simply isn't enough time or desire to do it... welcome to Specialization.. it's sort of why the human got as far as we have.
----- The internet has given everyone the ability to have their voice heard equally as loud.. even if they shouldn't be