How To Thwart the High Priests In IT

GMGruman writes "You know the type: They want to control and restrict any technology in your office, maybe for job security, maybe as a power trip. As the 'consumerization of IT' phenomenon grows, such IT people are increasingly clashing with users, who bring in their own smartphones, use cloud apps, and work at home on their own equipment. These 'enemies' in IT are easy to identify, but there are subtler enemies within IT that also aim to prevent users from being self-sufficient in their technology use. That's bad for both users and IT, as it gets in the way of useful work for everyone. Here's what to look for in such hidden IT 'enemies,' and how to thwart their efforts to contain you."

Wow, what a stupid post

[Improv]

While some people get the policies wrong, in general the idea of IT policies is a good one; the only way to support business policies is to allow for sensible IT policies to exist. If the IT policies don't serve the business policies, someone's not doing their job right, but that's not a problem with the idea of policies existing at all. If you want to "thwart" your IT people, you'd better have a damned good reason.

Re:Wow, what a stupid post

[BlakJak-ZL1VMF]

^ This. The IT dept's worst nightmare are employees who *think* they know better.

Re:Wow, what a stupid post

Actually it's the job of IT to support the employees who are designing the products that bring in the revenue. It isn't the role of IT to dictate what those employees can use.

We had an IT guy for a while who thought he was a dictator. He lasted about a week before we replaced him with a guy who realized his job was to make OUR jobs easier. He's quite good at it, too - he actually does make our jobs easier, which makes everyone more productive. If he was going to tell us, "Sorry, you can't use X or Y", he'd be out of here in a week too.

Re:Wow, what a stupid post

Actually it's the job of IT to support the employees who are designing the products that bring in the revenue.

Right and wrong. IT's job is more than just facilitating the ability for engineers to do their job (not all companies even have engineers). It's about corporate security, regulatory compliance, and SLA compliance.

A good IT department will make compromises between all of these things. The business needs to be flexible enough to allow engineers, salesmen, etc. to be agile so as to be competitive in the market, but not to the point of anarchy where an untested/uncertified smartphone gets lost and results in sensitive data going into the wrong hands due to the lack of remote management of said devices, resulting in regulatory fines or competitive disadvantage. Similarly, any sane IT department is going to have a supported platforms/devices list. You cannot provide an SLA to the business on a device you've never seen and done any interop testing with.

Sorry, it's obvious you don't understand the challenges of a real business.

Re:Wow, what a stupid post

[jaymz666]

Creating solid policies that protect the network and the company from intrusion of just plain failing should always come before Joe sixpack employee hooking his iPad to the network.

It will often take some time to make sure that adverse affects will occur, or to sure up infrastructure. But very few IT people are gods on high, they want to help.

Re:Wow, what a stupid post

[jrminter]

if it's a device that you need for business purposes, the business will provide it for you. (Or should, if it's a genuine need.)

In an ideal world, yes. I really wish I worked in one. I work in an organization under "severe budget constraints" (unless you are senior management, then it looks pretty cushy to those of us in the trenches.) If we don't buy and use our own stuff, we have to limp along with "stone knives and bearskins" (thank you, Leonard Nimoy and Star Trek). Our choice is to work around IT or get hammered at performance review time for "not getting the job done."

Re:Wow, what a stupid post

[Tanuki64]

I am so glad I don't work in system administration anymore. Tools like you really were a pest. My first job was system administration. The person I replaced was a really good administrator. If good administrator means that he was liked by the rest of the company. Ok, when I examined the server I discovered a rootkit, some unknown outside party had access to this company's servers for month, but hey, shit happens. This is only a small problem as long as the employees were able to surf their porn sites. I built a firewall, cleaned the servers and all computers in this company and generally closed a whole bunch of security holes. What happened? Did I get thanked? Bah, a few weeks later I had a very inconvnient talk with the boss. Sure, I was the BOFH and the mobbing started. Everything worked under the old administrator, why can I idiot not keep everything as convenient as my predecessor? For instance he never forced anybody to use scp instead of ftp to get their files. And really all websites worked. I quit after about three month. Don't know what happened. Perhaps they were able to get their old, good administrator back. At least for a while. Because what I know, is that this company does not exist anymore.

Re:Wow, what a stupid post

[Hognoxious]

I'm inclined to agree. GP comes across as the kind of feckless twat who equates making everyone's job easier with doing everything they say and no questions asked.

I'll tell you whose job it doesn't make easier - the one who has to clean up the inevitable wreck that occurs when you take understanding the users (a good thing) a step too far and let them run the show.

Re:Wow, what a stupid post

[BlakJak-ZL1VMF]

This old argument... I know exactly what you mean, but if your productivity is being hindered by 'stone knives and bearskins' then surely this is something that management simply get to live with? When Management cease to support the employee, surely the employee should become a 'timecard-worker'....

if your productivity is high, they're going to think all is well. Let your productivity slide and when they ask why, point out to them how they're screwing themselves over with their stone-age conventions?

Sucks I know, but otherwise you're shooting yourself in the foot.

Re:Wow, what a stupid post

When was the last time you heard of a company getting fined or giving data to a competitor as a result of a data leak from a lost piece of computer equipment?

First of all, that was just a singular example of IT security. There are numerous other attack vectors that IT has to enumerate, assess, and control.

Second of all, the reason why you don't hear about it is, firstly, it's rarely a front page news story when $RANDOM_COMPANY loses a harddrive full of customer account information (unless it's a particularly large breach). Secondly, the actual fines (which are, for the most part, a recent legislative creation) are incentivizing companies to actually implement the proper IT policies such as device encryption and remote wipe / disable. So the problem is starting to be solved.

When was the last time you heard a salesman say they lose time to IT policies.

Not the first time I've heard "It's IT's fault" from underperformaing salesmen. I'm not going to say IT is always innocent, but I've been around long enough to seen the patterns.

I personally have had two clients because it's easier for them to outsource the work than it is to get their IT enabling that work to be carried out internally

Specific examples? I'm not saying you're lying, but I can't argue with vague generalities.

Re:Wow, what a stupid post

[jaymz666]

Did you miss the "help" part? If there is a need to get it onto the network then it will get on the network.

Joe Developer needs to build in time to his project for technical setup and issues if the infrastructure isn't already available to do what needs done, but IT doesn't know what needs to be done until they are made aware of it. They need to have some time to create the correct environment for that requirement to work correctly.

Bringing in a wifi router and hooking it up to your network jack is not the answer either,

Re:Wow, what a stupid post

[GuruBuckaroo]

If I am held responsible for the smooth uninterrupted operation of a network, then I will most certainly take ownership of it. If you think that the IT department contributes zero to the bottom line, ask yourself how that bottom line would look if your network had 50% uptime instead of 99% or better.

If you aren't willing to let your Systems Administrators take ownership of IT assets, you really need to go back to abacuses and legal pads.

Re:Wow, what a stupid post

[anonymov]

What's wrong with calling it "my network"? It's not much different from builder saying "my project", when he built it for the company, and developer saying "my program", when he wrote it for the company.

He built it. He's responsible for it's operation, security and availability for all users. It's his network, not in the ownership sense, but in the sense of being most involved in it. He _does_ know better.

And really, cut it out with "You're just a liability, do what I want" (or the other popular "IT is just modern plumbing") nonsense.

You will push your sales just well without plumbing - in fact, you'll probably do the sales just fine up to the knee in shit if it's holiday season and management tells you to.

You won't be able to do shit without functioning computer infrastructure in 99% modern office jobs and half of factory jobs.

That's why letting you use your iPad comes distant second after keeping the system oiled and running.

If you need it, prove to the management that it'll help you move more stuff - it can't be hard if you know what you're doing and what you want it to do. Then we'll be able to plan for your needs and research how to let your iPad on our net.

If you don't know, but have a gut feel it'll help you - again, tell the management. We'll figure it out with your management and tell you.

But "I need it because I need it and you must make it happen" doesn't work even with CEO. Really, CEO who knows what's best for him does come to IT to ask how to integrate his stuff in the network. It's not like "Do it in 5 minutes flat or else! And I don't care for security-schmecurity (which he himself approved as well, by the way)"

And surely, employees can have their Android and iPhones, if they don't mind it being set up for security compliance - again, after research and proper planning.

Re:Wow, what a stupid post

[Archangel+Michael]

When you call it "my corporate network", you have defined yourself as the exact IT staff users complain about.

Fine. When the CORPORATE network blows up, it isn't "mine", and I won't give a shit. How does THAT sound?

"My Network" doesn't imply "ownership" as much as it does "complete responsibility", which is why TWITS like you don't get it. "My Network" is something that I take a great deal of pride in. It is MY responsibility, and therefore it is MY network. It is like the sales guys getting all upset when another sales rep "steals my client". It isn't your client, it is the company. That isn't YOUR desk, it is the company's. It isn't your office, it is the Company's.

You get the point now?

Re:Wow, what a stupid post

[Compaqt]

Yeah, he is a gatekeeper, and he enforces corporate information security.

Do you give the same speech to the guy that keeps the actual gate (at the corporate parking lot entrance or front door)?

The guy at the gate is enforcing corporate physical security, under the direction of the facilities/security manager, who is working under direction of the company (in whatever form that company ownership and command is exercised in that particular company- board, proprietor, etc.).

Re:Wow, what a stupid post

When was the last time you heard of a company getting fined or giving data to a competitor as a result of a data leak from a lost piece of computer equipment?

Actually, I have my current job [at a large, prominent insurance brokerage] because my predecessor cost the company over a million dollars in fines when he lost track of a single backup tape by way of shipping in a manner that was explicitly counter to the company's stated policy... as defined by upper IT management just one month prior (specifically to avoid this exact type of mishap).

Confidential, personally-identifiable customer data is out in the wild, and that's not a good thing.

Sour Grapes

[MaskedSlacker]

Sounds like the article was written by a tool with no understanding of how enterprise IT works, and no grasp of what bringing alien, unknown systems into contact with critical infrastructure can lead to.

Overhead

[Scutter]

IT is overhead. It's a cost center. It generally does not generate revenue. Maintaining an infrastructure costs the company money. Every time you want to bring in your personal equipment, we have to figure out how to support it and that raises the company's overhead. Instead of making IT justify why we don't want to support your Widget Of The Day, why don't YOU justify to the company why you're increasing costs and then work to have that increase added to IT's budget so that we can actually afford to support your crap without having to divert funds away from things that the company has already approved?

Re:Overhead

[jroysdon]

Except when your uber-important report or presentation or project or whatever is lost and when your laptop goes belly-up and you want to waste IT's time to try and recover it.

Yeah, the problem is these folks want all the freedom and none of the responsibility for maintaining their own gear.

How about when there is a lawsuit and all emails, IMs, etc., must be collected? Do you really want your personal laptop being inventoried for all of this? I think not. There is a good reason for a line between business and personal.

Yea..but users don't make policy.

[geekforhire]

I certainly understand that users want to use what is easy for them but they need to understand that they don't set policy. I listen to any reasonable requests and if they fit within our policy (or if it makes sense to change the policy to allow it) I will authorize their request. However, understand that I have been working in IT for over 20 years and know a thing or two that you probably don't. Its not a power trip, its my job, it is what they pay me to do. Employees need to understand that its not personal. If their request was denied I had a very good reason to do so. Get over it, move along.

Re:Yea..but users don't make policy.

[jbolden]

Except that your job and your policies can interfere with their job. By your logic they can break your policies, because it is their job and it what they get paid to do, its not personal; and you should get over it and move along.

Or maybe you need to try and figure out what unmet business need is driving the desire for a new device and meet the need so they don't even want the new device.

Welcome to Clueville, population: You

[pla]

Seriously? We don't want uncontrolled portable devices on our networks because we don't control them. We can't force-install AV software (if it even exists for your favorite no-name phone/player/tablet/whatever), we can't even do basic cleanup of them without your cooperation.

And that only describes them as a potential vector for attack. We also can't control who else has access to them, can't wipe remotely without your permission, can't keep you from leaving it, complete with the latest super-secret corporate strategy on it, in the bar at a random trade show.

Dislike of portables has nothing to do with controlling you, and everything to do with controlling and protecting what the company pays us to - Their IT infrastructure and digital IP.

Completely brain-dead

[ErikTheRed]

It's the sort of stupid article you'd expect from an organization that is supposedly all about information technology, but is so backwards that they're endlessly pestering me to take a free subscription to their dead-tree edition. If their web site isn't even worth visiting for free articles, why would they think I want to spend the effort moving their magazine from my mailbox directly to the trash?

Dear GMGruman...

[Richard_at_work]

Dear GMGruman,

Go fuck yourself.

Yours sincerely,
Pretty much every sysadmin anywhere that's been tasked with providing IT services to keep a business running as productively and profitably as possible, in spite of people like yourself.

On the money, whether BOFHs admit it or not

[russotto]

IT is often the "prevention of information services department". User figures out a better way to do something, IT blocks it. Prescribed methods of doing things don't work well; user goes around them, IT blocks or complains to management. User wants something done, IT demands business justification and signatures from at least two executive VPs. User does it himself, IT finds out and makes him stop.

I actually read the article...

[Angst+Badger]

...but I stopped counting how many times the author recommended trying to cost people their jobs for actually doing them after the third time. I'd like to offer something more insightful in response, but I'm afraid I'm left with "What a smug asshole."

A better headline, and a funny story

[MasterOfGoingFaster]

A better headline might be: "Writer get pissed that IT guy called his new gadget a Toy."

While I'm sure he's got a good point that IT people should not talk down to other employees, he needs to hear a few horror stories to understand our concern about his new "toy".

I was brought in to trouble shoot a network that was completely down, idling over 100 workers. Naturally, the CEO called everyone who had any IT experience, so we had a crowd of upset and confused people. In short - it was a packet storm. What caused it was an employee bringing in his own device and connecting it to the network.

The employee wanted a wireless AP for his laptop, because he didn't like the Cat5 cable. The IT staff said "no", so he install his own Linksys. You see it coming - no encryption, default password, etc. Well, it was slower than the wired connection, so he figured he could get twice the bandwidth if he connected TWO Ethernet cables. The port he selected was connected to a different switch, and soon a packet storm erupted.

Yes, the IT manager made several mistakes, including buying non-managed switches. But the bottom line is the employee cost the company dearly for his "toy".

What's funny? The guy was bragging to his buddies about how smart he was, not knowing the IT manager, CEO and I were standing behind him. Fired on the spot he was.

Nope...

Excuse the rant. Realistically, IT has a number of jobs:

1: Keep stuff running.
2: Keep stuff accessible by users.
3: Keep stuff secure. Yes, this can inconvenience someone, but better a teed off muckety-muck than a wholesale breach where all the goodies are stolen to an offshore firm.
4: Comply with regulations.

Do you know how many fscking regulations an IT department in a midsize company has to deal with? In a typical organization, you have to deal with Sarbanes-Oxley (either because your firm or one of your clients is publicly traded), HIPAA, FERPA, or many other laws? Then there are the stipulations put on a company by contracts, like PCI-DSS. Then there are things you sign with a client like vague crap like "all computers will have antivirus programs running on them". Yes, the bean counters sign that, but it really means that I have to license copies of McAfee for the multiple IBM Power Series 795s doing the back end database I/O just so that "t" is crossed, and "i" dotted. Yes, the chance of finding a virus on the AIX boxes is flat nil, but it keeps the customer happy.

If I'm in IT and cannot allow you to VPN in or use your precious iPhone to access Exchange mail without restrictive policies (like blocking the camera, long passwords for unlock, etc.), it isn't that I have a pogrom against your sorry ass, its because when you are at the bar drinking with your friends and you leave your phone unlocked (or even worse, jailbroken to get around Exchange policies, then left without a PIN) in the bathroom stall and report it lost, guess what department how has to report to the public about an unencrypted security breach as per California and other laws? Definitely not sales. Definitely not HR.

Also, users have a choice. Want local admin access to your desktop? All the critical company resources like Outlook will be on Citrix. This way, there is a definite barrier between a compromised workstation and the core functions of a company, such as the database with accounts payable, receivable, internal applications and lots else. Don't like that? A locked down policy where one doesn't get to choose even their screen saver is just two commands away.

Of course, on sensitive sections of the company like the finance department, the desktops are locked down 10 ways from Sunday, but there will be a Citrix application available on a remote server so you can do some personal Web usage and not risk completely tossing the company's salad if the Web browser gets breached, even if it is "just" that user account that gets nailed.

So, don't take it personal when an IT guy says no. We are not correctional officers who view you as inmates. In fact, we will bend over backwards to try to get not just what you need, but what you want. However, we won't bend over forwards.

Oh, and my OS bias? Whatever gives me the least amount of problems and keeps the pages/calls/texts off my cell. I've been in the business too long to give a crap about what Netcraft states.

Don't Rise to The Bait

[Bob9113]

Don't rise to this asshole author's bait. He's a troll or he is ignorant, and the right answer is neither that people should nor that they should not thwart IT, and the right answer is neither that IT should smack them down nor that IT should give them everything they want.

The right answer is that the people who feel they need to thwart IT are a valuable resource. They are people who have a need that is not being satisfied. That need should be explored and a resolution found. Sometimes the answer is, "No, because it would not be safe / cost-efficient / legal." Sometimes the answer is, "There is already a way to do that, but not the way you are attempting to do it." Sometimes the answer is, "We should add that capability, because it will make the company more profitable."

The idea that it is all X or all Y is fundamentally rooted in "us versus them" mentality. It is a bullshit, douchebag mentality which is, unfortunately, actively fostered by assorted self-righteous nincompoops and the kinds of people who watch the UFC not for the display of physical prowess and grace, but because they like to see people hurting each other.

Don't rise to the bait. Users who are trying to thwart the system are a valuable resource. You want to plumb them to discover unserved needs, underserved needs, and opportunities to improve training. You also want to help them understand why they can't do certain things so that their frustration doesn't fester and become a morale issue.

It is easy to see why the author is a writer. He clearly would not operate well in a more team-oriented context.

Re:That's simply not going to happen in this decad

[rabbit994]

Maybe you have never worked with stupid requirements that Feds enforce but I have. This stuff is life or death to company. People can and will get fired instantly for breaking it. So like others have said, it's not that we want to impede the user, we have no choice.

Things that you don't want "out there"

[sycodon]

A process for regulating the discharge from a capacitor.

The formula for a doping compound that increases the efficiency of solar cell to 80%

A list of your customers and their feed back on your service or their future purchasing plans.

A spreadsheet of assay results from two years of mineral sampling.

All kinds of companies have I.T. departments and not all valuable information is source code.

Re:That's simply not going to happen in this decad

[ArhcAngel]

And if they get caught they will be fired...if they are lucky. Working around IT policies put in place to comply with government regulation for any reason looks suspicious. If the feds notice the results can be much, much worse. When I see violations to SOX or corporate policy I make it a point to inform the person violating the policy and their supervisor. I also send an email to my supervisor with the details of my observations and subsequent actions so there is a record that I did not turn a blind eye to the infraction. How it is handled from there is up to the person violating the policy and their superiors. I can't speak for other IT "dictators" but the way I look at it is if you get this office shut down it affects my job too @ss hole. As it happens I can see the old Enron building (now owned by Chevron) from my office. A constant reminder of just why SOX exists in the first place.

Re:That's simply not going to happen in this decad

[gfreeman]

Wow, I'm honestly surprised they haven't let you go already for making waves, but I suppose since it sounds like it doesn't happen that often at the company you're employed at, it's probably taking them longer to build a solid documentation case against you.

Where I work, I get written up if I do not report a SOX compliance issue that I come across. We have employees whose sole job is to ensure SOX compliance within the company, and it's not seen as "making waves" it's seen as making sure the company is compliant with government legislation that would otherwise shut the company down PDQ.

Re:SOX Compliance

[rnturn]

Not that I completely agree with everything that IT management decides to do but...

If folks are using a network that doesn't belong to them and computers that don't belong to them either why aren't they just using the equipment that the company supplies and do the job they were hired to do? It is going to be extremely rare for someone's job to require the ability to install iTunes and manage music on MP3 players? (One has to wonder what will be the next "right" that's being denied to employees? Surfing for pr0n using the corporate network?) The monthly malware/patch meeting I attend has this discussion nearly every time it convenes. One has to wonder what business need is being provided by iTunes. It never fails to amaze me that people think that all the toys that they own need to work flawlessly on the corporate network. Stop calling that thing in your cubicle a personal computer. It ain't. Their workplace, their rules. Deal with it.

I can still remember when having one's briefcase/purse/bag/etc. inspected going into and when leaving the premises was standard procedure. A camera would have been confiscated immediately and removing anything required a manager's approval. (I needed to borrow a keyboard one weekend after mine had croaked and needed my manager's and his manager's approvals on the form that I needed to present to security on the way out of the building. All for something as benign as a keyboard.) Imagine the squawking that would occur nowadays if they started enforcing a policy like that with smartphones with cameras and/or multi-gigabytes of memory and having the ability to get onto the corporate network. Yeah, this was at a defense-oriented company but I've worked at financial firms with just as strict security.