How To Thwart the High Priests In IT
GMGruman writes "You know the type: They want to control and restrict any technology in your office, maybe for job security, maybe as a power trip. As the 'consumerization of IT' phenomenon grows, such IT people are increasingly clashing with users, who bring in their own smartphones, use cloud apps, and work at home on their own equipment. These 'enemies' in IT are easy to identify, but there are subtler enemies within IT that also aim to prevent users from being self-sufficient in their technology use. That's bad for both users and IT, as it gets in the way of useful work for everyone. Here's what to look for in such hidden IT 'enemies,' and how to thwart their efforts to contain you."
While some people get the policies wrong, in general the idea of IT policies is a good one; the only way to support business policies is to allow for sensible IT policies to exist. If the IT policies don't serve the business policies, someone's not doing their job right, but that's not a problem with the idea of policies existing at all. If you want to "thwart" your IT people, you'd better have a damned good reason.
For every problem, there is at least one solution that is simple, neat, and wrong.
Sounds like the article was written by a tool with no understanding of how enterprise IT works, and no grasp of what bringing alien, unknown systems into contact with critical infrastructure can lead to.
Don't care supporting home made IT solutions, just get the boss to buy it all for me so I know how to use it
Nothing more to say.
Management make the rules, if management say no iPhones, and you then thwart them.... you've gone against management wishes.... which can be disastrous for a job you like.
Of course iPhones in this example was simply that.
The whole point of restricting devices is to prevent any conflicts that block productivity, and that's from the network ops side. From the security side, devices are blocked to prevent extrusion attempts as well as to prevent vulnerabilities from being introduced.
It has nothing to do with power tripping; it has everything to do with making sure the network doesn't fall apart. It has everything to do with making sure no one breaks into the organization and runs away with trade secrets or, worse, PII.
IT is overhead. It's a cost center. It generally does not generate revenue. Maintaining an infrastructure costs the company money. Every time you want to bring in your personal equipment, we have to figure out how to support it and that raises the company's overhead. Instead of making IT justify why we don't want to support your Widget Of The Day, why don't YOU justify to the company why you're increasing costs and then work to have that increase added to IT's budget so that we can actually afford to support your crap without having to divert funds away from things that the company has already approved?
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
I'm all for this, so long as all concerned realize I'm no longer responsible for keeping everything working. Here's my pager, keep the paychecks coming!
I certainly understand that users want to use what is easy for them but they need to understand that they don't set policy. I listen to any reasonable requests and if they fit within our policy (or if it makes sense to change the policy to allow it) I will authorize their request. However, understand that I have been working in IT for over 20 years and know a thing or two that you probably don't. It's not a power trip, it's my job, it is what they pay me to do. Employees need to understand that it's not personal. If their request was denied I had a very good reason to do so. Get over it, move along.
Hi:
I'm a technical writer who has, on occasion, been up against an SME for whom nothing is right. My current fellow has five distinct levels of 'no.' It doesn't matter what the question is, he'll start with one of them and work his way through the list. None of our user or technical documentation can be done by anyone but him. (Don't worry, he checked with himself and he verified this.)
The reason is fear. He has a need to be the unimpeachable expert whose wisdom cannot be challenged. The result is user hostile documentation written to serve one function: to demonstrate how intelligent the author was. I swear he must have taken writing lessons from a Vogon.
The thing is, he knows his stuff but cannot abide actual teamwork. Ergo, he's fear driven.
Just saying.
Seriously? We don't want uncontrolled portable devices on our networks because we don't control them. We can't force-install AV software (if it even exists for your favorite no-name phone/player/tablet/whatever), we can't even do basic cleanup of them without your cooperation.
And that only describes them as a potential vector for attack. We also can't control who else has access to them, can't wipe remotely without your permission, can't keep you from leaving it, complete with the latest super-secret corporate strategy on it, in the bar at a random trade show.
Dislike of portables has nothing to do with controlling you, and everything to do with controlling and protecting what the company pays us to - Their IT infrastructure and digital IP.
It's the sort of stupid article you'd expect from an organization that is supposedly all about information technology, but is so backwards that they're endlessly pestering me to take a free subscription to their dead-tree edition. If their web site isn't even worth visiting for free articles, why would they think I want to spend the effort moving their magazine from my mailbox directly to the trash?
Help save the critically endangered Blue Iguana
Dear GMGruman,
Go fuck yourself.
Yours sincerely,
Pretty much every sysadmin anywhere that's been tasked with providing IT services to keep a business running as productively and profitably as possible, in spite of people like yourself.
The article starts by saying there are good IT people who help you and bad IT people who make things difficult. From there he just whines and whines about nothing. His only advice about "thwarting the high priests of IT" is to complain to the CIO. Of course everyone complains to the CIO about the tech staff, but he or she will apparently be dazzled by your insight that some IT workers are good and some are bad.
The only non-obvious thought in this article is referring to bad IT workers as the "High Priests of IT." However, it is only non-obvious because it is really stupid. And if you actually go around saying "the High Priests of IT" then you are a bigger dickhead than almost any IT guy ever met.
Democracy Now! - your daily, uncensored, corporate-free
Have you ever stopped to consider that maybe you are, in fact, wrong? Have you ever stopped to consider that you may be making stupid requests where "no" is the only reasonable answer? Have you ever stopped to consider that maybe the documentation you're producing isn't up to standard?
Business teamwork isn't about making everybody feel good. It's about getting the job done. Sometimes the job is in fact best done by one person who really knows his stuff. Often times this person will have to waste a lot of his time shooting down stupid requests and ideas from teammates who don't have their shit together.
As an end-user of software systems, I much prefer the documentation written by the expert. What you consider to be "hostile documentation" I consider to be explicit, detailed and factually-correct. In fact, I get far more pissed off when I read documentation that was clearly put together by somebody who wasn't an expert. Maybe it reads more like a novel, but it often isn't as helpful because such documentation is rife with factual errors.
IT is often the "prevention of information services department". User figures out a better way to do something, IT blocks it. Prescribed methods of doing things don't work well; user goes around them, IT blocks or complains to management. User wants something done, IT demands business justification and signatures from at least two executive VPs. User does it himself, IT finds out and makes him stop.
You are either less than 2 years at your first job out of college or you are a complete IDIOT! You clearly are hoping to start a flame war with the 85+% of the Slashdot population that is IN IT.
This from the "Smart User" blog. Well played, with the oxymoron. By virtue of the profoundly deep understanding of the environment he is redressing, I can only assume the author is a member of these United States congress :/
It works for government and non-profit as well.
The simple way to eliminate IT roadblocks is like removing a node from a binary search tree: isolate and fire.
New Economic Perspectives
This was probably written by the dude who routinely roots his box (calls Dell to get the BIOS reset code, uses a bootcd, et voila) so that he can install PC anywhere because it's VITAL for his side business and he knows IT will say "no".
It's already been covered how stupid it is to think a company only has IT policies as a power trip. But beyond that, do you really think it's appropriate to view your coworkers as "enemies" who need to be "thwarted"? It's bad enough that the "CRUSH KILL MAIM!" rhetoric has broken into politics, do we really need it in the workplace next?
...services but refuse to follow-through after the fact?
I am the network admin/server admin/helpdesk manager for a small online-based college (not private but part of a state system). Our department is moving to a new building in February or March so, of course, I wanted to order a single server to provide file, print, antivirus, WSUS, DHCP, and other necessary services for our office. We are well-positioned to grow in the next five years (which is our lease period for the new place) so a single server should be sufficient while allowing for additional capacity later on.
Of course, our central IT department insists that they will provide these services to us. Our new director is onboard with this (anything to save a few bucks I guess) despite my repeated warnings and lamentations of the lack of support and follow-through that central IT has always had. This is the same central IT who gives us 6 hours of notice before a 20 minute non-emergency web outage in the middle of the week. This may not seem like much but when you are completely online-based AND registration is in full swing the outage is less than ideal. This is the same central IT that takes 4 hours to make a permission change on a share that only a few of us access (negating the need for change management). This is the very same central IT who lost an entire communications server because the backups were corrupt and they had it configured to run RAID 0 on two drives. And yes, this was a production server.
So earlier this week when I put in my request to have access for WSUS, DHCP, etc. with a month and a half of lead time for them to figure things out I was told that they have several high-priority projects that they are working on now and cannot do this until February 1st.
I am compiling a list of issues already but I am not looking forward to the stares and glances I'll get from my coworkers when the server goes down or "maintenance" is conducted without warning at 2:30 on a Tuesday afternoon. Our CIO can't manage to extract herself from a paper bag let alone an entire IT shop. The next few months are really going to be quite painful methinks.
I'm just sick and tired of the big IT departments that insist on providing services but no/slow support. All it is for them is a control issue and it drives me nuts. I think the last straw was when the tech ops director told my boss that "anyone in [citking's] position would ask for one just to have as a toy." This is why I sometimes hate my job.
"This food is problematic."
The article is complete flamebait, and many other posters have pointed that out.
The solution to home brew IT and people wanting to use their own devices is simple. Set up Citrix VDI or something similar. The Citrix receiver runs on everything.. iBlah, Android, web browsers, etc. The "cutting edge, tech savvy users" can use their lame devices, and all of the application code and information stays safe on the corporate network.
To flip the author's logic back around him, he suggests that users using their own devices are making things easier on corporate IT. They are empowering themselves at their own cost. Good for them. Let them pay for their Citrix licenses and infrastructure costs. If they really want to "partner with IT" and be an "IT ally" (to use the idiotic author's verbiage), they can go ahead and come up with some funding. Nothing makes friends like throwing money around.
All right, Mr Gruman you have trolled and since I'm one of your bad guys I'm going to respond and enlighten you:
I have best practices that tell me to control these things that you want to let roam free. I also happen to have laws, and some of these laws have very large financial penalties or the possibility of jail time.
Mr Gruman, how many attorney generals have you had conversations with after someone went ahead and did what you wanted done? I'm willing to bet it's not as many as I have had and that you've never had to deal with the results of your company making the international news because someone decided to bypass IT.
Your insight into how to play dirty politics to get your "Toy" into the office shows your complete lack of an understanding of how the enterprise works. Is your department going to pay for the budget for the time needed to support your toys?
These code phrases are code for things like "multi-million dollar fines", "angry attorney generals", "class action lawsuits", "criminal negligence", "security clearance", "ethics", "privacy" and other such things.
You see this is what happens when some petty ass whiny twit such as yourself goes to the CIO and says I want my toy and the IT department won't let me have it. The CIO comes to the IT department and says, "why won't you let this twit have his toy" and we're going to come back with something like "federal law, accountability, public relations disaster".
You know what Mr Gruman, I have never, ever lost that argument. When you take into account that regulation is only increasing, the odds that I might lose that argument drop even further.
Now Mr Gruman, instead you should try the tactic of saying "IT Department, I want to use this toy for business purposes and not just as a toy, can you please look to see if we can?". You might have a perfectly legitimate case, and it might be very reasonable to do what you want, but you have to ask so that we can see if we can do that without avoiding nasty code words.
Just remember my code words can and have cost companies many millions of dollars when someone blew them off and ignored the IT department.
...but I stopped counting how many times the author recommended trying to cost people their jobs for actually doing them after the third time. I'd like to offer something more insightful in response, but I'm afraid I'm left with "What a smug asshole."
Proud member of the Weirdo-American community.
(This is my second comment to criticize this article. But I can't help it, because this article sucks.)
Okay, so he's saying that if IT doesn't you to do something they are bad "High Priest of IT", you should complain to the CIO.
His advice represents a horrible deficit of office political savvy. For example, hasn't it occurred to the author that policies are usually set by the CIO himself? So if the CIO is an asshole, he'll just agree with you that the person you are complaining about is bad and do nothing for you (since you already assigned blame elsewhere, he doesn't need to do anything for you). If he is decent, then he'll feel a need to defend his employee, so he is still less likely to do anything for you.
So wouldn't it be better to explain to the CIO what you want to do and why you want it, instead of complaining about an employee? This is more likely to get you what you want. And even if the CIO can't give you what you want he or she is more likely to find a half-measure to appease you. This also means that IT will be more agreeable with you in future, because you aren't a whiny asshole.
I know how to break into one in about five seconds. They're an enormous security risk, and I'm not an "enemy" because I don't think they belong on my network. If Apple wants to make a ruggedized iPad designed to hook safely into a domain based corporate network, then I'll consider that a business machine, but until they do, I'm going to call the iPad what it is - a toy. Period.
Occasionally living proof of the Ballmer peak.
The article is about dealing with IT admins to whom management has punted the responsibility of making the rules. Such punting results in the IT department becoming a self-reinforcing institution interested more in preservation of its own power than in serving the company's needs. When research and development spends weeks waiting for procurement authorizations while payroll cuts checks to them to sit on their hands, management has become mismanagement.
I don't think IT guys want to control your bathtub. It's more like they want to prevent you from bringing in your private jacuzzi to the 10th floor, when there is already a regular bathtub. And you are the reckless guy who causes a flood on floors 1-9 despite the plumbers' advice.
Patents Drive Free Software as Hurricanes Drive Construction Industry
so they don't take the blame and have power to say no to some stuff like who bring in their own smartphones and other stuff that people like a CEO think is something at home is cool and want it at office. Even if something that is for home use and does not fit well in enterprise use or people with their own PCs that you can't control stuff like AV software some may even say I have Windows antivirus 2012 and I paid $50 for it so I am good.
An intelligent person, so not you, would have compared an IT department not with a plumber, but with a fire department. Of course, they are assholes too, which only want to spoil your fun and feel great by forbidding you to smoke in several places.
...and I am sure I don't have to explain to anyone here why.
I get the feeling that this article was written after Galen Gruman (the author if you didn't take a look at the article) brought in some "shiny new toy", couldn't connect to the network or some network resource and then expected IT to come rushing to his side to support a technology that they are not supposed to and don't have the time to and so they didn't. The enemy? Seriously now. I would suggest anyone and everyone here worth their salt in IT write a nice email to Galen Gruman explaining why he is the enemy. I cannot recall reading a more BS article in recent memory.
Brought to you by Carl's Junior.
A better headline might be: "Writer gets pissed that IT guy called his new gadget a Toy."
While I'm sure he's got a good point that IT people should not talk down to other employees, he needs to hear a few horror stories to understand our concern about his new "toy".
I was brought in to troubleshoot a network that was completely down, idling over 100 workers. Naturally, the CEO called everyone who had any IT experience, so we had a crowd of upset and confused people. In short - it was a packet storm. What caused it was an employee bringing in his own device and connecting it to the network.
The employee wanted a wireless AP for his laptop, because he didn't like the Cat5 cable. The IT staff said "no", so he installed his own Linksys. You see it coming - no encryption, default password, etc. Well, it was slower than the wired connection, so he figured he could get twice the bandwidth if he connected TWO Ethernet cables. The port he selected was connected to a different switch, and soon a packet storm erupted.
Yes, the IT manager made several mistakes, including buying non-managed switches. But the bottom line is the employee cost the company dearly for his "toy".
What's funny? The guy was bragging to his buddies about how smart he was, not knowing the IT manager, CEO and I were standing behind him. Fired on the spot he was.
Place nail here >+
Excuse the rant. Realistically, IT has a number of jobs:
1: Keep stuff running.
2: Keep stuff accessible by users.
3: Keep stuff secure. Yes, this can inconvenience someone, but better a teed off muckety-muck than a wholesale breach where all the goodies are stolen to an offshore firm.
4: Comply with regulations.
Do you know how many fscking regulations an IT department in a midsize company has to deal with? In a typical organization, you have to deal with Sarbanes-Oxley (either because your firm or one of your clients is publicly traded), HIPAA, FERPA, or many other laws. Then there are the stipulations put on a company by contracts, like PCI-DSS. Then there are things you sign with a client like vague crap like "all computers will have antivirus programs running on them". Yes, the bean counters sign that, but it really means that I have to license copies of McAfee for the multiple IBM Power Series 795s doing the back end database I/O just so that "t" is crossed, and "i" dotted. Yes, the chance of finding a virus on the AIX boxes is flat nil, but it keeps the customer happy.
If I'm in IT and cannot allow you to VPN in or use your precious iPhone to access Exchange mail without restrictive policies (like blocking the camera, long passwords for unlock, etc.), it isn't that I have a pogrom against your sorry ass, it's because when you are at the bar drinking with your friends and you leave your phone unlocked (or even worse, jailbroken to get around Exchange policies, then left without a PIN) in the bathroom stall and report it lost, guess what department now has to report to the public about an unencrypted security breach as per California and other laws? Definitely not sales. Definitely not HR.
Also, users have a choice. Want local admin access to your desktop? All the critical company resources like Outlook will be on Citrix. This way, there is a definite barrier between a compromised workstation and the core functions of a company, such as the database with accounts payable, receivable, internal applications and lots else. Don't like that? A locked down policy where one doesn't get to choose even their screen saver is just two commands away.
Of course, on sensitive sections of the company like the finance department, the desktops are locked down 10 ways from Sunday, but there will be a Citrix application available on a remote server so you can do some personal Web usage and not risk completely tossing the company's salad if the Web browser gets breached, even if it is "just" that user account that gets nailed.
So, don't take it personal when an IT guy says no. We are not correctional officers who view you as inmates. In fact, we will bend over backwards to try to get not just what you need, but what you want. However, we won't bend over forwards.
Oh, and my OS bias? Whatever gives me the least amount of problems and keeps the pages/calls/texts off my cell. I've been in the business too long to give a crap about what Netcraft states.
You have a problem because your funding model is broken.
Set up an IT shop where people can buy tickets which entitle them to support for standard computers as well as tickets which entitle them to support on the non standard latest widgets. Money comes out of their budget and goes to IT budget. Problem solved. They will have to justify to their own management why their widget is costing $2k per year to support vs $20 for an XTerm.
Same goes for network storage, backups, large email inboxes any resource. Let people pay, then the justification is their problem. No pay, no service. IT then only provides the services that the business needs and not those it doesn't, and those services automatically get the funding they need by the fact that they were purchased. Those people and departments which demand a lot of resources then automatically pay a lot of money and the services they need are properly funded.
Resource allocation on the IT side becomes trivial. People bought support for Widget X on the shop? You need people able to provide support, hey look, you got money too.
When I worked in IT, we never had a problem with ANY customer who wanted to be "self-sufficient".
What we had problems with were the people who wanted to use their own notebook, tablet, whatever, with their own software, but then wanted us to support it when they screwed it up.
Yep. There are a lot of incompetent IT people out there.
The problem is that most of the non-IT people are even more incompetent at IT tasks.
And management is not very good at managing.
The easy solution to this is to build a business case for whatever change you want and send it to your boss.
Your boss then sends it up the ladder until it gets approved and IT makes whatever change you wanted.
It's all about money. It should be easy for you to show how you'd be more productive (in terms of $X) if you had item A at cost $B.
I have seen a lot of "foolish and stupid" IT policies. Which is why you need to communicate to the BUSINESS via the "business case" for the changes you want.
IT should be IMPLEMENTING the policies that upper management has decided upon.
If you don't like those policies then convince upper management that you'd be more productive (in terms of $X) by writing a business case for the change(s).
As for being fired, who cares? It happens.
I'd rather go into my next interview saying that I was fired for enforcing the policies rather than saying that I was fired because the systems were cracked and all kinds of company / personal data was downloaded.
Let's all go post our feelings here: http://www.infoworld.com/t/consumerization-it/how-thwart-the-high-priests-it-180296
I just love his title "smart user"
"If any question why we died, Tell them because our fathers lied."
Every other department that uses IT pays for it. Those who use more IT services, or otherwise cost the company money from their IT fuckups, pay more. Eventually, they learn to work WITH the IT department to lower their overhead costs so they can meet their budgetary targets. That means doing the kinds of things that the idiots best represented by the author of that article abhor: the things recommended/enforced by those "High Priests" as best practices.
I mean, yeah, there are bad IT people and departments out there, to be sure, just like there are bad users. Unlike bad users, though, bad IT people and departments don't last very long.
-SS "Teach the ignorant, care for the dumb, and punish the stupid."
This 'article' is clearly written by someone who's never had to even think about securing an office network. He's right, I don't want users plugging personal laptops into the network, or checking company email on smart phones that aren't PIN locked, or installing TeamViewer/GoToMyPC on their systems, or countless other 'toys' that put the company at risk for a little extra convenience. What he fails to mention is that circumventing these policies in a corporate environment can be cause for dismissal. If he worked at my company, his badge would already be revoked and his accounts locked out.
Flat out, this person is a threat to his employer, not a role model.
-- This sig is only a test. If this were a real sig it would say something witty. --
Don't rise to this asshole author's bait. He's a troll or he is ignorant, and the right answer is neither that people should nor that they should not thwart IT, and the right answer is neither that IT should smack them down nor that IT should give them everything they want.
The right answer is that the people who feel they need to thwart IT are a valuable resource. They are people who have a need that is not being satisfied. That need should be explored and a resolution found. Sometimes the answer is, "No, because it would not be safe / cost-efficient / legal." Sometimes the answer is, "There is already a way to do that, but not the way you are attempting to do it." Sometimes the answer is, "We should add that capability, because it will make the company more profitable."
The idea that it is all X or all Y is fundamentally rooted in "us versus them" mentality. It is a bullshit, douchebag mentality which is, unfortunately, actively fostered by assorted self-righteous nincompoops and the kinds of people who watch the UFC not for the display of physical prowess and grace, but because they like to see people hurting each other.
Don't rise to the bait. Users who are trying to thwart the system are a valuable resource. You want to plumb them to discover unserved needs, underserved needs, and opportunities to improve training. You also want to help them understand why they can't do certain things so that their frustration doesn't fester and become a morale issue.
It is easy to see why the author is a writer. He clearly would not operate well in a more team-oriented context.
Stop-Prism.org: Opt Out of Surveillance
... when IT departments were given unlimited resources to buy and support whatever anyone in the company wanted. You can't have it both ways - you can't consider IT as company overhead that should be squeezed for budget and headcount until they bleed *AND* also say that IT has to support any wild technology the rest of the company wants to use.
So - sure use anything you want - just don't call me for help when you want to integrate your wacky personal software with the ERP system and the data warehouse, or when the SOx auditor wants to know how your 2 TB USB drive that you have been using to store all the key business data is being backed-up.
How about this: Partner with me - give me the time, money and headcount to research the technology and how it will affect the existing systems. Take the time to understand the risks as well as the benefits, and don't assume that just because you saw it on a web site or a trade show, that the new technology is actually ready for use in the enterprise. Assume some of the responsibility for doing your own research on issues and how to resolve the inevitable problems - don't just throw it all over the wall and consider IT stupid for not instantly knowing how every SW/HW in the universe works. When you do find problems (and you will) consider that perhaps this new technology may not be perfect, it may not work as advertised or it may simply be the wrong solution - and instead of blaming IT for the situation - admit it's not working and work with IT to get rid of it.
Or, just keep being a complete dick and see how that works for you...
Just because YOU or the AV company hasn't heard of one doesn't mean that it does not exist.
This is true even of viruses targeting approved platforms. No AV solution has perfect detection, save one: a fully capability-based environment such as Bitfrost, Android, or the Mac App Store sandbox.
Obviously this article is trash. However there are a lot of folks in the comments making some good points about how sometimes IT admins can be over-protective, too controlling, not understanding, etc. I have worked on both sides, first in IT then as a user engineer. When I was in IT, I helped my users. I would reach out to them, ask them if they needed something before they had to come to me. I made it my job to make their lives more productive - because that *was* my job. If that's all I'd done my whole life then I would be right there with some of the people in this thread who are vehemently defending IT as if it can do no wrong.
However, being on the user side I can relate to those who rail against IT as well. My current company has a great department, one I'd be proud to work for myself if it paid more. But in the past, some companies I've worked for can't seem to administratively get out of their own way, from the CEO right down to the help desk staff and "marketeers." The IT staff was aggressively controlling for no reason, constantly wasted money on things we didn't need, and their personnel all banded together under the "WE ARE IT" banner, refusing to compromise. All requests, no matter how small, had to go all the way up the corporate ladder before they came back down again, just because one asshole wouldn't listen to reason.
Like anything else, there are good IT admins and bad IT admins. I understand why some people in this thread would fight for IT against this fact, because the article is unfair flamebait. But realize that not everyone is you. Some people are terrible at their job and some of those people work in IT. I have found Sturgeon's Law applicable to many situations, and judging from most "normal" users' attitudes toward their IT department it is no less relevant here. In the end though, hiring incompetent IT staff is a huge burden to a business, and those that care to select their staff carefully will do better than others. As for InfoWorld, I'm guessing they published this not because they view it as fact but because they're a shitty rag of a magazine trying to appeal to the lowest common denominator of readership to boost their numbers. I am curious as to why timothy allowed this to be posted.
An intelligent person, so not you, would have compared an IT department not with a plumber, but with a fire department. Of course, they are assholes too, which only want to spoil your fun and feel great by forbidding you to smoke in several places.
And maximum occupancy rules, safety inspections of various types, parking rules, etc all enforced by fire marshals. The fire department is in the prevention business as much as is feasible.
Or maybe he knows EXACTLY what the result will be.
Most networks/systems have "evolved" over time in an "organic" fashion. That is, things were added and then fixes were added to get everything to play together in a minimally acceptable fashion.
Now, if you can convince non-IT people that they're just as knowledgeable about IT issues as the IT people, that means that you can get a LOT of billable hours dealing with the impact of the new changes.
Say that Frank in Accounting "needs" a wireless router attached to the network so his new device (which doesn't support your standard for encryption/authentication) will work ... and it needs access to the Accounting servers ... because Frank "needs" it to work that way. That's a lot of re-design of the network and the servers and so forth.
So from a consultant/contractor point-of-view, this is a GREAT IDEA!!!
Just tell Frank that the IT department is being "bad" by refusing his perfectly rational and reasonable request and that he needs to work around them to maintain his productivity. Or get the IT department marginalized so that contractors can be brought in to do the work that the IT department is incapable of doing.
Plumbers must operate to a code. In most areas, for example, you can't connect the toilet outflow into the bathtub drain, pipes must have a certain minimum diameter etc.
This is pretty much what onyxruby (118189) rather eloquently outlined above.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
If IT's job is to protect the network, can't IT make the privileges finer grained to protect the network without interfering with legitimate R&D? You could allow unapproved computing devices to write to storage that is scanned on write with the device owner's credentials and mount unapproved storage devices (e.g. USB connected phones or CD-ROM media) with scan on read. E-mail servers, for example, should scan any attachments that the user sends (SMTP) or appends (IMAP). Scan any file written to the NAS.
And if you're worried about trade secrets or PII being copied in the other direction, that could happen with mere paper and pencil.
The plumber in your company doesn't want you pouring paint down the drain, OR emptying your 1,000 gallon aquarium into the office sink that happens to run to pipes shared with other offices.
He has multiple offices, departments, and fixtures to support, and has multiple best practices and laws to follow.
Yes, he's a jerk for not allowing you to fill a 1500 gallon personal jacuzzi from the water feed shared by the rest of the office sinks, he's a recalcitrant asshole for not allowing you to install your own triple flush toilet in the bathroom, and he's a real stickler about you connecting a high pressure pump to the cold water outlet because of the risk of cold water being pumped into the hot water line and forcing cold water back to the boiler or hot water heater.
It's almost as if people who have to support large resource pools used by diverse areas are reluctant or opposed to individuals doing things that incur huge financial or labor costs and/or interfere with everyone else's use of those resources.
And I'm not talking about Hanes.
If you are dealing with the feds, then meeting the requirements of the Sarbanes-Oxley Act is a fact of life. Failing to deal with the requirements can essentially mean the death penalty for the company because the feds won't do business with you if you are out of compliance.
The Act essentially deals with setting up security and policies that prevent someone from being able to game the system. A Buyer can create a PO, but cannot perform A/P functions to pay the PO and cannot receive the product. Just a simple example.
But in my company, many, many people got their panties in a twist when we started taking away their ability to do things and requiring them to abide by policies and procedures. It can be a big culture shock to small to mid size companies that grow into larger markets with the Feds.
One of the biggest headaches was enforcing the use of standard cell phones and disallowing the storage of data in the phones. Anything that comes onto premises, has any kind of connectivity with the network and then leaves the premises is now tightly controlled and locked down. All the laptops have encrypted hard drives and even USB drives are automatically encrypted when they are connected if they are not already. If you have dealt with sales people, you know they don't like that one bit. Shit, I can't even install and use iTunes or any other mp3 players.
So to the feds, this is a Big Deal and people can and have lost their jobs for trying to game the system because otherwise, the whole company could be dead, figuratively speaking.
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
Please explain who else should make the rules.
Management should make rules in broad strokes, leaving the details to IT departments, much as the U.S. Congress makes rules in broad strokes, leaving the details to administrative departments. But management's rules should also incorporate a means for appeal of counterproductive patterns of decisions on IT's part, and the article describes such an informal means for use when no formal means is available.
May I in return make the rules how a surgeon has to operate?
Yes you may, at a polling place. I'd explain further, but a flamefest over nationalized health care is off-topic.
Loss of life? Only in rare circumstances, agreed. But I have the distinct feeling, that for some companies loss of life would be more acceptable than having their trade secrets spread around. And a fire really might be preferable to some companies compared with a public relations disaster like when perhaps millions of user data leak into the wild. My comparison of IT administration with a fire department is not that far off. The work of a fire department also isn't always about saving lives.
Really? What happens if a plumber, say in Chicago, works on your system and finds that there's been jury-rigged crap attached and it doesn't meet code?
Hint: You get a visit from city gov and are told that you *will indeed* bring your house plumbing up to code.
The same "we could be more efficient" could be said of many accounting policies. Gee wouldn't it be faster if the person who issued the PO could approve the receiving document and authorize payments?
Why do we really need to have competitive bids, I'm sure my brother-in-law will give a good price.
We don't need risk management to authorize credit for this customer--I'm sure they're good for it.
We can value these incredibly complex securities at a $1 billion.
Yes, lots of IT rules and requirements are PIAs, but in many cases they are global optimization versus local maxima.
There's always a way to get the data out. If you work with people most of them will work with you most of the time. If you set yourself up as an impediment, people will humour you with lies and work around you.
You may occasionally catch one, but most will keep it out of your sight.
I guess someone just denied him using his new toy on their work network so he got all huffy and puffy and wrote an article about what. What a child! Here's what I seriously just posted as a comment back on that site:
Clearly, you have no idea what you're talking about and are just mad that someone didn't let you use your new little toy. It's standard IT law that nobody can just bring in whatever they feel like and it's IT's responsibility to throw it on the network with no research, testing, or thinking about the consequences.
No, you're not putting an internet capable mini-fridge in your cubicle on the network after bringing it in without warning or asking ahead of time and yes, I'm going to call it a toy. And who knows if your fancy new android phone contains viruses because you thought it was a great idea to download anything with the word "free" in it from some rogue third party app store. And I'm not throwing your new tablet on the network just because you promise it's malware-free and not going to use immense amounts of data.
Seriously, what planet are you on right now? Because back on Earth, IT departments don't just throw things into their enterprise systems because some employee asks them to. Why would you even recommend they all do that?!
My understanding is that Iran got the bad news from a personal flash drive.
I used to work for an organization that took security very seriously because just one quick glance at our upcoming product would have enabled our competition to get the jump on us. Even so, the IT people were constantly battling malware brought in on personal flash drives.
The solution another client used was to lock all the PCs in cabinets physically disconnected from the Internet. Because I worked remotely I had to transfer a file to the client's network. I had to get someone who was trusted with the cabinet key to do that for me.
Everyone had a second computer for web browsing and personal email. Our work machines used Ethernet KVM extenders.
Request your free CD of my piano music.
I'd say that's just because they don't know a lot about them. Back in the buggy OS9 days when Apples were supposed to be less stable I had a three month contract with a place that had a pile of PCs and half a dozen Macs. I didn't know much about Macs beyond the first model so read up on the things and played with a friend's Mac for a bit. Then in the three months the only request from a Mac user that I had was from a new employee that wanted to know the IP address of the mail server. If things don't break the IT guys typically don't know much about it.
Some states have programs to give personal financial rewards to state employees who save the state money.
If that doesn't work go to the press.
Request your free CD of my piano music.
I can never figure out why some of my co-workers want to use their personal devices for work anyway. My personal phone is just that, personal. I can wish my employer would get rid of the Blackberrys and Windows XP, but until that happens, I'm not going to lose any sleep over it. When I travel on business, I carry 2 laptops, mine and theirs (and increasingly a tablet and the company laptop). That way I don't have to worry about any auditing that might reveal something I don't want my employer to know, even if it's just my bank balance stored in the browser cache.
I don't want to put my personal equipment on the corporate network either. While it would be handy to get on the WiFi AP at the office, it just doesn't matter enough for me to have anything I look at on my phone subject to review by the IT department. Besides, I'm at work.
"Well, good luck finding a judge that doesn't run a bestiality site."
Of course, they are assholes too, which only want to spoil your fun and feel great by forbidding you to smoke in several places.
At <software company that was acquired>, we smoked everywhere, and not just cigarettes. Once we were acquired by <large software company>, that practice was reduced, as was our productivity. Interestingly, the IT staff smoked (not cigarettes) with us: so, at a small company, they were enablers; at the larger company, they had different priorities. I prefer smaller companies; they can achieve more with less.
I feel fantastic, and I'm still alive.
that I would hand over to her my most valuable domain name in return for her packing up my stuff.
She wanted my domain because she gets the ad revenue from just one very popular article there, and had the idea that I had changed the password to prevent her from maintaining the article.
I did nothing of the sort. I told her I would be happy to remind her of the password that she and I agreed upon so it would be easy for both of us to remember.
But I was not willing to send it to her in cleartext email because of The Russian Mob. I suggested she call me instead. That phone call would last less than thirty seconds.
She refuses to call or to figure out how to use encryption. Instead she is spreading lies about me.
I guess that makes me a High Priest of IT.
Request your free CD of my piano music.
"The technology that has been here for a long time and should have been thoroughly tested has security holes they didn't know before. Let's bring in this new and untested technology, because I don't know about any security holes in it"
Sounds good.
Wow. That really takes pretending to be ignorant so as to twist words to win an argument to a new low. If you can't work out that "my company" usually means "the company I work for" then you have a very low reading age and could not have possibly written the words above.
Why do you think this is so important that you will be so dishonest as to pretend to be so ignorant of very simple English usage just to make a silly point in an argument with a stranger?
Then to go further and build a strawman, soak it in fuel and set it on fire on such a fake misunderstanding? What is your real problem here?
Wait till your Owner/CEO/CIO gets a cease and desist notification from $MegaCorp just because one of the whiz bang employees left major holes in their home network. It happened to the company where I work, and fortunately I am not the engineer responsible for the network. We had a policy that allowed for the very "openness" you want. The network and systems engineers had warned the owners but they were "put in their place" because they were "preventing" money making employees from doing their job. In our case on a Friday evening one of the owners received a call at home from a BIG legal firm representing $MegaCorp informing him that he must immediately cease distributing their copyrighted IP or face $MM in legal costs and loss of our "good name". Panic ensued and the network and systems engineers spent the weekend finding out what had happened, plugging the holes, and the following Monday trying to not say "I told you so". The moral of the story: We plugged the holes, re-wrote all security and systems policies. The "openness" is now gone, replaced with a tightly controlled environment. Sales are up, profits are up, and no more threats from $MegaCorp. The offending person, well he had egg on his face and is now happily compliant with corporate policies and providing excellent service to his clients.
I own the company, so they either do as I say, or I fire them.
Hint: It would never happen as the plumber would likely want the opportunity to fix said code violation.
Got Code?
We recently had to set up security for those that wanted to use smart phones for email clients. We send lots of email regarding clients and recently became aware of state statutes where we would have to notify every person if someone lost their smart phone with 2 or more pieces of personal information in an email about a person. In an effort to allow the smart phones, but reduce risk we decided to use a policy management system that would give us access to wipe the phone if it was lost. Management did not want the risk of being fined for lost data, or the media debacle it would bring (remembering the VA debacle over lost laptops), but people wanted to use their smart phones. So we had to meet in the middle, people could still use the smart phones, but we still maintained control over the data. We have not fully opened up for remote work yet via laptops etc... as I cannot get approval to spend the money on the software to help with that, until then I am stuck between management wanting no risk and users wanting remote access. A rock and a hard place.
Kosh: "Understanding is a 3 edged sword, your side, their side, the Truth."
Fearful underlings are, but far less often than most users believe. Many user requests for using their own devices are simply due to the users not understanding the problem. Example: Many industries have record-keeping requirements and data-retention requirements. When users store and process data on their own devices, these could be violated. Many industries also have data-security requirements. Except for users that are expert system administrators on their own devices, again, allowing users to process data on devices they administrate themselves is not a good idea and may even be illegal. That said, with a competent IT department, a user that is also a system administration/security expert will get added privileges. But these are the rare exception.
Most users have no idea what the risks are and allowing them to do their own risk management is not acceptable. Case in point: I am a security expert, but I doubt I could really make a current Android/iOS/Win Phone device secure. There is not enough access, not enough stability and not enough experience with these devices. Surprises may happen at any time and are a lot more likely than, say, on a stable Linux distro. Hence I would not even ask to be allowed to put sensitive data on such a device. And anybody that does very, very likely does not understand the problem.
So, no, typically the problem is on the user side. IT departments could be more understanding and more clear about their policies, but that is also a staffing, budget and management problem. If IT always has to roll out the big guns to enforce a policy, it is not a surprise that they will get defensive.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Maybe you have never worked with stupid requirements that Feds enforce but I have. This stuff is life or death to the company. People can and will get fired instantly for breaking it. So like others have said, it's not that we want to impede the user, we have no choice.
I knew from the moment I read the words "my corporate network", there'd be a reply like yours.
Yet within his phrasing is the response to your post.
He didn't say "my" network. He said "my corporate network". Therein lies all the difference: it's the corporation's network. It's corporate (i.e., for the purpose of achieving corporate objectives). Also, he's responsible for it, hence the "my".
The network is not a happy commune, from each according to his ability, to each according to his need, lol. Refer to the excellent post above which spells it out in black and white. The purpose of the network is to achieve corporate objectives (laid down by the corporation), not do watcha wanna do.
IT is not only information technology, a Toys R Us of gizmos for people who think they're still in high school or a college fraternity. It's also information security. As laid out in the post I linked, IT/infosec is responsible for enforcing corporation information policies.
As for CEOs: CIOs should man up. I could be mistaken but I think most CxOs are chosen with the consent of the board, so the CIO shouldn't be solely beholden to the CEO. The CIO should tell the CEO that allowing random devices violates corporate information objectives, and exposes the company and the CEO to liability, especially since the CEO has such far-ranging access.
I'm not a lawyer, but I play one on the Internet. Blog
OK, I'll admit that when somebody says "my" X, there's an element of ownership being implied.
But most people understand that that just means "the company's X, which I'm responsible for".
Hence, stuff like "no pointing guns other than at the target on my range".
"no defacing of books in my library"
"if you want something from my maintenance dept., you'll have to check it out"
Most people understand the "my" just means "there's somebody actually responsible for this X, and it's not going to be a tragedy of the commons situation".
Perhaps he should have stripped all qualifying adjectives from the phrase: <del>my corporate </del> network. Then you get into a "network, which network situation":
Bush Rice China Hu Who Koffi Annan - YouTube
I'm not a lawyer, but I play one on the Internet. Blog
I work in a small (~25 employees) R&D office, located nearly 1000 miles from corporate HQ. We have no full-time IT staff, but do have a couple of people with significant IT admin experience (though their current job descriptions don't explicitly place them in that area). We provide our own tech support, and clean up our own messes. In return, corporate generally leaves us alone. Everybody wins -- we can set things up in a way that is sensible for an R&D facility, and they don't need to fly somebody out every time something breaks.
If the plumber is working in a hotel, he doesn't confuse the guests with the owners. That network doesn't belong to you, it isn't your "bathtub", so your analogy is pure bullshit.
The world's burning. Moped Jesus spotted on I50. Details at 11.
A worse threat than the "high priests of IT" are the middle managers who polarize the workplace, teaching people to scheme to overcome management or other departments in order to stake out their own special "turf", often to the detriment of everyone. It occurs in physical space management, office furniture, catering, and contracting companies. In a recent environment I saw, there were _five different_ ticketing systems, only one of which included inventory management, and that department wasn't used by the shipping department because their staff had not been taught, and thus had rejected, the system with inventory management. So they wasted the time of their most important staff filling out and passing around Excel spreadsheets with no tracking of who added, or changed the inventory, of the equipment.
Wi-fi access was worse. There was a written policy banning wi-fi devices without encryption, and a security policy that relied on external firewalls and low internal security. Much of their internal software relied on this to operate. But a casual scan for wi-fi devices revealed unauthorized access points without passwords, inside the company firewall, at _numerous_ locations. The IT staff was actually _blocked_ by the VP in charge of security and told they'd be fired if they did "unauthorized" scans, because it set off alerts in the VP's very expensive and mostly unused "security management toolkit". That security VP was _not_ IT staff: they were an MBA who dressed well and did beautiful pretty flow charts and slides, but didn't understand the field.
This idiot is obviously some troll with an axe to grind because IT wouldn't let him have his way. If someone puts a personal device on a network that I am responsible for the security on and doesn't talk to me first, I will see to it that they are severely reprimanded. The second time they do it without permission I'll see to it that they are severely unemployed. And there will be no exceptions or excuses. So long as you work with me and add your device in a secure manner, I'll help you do it and support you. But on networks I am responsible for, it's my way or no way. Again, no exceptions. And I make sure all company powers that be are aware of my feelings on that before I accept any client, and if they have issues with that policy they do not become a client because I am then unwilling to accept the responsibility for their security.
I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
A process for regulating the discharge from a capacitor.
The formula for a doping compound that increases the efficiency of a solar cell to 80%.
A list of your customers and their feedback on your service or their future purchasing plans.
A spreadsheet of assay results from two years of mineral sampling.
All kinds of companies have I.T. departments and not all valuable information is source code.
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
Having worked on both sides of the IT support fence, I like the plumbing analogy.
If the plumbers started mandating toilet times and protocols, and required you to get management approval for each piece of toilet paper you planned to use, a month in advance, then you have a problem.
If the company employees insisted on their right to relieve themselves in their offices, and demanded to know why someone isn't there in five minutes to clean up after them, you also have a problem.
If your IT department are blissfully ignorant as to the needs of the organisation, and there is no oversight of what they do, then you have a problem.
If your IT department are forced to jump on demand, and are never given the chance to address network security, stability, or backups appropriately because they are always supporting random device X that has nothing to do with the job (until data is lost, and everyone suddenly remembers that backups *are* needed), then you have a problem.
As with many things, there is a healthy balance between the extremes that a company should be aiming for. It's all common sense, and sometimes, it's not all that common.
Our worst problem IT people usually get an urgent call to the high power laser lab after which they are never seen again.
The rest we just frame for various national security violations, the severity proportional to their dickitude.
We have a couple openings, BTW.
"The IT dept's worst nightmare are employees who *think* they know better."
Yes, but then you have the reverse situation. Those of us who really do know better, and have technical jobs that need doing - fighting with the IT department's inflexible rules is one battle we just don't need. Yes, IT, I really do need another virtual server. Yes, I really do need to know if/when/how the IT-dept backs the thing up. If IT can't/won't answer the questions, that's an interesting and unique message all its own.
My personal, and most recent favorite: yes, I really need another network cable in my office. Oh, the local switch is full, well, how terrible, now: how are you going to solve that? You aren't going to solve it? I know I'm not allowed to hang a personal switch on the cable, but we're just going to agree that you won't see it, aren't we? Grrr...
Enjoy life! This is not a dress rehearsal.
And if they get caught they will be fired...if they are lucky. Working around IT policies put in place to comply with government regulation for any reason looks suspicious. If the feds notice the results can be much, much worse. When I see violations to SOX or corporate policy I make it a point to inform the person violating the policy and their supervisor. I also send an email to my supervisor with the details of my observations and subsequent actions so there is a record that I did not turn a blind eye to the infraction. How it is handled from there is up to the person violating the policy and their superiors. I can't speak for other IT "dictators" but the way I look at it is if you get this office shut down it affects my job too @ss hole. As it happens I can see the old Enron building (now owned by Chevron) from my office. A constant reminder of just why SOX exists in the first place.
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
Who are your readers nowadays?
Park an unsecured wireless router in a drawer and turn it on. Don't plug it into the network of course.
Yes, I know what you mean. As a freelancer I worked in some startups and larger companies. In startups very often the admins were enablers. The ones in larger companies, however, mostly knew what they were doing.
The issue of these policies is to rule out technical failures/incompetence.
If the employees lie their way around IT policies and get caught, then the company can protect themselves because the employee acted with bad faith.
You can't prevent data theft/loss 100% of the time. But you can ensure that it does not happen by mistake.
Why can't
Of course, the real problem is governments continually passing reams of unenforceable and abuse-able laws on corporate governance, freedom of information, copyright etc. in a naive attempt to fix whatever scandal they read about in the Sunday papers. For good IT managers these are a major headache and liability. For bad IT managers they provide a wildcard excuse for restrictions, power-grabs and empire building. The only people they don't affect are the actual crooks, who weren't planning on obeying the law anyway.
In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.
"So just to be sure I understand this correctly, ... almost always perpetrated by top management?
;)
No, apparently you do not understand it correctly. The feds placed the restrictions and he's ensuring some dip-shit doesn't get the company shut down and everyone lose their jobs. Nor are these breaches of security "almost always" perpetrated by top management.
Spend money for software for remote work with laptops? You need very little money for this purpose:
1. A VPN, with a public/private keypair per user. Please use an open standard, or it'll be horrible for anything but Windows. And then there's no software to buy, you can use free software.
2. Full disk encryption that locks automatically after some inactivity, or at least the parts that contain user data. You can get this for free as well.
If anyone steals the laptop, the user data will be useless without the encryption key and you can just no longer accept his key for the VPN. Done!
So at work we have managed switches at the core of our network. Cisco 2900 and 3500 series, so not pieces of crap. They have STP enabled, of course, if for no other reason than there is some redundancy in our network and as such it is needed. The "no screwing up our network" is another reason.
Ok but those are only the switches to the rooms. Within a room, smaller switches are used for multiple devices. As you might have guessed, these are unmanaged. Maybe not the best idea but it wouldn't be 10x the cost to provide all managed switches, it would be way more since we'd have to run new wire and all that from the closets.
The good news is Cisco switches have an additional trap, which is if they see themselves on CDP they know there is a loop and can shut the port off. The bad news is that isn't perfect.
So one of our research labs has quite a complex internal network setup. Or more appropriately they have a complete clusterfuck. However we aren't allowed to dictate to research labs. They created a loop one day, and the Cisco switch just didn't notice for whatever reason. STP was on, CDP was on and it was looking (maybe because they had a Cisco device in there which was responding). Whatever the case, the way in which they created the loop was something the switch couldn't see.
Thus the network got brought down by a broadcast storm. Now their port has special storm control set up on it and that has helped (no more than a certain percent of their packets can be broadcast or it shuts the port off for like 5 minutes).
Even when you have higher end gear and work to prevent problems with new devices being placed on the network, shit can happen. There isn't a magic solution.
Another one, that I've seen numerous times, is a rogue DHCP server. Someone plugs in a Linksys router or something that starts handing out DHCP and a bunch of people can't get on the net. Other than having a network that doesn't allow any device until it is registered (doing something like dynamic VLAN assignment based on MAC) I don't know how to prevent that. DHCP doesn't have any kind of security in it. Whichever server responds to a computer first, that's the info it uses.
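The rogue DHCP server problem from the comment above, seen from the detection side, as an added example that is not part of the original thread: it parses the UDP payload of DHCP replies and reports any OFFER, ACK or NAK whose server identifier (option 54) is not on an allowlist. The function names, the allowlisted address 10.0.0.2 and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # precedes the DHCP options field
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
BOOTREPLY = 2                        # op code of server-to-client messages
SERVER_MSG_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}

def parse_options(data):
    """Walk the code/length/value option list; reject truncated options."""
    opts, i = {}, 0
    while i < len(data) and data[i] != OPT_END:
        if data[i] == OPT_PAD:       # pad is a single byte with no length
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated DHCP option")
        opts.setdefault(data[i], data[i + 2:i + 2 + data[i + 1]])
        i += 2 + data[i + 1]
    return opts

def parse_reply(payload):
    """Return a dict for a server-to-client DHCP message, else None."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    if payload[0] != BOOTREPLY:
        return None
    opts = parse_options(payload[240:])
    msg_type = opts.get(OPT_MSG_TYPE, b"")
    if len(msg_type) != 1 or msg_type[0] not in SERVER_MSG_TYPES:
        return None
    server_id = opts.get(OPT_SERVER_ID, b"")
    return {
        "type": SERVER_MSG_TYPES[msg_type[0]],
        "xid": struct.unpack("!I", payload[4:8])[0],
        "offered": str(ipaddress.IPv4Address(payload[16:20])),
        "client_mac": payload[28:28 + min(payload[2], 16)].hex(":"),
        # A reply without a valid server identifier is reported as None.
        "server": str(ipaddress.IPv4Address(server_id)) if len(server_id) == 4 else None,
    }

def find_rogue_replies(payloads, authorized_servers):
    """Return replies whose server identifier is missing or not allowlisted."""
    rogue = []
    for payload in payloads:
        try:
            reply = parse_reply(payload)
        except ValueError:
            continue                 # malformed payload: skip it, keep scanning
        if reply and reply["server"] not in authorized_servers:
            rogue.append(reply)
    return rogue

def build_reply(msg_type, server, offered, mac, xid):
    """Construct a minimal DHCP reply (used only for the sample data)."""
    header = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, xid, 0, 0)
    header += bytes(4) + ipaddress.IPv4Address(offered).packed + bytes(8)
    header += bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00") + bytes(192)
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    options += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server).packed
    return header + MAGIC_COOKIE + options + bytes([OPT_END])

# Constructed sample: one client (same xid) gets an offer from the authorized
# server and a competing one from a consumer router, plus one junk payload.
AUTHORIZED = {"10.0.0.2"}
SAMPLE = [
    build_reply(2, "10.0.0.2", "10.0.0.57", "00:11:22:33:44:55", 0x1A2B3C4D),
    build_reply(2, "192.168.1.1", "192.168.1.100", "00:11:22:33:44:55", 0x1A2B3C4D),
    b"\x00" * 20,
]

if __name__ == "__main__":
    for r in find_rogue_replies(SAMPLE, AUTHORIZED):
        print(f"rogue DHCP {r['type']} from {r['server']} "
              f"to {r['client_mac']} offering {r['offered']}")
```

Passive detection like this only reports the competing server; it does not stop clients from accepting its reply.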
Congratulations on being trolled by the author/submitter, Slashdot.
The this-is-somehow-a-new-development department.
Religion is what happens when nature strikes and groupthink goes wrong.
Bravo bravo, very well put.
I'd like to add a small tidbit.
If a user comes to our department with a request for a certain piece of software that does X, we might deny that request and offer an alternative since we already have a license for software Y or we researched it and found that software Y is easier to use, has fewer problems, etc. This goes for hardware too.
I consider it a point of principle to give the best service possible within the framework of our IT policies.
We do have to say no on a regular basis.
This is the sig that says NI (again)
Until it breaks. Then the IT guy/gal needs to stay late and help fix the problem. Sometimes (and here's where the IT worker hits the alcohol)... get this... they suggested not to do it in the first place. After a couple times of this happening, IT workers get bitter and angry and don't want anything new on the network.
You'd be amazed what "I'd like to use device X on the network. Here's a couple devices for you, paid for by our department. Would it be possible for you to take a look at them for a couple months and let us know what'd be safe?" will get you.
Ack!
In order to create a stable and productive environment, it's necessary to control the network. Every device connected to it becomes a part of that network. If the device is connected to an internal port not controlled by a highly restrictive firewall or gateway, the network becomes exposed and possibly compromised to any malware, exploit, or virus on this device. Any IT manager who is required to provide a secure stable network infrastructure can't do this without policy and procedure. Of course, some managers out of laziness or ignorance implement broad sweeping policies from templates because they see 'High Security in the label' and probably don't get that more security=less accessibility. You may not get, and are probably not responsible for maintaining a secure stable network. If a virus infects the network it probably isn't your problem. If you take a balanced approach to the issue, you may agree in the final analysis that the people responsible for the network have a good reason for denying unfettered, uncontrolled access to the infrastructure that many organizations can't make money without. It would be like giving you a set of keys and alarm codes to the building and saying, "Hey make a copy for your friends if ya wanna." This analogy, of course, hangs on the sensitivity of the data, and the importance of IT in your organization.
are almost always perpetrated by top management? ;)
Your assumption is pretty off base. I think if you dug into it you would find that most accounting practices that cause problems aren't intentional and certainly aren't caused by upper management. As a company grows larger and consequently more complex, things will pop up in the books that would get the Feds to sock you even if it wasn't malicious.
My company, which primarily does manufacturing, had a situation recently made aware to me. We do perform internal fabrication for some of our final product so you have Parts + Labor going into that fab job. As an example we would be sending in $100 worth of labor and $1000 worth of parts and ending up with a final product worth $1250 instead of $1100. Chances are that everyone involved in the fabrication process weren't properly trained on how to move the material through our system and luckily we aren't required to follow SOX but that is a prime example of the kind of innocent crap that is going to get you screwed over. The malicious stuff, surprisingly, is less likely to be caught because the perpetrators of it are going to try to cover their asses on it. The innocent stuff is innocent so it's more likely to be left in the open.
"Lack of speed can be overcome. In the worst case by patience." --Znork
There is a game I like to play in my office. What D-bag employee can I outlast now. After reading the article I think he would be at the top of my list. =)
As in most religions, it's the followers that turn people off to the religion. And Mac users are the worst.
1) The VPN we already have, the biggest price is the extra licenses for the Anti-virus. Most home users that bring in their laptops to me I have setup with free for home use AVs because they don't want to pay for McAfee or Norton, but somehow they still manage to not update them regularly (Like AVG's or Avira's update to a newer version) and end up bringing their laptop back to get the viruses removed and a newer version of the Anti-Virus installed. 2) None of the laptop users will allow me to install full disk encryption. They say having to use a password on their home computer is a pain, and I can't seem to get it through to them why it should be used.
Kosh: "Understanding is a 3 edged sword, your side, their side, the Truth."
There's always a way to get the data out.
Yes. So?
Surely you aren't making the rather childish argument that we should abandon all attempts to secure sensitive information just because it's impossible to do so completely. Right?
--
.nosig
My last big company IT job had 3 major departments, all of whom had their own IT ideas, and at least one with their own IT person who did some purchasing and install and config of PCs.
There was a lot of time where dealing with resource competition and fighting the departments over standards was such a distraction, I told my boss we should just not bother -- cut up the PC budget among departments and let them figure it out on their own.
IT would provide LAN for free, but internet would be metered with costs based on bandwidth required to provide at least 25% peak capacity (when we hit 25%, we would add more).
Email would be per mailbox with storage charges over 5 GB. File sharing would be per 250 GB consumed. Departments would buy printers and supplies.
Basically, IT would become an internal ISP/cloud provider and nothing else. The user departments would buy the laptops/Macs they "need" and could go batshit on storage usage, since they would be paying for it.
In my consulting days I worked in a lot of places across several industries. The idealized IT department you describe, where its staff care about the underserved needs of the company, does not exist. Anywhere. They are either drones, or good but frustrated technologists enmeshed in a system that really wants drones, not creative thinkers and talented problem solvers. And the good ones are never, repeat, never the ones in charge of the IT department.
CIOs have budget and they spend budget. But what they really get evaluated on is whether the CMO's or CEO's email crashed before The Big Presentation (tm) or whether their laptop got infected with a virus and couldn't stream Netflix in the middle of the afternoon. That's it.
And to be frank, the vast majority of the pro-IT posts I've seen here are those which run Windows networks. In which case, you have instantly failed the productivity test so go ahead, lock down every aspect of that OS--then at least they can't knock you on failure to Gestapo the heck out of the system when it comes time for your annual review.
Or you can do what I do, which is to find old machines gathering dust in a closet somewhere, install linux, do what I need to do to get the job done, and submit the end product to IT for publishing to production via a thumbdrive or email to an inbox, which if we want to be honest is the only file server corporate America really uses.
All the comments about submitting requests and going through channels and evaluating this and evaluating that and proper this and proper that don't fly in the real world of deadline-driven delivery schedules (and what industry isn't like that these days?). It's pure fantasy.
Do what you can, with what you have, where you are.
Wow, I'm honestly surprised they haven't let you go already for making waves, but I suppose since it sounds like it doesn't happen that often at the company you're employed at, it's probably taking them longer to build a solid documentation case against you.
Where I work, I get written up if I do not report a SOX compliance issue that I come across. We have employees whose sole job is to ensure SOX compliance within the company, and it's not seen as "making waves" it's seen as making sure the company is compliant with government legislation that would otherwise shut the company down PDQ.
This is not a sig.
Funny how nobody mentioned that guy ;) http://search.dilbert.com/comic/Mordac%20The%20Preventer
You can forget your lonely moments, you can rely on the wonders of technology - Wilmer X
Imagine if management can click over to a security-cam-style split-screen view of 16 telecommuting employees' desktop screens. Would that help give management a piece of peace of mind?
If those attempts actually make the data less secure then yes, of course we should.
If you make your security arrangements hostile to the users, you'll make the users hostile to the security arrangements and they'll undermine them.
Here's an idea: I thwart your use of esoteric shit (esoteric, defined as "not controlled by me and my team" in this case) for the following reasons:
* I have limited time and limited resources. Supporting your so-called smartphone, tablet, or other personal device costs me time, which in time costs me money. This isn't time I'd otherwise dedicate to your office-supplied machine; it's time spent above and beyond that, because it's different and requires manual settings.
* IT Professionals don't just use random shit, typically. We select our gadgets and tools on technical merit not how cool it is. That means we're rolling out laptops with a standard image which we have QA'd to some degree and know how they will perform. We do this so we don't have to deal with things like, for instance, Apple products which can't retain a wireless connection to save their lives or be managed centrally.
* Your crap introduces security problems above and beyond what is possible to regulate, short of running Snort on every switch port. In the past month, I have seen Android phones, Apple laptops, and Windows 7 systems which are "fully up to date" etc. running on 'secure' networks - and having malware of one form or another on them. In one such case it was a VIP's personal laptop, and the malware was both very intrusive and undiscovered by any of half a dozen antivirus/malware tools used to remove it. (I still need to isolate that forensically and submit it to 'the authorities' for inclusion... yet something else I'd not have "had" to do if it wasn't allowed).
* It usually goes like this: User wants to use Shitware Uberspunk to perform $office_task. They get manager approval, and everything goes fine. Then one of your (thoroughly planned) server/application/etc. rollouts breaks their very important program (or vice versa), and they're no longer able to "get work done". They bitch up the chain of command, and since stink flows towards IT when people don't want to deal with it, you ultimately need to find a workaround for their stupidity, even if the expectation was "no IT support" from the start. (Quickbooks crashing due to using Google Talk within IE is a good example of this, but there are a myriad others.) FWIW, shit 'cloud' services fit this mold pretty well, too.
I can understand that people want to have their cake and eat it too, but that's been the desire since forever. Cloud computing, mobile devices, etc. don't change this desire any, or make it any more obtainable: things still break; things are still incompatible; users still do stupid shit. The closest you're going to get is with a virtualized environment and remote desktops of some sort, allowing people to connect to them from a portal or mobile applications. We still can't do the modern equivalent of supporting Bonzai Buddy - on the contrary, we're more overworked now than IT has ever been before, and extra burdens often mean having to pick between "patch important systems for security" or "replacing aging hardware".
People who write shit like this (and think like this) should just stick to tort lawyering and politics.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
I see people come in to the office all the time wanting to get their toys on the network. I tell them "come back with something that doesn't have a picture of a piece of fruit on it".
Did his IT professional tell him that he could not attach his root kitted iPhone to the network? Did he get told that they lack the infrastructure to make an Xbox HPC cluster?
Sorry, I work in a very large environment that has had 3 years of shitbag cowboys doing what they want and what someone says to do and not thinking of how to have a functional and supportable environment. I'm not an IT priest, but I know what best practices are and build systems to those standards. Ever try to support 600 servers running 7 different distros of Linux at whatever release level was available at the time? Mix in 4 versions of Solaris and of course 0 documentation on anything.
Want toys? Great, you support them on your own and not on my network!
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Your assumption is pretty off base. I think if you dug into it you would find that most accounting practices that cause problems aren't intentional and certainly aren't caused by upper management. As a company grows larger and consequently more complex, things will pop up in the books that would get the Feds to sock you even if it wasn't malicious.
Nice straw man you built there, but I was actually responding to the ENRON reference in the original post by ArhcAngel by making the point that a good IT staff ensures compliance but ideally not at the expense of the major efficiency losses incurred by saddling the employees with technology that inhibits their ability to do their job.
To be clear, as somebody who has done consulting for various IT compliance regulation auditing preparations in the past, I completely understand that companies have to do it, despite the idiocy of the fact that if you try to reprimand a corporate officer that way, you're pretty much guaranteed to get canned so it really doesn't do anything except give the federal government a reason to come down on you for the stupid little things you mention while most of the time the higher level management who facilitate the major FRAUDULENT activities are guaranteed to be able to keep going until a news report comes out, the stock price tanks and the feds show up. :P
All that aside, however, what I have absolutely no patience/sympathy for are the admins who try to blame SOX and other compliance standards for not doing their primary job effectively, which is ensuring that they provide and implement the best technical solutions to meet as many of the individual needs of their fellow employees as they can as efficiently as possible.
I'm honest enough to admit I lie to myself.
Where I work, I get written up if I do not report a SOX compliance issue that I come across. We have employees whose sole job is to ensure SOX compliance within the company, and it's not seen as "making waves" it's seen as making sure the company is compliant with government legislation that would otherwise shut the company down PDQ.
Only if the people you're reporting aren't corporate officers, a.k.a. the people who facilitate/actually perpetrate most major FRAUDULENT activities. :P
I'm honest enough to admit I lie to myself.
You want your "device" on the company's network? Sure, either:
A. Sign this document that says you and you alone accept all responsibility for any problems related to the network and that you will receive no help from IT in getting your "device" to work.
B. Convince management to pay to send me on the training course required to correctly provide IT support and administer the "device" and amend IT policy appropriately.
I just loved this bit.
"After all, the chances the IT person knows how to do your job and what tool works best for you is close to nil. He or she has no basis for disparaging your tools in that way."
That statement works both ways you know, let me demonstrate:
"After all, the chances that someone without an IT background knows how to do your IT job is close to nil. He or she has no basis for attempting to undermine the company's IT policies by insisting that an untested and unsupported personal device be allowed access to the company network."
Still, I suspect that the article was written to generate hits. I mean, nobody could write for an IT web site and be that stupid, can they?
The real problem is that users are morons and admins are bureaucrats of the worst kind.
None understand the other, so will likely impose their own will.
Users need to realize that their ipads (and any such walled garden device) are a source of grief in a workplace, even if you choose to ignore personal security.
Admins need to realize the whole concept of a locked down network is outdated and flawed. Same goes for antivirus. You can't keep the whole universe safe, but you can protect the things you care about. And those intelligent switches you cherish are also the main attack vector for intrusion, avoid if you can.
People with very little computer knowledge are the ones that should be locked down entirely, IMO to the point where they can't store any files at all, much less execute them, and don't have access to secrets. But labs, technical depts. etc. should be given free hands to shape their parts of a network. And no. companies do not need any all-pervasive policies unless you're a bureaucrat.
Personal anecdotal evidence suggests otherwise. In 10 years at a corporate headquarters of one of the largest corporations in the world ... only one instance of fraud was found, and that by a low level manager.
This is not a sig.
Hmm, well, there's a lot of trolling here for sure, but further down in the article he does make this point:
Here's an easy test: Is the standard proposed by IT higher for what you want than for what IT provisions? Take mobile -- if encryption or app revocation is required on smartphones, it should also be required on laptops that hold much more sensitive information. An honest requirement should be enforced equitably.
I'm not an IT guy, so I have no response to this. But his argument makes sense to me....
Uhhh, why? Are you responsible for the budget? What does it matter to you what software they use? Just because you think your choice is superior, based on your "objective evaluation" doesn't mean it is. I can argue that everybody should use the GIMP, but the graphic artists are going to want Photoshop. It's not my place to tell them they can't use Photoshop if that is what they prefer. Nothing wrong with making your recommendation, but at the end of the day it's just that, a recommendation.
But some IT plumbers would want to tell you what temperature your bathwater had to be. For safety, you know.
Personal anecdotal evidence suggests otherwise. In 10 years at a corporate headquarters of one of the largest corporations in the world ... only one instance of fraud was found, and that by a low level manager.
That's funny, I used to know somebody who had a similar anecdote to yours. He worked with a major accounting firm called Anderson...
Let me offer you a personal anecdote of my own which is that one of the things I've noticed is that out of all my friends and people I've met in various industries over the years, the biggest difference between the people I know who came out of situations like this relatively unscathed (be it from Enron or something as recent as Solyndra) and those that didn't, is that the people who didn't take a hit from it were the sort of people who never really trust the people running the companies they worked at.
I'm honest enough to admit I lie to myself.
If we already have a piece of software that does what the employee wants to do, then we are not buying other licenses, unless the employee can make a very good case that he needs product X.
I am not talking about the mainstream products like this, I am talking about smaller less important programs, like Copernic, etc.
This is the sig that says NI (again)
You obviously don't work in IT. :)
Rule 1. Don't trust the users.
This is not a sig.
You obviously don't work in IT. :)
Rule 1. Don't trust the users.
Oh I don't, but unlike management, I don't feel the need to keep them under continuous surveillance. ;)
I'm honest enough to admit I lie to myself.
U: "I need iTunes on my work PC"
IT: "Why would you even *want* to do this. Bring in your iPod."
U: "Full disk encryption is a pain in the ass, what with the second password. Please turn it off on my laptop."
IT: "You carry vast amounts of sensitive employee data on your laptop. And there's no second password. It's just the screen you enter your single password looks different."
U: "So?"
IT: "You've lost your laptop twice in the last 3 years. You leave it in your back seat. Even though we've told you not to."
U: "So?"
U: "I don't like X (the very expensive, very capable software package the whole rest of the team agreed to use, and be trained on at additional great cost). I used Y at my last job and I want to use that. I want you to buy it. And I'll probably need some additional training."
IT: Checking records, user missed most of the training on X.
U: "I want to use KTBICS (known to be insecure cloud service) to share files amongst my team"
IT: "You're a finance group. Handling SOX related data. And we already have a corporate approved, secure service that does exactly the same thing."
U: "Well, we're already using the non-commercial free version of KTBICS to share the same data, so we don't see what the problem is."
U: "I want you to install IIS, SQLserver and .NET on my desktop PC for testing."
IT: "We've built a sophisticated, secure dev/test environment to do exactly this."
U: "I forgot about that. But since I have to deliver this week I won't have time to finish the project if I have to learn how to use the approved platform. So just install everything on my machine. And I'll need the Internet to have access."
IT: (check records...user blew off training on the dev platform, which would have allowed them to spin up everything they needed in about 5 minutes).
IT: "Ummm....When is your due date, and what IP addresses need access?"
U: "It's due this Friday. I don't know what IP addresses need access, so just let everyone in."
U: "I don't want to use X. X is made by Microsoft, and I have moral objections to using Microsoft products. I want to use open source package Y."
IT: "If you have a moral objection to using Microsoft, why did you take a job on a team developing .NET applications on Windows Server 2008R2 in C# using Visual Studio with a SQLServer backend? Something made clear as far back as the job ad you responded to?"