Getting Company Owners To Follow Their Own Rules?
techmage writes "Recently we had an issue at our small company that resulted in the loss of a lot of important data. To prevent it from happening again, we created a company-wide policy that all computers would return to IT to have their contents backed up, and the computers would be formatted and reloaded for the next user. Consistently the owners of the company break this and other policies we set up to prevent data loss, theft, etc. How do I get through to the bosses that when they break with the policies, they are potentially shooting the company in the foot?"
Explain the risks. If they choose to ignore it, document that they have not returned the laptop to be backed up, so that they can't try to blame you if it goes wrong and data loss does occur.
I'd ask anyone who routinely overrides your authority in the data-protection sphere to sign a form indicating something to the effect that they've been informed of these policies and the potential risks and if it all comes crashing down because they don't listen to you, it's not your fault.
The World Wide Web is dying. Soon, we shall have only the Internet.
If they do -- shut up and work around it.
So you're going to take my laptop, back it up, reload it and give it to the next guy? I in turn will get someone else's formatted laptop?
Or are you just trying to say, "we lost a lot of data when someone's laptop failed without proper backup processes in place. So we've decided that everyone needs to regularly connect to the company network and back up their laptop. The owners of the company never back up their laptop"?
Quite simply, you don't. I've worked at large banks that do not follow their own rules. IT cannot drive policy if C level executives do not want to follow the policy. If you can get auditors or examiners to force the policy to be followed, then it can work. Otherwise, IT cannot do anything. They will only be seen as chicken little and IT will lose what little standing they have at the company already.
They who have the gold make the rule.
Your responsibility is to recommend and record your recommendation, and do your job as you can.
In the end, it is "their" company, not yours. It's the way of capitalism. You don't like that? Change your job.
For what it's worth, I didn't mean any of this in sarcastic/offensive way. I am being sincere.
Flip it around and see how you would see things if you were the owner.
Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
See if you can assign a value to the data already lost because of their failure to follow the rules. We did a variation of this at Xerox ASD in the 70's and locked Charles Simonyi (yes, that Charles) out of "his" own source code.
"Do you want us to lose important data like last time?"
"No."
"Then stop doing that."
"How do I get through to the bosses that when they break with the policies, they are potentially shooting the company in the foot?"
Tell them that they are shooting the company in the foot when they break company policies.
It's funny, every year we prepare for auditors, and all we have to do is show them that we have a policy, not that we actually follow the policy. It's really quite hilarious and yet sad at the same time. For instance, we have to show them that we are doing scans of our network looking for vulnerabilities, but all they want is a log with someone's name and a date on it. They don't care what was found or that anything was done with the information that we found. They could care less. The sad thing is, the company doing the audit is a very large company. The truth is that most management could care less about policies. Password complexity? Sure, just don't assign it to the management. Screensaver locks after 10 minutes? There better be an exceptions group for the CEO and her secretary. It's really quite sickening really. It's amazing what you can get people to do for you when you're the network admin's boss' boss' boss.
You don't. You work for them. You make recommendations, but that's as far as it goes. They sign your pay checks, not the other way around. IT isn't a special part of businesses that get to tell the owners what to do. It doesn't work that way.
I don't respond to AC's.
Use the admin account (and shares; $C, $D, etc...) to map their hard drive remotely to a computer in the networking office. Then, use RSYNC (or SyncToy) to mirror the drive remotely. Once the initial backup is complete, daily or weekly jobs will progress quickly.
You really have to find a way to work around the guys who are in charge.
If you want to be a bit more nefarious, start the backup jobs first thing in the morning. When the boss complains his system is slow, do a backup/format/reinstall on his system. Now his system is magically fast again...
I'd rather you do it wrong, than for me to have to do it at all.
Just because I own a few shares of Best Buy doesn't mean I get any special treatment in the stores or edge in getting a job with them. If the owners don't follow the policy, they should be fired by the CEO. Of course, this doesn't work if CEO == Owner.
You've created a policy and don't have the owner-level execs onboard?
That's failure #1 right there. Good policy making for security purposes isn't "And IT saith THUS!". Operating in this kind of vacuum gets your enforcement NO PLACE. Fast!
You have to involve these people pretty much from the get-go. This way they understand why the policy is in place and have less self-provided incentive to circumvent it.
And yes, as others have said, a small amount of "horror story" can go a long way too. But only DURING the policy creation process. Afterwards, they look at it as simple justification of an arbitrary policy.
Right now you guys haven't got a leg to stand on.
Chas - The one, the only.
THANK GOD!!!
As I understand, the policy is about computers that are reused, and the prior data loss occurred because someone quit, and nobody bothered to preserve the data on his computer until it was too late.
If the owners of the company neglect this rule as they change their own computers, not much you can do or need to do. Just send them a few reminders, and if you hear nothing back, desist. It's their company after all.
The owners may want to do that if the computers were used for storing some confidential information. Such a backup cannot be stored on your shelf among books and other assorted DVDs. If the owners know what they are doing, they perform backup of those computers themselves, and keep the media at home.
You need to give up caring. Seriously, if they, as the owner(s), want to be idiots... well, so be it. Realize that (as with many business owners) they aren't really all that sharp, don't commit to this company any further than the short term, and keep your resume up to date for the time when they finally screw up really bad.
I've seen it all at this point. The small business owners that are smart, honest, and have reasonable common sense are few and far between. Your complaints don't surprise me at all; while I admire your dedication and desire to do the right thing, I think this is an exercise in frustration. Let them make their own mistakes, and maybe they'll wise up eventually. If they don't, don't let it be your problem.
It's a strange world -- let's keep it that way
Ask why they're not following the policies. If the policies are onerous (they usually are) then you're wasting your breath asking that they be followed. Instead, rearchitect the policies so that you maximize their effectiveness -short of- getting in the way of the work.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
I mean you can't make the owners do anything. They own it, it is theirs to do with as they please. They could close up shop tomorrow for no reason if they wanted. So you can't force them to do as they should. Likewise, nagging them could be a bad career move. So the best thing is a CYA. Have something that says they understand the risks of not following the policy more or less. Then, if shit does break you should be covered. They'll either realize that they made a mistake and be fine, or they'll come looking to blame you and you can pull out the document and say "We made sure to inform you of the risks and you signed off saying you understood them and that it was up to you if you chose not to follow them."
That's the best you can do.
Your network policies have to be convenient for the users (including the business owners). If they perceive something as being so inconvenient that they're tempted to circumvent it, you as the IT department are obligated to come up with something more convenient.
If the problem isn't one of convenience (but sneaking around and trying to actively evade backups), then you've got bigger problems.
What the parent said... if they won't follow the policy (and they don't have to). I don't know if the owners are straight shooters or not, so I don't know what happens if the SHTF. Will they pin the blame on IT? It'd sure be nice to have an email or written memo where they had signed off on the policy. It won't save you from getting fired if they're looking for scapegoats, but it might save your reputation while looking for another job.
Luke, help me take this mask off
What makes you think the owner's information should be available to you in the IT department?
Which brings up a pet peeve here, what is the deal with IT people who think they run the company? As an IT admin I spend most of my time figuring out how to work WITH people who bring in the cash. I spend my time asking people what I can do to make their job better rather than the usual "You should be doing X, Y or Z because I said so".
Our job as admins is to be there when crap hits the fan, and do what we can to prevent it when prudent. But most of my policies aren't based on the behavior of humans. That is asking for disaster, you plan around what you CAN control, remote backups are a cinch, password policies are a cinch, Cryptography is free, and all of these don't require user intervention. If the boss says he doesn't want to do one then you smile and say fine with me sir/madam just explain the consequences and let them decide if it is worth it. If they say yes then you do it, you don't fight them.
CS: It is all sink or swim...oh and did I mention there are sharks in that water?
I once worked for a company that had a direct competitor next door and didn't realize they were next to each other and were sharing the same lunch room worker, who just happened to be the twin sister of the pricing manager of the shop I worked for. When we in the IT room figured out what was happening... we gave incorrect information to the women and drove our competitors into bankruptcy. For her involvement in the mess, that pricing manager was demoted. And because I had developed the pricing system to become efficient enough that they only needed one person operating it instead of two, that former pricing manager was laid off. Suddenly, the lunch room lady was able to spend double the time in the kit... wait a second, they're twins and the laid off worker was now cooking lunch!
Basically, your business-side staff have the keys to know what's going on with the business, and lunchroom chatter just could be intercepted. When they work in concert... that's trouble.
The story gets much much weirder after that, but that'd be TMI.
Use Linux ... oh, wait...
Emacs, that always works
Buy a Mac
Switch to Windows 7
Switch back to Window XP
Just quit and find another job
Keep a documentation trail to CYA
Smile and nod, smile and nod
You're doing it wrong anyway
Laptops? Nobody needs a laptop!
Backups? Nobody needs a backup!
Why is the CEO such a jerk? All CEOs are jerks
I worked at a company once with this exact same problem and here's what I did: Nothing
I worked at a company once with this exact same problem and here's what I did: Showed the CEO a better way
I worked at a company once with this exact same problem and here's what I did: Got fired, so just shut up
I worked at a company once only we didn't have computers
Ask Slash-Dot, they'll know what to do
Everything you know is wrong, Just forget the words and sing along.
It has been shown (I can't google the study right now) that people in senior management have a much higher incidence of sociopathic and psychopathic behavior than the general population. If your management insists on rules for others that they don't follow themselves, and consciously flout, they may fall into that group. In that case, keep your resume and interview skills up-to-date.
Only if you find a way that does not involve requiring the user to do anything. "Auto something thingy", hey you're the IT guy figure it out.
It's their frigging company; that's why they're called the "owners". If they want to violate THEIR policies then they can.
If you're publicly traded and the policy in question has audit implications, there might be a plausible case that even the majority shareholders should follow along out of fiduciary duty.
If it's a private firm though (which it sounds like it is), then the purpose of the policy is to protect the OWNER'S investment in data. If they don't want to take the time out to get their laptop backed up, that's entirely their prerogative as the OWNER. If they want to walk down to the computer room and start juggling chain saws, they can do that too.
Screw 'em. I fought the same fight for 18 years. Finally I would simply back up the necessary data myself and lecture them without mercy each time (about every 5 weeks on average) they opened a script-containing email or virus loading website. Then I would take my own sweet time cleaning the machine(s) and restoring the required data... Not that I'd dog it, of course, I just wouldn't kill myself to make sure the a-hole boss could check weather.com to see if he'd need an umbrella on the golf course... so he and/or his dribbling idiot sons (He only bought the place so that they wouldn't have jobs requiring paper hats and extensive use of the phrase "Would you like fries with that?") would have plenty of time to complain about people not following the rules (it was ALWAYS someone else's fault, ya know). Hard to believe I've been looking for a job for 3 years now, huh? [chuckle]
Understand that the owner(s) are a peer group and have their own dynamic. It's their company, not yours. If they liked following orders, they'd be employees not owners.
...
1. Identify the group dynamic (is there a 'holdout', and 'alpha geek')?
2. Identify the objections to your proposed solution.
3. Ask them what their ideal solution(s) would be for this problem.
4. Customize and provide a solution to them.
Don't
* rely on the owners having a conversation amongst themselves. If you want to meet with them, meet with all of them at once.
* rely on the owners to convince each other. They may be reluctant to engage each other.
* just talk to people that agree with you. If you do, you're certainly missing the core argument that will shoot down your idea behind closed doors.
You'll probably have to buy new gear and set it up. Desktops can be great. Most people don't like to take work home and lug laptops around anyway.
Here's some perspective. Owners are people too and their personality and circumstances vary. I've been in both roles. Be respectful of their time. Owners/entrepreneurs/execs are used to optimizing their own time and taking calculated risks. Find out why they don't follow the rules and don't get irritated at the answer.
I've broken rules and procedures (filling out time cards, backups, etc) when the "opportunity cost" was too high and it was my prerogative to make that decision. (I could complete my time card and expense report on time, or, complete the $4.5m deal on time but not both.)
As sysadmin, I occasionally sidestepped my own IT security policies because that's often the prerogative of a sysadmin. (Unless he's focused on being more of an anal "rules-oriented" bureaucrat rather than a pragmatic sysadmin.)
Other times I was the entrepreneur and my own IT guy built a stupid ineffective system of controls and I had enough background to know it was stupid, but needed to wait to raise it in a gentle (coaching/mentoring) way because the guy was a bit sensitive if you were blunt with him.
Sometimes owners are just jerks. Sometimes they just have a situation they have to handle and backups are the least of their worries.
I'm wondering...why do they have to do their own backups? Can't you set up something unobtrusive that performs incremental encrypted backups to the internet? Are they concerned about privacy, trade-secrets, etc? Only talking to them will give you a sense of the issue and the insight to find an appropriate solution. Sometimes the appropriate solution is to say "I'd really like you to be protected. If you fail...I will feel I've failed." ...and just leave it at that.
1) Thank you for trying to save me money. Your recommendations are welcome as I'm paying you for your expertise and opinions.
2) If you're going to try to have me sign something like that I'm going to have a talk with you about bureaucracy and how we can't afford a BS cover your ass mentality in a small company. You may rest assured that if I don't back up and there's a crash there are two possible results: If I'm a bad manager I'm going to come back at you and no little piece of paper will stop me from firing you (though I'd expect you would receive unemployment as it's not really for cause). If I'm a good manager I'm going to write the check to cover the damages, feel foolish and accept your recommendation going forward.
3) If it's a dumbass relative that thinks they can ignore the rules because they're family working in a family business (and they don't sign the checks) then I expect to see their name (and possibly mine if I'm doing it too) on the report of IT security scofflaws that you periodically (though infrequently) prepare for me.
In a company controlled by a single or few owners it is reasonable to recommend, cajole, suggest or encourage proper owner behavior, but if you dictate it and attempt to threaten (for instance by saying in a confrontational manner 'ok, but I'm not taking responsibility then') you are writing checks that your expertise may not be able to cash. As an owner it's important that my IT works right, but it's absolutely imperative that I don't lose control of the company. Don't make me think that you're trying to take it away from me or lord your technical expertise over me unless you have a VERY secure position.
Owners make policies not to avoid problems, but to avoid responsibility. They don't want employees to create risk -- because those employees are not able to be held accountable for those actions unless there is a policy. But owners get to dodge the policy and assume the risk -- because they are able to be held accountable, no matter what.
Rules don't apply to people who can change the rules at any time.
... what I do. Does that sound familiar? That's the way corporate executives think. They make the rules for OTHER people to follow, but their own obligation to follow them is very, very conditional.
Incidentally, we have the same problem in government. Same mindset, different venue.
They're breaking your rules. Or (informally) making a decision that your rules do not apply to them, which they don't.
I suspect that last bit is the problem.
The CEO being without his laptop for an hour while you "back it up" is a minor inconvenience for the CEO.
The CEO being without his laptop for several hours while you preemptively format it is absurd.
The policy does not respect the employee or their convenience. It aims for only expediency that serves the IT department. In that view the policy is unacceptable and should be changed.
Shoot them in the foot.
A past significant loss of data to a small company ought to be enough of an impression for the owners/partners to realize they are at risk of repeating the event.
I would frame to my managers/owners in this way, "That vital data integrity, trade secrets, IP or other tangible assets are at risk" and the best way to know the exposure is to measure that risk via independent audit.
Business types ought to respond to such a line of argument as it makes dollars & cents to them in their world view. A business owner's direction for independent audit should be seen positively not negatively. What owner does not agree to oversee his own enterprise? She can delegate the authority but not responsibility for it to be conducted. When any business fails, the creditors come after the owners not the workers.
It is when external regulators and/or .gov _order_ an audit that Business owners should tremble.
Managers are never to be end-run during audit. In fact they are vital to the audit process being correctly executed as auditing is actually a _management responsibility_. They must institute business direction to correct exposure to the business and report to owners that the risk was eliminated or is actively managed to the owner approved level.
Also from the worker side, asking permission to superiors for conducting a "Disaster Scenario" Drill is plausible. Exposing this risk and any others which are found in a formally written, non-biased, non sensational analysis submitted via management to the owners would be the conclusion of the drill. Management would see the errors 1st and institute business direction accordingly with owners who are briefed by these managers.
However, not knowing the circumstances, I assume that it sounds like a serious virus outbreak as you mentioned a complete wipe & reload scenario.
1) Most likely the owners don't trust the IT guys with their machines and think they can do it themselves.
2) The trust issue could be well founded, in that their next big thing is not able to be "released" beyond their diligence, for fear of competition this outweighs the backup requirement.
3) Again they may not trust the IT department for past errs or hurt feelings you're not aware of.
4) The trust issue could also be defensive in that they have data on them they want no one to "see", gain access into, or leak to other subordinates, media, family, or law enforcement.
If the owner & management team is dead set against independent audits and self drills, beef up your resume and get the heck out. They are playing fast and loose with the money and the business is tanking.
... Even if you own $1 million in BB stock, it won't make a difference how they treat you.
I know I'm being pedantic, but it would make a huge difference. That's 1/37.65 of their outstanding shares. People with that much stock become important during hostile take-overs. Granted, it would be very difficult to execute a takeover of Best Buy (apx 48% owned by one person). Besides, you don't buy that much stock in one company unless you have a major interest in it and are probably on first name basis with several C level officials. The stock ownership aside, the local store will definitely respond differently. (at least the second time around...)
I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
It's all about letting it go, CYA, documentation, etc.
Here's an idea: sit down with the boss and ask him what his objections are to the policy. Perhaps, rather than dictating something that he finds inconvenient, invasive, or just doesn't like, you should engage him in the solution process. Chances are, if he has a hand in designing the solution, he'll participate in it.
I can think of all kinds of potential problems with your system. I'll pretend to channel your boss for a minute. Maybe I don't want to have everything on my computer backed up. (Perhaps he has a mistress, offshore accounts, cooking the books, records of skimming, concealing things from his wife's divorce attorney) Maybe I don't want to swap my computer that I love with one that you are pulling out of the pool. (I don't want the one that Scroggins has been using, that dude picks his nose, and then goes right on typing. And he types a lot.) Maybe I don't want to drop my computer off once a week for you guys to back it up. (I'm the fucking boss, why should I follow your schedule, punk)
So, if my channeling is correct, you give him a script that only backs up essential folders, and some thumb drives. And then you come collect his backed-up thumb drive once a week, leave a fresh one, and archive the backup onto the server somewhere, where it gets backed up for real.
cat
There are no rules.
The Department of Commerce had sensitive trade data hacked by the Chinese during a visit by a former Secretary of Commerce because he left it on a laptop in his hotel room on an unencrypted hard drive, against both departmental and federal IT policies.
The penalty for causing potentially hundreds of millions of dollars in trade damage - a scolding. And he still wouldn't allow his hard drive to be encrypted. It slowed his PC down too much.
The momentary convenience of one ....er uh... *important* individual... is worth risking millions.
WHY - because rules and ethics only apply to peons. Executives are "above all that". They are the bosses of the people who make the rules, and therefore don't have to listen.
Power corrupts. Q.E.D.
Email, it works wonders at keeping accountability. If they ignore you, let it go. After all, there are about a hundred tasks facing every business owner which are more important than every IT policy to come down the pipe.
"How do I get through to the bosses..."
Talk boss language to them.
Wait until one costs the company something through a computer failure and failure to follow the policy.
Fix the problem and present the machine back to them with a bill for the repair. Make sure to boost the price to cover any ancillaries such as your training, their training, their retraining, lost time to the company due to their down time, and any similar costs you can dream up. Keep copies.
Request a general meeting with the bossships. Present the data from the above repair, anonymized to protect the guilty. Compare the cost presented with the cost of following policy. Make sure to point out that they too stand to lose financially (ie not make even more money) if they or others cost the company money. Suggest that in order to protect the company they adopt the policy that such unnecessary costs be charged to the individual in the future.
For theft, adjust scenario as necessary as well as costs. For concomitant data theft, do the same, as well as figure in cost to the company.
Or put together a 'what if' report based on a previous loss and present that at such a meeting, rather than wait until it actually happens. Feel free to pretend it did at the start of your presentation (with knowledge of at least one boss). Done this way you could make it look like the company was sunk and scare the bejeezus out of them.
"I may be synthetic, but I'm not stupid." -- Bishop 341-B
... to blame the user (the company owners in this case) instead of their own engineering impotency.
If you are worth your salary, you should configure automatic background backups of their notebooks while the bosses are in the office.
If they are not in the office, backup to Amazon S3.
IT is not to nazy users around, IT is to *help* users.
Here, mod me down dumb IT morons.
This sort of thing was business as usual in a corporation for which I used to work. Something terrible would happen. Boss would ask the useless IT guys to implement a solution. Useless IT guys would pass it along to the programmers. Programmers implement the solution, write up procedures and policies in idiot-friendly language. Solution gets ignored. Repeat.
The corporation is now as good as dead, looking for new investors, and can't afford to pay me for my last week of work.
My advice: Find a new job.
It's done wonders for my stress levels.
No sig for you!!
Owners do not change - Rules do.
You have to find a way to get done what should be done without annoying the owners.
It's that seen but not heard thing.
Give them a new computer every 3 months - there is your backup.
TACT. As someone else on this topic has already mentioned, not having upper management on board with the policy when it was created was the first mistake. At this point you must rely on diplomacy to get them on board. I speak from my own experience. I joined a company whose lone programmer had written a very convoluted web program in ColdFusion. As soon as I was able I was quick to disassemble the program into modular components that can be swapped in and out depending on the client's needs. I also instituted a test system (he'd been doing everything live). Said programmer was obviously my boss, but he got promoted out of daily operations. Of course this didn't stop him from attempting to make changes. More than once I found discrepancies between something that he'd inserted into the live system that was not mirrored in the test system. He simply had his own way of doing things and wouldn't change. At this point I had to employ tact and diplomacy. If nothing else, I at least suggested to him that he share what he's working on with the rest of the programming crews so that we know what areas to avoid and don't step on his code. By reversing the situation, he felt I was being deferential and complied. Good luck. You're going to need it.
Nitewing '98
Everything works...in theory.
If you are willing to wear a tie and conform to corporate culture, and thrive on having a large budget for compartmentalized IT functions and security and implementing corresponding policies, then work for either a Fortune 500 company or a government agency.
If you want the best of both worlds, then start your own company.
If you want the best of both worlds and further you do not want to risk capital, then take a time machine to the late 1990's.
Or, you could just be thankful you have a job at all in today's economy.
Frankly if you force them to become reality oriented you will be fired. Bosses hate that sort of thing. If you think about it deeply you will soon come to the reality that almost all business failures are due to the stupidity of top management. They get old, and lazy and they get promoted. Then their lack of sharpness causes companies to die. Some of them were probably fantastic starting out but that wears off and the better the original effort they made the faster they decline. I worked in one known company in which the president had gone senile and we had a girl assigned to call back everyone who called in to speak with him and let them know that he did not speak for the firm. Yet his power was such that he could not be confronted and removed.
"You pay me for my expertise and I recommend these rules. If something goes wrong with a PC that was exempted from the rules, then I want you to remember this conversation." Then move on to something else more important.
I mean ya, if the owners are major assholes they could fire you anyhow, however such a thing can be useful. First, it may make them change their behaviour and if it doesn't it can help protect you. Reason is they are then presented with evidence that they were informed and indicated that fact. If not, it is easy for ego to interfere with memory and them to say "You never told me this would be a problem!" However with a document they are more likely to say "Ya, I screwed up, now what do we do to make sure this isn't a problem in the future?"
In any company, there is no 100% protection from being fired no matter what. However having good documentation can go a long way. People do not have perfect memories and often we remember things the way we wish they had been, not how they really were. Documentation can help prevent that.
Also you don't present it as a "This is just for you because you are assholes" document. Rather, it is a policy exception document. If someone wants to not need to back up their data, you have them sign a doc that says they know the risks, and perhaps have it countersigned and ok'd by a boss. In the case of the bosses, they just sign it themselves.
For serious, you work for them. If they want to fuck their own policy so be it. Just get it documented somehow. When they want to know why they lost data, show them the email where some higher up said he wanted to take the old machine that used to be the beancounter's to use for his daughter at college.
There might be times when a business owner wants to tell a lawyer "Nope, don't have this information/email/file anymore. No backup either." ..."
It would be a real laugh if you pipe in with "Actually,
"Beware of he who would deny you access to information, for in his heart he dreams himself your master."
I can't help think how you should give the bosses a special, exec-level option.
Say, a backup server they can connect to using SFTP from anywhere in the world and do the backups themselves, especially if it's just for a half-written Word document full of spelling mistakes.
Super secure, super special and super SSHish!
such ridiculous questions?
Seriously, don't you have anyone in real life and real world to ask such obvious questions?
Lao Tzu said that a sculptor makes a pot, but it's the empty space inside it that you actually use.
In a similar vein, any technical solution or process must be judged by how the users interact with it.
You're doing things wrong if you're coming up with the simplest technical solution and then trying to train the users to deal with it. You need to find what the users' constraints are (what they need, what's easy for them to do, what's hard for them to do, etc.) and treat those as the principal constraints of the problem.
This isn't a matter of asking for requirements (in general they don't know what to ask for) so much as it is a matter of getting to know people and coming to understand their strengths and weaknesses.
I worked at a small business for ~7 and a couple times this sort of situation came up.
It's clear your boss isn't convinced that this policy makes sense for his/her situation, otherwise he'd grudgingly agree to your "red tape". Is it just laziness (let's say "the bosses' personal cost/benefit") on their part or is there a legit business reason behind their decision? Sometimes it's better to ask what's going on, rather than just assume.
But let's assume your boss has no real good reason.
Make sure you put your request in an email to make it a bit more formal and to leave a paper trail. A shrewd boss will realize what you're doing but that is part of the point; you are signalling that you take this seriously. But you don't want to be overly concerned about something that is non-critical. Make it friendly but firm. You want to be polite enough that the boss doesn't feel threatened or bullied, but firm enough so that they know you are serious and you have professional concerns. Make sure at a minimum that your email covers the basics: the reason the boss should really be doing X and that its impact on the company (or the risk borne by the company) is clear in the email. If you don't hear back, follow up with a 1-liner once a week later in case the boss was super-busy. Then let it drop; remember your boss's job is to gauge business risks and costs and cost/risk tradeoffs are what business is all about.
Some other words I've found helpful with non-IT bosses, which may be helpful for emails or verbal conversations are:
"It's my professional recommendation that we should"....
"At the end of the day, we'll do whatever you want, but I think we should..."
These both communicate that the boss is not dealing with arrogant IT or a power struggle, but they are neglecting the value of what they are paying for if they ignore your advice.
Good luck.
--LP
To prevent it from happening again, we created a company-wide policy that all computers would return to IT to have their contents backed up, and the computers would be formatted and reloaded for the next user.
First off, this part of the policy is just dumb... I would not turn over my PC to an IT guy who told me he was going to reformat my drive after he thought he had backed up my data; the risk of data loss with this scheme is much higher than just doing my own backups. If you want the owners on board:
1) Research what the accepted best practices are
2) Ask them what they think the backup schedule/policies should be.
2a) Come prepared to talk about the cost of data loss and backup failure rates
3) When they ask for your opinion don't give it. Tell them what the accepted best practices are and make them decide to follow them or set their own
Second, complaining about your bosses on slashdot using your real name is not a smart thing to do.
I have found the BEST WAY to make sure the Bosses do something is to tell their Admins, formerly known as secretaries. Explain to those people, if their bosses' stuff doesn't get backed up and thus stuff gets lost, more than Your Job is at risk. They will make sure that it happens, if they have to sneak them away from their bosses, or sometimes even rip them out of their hands. Those people are used to getting things done, sometimes in spite of their bosses.
Note - I'm not an anonymous coward, slashdot is just being real slow in getting my registration e-mail out to me. *sigh*
there is no point they will still flap around like they can do nothing wrong let the fuck up and suck it up
For me, it comes down to respect. I can't work for people with whom I don't share mutual respect. Life is too short to work for people who don't respect you and your work, and it's absolutely too short to work for people you don't admire and respect.
I have quit more than one job because my boss or bosses have proven through his or her or their actions that they either don't respect me, don't respect the workers, and/or that they are not worthy of my respect in return.
Your bosses believe they are better than the people who work for them. They believe that there are two sets of rules, one set for them, and another set for the workers. And, your bosses have proven that they don't care what the workers think of the double standard.
Bosses that don't model the behaviour that they expect from their workers are not bosses that are worthy of your valuable time, concern and effort. In essence, if management doesn't care, why should anybody? If your boss doesn't care about data security, why should you? They are demonstrating through their actions how they feel about the company, the policies of the company, and the workers at your company.
Bosses who aren't thankful EVERY DAY that they have loyal and concerned people/workers/employees doing their best for the company EVERY DAY don't deserve to have those people/workers/employees.
Your bosses have done you a huge favor. They have demonstrated that they don't value you and your work. Take this as a sign. You need to tidy up your resume and start searching for a company whose values match your own.
Curb your dogma.
Long time ago I worked at a large oil company in the UK as part of the tech. support group and we got a call from the CEO's office that he wanted some help to restore a spreadsheet. So we sent someone over to help out. The spreadsheet is on the CEO's laptop - big clunky thing in those days, one of the earlier IBM ThinkPads - anyway, techie asks the big cheese what's up, big cheese says he has accidentally over-written a spreadsheet he has been working on and can't work out how to restore it from the backup. Techie is reassured that the big cheese has been taking back-ups and asks for the backup copy. Cheese hands him a ring binder. Techie opens ring binder and finds inside about 30 or so A4 pages - on each page is a photocopy of a 3.5 disk. Techie looks carefully for a long while then asks the big cheese to show him how he takes a backup - so he does ... he pops out the current 3.5 he has in his laptop ... takes it to the photocopier outside the office and sticks it under the flap and takes a photocopy of it.
the techie was there a very long time and to his credit handled the situation quite well ... but it took him quite a while to recover himself when he came back to our office.
I can just imagine how the conversation between the IT guys went wrong...
You can just warn them about the risks, all other's not in your power.
If you recommend an update to the standing policy to bring it in line with current practice, chances are that the review committee will realize that there is something seriously wrong with the current practices.
Or not, in which case the policy will be changed and your a55 is covered anyway.
Cheers!
Users don't care about the beauty of the system, they just need to get their stuff done, with the minimum inconvenience.
Your solution to the problem needs to not become an additional problem for the users. If it does it is not a solution, it is a compromise, an annoyance.
If people don't want to follow this policy, maybe it is too much hassle. You could get the authority to force them, but that doesn't really help them. It just makes them do it (or find ways to avoid it undetected).
Really try to find a way to handle the technical issues in a way that is least inconvenient to your users. If there just isn't, then go the policy enforcement route. But really, rethink the solution. There is no reason why people's jobs should be made unnecessarily more awkward and annoying. The computers should require as little nursing by the users as possible. People can be lazy but sometimes people just don't have the time to be running errands for you that are not directly related to their jobs. If they won't comply, maybe it is just too damned inconvenient. Do they drop off the laptop or collect the kids from school? Everyone has busy lives.
If they need to be forced to comply, then try to find another way.
If you think you can do a better job, do it.
If you were blocking sigs, you wouldn't have to read this.
It sounds to me as if it may be too complicated to work with; or feels too intrusive.
In my job as systems manager those two issues are the ones that seem to be at the bottom of all circumventions of that kind of rules.
Simplicity: as the admin in chief, you have to listen to what the clients say; that is why I generally am against eg. "secure" passwords - they may be hard to crack, but the user will protest against them and do his damnedest to avoid them, which is only all too easy in most cases. It doesn't matter whether you feel that "nothing could be simpler" than whatever; if the user hates it, he will work against it. No amount of executive decisions and speaking in a thundery voice can make it happen if the users don't buy in to it whole-heartedly.
Too intrusive: I think most users feel rather possessive about their computer; in my experience even owners of UNIX accounts on a big server feel that way about their environment. What you describe sounds a bit like it is taking that away from them, which they will object to - and try to obstruct, ignore, circumvent. Again, it is not relevant that the company is the legal owner - the user feels that way, and you have to work with them, not against them, to get them aboard any scheme.
All this may or may not be relevant to your situation, of course, but I have learned over the years that it is a lot easier if you get people to feel that they matter to the whole process. Especially if they are higher up in the hierarchy.
...why don't you do the backups over the network in the first place? You usually can't force your bosses to do anything, so you work around whatever they do.
Well said, but presumably any small business owner capable of thinking down the lines you've outlined is smart enough not to go against the expert he's paying anyway
It's been painful, but that's what I did. I warned of the dangers of not taking particular IT actions, watched them be ignored, and took the heat when there was pain as a result. The environment was unprofessional with the management appearing to have no ability to conceptualize the effects of a failure/loss or the sense to heed warnings of the risks of failing to follow IT recommendations.
I'm working harder and making less but am no longer in an environment where I have to wonder when I'm going to take the punches for a systems failure or loss of data as a result of my recommendations being ignored.
The only thing more dangerous than authority with no responsibility is being the one with responsibility and no authority.
If it doesn't bother you enough to quit then take the pay check and be happy :).
State publicly "I disagree for those reasons, but it is your privilege to override me. Still, I have a duty to state that I am sure this is a bad idea." Make sure you have some sort of record of this act.
In case _that_ does not help you when shit hits the fan, you are working for the wrong company.
You can make them. Stand there ready to pick up their computer for backup.
Stand there.
Continue to stand there.
Continue to remind them that you need to back up their computer.
And stand there.
You should be thinking of more creative and easier ways to handle backup.
For example, if you don't have an Exchange Server you could switch the execs to IMAP. This way, at least their email is backed up on the server. (Also switch to Outlook 2007 to get their sent mail on the server).
Another way to handle backup is to give individual users a hard drive plugged into their docking station (you do have docking stations, don't you) and a couple of quick scripts to back up their Documents and Settings folders (no need to back up the OS.) There is also a great little add-in for Outlook, pfbackup, that will remind people to back up their Outlook files. pfbackup makes it easy to back up an individual's Outlook files (email, contacts, calendar).
You can also try enabling offline files for some directories. This way, when their machines are connected to the network the files will be automatically synchronized.
There are commercial backup programs that will launch automatically when connected (or at night) that will back up their files. Probably for a couple hundred bucks you can solve the problem. I have to agree with the exec that taking the machine on your schedule is quite unreasonable.
Execs are busy, have other things to consider. It's really your job to make it easy for them to backup.
Stop whining. Do your job.
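The "quick script to an external drive" idea in the comment above, combined with the earlier commenter's worry about a machine being reformatted after IT only "thought" the data was backed up, as an added example that is not part of any post in this thread. The function names and the sample files are hypothetical and constructed for illustration; the point is that the copy is re-read and hashed before anyone treats the source disk as disposable.

```python
"""Added example: copy a profile folder to a backup drive, then prove the copy is good."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large mail archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def _source_files(src):
    """Yield (absolute path, relative POSIX path) for regular files under src.

    Symlinked files are skipped so a link inside the profile cannot pull in
    content from outside the folder being backed up.
    """
    for path in sorted(Path(src).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        yield path, path.relative_to(src).as_posix()


def backup_tree(src, dst):
    """Copy new or changed files from src to dst; return the relative paths copied."""
    copied = []
    for path, rel in _source_files(src):
        target = Path(dst) / rel
        if target.is_file() and sha256_file(target) == sha256_file(path):
            continue  # identical content is already on the backup drive
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)  # copy2 also preserves timestamps
        copied.append(rel)
    return copied


def verify_backup(src, dst):
    """Re-read both sides and return {relative path: "missing" | "mismatch"}.

    An empty dict is the only result that justifies wiping the source machine.
    """
    problems = {}
    for path, rel in _source_files(src):
        target = Path(dst) / rel
        if not target.is_file():
            problems[rel] = "missing"
        elif sha256_file(target) != sha256_file(path):
            problems[rel] = "mismatch"
    return problems


def demo():
    """Run the backup and verification against constructed sample files."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "profile", Path(tmp) / "backup_drive"
        (src / "Documents").mkdir(parents=True)
        (src / "Documents" / "budget.xls").write_bytes(b"constructed spreadsheet bytes")
        (src / "mail.pst").write_bytes(b"constructed mail archive bytes")

        first = backup_tree(src, dst)
        clean = verify_backup(src, dst)

        # Simulate silent corruption and a lost file on the backup drive.
        (dst / "mail.pst").write_bytes(b"constructed mail archive bytez")
        (dst / "Documents" / "budget.xls").unlink()
        damaged = verify_backup(src, dst)

        # A second run repairs exactly the files that no longer match.
        repaired = backup_tree(src, dst)
        return first, clean, damaged, repaired


if __name__ == "__main__":
    first, clean, damaged, repaired = demo()
    print("copied on first run:", first)
    print("problems after first run:", clean)
    print("problems after damage:", damaged)
    print("re-copied on second run:", repaired)
```

The corrupted file in the demo has the same size as the original, which is why the check compares hashes and not sizes or timestamps.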
refer them to William K. Black, who coined the term "Control Fraud"
Associate Professor of Economics and Law, UMKC
http://www.law.umkc.edu/faculty/black.htm
he's known for exposing fraud (& self fraud by owners) in banks, but covers private, non-profit, & government fraud, and also the combos (crony capitalism)
Great American Bank Robbery http://neweconomicperspectives.blogspot.com/2009/08/great-american-bank-robbery.html
Bill Moyers, PBS http://www.youtube.com/watch?v=Rz1b__MdtHY
Best Way to Rob a Bank Is to Own One [Control Fraud]
http://www.amazon.com/Best-Way-Rob-Bank-Own/dp/0292706383
http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=bill+k.+black
So you are hired to perform a professional service, and your brilliant suggestion is not to do the work properly but to follow the money?
What kind of "professional" are you? Not one I would want on a sensitive environment, since obviously you would not have the presence of mind to stick to security procedures.
There is certainly a problem if you don't bring on board of your suggestions the owners of your place of employment, but that is a problem of presentation. Part of the skill set of a Systems Administrator is to be able to convince people about why something is necessary and to ensure people will abide by what has been agreed.
Obviously you may have more problems enforcing the rules with people with political power in the firm, but that does not leave you off the hook from a moral, professional and most importantly, legal point of view when legality is relevant.
I have worked for big corps, and I am telling you in no uncertain terms that the CEO or majority shareholders, who earn millions per year, will not access my systems without following the procedures in place. This is actually a very easy case to make, since it would be for their own legal protection.
If you can't make a convincing case for your policies then you have to rethink them and to present them in a way that is attractive to the people who are being disruptive (i.e.: your ass will not go to jail)....
IANAL but write like a drunk one.
explain you need their laptop to install the latest version of PC-CRAP V6.0 Max+. Tell them they're first in the company to get the upgrade. too easy.
I'll see your hokum and raise you a boondoggle.
I had this discussion recently with a restaurant/bar owner, but it applies to any sort of privately-owned business. Simply put, the owners put up the money to start the company, and they ultimately reap the consequences for any mistakes. Therefore, they have the exclusive right to take risks with their company/money.
When you (an employee) take a risk, you're risking someone else's money (specifically, the owners'). So they make rules to prevent employees from taking such risks, and punish those who do. But when they take a risk, they're risking their own money; it's a very different thing from an ethical perspective. Of course, if there are multiple owners then they share the potential loss; but if they all agree about taking that risk, then it amounts to the same thing.
1. Help them understand your policies. i.e get a 'buy-in' to your ideas first, before you expect your policies are going to fly. Throwing rules over the fence is not generally appreciated, other than an attempt to save your ass.
2. When some breach happens, take that as an example and explain in a friendly manner to bosses. Explain related loss, both in terms of monetary and company reputation. Although do not wait for that to happen, you can always present a hypothetical case, that could happen to your company if certain procedures are not followed.
3. Bosses understand the money language. So try to convince in those terms. Losing company reputation due to data breach, web site defacements, network break-ins etc, is another big card that you can play.
4. Additional policies and rules are always considered pain. So unless you attach some post-benefits to that pain, no one is going to buy
In short do your homework and be persistent till it happens. Do not expect it will go through in first shot.
I've worked in tiny and HUGE companies. In the small company I'm working at now, we're about to have all the Directors, Board and employees members sign a 1 page "Personal Responsibility IT Policy" that requires backups, encryption for stored and transmitted data among other common things. 1 of the Directors doesn't want to sign, but all the others (with IT background) are looking forward to it. Basically, they are all concerned that the non-IT person who travels the most isn't protecting company assets correctly.
Whether this changes any actual behavior is a different question. As the IT guy, I have to be available for all of them to ask questions and work through the implementations on their personal and company machines. C-suite people mix home and work all the time.
If there was something extra that wasn't a good idea, but one of the founders/Officers wanted it, I'd create a short "Risk Acceptance Letter" for them to sign. It says what they want, why it is a bad idea and what steps would be needed to fix it later. If they refuse, I don't do the work. Since the rest of the Directors are IT folks, they will back me up and my job is secure. In our company, we want people to stop each other from doing stupid things.
I learned this officer level signature stuff at .... wait for it ... AT&T. The signature isn't as much about protecting me - they really couldn't care about that. It is about holding 1 officer accountable to the others for requesting non-standard things. It is also a trail that the BoD can see - you know, that "permanent file" that follows you around when you do stupid things? Officers usually sign, but once in a while, they back down and do the recommended thing.
Probably a dirty word in these technical bits, but I'll say it anyway. Owners should be leading their business and the decisions they make. What they publicly do impacts the morale and actions of all employees. I would probably suggest to each of them individually that a public demonstration of them following a new IT policy is a good way to cement its importance company-wide. This achieves two ends for you: getting the C's to follow-through on their original approvals and level-setting for everyone else.
I fully agree. Employers don't generally win unemployment compensation hearings, even when they are correct. In many cases, the employer has a policy to appeal ANY unemployment claim, just to set up a few additional hoops for the employee to jump through. Most of the time, the employers don't even show up for the hearing. As a result, the state labor department deals with a LOT of junk appeals. Even when the employer shows up, the burden of proof is upon THEM and most of the time, they aren't up to the task.
I know of a guy who was thrown out during some kind of bizarre purge. The company had a change in management and this guy was clearly not part of the plan. So the company tried to cobble together some sort of justification. However, their schedule for firing him did not allow for collecting enough excuses. The purge worked in such a way that the guy's boss had already been let go, so actual facts of the employee's performance were in short supply. What little they had was wrong.
So of course, the employer appeals the unemployment claim. The hearing is held and the employer is absent. After losing by default, THEN the employer appeals to re-open the case. The employee's witnesses are subpoenaed and the day of the second hearing arrives. By this time, the employer has engaged some kind of unemployment compensation management firm to try and win the case. Upon seeing the employee's counter claim and witness list, the consultant tells the judge, "Upon review, this case does not rise to the standard necessary to establish termination for cause. We withdraw our appeal."
Considering how routine these shenanigans are, is it any wonder the employers usually lose?
So I was working at a large defense company, and they had been dinged by the gov't for high-level management fraud. So part of the penalty was all employees that weren't managers had to take a mandatory Ethics class, run by... the managers.
Add in that the class included a Dilbert Ethics Game-- an actual, licensed Dilbert[TM] board game with little Dilbert characters and cartoons in it, where you had to move around and then answer ethics questions.
Oh, and it turns out you could win the game without correctly answering the questions, as my team figured out victory was based on position on the board, not score. And the only team that could have beat us took the high road, and when faced with one ethic question said "We know you want to hear answer A, but really, we would do answer B, as would any reasonable person."
I'm still not sure what lessons we learned.
A.
It's not just small companies. I've worked for very large firms where the idea of data protection doesn't exist or rules are skirted for convenience. I'm waiting for a discussion with federal regulators one day about "special data servers" in closets because upper management wanted to have their own containment on their information even though the rest of the company's data is in well established data centers. CI
The only way this gets solved is via fiduciary responsibility laws. As officers of a company, owners and sr. management have the responsibility to ensure that they have policies and that they follow them.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
When an owner won't follow policy, as an IT Guy, there's not often a lot that can be done to initially correct the behavior, aside from gentle nagging. However, when some sort of data loss event comes to light, it's an opportunity to help correct the behavior. Don't engage in the trap of playing the "blame game." It won't win you any points or get you more influence. Instead, come alongside the company owner, frown and sigh, and then say something like, "Well, let's see what WE can do to sort this out."
From there, you just have to do your best to come up with some solution sets. And if the real solution is spend several thousand dollars on data recovery, put that on the table. A company owner speaks in dollars and cents sometimes, and when they have to pay a penalty like that, they tend to be more open to listening to you, particularly if you're not terse about it, but rather more gentle with how you discuss these sorts of issues with them. You're not adversaries, you're really partners in this. He wants the company to do well so he makes better profit margins, and you want the company to do well so they can give you raises and buy cool equipment and so forth.
After you rescue them from a disaster, or near-disaster, pose the question: "Hey, when can I schedule you in to get that backup we've been meaning to do?" And after they come in for that one, start making it a routine to just ask, "And when should we schedule you to come for the next one?"
I think you'll find, you still catch more flies with honey than with vinegar.
Awk! Pieces of eight. Pieces of eight. Pieces of seven... ERROR: General Protection Fault. [Paroty Error.]
Bosses are notoriously bad about following policies imposed upon them from underlings. The bosses have to institute and champion the policies.
In a nutshell, you do not have problems with IT policy not being followed, you have significant company management problems. You have to identify the correct problem to fix.
2) If you're going to try to have me sign something like that I'm going to have a talk with you about bureaucracy and how we can't afford a BS cover your ass mentality in a small company. You may rest assured that if I don't back up and there's a crash there are two possible results: If I'm a bad manager I'm going to come back at you and no little piece of paper will stop me from firing you (though I'd expect you would receive unemployment as it's not really for cause). If I'm a good manager I'm going to write the check to cover the damages, feel foolish and accept your recommendation going forward.
Of course, if you're a good manager you might realise that the only thing that bit of paper is good for is giving me some minor peace of mind against the possibility that you're a bad manager so you'll sign it to keep up my morale, instead of giving the "let's just make this bit of paper disappear and nobody gets hurt" talk that is exactly what a bad manager would do and makes me think maybe I should be looking for employment elsewhere... Besides, there's nothing wrong with CYA so long as it's not getting in the way of anyone doing their job (and believe me I've worked at plenty of places where it did).
All small business owners can think on the lines the GP outlined. Some may not be smart enough to put them on such friendly terms, but all of them will think those same thoughts.
If they wanted to live with bureaucracy and CYA politics, they'd work at big companies (or the government). That is much easier.
Rethinking email
You have a couple different types of appeal you can make. They target different areas and you'll have to choose the best appeal for each boss.
1. Vanity - They're the boss. In theory they have access to the most important data. They're also your most important customers and it might be a good thing to point out how uncomfortable you are with providing better service to underlings than you're able to give to the boss.
2. Safety - Much like car wrecks, computer security problems don't just happen to people who are careless, they also happen to people who get caught up in the wreck. Basically just a reminder that malware and zero day vulnerabilities can nail them even if they don't do anything wrong.
3. Convenience - When was their last backup? Outline what they can expect if their hard drive bombs.
4. "Platinum Plan" - S/he's the boss. Give them a USB drive and script up a regular backup. Or do it over the network. Kind of related to the Vanity entry.
My employer has developed hundreds of these type of rules (ignored after the first month) as a reaction to a single incident. And has lots of warning signs in response to some fluke that seemed like a big deal at the time. This seems like one of those rules that may make sense for you, but is it only because you were involved at the time, or is it really the best solution? I am guilty of enacting many a practice thinking it would save the world, don't take it personal if it is just viewed as a waste of time to others. Personally I would try to use the non-compliance to come up with a novel new solution (like a central backup-server) that would make me look favorable to both the manager and the users. Not make me look like one of the rule nazis that IT gets looked down on for being.
Every so often reiterate the policy in writing to them and when they ignore it, they ignore it. It's their funeral.
the major advances in civilization are processes which all but wreck the societies in which they occur - A.N. White
Seems reasonable to me. I can quit anytime I want; why can't they fire me anytime they want? I'm selling them my labor. They're free to buy labor from whomever they want, and I'm free to sell to whomever I want.
What complicates it is the weird parental relationship we've set up in the US where employers provide health insurance. That should change.
Free market folks would say that any entanglements - where I can't quit because I need the insurance, or the company can't fire me because the law or a contract prevents it - serve to keep people in sub-optimal jobs and drain productivity, which leads to fewer and lower-paying jobs overall.
I'm not an economist and I'm sure there are counterarguments, but it seems pretty straightforward to me. It sucks when you're the one who is fired. But that doesn't make it immoral.
A lot of management that I have worked with do not see the forest for the trees. They break policy all the time in little ways, but, until they are held accountable for their actions and given consequences, they have little motivation to follow the rules (not all management is like this, I have been fortunate to work directly under some really good people who did things right most of the time - we all make mistakes - we shouldn't do it all the time and on purpose).
If the boss is a decent guy/gal just mention it to them that we have a corporate policy regarding xyz. Don't mention they implemented it. Don't say the words 'against xyz'. Your goal is to get them to comply. Not point out they are wrong.
The other avenue would be to talk to the Secretary/Administrative Assistant. Bosses don't want to listen to peons. That's why they are the boss. However, they will usually listen to their most trusted confidant - that is usually the Sect/AA. The point you want to make to the AA isn't that the boss is wrong (see a trend here?) it's to change their behavior to be in line with corporate policy.
If the boss is a bonehead - talking to them won't solve anything. If the transgression will torpedo the company, go look for other work.
In any event, none of these conversations should be in public (you're not out to embarrass the dude) and be careful if you tell someone else that they don't go spreading it around.
Remember - you are trying to get them to stop what they are doing not get them into trouble.
Another avenue is to speak with whomever is in charge of security. In a small shop it may also be the CIO and a really small shop the CIO may be 'Frank - he fixes our computers.'
Ask the owner how you can make the company policy flexible enough that it works for him too.
There's all sorts of hidden messages in that question.
If you want to do anything, do it in a positive way. Offer to back up their laptop when they have a long meeting in which they don't need it, or give them the tools to do it themselves, or something of that sort. It doesn't matter. Accept it if they decline. That is a positive move.
If there is no such way, don't point them to the policy unless you are a very tactful person. They know about the policy but it somehow hampers them. They probably figure it costs them more in time and business to follow that policy than not.
Are you responsible for policy enforcement? Probably not if you have to ask this question here. Inform someone who is responsible and let it be, unless you can do it in a positive way and not focused on rules.
Face it. If the owners don't want to follow your "pesky little IT policy" they won't. There is no authority figure who can force them to and nothing you say or do will make it so.
Best bet is to simply CYA. Send out memos with reminders of the policy and document every time you do it. When the inevitable happens and they come banging on your door, pitchforks and torches in-hand (i.e. threats of termination) show them the CD-R with all the documentation labeled "My CYA Disc (lawyer has copy #2)".
If you found a solution that would work, and it isn't, then find a solution that does. Does everyone come to the office every week? If so, why not set up a backup process that backs up the changes via the company's network (wireless, or ethernet) automatically.
Give gifts of inexpensive USB drives to your laptop-wielding asshat managers. When they ask what it's for, just casually say it provides extra storage when they run out of backup space. When they say "back-WHAT?", be ready to take the opportunity to show them how they can help themselves...
Easy. The owners of the company are entitled to do whatever they want. You need to work with this and make sure they don't lose their data. This means shadowing them, watching how they work, and figuring out which directories you need to back up for each. How many people are we talking about, maybe 4 or 5?
You need to set up custom backup for them. It's not that hard.
Don't kid yourself. It's the size of the regexp AND how you use it that counts.
Wow, you've never worked in a self-destructive company.
Execs in this mode don't want to be bothered with the details. That's what you are for. They are not going to write any policy, they are just going to assign it to someone downstream, namely you.
Nor will they adhere to any rules or policies written by tiny underlings like you.
They own/run the company. They will do whatever they please.
The owner(s) are afraid their IT people will back up (and document) their porn collections? Seriously, there may be very rational reasons they don't want you looking at their computers.
(A guy I knew quit a fairly good paying job when his boss, the owner, wouldn't allow him to put up any kind of firewall, specifically because he didn't want any logs of his porn downloading.)
True, once an employee is at the executive level, they have ridiculous power, and often do ridiculous things with no recourse.
The theory is supposed to be that if you are an executive, you are held responsible for the actions of the people under you.
The reality is that executives are never held responsible for anything, even if they are grossly at fault.
Honestly sometimes it's better when the execs are NOT involved because when they are they get this idea about how they want to revolutionize the company by adding a checkbox on this web page, which leads to countless meetings and generally turns into a gigantic project for no actual company benefit.
http://theoatmeal.com/comics/design_hell
Basically once you get promoted to royalty, the rules don't apply anymore.
Oh and by the way, feel free to cut IT staff, because they're just a drain on your bottom line.
Truth be told, if you're an American worker, you are expendable. You can be outsourced or replaced faster than you realize. Sure, the company might have some serious issues (or if you're a really bad IT guy, come crashing down because you took all the keys to the fortress that the company didn't even know existed). Generally, life goes on without you in that company.
Your best bet is to understand the reasons why your policies aren't working and rewrite them to work. If you can't get them to give you their machines for backup, write scripts to back them up when connected to the network (there are solutions out there that can do this for you, too).
If they don't want to spend the money or allow you to bog down their machines, negotiate other solutions. Sure, you're not going to get an ideal-for-you resolution. I'm not sure if you realize this, but the world doesn't revolve around IT. If something bad happens, it's never just one person's fault. Everyone is at risk. It's no different with automobiles, homes or the food supply for that matter.
CYA is only one necessary reaction when dealing with these types of situations.
Getting creative and working with the staff ensures you continue to have a job. It will also teach you about what types of questions you should be asking before declaring policies and that policies are really only guidelines when it comes to owners and high level managers.
If all else fails, it's time to move on. Do so before it gets ugly so you can get some good references. Everyone dies on a burning bridge.
Parmasean Cheese. It's what's for dinner.
"it is reasonable to recommend, cajole, suggest or encourage proper owner behavior"
No, it isn't. More to the point, it's not his job to do so.
If the higher ups will not support you. You can state your case and you are left hanging.
You can nag periodically so no one can say they did not know when something goes wrong.
I am not sure what you expected as advice.
"We" created a policy.... Did the we include all of the owners? If not, did it include any of the owners? If not, who the hell do you think you are?
Seriously, an employee trying to make a policy for an owner looks a lot like a 2 year old trying to set policy for his grandparents. Not his parents... that isn't strong enough.
The art of managing "up" is difficult to learn and very hard to do. If you get caught doing it you may be fired on the spot for insubordination. The charge will stick.
One way to approach it is to keep track of how long it has been since *any* owner's laptop has been backed up. After a month or two when you just happen to be talking to X (one of the owners) you say something like "What did it cost you when that data on Y's laptop was lost?". That might lead to an interesting discussion. Or, you might hear "None of your business" or "That is above your pay grade". No matter what, you can get a line in where you say something like "Well, in this economy we are all worried about our jobs and I wonder how it will affect the bottom line the *next* time it happens." Or maybe something more like "I'm worried about how it will affect the business the next time it happens". If you can work in some information based on knowing what was lost, that will help.
The idea is to get them thinking about how losing that data affected their personal income. You also want to do a bit of subtle divide and conquer, never never bring the subject up with the one who lost the data. That one has a strong emotional need to believe that there were no negative consequences of his actions. The one who lost the data will make sure that no up policy ever goes into effect. Only the other owners can change his attitude or override his decisions.
If you do the job correctly you will come off as a conscientious employee who gets "the big picture". If not, you'll be seen as an obnoxious worrier who thinks he knows better than the owners. More importantly, in a week or two one or more of the owners will tell you about this new policy they are putting in place... Don't even think about saying that you guys already thought it up. This is one where the more you can make them think they thought it up, the better.
OTOH, if you have already been making lots of noise about this, start looking for a new job. You may have destroyed your future where you are and, hey, when one of them leaves the crown jewels on a plane and your biggest customer goes to your competition you're going to be looking for a new job anyway.
Been there, done that... Got promoted, got fired, left ahead of the creditors... And, a few times I was one of the owners.
Stonewolf
They get to do as they please.
---- Booth was a patriot ----
If it is the "right" kind of boss - you say "Take me to lunch and I will tell you how to save the company from disaster...".
If not, start looking for a new job immediately.
Target their own computers and their home computers for a nasty lock up and lock out malware. When they come in whining like idiots - Mutter profusely about how you HOPE their interlectual property was backed up and protected by patents etc..., Mutter "Ooooooo this could be very serious, very very serious". Ask them how long has it been since they have backed them up..... Make lots of Tsk, Tsk Tsk noises..... And when they turn white, ask for a raise and extra to work over time.... Mutter lots more...... etc. Then when they piss off - order in pizza and a few DVD's and to a simple unlock..... and keep it up for a few nights, and then insist that they do timely back ups....
Voting up, Voting down - If I really gave a fuck about your approval or not, I'd come and ask you.
If they own the company, and following the policy is too burdensome, perhaps you need to take a look at the policy.
If it's a backup policy, would another backup solution work better? Perhaps an automated instance of backuppc that will run at lunch every day (or before they get to work, or when the boss goes out to his chick on the side every Wednesday afternoon...).
The reality is that IT policies should be minimally invasive.
Wow, you've never worked in a self-destructive company.
Assumption. WRONG.
They are not going to write any policy, they are just going to assign it to someone downstream, namely you.
I didn't say "make them write the policy". I said "involve them in it".
Also, I am, unfortunately, familiar with the "it's my stuff, but if I fuck it up it's your fault".
In those cases, I make sure that the person STILL participates. Even if minimally, and signs off on everything appropriately then try to find ways around their stupidity.
Oh, did I mention that I'm fully conversant in "cover your ass"?
Chas - The one, the only.
THANK GOD!!!
Get them to append the policy (they probably won't read it), to allow you to send reminder emails and texts. Have the frequency ramp the longer they don't comply. Eventually they will give in, or fire you.
"Sometimes it's hard to tell the dancer from the dance." --Corwin Of Amber in CoC
Work up illustrative stories about Mr. Boss who left his computer on his desk and had the cleaning lady accidentally knock it on the floor, scattering the data into nothing. The company needed this data and spent 12 man hours (at $25/hour) recovering it because Mr. Boss hadn't backed up the data on his computer. I'd guess about ten such scenarios well-publicized by flyers in the hallways should do it.
Cranky educator.
I'd write them explaining that you're responsible for not losing data, but lack the authority to order the owners to take the necessary precautions. So please, could you clarify the priorities (you are the owner and have the right to set priorities, I wouldn't dream of stepping on your prerogatives) by either giving me the authority to enforce the data retention rules or officially relieving me of the responsibility with regard to the relevant people's computers?
The reality of the situation is that unless they're breaking the law, the owners of a private company can do whatever the hell they want with that company, including drive it into the ground or smear the insides with their own excrement. It's their company and they can make whatever asinine decisions they like so long as they don't break any laws doing them (they can't steal from an LLC, burn the place down, shoot people, etc). Unless one of the other owners (if any) has a different opinion they can do what they like within reason.
It's not much different with a public company either, barring the fact that there are a few more laws which apply in regards to your behaviour towards other shareholders even if you own 99.9999% of the stock.
You can explain to them why they should follow the policy. You can report them to the relevant authorities if what they're doing breaks the law. Otherwise you're SOL.
Take a step back from the problem. If you have a well documented policy that no one is following, think about why that is. Maybe the policy is just too much of a pain in the ass for people to comply with and still get their jobs done. Maybe you need a different policy.
Anyone can sit around and complain about how stupid or noncompliant their users are. But seeing problems from the perspective of the user (or boss) is the difference between a good IT person and a great one.
In the case of backup, consider continuous protection solutions like mozy.com.
If you can determine the reason for their resistance to good policy, you could work to make it as painless as possible to comply. I can imagine a person would be unwilling to hand over their laptop if they feared the process taking too long, or surrendering privacy, or even exposing unethical or unlawful uses of the system. Obviously the last example opens up a whole different set of issues but it shouldn't be too hard to mitigate their fears in the other cases through education and/or savvy use of technology.