Slashdot Mirror
How To Thwart the High Priests In IT
GMGruman writes "You know the type: They want to control and restrict any technology in your office, maybe for job security, maybe as a power trip. As the 'consumerization of IT' phenomenon grows, such IT people are increasingly clashing with users, who bring in their own smartphones, use cloud apps, and work at home on their own equipment. These 'enemies' in IT are easy to identify, but there are subtler enemies within IT that also aim to prevent users from being self-sufficient in their technology use. That's bad for both users and IT, as it gets in the way of useful work for everyone. Here's what to look for in such hidden IT 'enemies,' and how to thwart their efforts to contain you."
While some people get the policies wrong, in general the idea of IT policies is a good one; the only way to support business policies is to allow for sensible IT policies to exist. If the IT policies don't serve the business policies, someone's not doing their job right, but that's not a problem with the idea of policies existing at all. If you want to "thwart" your IT people, you'd better have a damned good reason.
For every problem, there is at least one solution that is simple, neat, and wrong.
Sounds like the article was written by a tool with no understanding of how enterprise IT works, and no grasp of what bringing alien, unknown systems into contact with critical infrastructure can lead to.
Nothing more to say.
Management make the rules, if management say no iphones, and you then thwart them.... you've gone against management wishes.... which can be disastrous for a job you like.
Of course Iphones in this example was simply that.
IT is overhead. It's a cost center. It generally does not generate revenue. Maintaining an infrastructure costs the company money. Every time you want to bring in your personal equipment, we have to figure out how to support it and that raises the company's overhead. Instead of making IT justify why we don't want to support your Widget Of The Day, why don't YOU justify to the company why you're increasing costs and then work to have that increase added to IT's budget so that we can actually afford to support your crap without having to divert funds away from things that the company has already approved?
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
I certainly understand that users want to use what is easy for them but they need to understand that they don't set policy. I listen to any reasonable requests and if they fit within our policy (or if it makes sense to change the policy to allow it) I will authorize their request. However, understand that I have been working in IT for over 20 years and know a thing or two that you probably don't. Its not a power trip, its my job, it is what they pay me to do. Employees need to understand that its not personal. If their request was denied I had a very good reason to do so. Get over it, move along.
Just saying.
none
Seriously? We don't want uncontrolled portable devices on our networks because we don't control them. We can't force-install AV software (if it even exists for your favorite no-name phone/player/tablet/whatever), we can't even do basic cleanup of them without your cooperation.
And that only describes them as a potential vector for attack. We also can't control who else has access to them, can't wipe remotely without your permission, can't keep you from leaving it, complete with the latest super-secret corporate strategy on it, in the bar at a random trade show.
Dislike of portables has nothing to do with controlling you, and everything to do with controlling and protecting what the company pays us to - Their IT infrastructure and digital IP.
It's the sort of stupid article you'd expect from an organization that is supposedly all about information technology, but is so backwards that they're endlessly pestering me to take a free subscription to their dead-tree edition. If their web site isn't even worth visiting for free articles, why would they think I want to spend the effort moving their magazine from my mailbox directly to the trash?
Help save the critically endangered Blue Iguana
Dear GMGruman,
Go fuck yourself.
Yours sincerely,
Pretty much every sysadmin anywhere that's been tasked with providing IT services to keep a business running as productively and profitably as possible, in spite of people like yourself.
The article starts by saying there are good IT people who help you and bad IT people who make things difficult. From there he just whines and whines about nothing. His only advice about "thwarting the high priests of IT" is to complain to the CIO. Of course everyone complains to the CIO about the tech staff, but he or she will apparently be dazzled by your insight that some IT workers are good and some are bad.
The only non-obvious thought in this article is referring to bad IT workers at the "High Priests of IT." However, it is only non-obvious because it is really stupid. And if you actually go around saying "the High Priests of IT" then you are a bigger dickhead than almost any IT guy ever met.
Democracy Now! - your daily, uncensored, corporate-free
IT is often the "prevention of information services department". User figures out a better way to do something, IT blocks it. Prescribed methods of doing things don't work well; user goes around them, IT blocks or complains to management. User wants something done, IT demands business justification and signatures from at least two executive VPs. User does it himself, IT finds out and makes him stop.
This was probably written by the dude who routinely roots his box (calls Dell to get the BIOS reset code, uses a bootcd, et voila) so that he can install PC anywhere because it's VITAL for his side business and he knows IT will say "no".
The article is complete flamebait, and many other posters have pointed that out.
The solution to home brew IT and people wanting to use their own devices is simple. Setup Citrix VDI or something similar. The Citrix receiver runs on everything.. iBlah, Android, web browsers, etc. The "cutting edge, tech savvy users" can use their lame devices, and all of the application code and information stays safe on the corporate network.
To flip the author's logic back around him, he suggests that users using their own devices are making things easier on corporate IT. They are empowering themselves at their own cost. Good for them. Let them pay for their Citrix licenses and infrastructure costs. If they really want to "partner with IT" and be an "IT ally" (to use the idiotic author's verbiage) , they can go ahead and come up with some funding. Nothing makes friends like throwing money around.
All right, Mr Gruman you have trolled and since I'm one of your bad guys I'm going to respond and enlighten you:
I have best practices that tell me to control these things that you want to let roam free. I also happen to have laws, and some of these laws have very large financial penalties or the possibility of jail time.
Mr Gruman, how many attorney generals have you had conversations with after someone went ahead and did what you wanted done? I'm willing to bet it's not as many as I have had and that you've never had to deal with the results of your company making the international news because someone decided to bypass IT.
Your insight into how to play dirty politics to get your "Toy" into the office shows your complete lack of an understanding of how the enterprise works. Is your department going to pay for the budget for the time needed to support your toys?
These code phrases are code for things like "mutli-million dollar fines", "angry attorney generals", "class action lawsuits", "criminal negligence", "security clearance", "ethics", "privacy" and other such things.
You see this is what happens when some petty ass whiny twit such as yourself goes to the CIO and says I want my toy and the IT department won't let me have it. The CIO comes to the IT department and says, "why won't you let this twit have his toy" and we're going to come back with something like "federal law, accountability, public relations disaster".
You know what Mr Gruman, I have never, ever lost that argument. When you take into account that regulation is only increasing the odds that I might lose that argument drop even further.
Now Mr Gruman, instead you should try the tactic of saying "IT Department, I want to use this toy for business purposes and not just as a toy, can you please look too see if we can?". You might have a perfectly legitimate case, and it might be very reasonable to do what you want, but you have to ask so that we can see if we can do that without avoiding nasty code words.
Just remember my code words can and have cost companies many millions of dollars when someone blew them off and ignored the IT department.
...but I stopped counting how many times the author recommended trying to cost people their jobs for actually doing them after the third time. I'd like to offer something more insightful in response, but I'm afraid I'm left with "What a smug asshole."
Proud member of the Weirdo-American community.
I don't think IT guys want to control your bathtub. They are more like want to prevent you to bring in your private jacuzzi to the 10th floor, when there is already a regular bathtub. And you are the reckless guy who causes flood on the floors 1-9 despite the plumbers' advice.
Patents Drive Free Software as Hurricanes Drive Construction Industry
A better headline might be: "Writer get pissed that IT guy called his new gadget a Toy."
While I'm sure he's got a good point that IT people should not talk down to other employees, he needs to hear a few horror stories to understand our concern about his new "toy".
I was brought in to trouble shoot a network that was completely down, idling over 100 workers. Naturally, the CEO called everyone who had any IT experience, so we had a crowd of upset and confused people. In short - it was a packet storm. What caused it was an employee bringing in his own device and connecting it to the network.
The employee wanted a wireless AP for his laptop, because he didn't like the Cat5 cable. The IT staff said "no", so he install his own Linksys. You see it coming - no encryption, default password, etc. Well, it was slower than the wired connection, so he figured he could get twice the bandwidth if he connected TWO Ethernet cables. The port he selected was connected to a different switch, and soon a packet storm erupted.
Yes, the IT manager made several mistakes, including buying non-managed switches. But the bottom line is the employee cost the company dearly for his "toy".
What's funny? The guy was bragging to his buddies about how smart he was, not knowing the IT manager, CEO and I were standing behind him. Fired on the spot he was.
Place nail here >+
Excuse the rant. Realistically, IT has a number of jobs:
1: Keep stuff running.
2: Keep stuff accessible by users.
3: Keep stuff secure. Yes, this can inconvenience someone, but better a teed off muckety-muck than a wholesale breach where all the goodies are stolen to an offshore firm.
4: Comply with regulations.
Do you know how many fscking regulations an IT department in a midsize company has to deal with? In a typical organization, you have to deal with Sarbanes-Oxley (either because your firm or one of your clients is publicly traded), HIPAA, FERPA, or many other laws? Then there are the stipulations put on a company by contracts, like PCI-DSS. Then there are things you sign with a client like vague crap like "all computers will have antivirus programs running on them". Yes, the bean counters sign that, but it really means that I have to license copies of McAfee for the multiple IBM Power Series 795s doing the back end database I/O just so that "t" is crossed, and "i" dotted. Yes, the chance of finding a virus on the AIX boxes is flat nil, but it keeps the customer happy.
If I'm in IT and cannot allow you to VPN in or use your precious iPhone to access Exchange mail without restrictive policies (like blocking the camera, long passwords for unlock, etc.), it isn't that I have a pogrom against your sorry ass, its because when you are at the bar drinking with your friends and you leave your phone unlocked (or even worse, jailbroken to get around Exchange policies, then left without a PIN) in the bathroom stall and report it lost, guess what department how has to report to the public about an unencrypted security breach as per California and other laws? Definitely not sales. Definitely not HR.
Also, users have a choice. Want local admin access to your desktop? All the critical company resources like Outlook will be on Citrix. This way, there is a definite barrier between a compromised workstation and the core functions of a company, such as the database with accounts payable, receivable, internal applications and lots else. Don't like that? A locked down policy where one doesn't get to choose even their screen saver is just two commands away.
Of course, on sensitive sections of the company like the finance department, the desktops are locked down 10 ways from Sunday, but there will be a Citrix application available on a remote server so you can do some personal Web usage and not risk completely tossing the company's salad if the Web browser gets breached, even if it is "just" that user account that gets nailed.
So, don't take it personal when an IT guy says no. We are not correctional officers who view you as inmates. In fact, we will bend over backwards to try to get not just what you need, but what you want. However, we won't bend over forwards.
Oh, and my OS bias? Whatever gives me the least amount of problems and keeps the pages/calls/texts off my cell. I've been in the business too long to give a crap about what Netcraft states.
Yep. There are a lot of incompetent IT people out there.
The problem is that most of the non-IT people are even more incompetent at IT tasks.
And management is not very good at managing.
The easy solution to this is to build a business case for whatever change you want and send it to your boss.
You boss then sends it up the ladder until it gets approved and IT makes whatever change you wanted.
It's all about money. It should be easy for you to show how you'd be more productive (in terms of $X) if you had item A at cost $B.
I have seen a lot of "foolish and stupid" IT policies. Which is why you need to communicate to the BUSINESS via the "business case" for the changes you want.
IT should be IMPLEMENTING the policies that upper management has decided upon.
If you don't like those policies then convince upper management that you'd be more productive (in terms of $X) by writing a business case for the change(s).
As for being fired, who cares? It happens.
I'd rather go into my next interview saying that I was fired for enforcing the policies rather than saying that I was fired because the systems were cracked and all kinds of company / personal data was downloaded.
Every other department that uses IT pays for it. Those who use more IT services, or otherwise cost the company money from their IT fuckups, pay more. Eventually, they learn to work WITH the IT department to lower their overhead costs so they can meet their budgetary targets. That means doing the kinds of things that the idiots best represented by the author of that article abhor: the things recommended/enforced by those "High Priests" as best practices.
I mean, yeah, there are bad IT people and departments out there, to be sure, just like there are bad users. Unlike bad users, though, bad IT people and departments don't last very long.
-SS "Teach the ignorant, care for the dumb, and punish the stupid."
The other reason to deny new and/or user supplied devices is the unwillingness to support every phone out there.
Yes, Android phones are largely the same and various versions of iPhone/iPad are largely the same. but it's wearing for IT staff to have to learn every new phone and its idisyncracies not jut to get it set up but to troubleshoot it when you're "sure" that the problem isn't your phone/carrier, but our network.
If IT doesn't jealously and rigidly enforce device standards, they end up supporting dozens of different devices regardless of a policy that says "bring in what you want, but you support it". Users whose phone has a bug, or are in a cell dead spot, or have some data plan missing will always claim that IT isn't letting them on the network and/or won't fix the issue on "the system" that is preventing them from connecting. IT has to take the device, troubleshoot it, and show that isn't the system causing the issue.
Users who don't know how to configure their phone will ask IT to configure it, if IT says they don't touch user supplied devices, the user complains that they aren't productive and IT is "asked" to fix the issue "just this once" so the user can start working. Repeat this 50 times and you now have IT supporting every user's phone or non-company supplied laptop. The exception(s) dwarf the rules.
Now that IT has touched it, most users think that IT can/should fix other issues that may have nothing to do with what was done in the first place-I've had users drop off laptops complaining that their anti-virus is slowing their computer down ever since we put VPN software or logmein on their computer, etc. So in proving our innocence, we find some resource sucking app that has been installed for years, or some new app that has long startup times, etc. and we have to explain that that's the cause and not the VPN software that runs without any issues on all of our computers and a couple dozen other non-IT machines.
User devices is nearly always a disaster and always a larger investment in time then made out to be. Companies don't want to hire a dedicated guy to troubleshoot user devices, but the same management expects a limited IT staff to "just this once" spend 2 or 3 hours troubleshooting some problematic laptop, or an hour and a half troubleshooting some vague issue on a phone that turns out to be carrier finickiness or another piece of software on that phone, etc.
I'd say that during normal working hours, we typically have 10 people and spend a minimum of 30 man hours per week dealing with user devices and many are repeats, don't listen to anything we say like when we tell them that it's not a surprise that they're brand new Android phone has shorter battery life then their old blackberry or flip phone and that it has nothing to do with Exchange ActiveSync. Some people have come to use with brand new phones they've had for a whole day or two, asked us to configure it, then return 2 or 3 days later to tell us that what we did is killing their battery. When we ask, they tell us that their old blackberry didn't need charging everyday, that this phone does and they imply that it must be us turning on activesync-nevermind that they didn't spend enough time with the phone to learn its battery life before getting us to set up activesync...
Then comes the users who switch personal phones every other month and expect to simply hand the phone to us so we can set up activesync, but don't give us the password OR don't have a password and get upset when activesync policy pushed from our server requires them to have a password. Two people in one department went form personal blackberry to htc droid to samsung droid to iphone 4 to iphone 4s in about 13 months. Each switch they expected us to export their contact list (which they explicitly chose not to sync with Exchange) and each time they expected us to waive the password policy for them. When we pushed back in the beginning, they complained and said they were OK with doing it themselves. They made no real effo
Don't rise to this asshole author's bait. He's a troll or he is ignorant, and the right answer is neither that people should nor that they should not thwart IT, and the right answer is neither that IT should smack them down nor that IT should give them everything they want.
The right answer is that the people who feel they need to thwart IT are a valuable resource. They are people who have a need that is not being satisfied. That need should be explored and a resolution found. Sometimes the answer is, "No, because it would not be safe / cost-efficient / legal." Sometimes the answer is, "There is already a way to do that, but not the way you are attempting to do it." Sometimes the answer is, "We should add that capability, because it will make the company more profitable."
The idea that it is all X or all Y is fundamentally rooted in "us versus them" mentality. It is a bullshit, douchebag mentality which is, unfortunately, actively fostered by assorted self-righteous nincompoops and the kinds of people who watch the UFC not for the display of physical prowess and grace, but because they like to see people hurting each other.
Don't rise to the bait. Users who are trying to thwart the system are a valuable resource. You want to plumb them to discover unserved needs, underserved needs, and opportunities to improve training. You also want to help them understand why they can't do certain things so that their frustration doesn't fester and become a morale issue.
It is easy to see why the author is a writer. He clearly would not operate well in a more team-oriented context.
Stop-Prism.org: Opt Out of Surveillance
just because YOU or the AV company hasn't head of one dosen't mean that it does not exist.
This is true even of viruses targeting approved platforms. No AV solution has perfect detection, save one: a fully capability-based environment such as Bitfrost, Android, or the Mac App Store sandbox.
It seems to me the test is whether it's actually reasonable for the whole job (in this case, all of the documentation) to be done by one person. If that's possible, in a sustained fashion, then it stands to reason that the other people on the staff shouldn't even be there. They're just wasted expenditures and they should never have been hired.
If, on the other hand, it is unreasonable to expect the entire job to be done by a single person -- in my opinion, the far more likely case, and why a team was hired rather than a single individual -- then it's up to every person on the team to act as a team.
In my experience, managers who are so afraid of delegating to their subordinates that they become a bottleneck for every item of work that passes through the department are one of the most insidious and damaging factors in any company.
As for preferring documentation "written by an expert," I think you might be mistaken and not realize it. In my experience, the guy who wrote a complex software system is often the last person you want to try to produce user documentation for it. His in-depth knowledge of the system makes it impossible for him to see the system the way an inexperienced user sees it. The job of a technical writer is to gather information from the developers and assemble it in a way that's comprehensible for users of all experience levels. Those who are truly good at their jobs will be able to produce documentation that's so transparent and comprehensive that you assume it must have been written by programmers, when it was not.
Breakfast served all day!
Or maybe he knows EXACTLY what the result will be.
Most networks/systems have "evolved" over time in an "organic" fashion. That is, things were added and then fixes where added to get everything to play together in a minimally acceptable fashion.
Now, if you can convince non-IT people that they're just as knowledgeable about IT issues as the IT people, that means that you can get a LOT of billable hours dealing with the impact of the new changes.
Say that Frank in Accounting "needs" a wireless router attached to the network so his new device (which doesn't support your standard for encryption/authentication) will work ... and it needs access to the Accounting servers ... because Frank "needs" it to work that way. That's a lot of re-design of the network and the servers and so forth.
So from a consultant/contractor point-of-view, this is a GREAT IDEA!!!
Just tell Frank that the IT department is being "bad" by refusing his perfectly rational and reasonable request and that he needs to work around them to maintain his productivity. Or get the IT department marginalized so that contractors can be brought in to do the work that the IT department is incapable of doing.
And I'm not talking about Hanes.
If you are dealing with the feds, the meeting the requirements of the Sarbanes-Oxley act is a fact of life. Failing to deal with the requirements can essentially mean the death penalty for the company because the feds won't do business with you if you are out of compliance.
The Act essential deals with setting up security and policies that prevent someone from being able to game the system. A Buyer can create a PO, but cannot perform A/P functions do pay the PO and cannot receive the product. Just a simple example.
But in my company, many, many people got their panties in a twist when we started taking away their ability to do things and requiring them to abide by policies and procedures. It can be a big culture shock to small to mid size companies that grow into a larger markets with the Feds.
One of the biggest headaches was enforcing the use of standard cell phones and disallowing the storage of data in the phones. Anything that comes onto premises, had any kind of connectivity with the network and then left the premises is now tightly controlled and locked down. All the laptops have encrypted hard drives and even USB drives are automatically encrypted when they are connected if they are not already. If you have dealt with sales people, you know they don't like that one bit. Shit, I can't even install and use iTunes or any other mp3 players.
So to the feds, this is a Big Deal and people can and have lost their jobs for trying to game the system because otherwise, the whole company could be dead, figuratively speaking.
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
The same "we could be more efficient" could be said of many accounting policies. Gee wouldn't it be faster if the person who issued the PO could approve the receiving document and authorize payments?
Why do we really need to have competitive bids, I'm sure my brother-in-law will give a good price.
We don't need risk management to authorize credit for this customer--I'm sure they're good for it.
We can value these incredibly complex securities at a $1 billion.
Yes, lots of IT rules and requirements are PIAs, but in many cases they are global optimization versus local maxima.
There's always a way to get the data out. If you work with people most of them will work with you most of the time. If you set yourself up as an impediment, people will humour you with lies and work around you.
You may occasionally catch one, but most will keep it out of your sight.
My understanding is that Iran got the bad news from a personal flash drive.
I used to work for an organization that took securit very seriously because just one quick glance at our upcoming product would have enabled our competition to getbthe jump on us. even so the it people were constantly battling malware brought in on personal flash drives.
the solution another client used was to lock all the pcs in cabinets physically disconnected from the Internet. because I worked remotely I had to transfer a file to the clients network. I had to get someone who was trusted with the cabinet key to do that for me.
everyone had a second computer for web browsing and personal email. our work machines used Ethernet KVM extenders.
Request your free CD of my piano music.
"The technology that has been here for a long time and should have been thoroughly tested has security holes they didn't know before. Let's bring in this new and untested technology, because I don't know about any security holes in it"
Sounds good.
Wow. That really takes pretending to be ignorant so as to twist words to win an argument to a new low. If you can't work out that "my company" usually means "the company I work for" then you have a very low reading age and could not have possibly written the words above.
Why do you think this is so important that you will be so dishonest as to pretend to be so ignorant of very simple English usage just to make a silly point in an argument with a stranger?
Then to go furthur and built a strawman, soak it in fuel and set it on fire on such a fake misunderstanding? What is your real problem here?
Fearful underlings are, but far less often than most users believe. Many user requests for using their own devices are simply due to the users not understanding the problem. Example: Many industries have record-keeping requirements and data-retention requirements. When users store and process data on their own devices, these could be violated. Many industries also have data-security requirements. Except for users that are expert system administrators on their own devices, again, allowing users to process data on devices they administrate themselves is not a good idea and may even be illegal. That said, with a competent IT department, a user that is also a system administration/security expert will get added privileges. But these are the rare exception.
Most users have no idea what the risks are and allowing them to do their own risk management is not acceptable. Case in point: I am a security expert, but I doubt I could really make a current Android/iOS/Win Phone device secure. There is not enough access, not enough stability and not enough experience with these devices. Surprises may happen at any time and are a lot more likely than, say, on a stable Linux distro. Hence I would not even ask to be allowed to put sensitive data on such a device. And anybody that does is very, very likely does not understand the problem.
So, no, typically the problem is on the user side. IT departments could be more understanding and more clear about their policies, but that is also a staffing, budget and management problem. If IT always has to roll out the big guns to enforce a policy, it is not a surprise that they will get defensive.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Maybe you have never worked with stupid requirements that Feds enforce but I have. This stuff is life or death to company. People can and will get fired instantly for breaking it. So like others have said, it's not that we want to impede the user, we have no choice.
OK, I'll admit that when somebody says "my" X, there's an element of ownership being implied.
But most people understand that that just means "the company's X, which I'm responsible for".
Hence, stuff like "no pointing guns other that at the target on my range".
"no defacing of books in my library"
"if you want something from my maintenance dept., you'll have to check it out"
Most people understand the "my" just means "there's somebody actually responsible for this X, and it's not going to be a tragedy of the commons situation".
Perhaps he should have stripped all qualifying adjectives from the phrase: <del>my corporate </del> network. Then you get into a "network, which network situation":
Bush Rice China Hu Who Koffi Annan - YouTube
I'm not a lawyer, but I play one on the Internet. Blog
A process for regulating the discharge from a capacitor.
The formula for a doping compound that increases the efficiency of solar cell to 80%
A list of your customers and their feed back on your service or their future purchasing plans.
A spreadsheet of assay results from two years of mineral sampling.
All kinds of companies have I.T. departments and not all valuable information is source code.
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
And if they get caught they will be fired...if they are lucky. Working around IT policies put in place to comply with government regulation for any reason looks suspicious. If the feds notice the results can be much, much worse. When I see violations to SOX or corporate policy I make it a point to inform the person violating the policy and their supervisor. I also send an email to my supervisor with the details of my observations and subsequent actions so there is a record that I did not turn a blind eye to the infraction. How it is handled from there is up to the person violating the policy and their superiors. I can't speak for other IT "dictators" but the way I look at it is if you get this office shut down it affects my job too @ss hole. As it happens I can see the old Enron building (now owned by Chevron) from my office. A constant reminder of just why SOX exists in the first place.
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
Who are your readers nowadays?
Bravo bravo, very well put.
I'd like to add a small tidbit.
If a user comes to our department with a request for a certain piece of software that does X, we might deny that request and offer an alternative since we already have a license for software Y or we researched it and found that software Y is easier to use, has fewer problems, etc. This goes for hardware too.
I consider it a point of principle to give the best service possible within the framework of our IT policies.
We do have to say no on a regular basis.
This is the sig that says NI (again)
are almost always perpetrated by top management? ;)
Your assumption is pretty off base. I think if you dug into it you would find that most accounting practices that causes problems aren't intentional and certainly aren't caused by upper management. As a company grows larger and consequently more complex, things will pop up in the books that would get the Feds to sock you even if it wasn't malicious.
My company, which primarily does manufacturing, had a situation recently made aware to me. We do perform internal fabrication for some of our final product so you have Parts + Labor going into that fab job. As an example we would be sending in $100 worth of labor and $1000 worth of parts and ending up with a final product worth $1250 instead of $1100. Chances are that everyone involved in the fabrication process weren't properly trained on how to move the material through our system and luckily we aren't required to follow SOX but that is a prime example of the kind of innocent crap that is going to get you screwed over. The malicious stuff, surprisingly, is less likely to be caught because the perpetrators of it are going to try to cover their asses on it. The innocent stuff is innocent so it's more likely to be left in the open.
"Lack of speed can be overcome. In the worst case by patience." --Znork
--
.nosig
My last big company IT job had 3 major departments, all of whom had their own IT ideas, and at least one with their own IT person who did some purchasing and install and config of PCs.
There was a lot of time where dealing with resource competition and fighting the departments over standards was such a distraction, I told my boss we should just not bother -- cut up the PC budget among departments and let them figure it out on their own.
IT would provide LAN for free, but internet would be metered with costs based on bandwidth required to provide at least 25% peak capacity (when we he 25%, we would add more).
Email would be per mailbox with storage charges over 5 GB. File sharing would be per 250 GB consumed. Departments would buy printers and supplies.
Basically, IT would become an internal ISP/cloud provider and nothing else. The user departments would buy the laptops/Macs they "need" and could go batshit on storage usage, since they would be paying for it.
Wow, I'm honestly surprised they haven't let you go already for making waves, but I suppose since it sounds like it doesn't happen that often at the company you're employed at, it's probably taking them longer to build a solid documentation case against you.
Where I work, I get written up if I do not report a SOX compliance issue that I come across. We have employees whose sole job is to ensure SOX compliance within the company, and it's not seen as "making waves" it's seen as making sure the company is compliant with government legislation that would otherwise shut the company down PDQ.
Ceci n'est pas un sig.