Slashdot Mirror


How To Thwart the High Priests In IT

GMGruman writes "You know the type: They want to control and restrict any technology in your office, maybe for job security, maybe as a power trip. As the 'consumerization of IT' phenomenon grows, such IT people are increasingly clashing with users, who bring in their own smartphones, use cloud apps, and work at home on their own equipment. These 'enemies' in IT are easy to identify, but there are subtler enemies within IT that also aim to prevent users from being self-sufficient in their technology use. That's bad for both users and IT, as it gets in the way of useful work for everyone. Here's what to look for in such hidden IT 'enemies,' and how to thwart their efforts to contain you."

30 of 417 comments

  1. Wow, what a stupid post by Improv · · Score: 4, Insightful

    While some people get the policies wrong, in general the idea of IT policies is a good one; the only way to support business policies is to allow for sensible IT policies to exist. If the IT policies don't serve the business policies, someone's not doing their job right, but that's not a problem with the idea of policies existing at all. If you want to "thwart" your IT people, you'd better have a damned good reason.

    --
    For every problem, there is at least one solution that is simple, neat, and wrong.
    1. Re:Wow, what a stupid post by BlakJak-ZL1VMF · · Score: 5, Insightful

      ^ This. The IT dept's worst nightmare are employees who *think* they know better.

      --
      -.-. --.-
    2. Re:Wow, what a stupid post by Anonymous Coward · · Score: 5, Informative

      it's not just a stupid post, it's a dumb shameless plug, look at the submitter and the article editor...

      very, very lame.

    3. Re:Wow, what a stupid post by Anonymous Coward · · Score: 4, Insightful

      Actually it's the job of IT to support the employees who are designing the products that bring in the revenue. It isn't the role of IT to dictate what those employees can use.

      We had an IT guy for a while who thought he was a dictator. He lasted about a week before we replaced him with a guy who realized his job was to make OUR jobs easier. He's quite good at it, too - he actually does make our jobs easier, which makes everyone more productive. If he was going to tell us, "Sorry, you can't use X or Y", he'd be out of here in a week too.

    4. Re:Wow, what a stupid post by Anonymous Coward · · Score: 5, Insightful

      Actually it's the job of IT to support the employees who are designing the products that bring in the revenue.

      Right and wrong. IT's job is more than just facilitating the ability for engineers to do their job (not all companies even have engineers). It's about corporate security, regulatory compliance, and SLA compliance.

      A good IT department will make compromises between all of these things. The business needs to be flexible enough to allow engineers, salesmen, etc. to be agile so as to be competitive in the market, but not to the point of anarchy where an untested/uncertified smartphone gets lost and results in sensitive data going into the wrong hands due to the lack of remote management of said devices, resulting in regulatory fines or competitive disadvantage. Similarly, any sane IT department is going to have a supported platforms/devices list. You cannot provide an SLA to the business on a device you've never seen and done any interop testing with.

      Sorry, it's obvious you don't understand the challenges of a real business.

    5. Re:Wow, what a stupid post by BlakJak-ZL1VMF · · Score: 5, Informative

      Agree with the other response; you apparently have the wrong end of the straw.

      The IT dept support the _company_, not individual employees. If you want a tool that the company hasn't provided you, the right channel to go through is via management and the procurement process. Then your required tool gets a proper introduction-to-service and your IT guy is appropriately trained and ready to support it, rather than just having it shoved in his lap because it's the new toy you've just decided you 'need'.

      if it's a device that you need for business purposes, the business will provide it for you. (Or should, if it's a genuine need.)

      The influx of personal smart devices into business is great; but if you expect to connect them to my corporate network, you best be prepared to see them integrate into my corporate network requirements around security and support. I've seen policies from 'sure, but you support it' through to 'absolutely not' and the support guy's job is to enforce that policy. No more, no less. Oh and by the way, support guy rarely dictates policy, most especially in larger companies.

      --
      -.-. --.-
    6. Re:Wow, what a stupid post by serverglitch · · Score: 5, Informative

      The submission appears to be by the same guy who wrote the article just trying to stir up attention with nonsense directed at a mostly tech community. Professional trolling from someone that wants more hits on his website.

    7. Re:Wow, what a stupid post by jrminter · · Score: 4, Insightful

      if it's a device that you need for business purposes, the business will provide it for you. (Or should, if it's a genuine need.)

      In an ideal world, yes. I really wish I worked in one. I work in an organization under "severe budget constraints" (unless you are senior management, then it looks pretty cushy to those of us in the trenches.) If we don't buy and use our own stuff, we have to limp along with "stone knives and bearskins" (thank you, Leonard Nimoy and Star Trek). Our choice is to work around IT or get hammered at performance review time for "not getting the job done."

    8. Re:Wow, what a stupid post by Tanuki64 · · Score: 4, Insightful

      I am so glad I don't work in system administration anymore. Tools like you really were a pest. My first job was system administration. The person I replaced was a really good administrator. If good administrator means that he was liked by the rest of the company. Ok, when I examined the server I discovered a rootkit, some unknown outside party had access to this company's servers for months, but hey, shit happens. This is only a small problem as long as the employees were able to surf their porn sites. I built a firewall, cleaned the servers and all computers in this company and generally closed a whole bunch of security holes. What happened? Did I get thanked? Bah, a few weeks later I had a very inconvenient talk with the boss. Sure, I was the BOFH and the mobbing started. Everything worked under the old administrator, why can I idiot not keep everything as convenient as my predecessor? For instance he never forced anybody to use scp instead of ftp to get their files. And really all websites worked. I quit after about three months. Don't know what happened. Perhaps they were able to get their old, good administrator back. At least for a while. Because what I know, is that this company does not exist anymore.

    9. Re:Wow, what a stupid post by Hognoxious · · Score: 4, Insightful

      I'm inclined to agree. GP comes across as the kind of feckless twat who equates making everyone's job easier with doing everything they say and no questions asked.

      I'll tell you whose job it doesn't make easier - the one who has to clean up the inevitable wreck that occurs when you take understanding the users (a good thing) a step too far and let them run the show.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    10. Re:Wow, what a stupid post by BlakJak-ZL1VMF · · Score: 4, Insightful

      This old argument... I know exactly what you mean, but if your productivity is being hindered by 'stone knives and bearskins' then surely this is something that management simply get to live with? When Management cease to support the employee, surely the employee should become a 'timecard-worker'....

      if your productivity is high, they're going to think all is well. Let your productivity slide and when they ask why, point out to them how they're screwing themselves over with their stone-age conventions?

      Sucks I know, but otherwise you're shooting yourself in the foot.

      --
      -.-. --.-
    11. Re:Wow, what a stupid post by Anonymous Coward · · Score: 4, Insightful

      When was the last time you heard of a company getting fined or giving data to a competitor as a result of a data leak from a lost piece of computer equipment?

      First of all, that was just a singular example of IT security. There are numerous other attack vectors that IT has to enumerate, assess, and control.

      Second of all, the reason why you don't hear about it is, firstly, it's rarely a front page news story when $RANDOM_COMPANY loses a harddrive full of customer account information (unless it's a particularly large breach). Secondly, the actual fines (which are, for the most part, a recent legislative creation) are incentivizing companies to actually implement the proper IT policies such as device encryption and remote wipe / disable. So the problem is starting to be solved.

      When was the last time you heard a salesman say they lose time to IT policies.

      Not the first time I've heard "It's IT's fault" from underperforming salesmen. I'm not going to say IT is always innocent, but I've been around long enough to have seen the patterns.

      I personally have had two clients because it's easier for them to outsource the work than it is to get their IT enabling that work to be carried out internally

      Specific examples? I'm not saying you're lying, but I can't argue with vague generalities.

    12. Re:Wow, what a stupid post by Genda · · Score: 5, Informative

      I've been on both sides of this conversation and I understand the temptation for engineers and techies to just figure out a local solution, get the job done and be productive in the moment. Now just for a moment, put yourself in the position of an IT professional.

      They are responsible for: The whole intranet working, efficiently, cooperatively, and securely. You have 10-20 little network fiefdoms, with different hardware, operating systems, application software, security, network interfaces, proprietary services and infrastructure and degree of collaboration and shared resources. Now you have to make this mob of PCs, Macs, Linux/Unix servers, and personal devices, all singing, all dancing, while sharing consolidated storage and corporate resources. You have to have consistent access and availability to the internet. You have to provide intranet access to dozens or hundreds of smart phones, tablets and laptops, while at the same time providing some semblance of security and application accessibility (have you got even the foggiest idea how easy it is to have a bluetooth device and use it to get into a corporate network?)

      You have to meet corporate guidelines, bring up ethical issues (should or shouldn't employees expect their email to be private when it runs through corporate servers?) and stay on top of the growing list of compliance to government regulation. The last item is an issue that keeps IT specialists up at night. The government is making it absolutely clear that it's willing to hammer large businesses that don't meet minimum federal standards for data security and compliance. Add to that laws which intrude into business operation (everything from HIPAA to DMCA) and IT has to be on top of nearly every byte that comes and goes from an enterprise server.

      Then of course you have employees, accessing social networks, reading anything from funnies to personal email, streaming music and video on corporate servers and networks, playing games and doing any of a thousand things they probably shouldn't be doing on a corporate network. Laptops, pads and smart phones come and go all day, and expose your secure data to terrible threat. Anybody can now plug a 128 GB USB thumb-drive into a computer and slurp off a ton of proprietary data.

      All those personal devices, with different OSs: iOS, Android, OSX, Windows, Blackberry, and all those devices with different apps, some play nice, but a whole bunch are shoddy slap-together security disasters. If you have recently heard about huge breaches in banking and financial institutions or massive government fines against corporations that didn't comply with new regulations in data security or proper operating practices, you've simply not been paying attention to the business news. All of this becomes even more critical for a start-up or small company. Lose your IP and goodbye company. Breach a serious government restriction and there goes your company and the penalties nowadays may not end with just fines.

      Play nice with your IT team. Yes, there are occasionally despotic little tinpot dictators protecting their little corporate territory (I find however, that is more often than not the fault of higher management, and that such fiefdoms abound in such an organization) but for the most part, more often though, your IT professionals are there to provide the best service they can inside the constraints of best corporate practice. IT just needs to find the best balance between the needs of the corporation vs the needs of the individual. Talk to your IT manager, come up with a clear procedure for submitting apps to IT for review, and if they don't violate corporate standards, can be integrated into the corporate environment.

    13. Re:Wow, what a stupid post by prisoner-of-enigma · · Score: 5, Funny

      When you call it "my corporate network", you have defined yourself as the exact IT staff users complain about. It's not your network, unless you own the corporation itself. It is the company's network.

      I think you drew the wrong conclusion from the GP's phrasing. Having been an IT Director for several companies, I commonly referred to any equipment or applications that I was responsible for as "mine." It doesn't mean I own it. It means it's my job to make sure it's up, available, reliable, and secure at all times.

      Sure you keep things up and running, but you're not making the products, or out there selling them. Therefore, your job is wholly dependent on your ability to let the breadwinners of the company do what they do best. If they find they feel more comfortable on an iPad, your job isn't to defend "your" network from an unsanctioned device. Your job is to make sure the device works, so that the employee who is generating the dollars that pay your salary and benefits can continue to do so.

      You're both right and wrong here. My job *is* to make sure the breadwinners can do what they do best. Now, please tell me how they can do that when the whole network's been taken down because Mr. Breadwinner brought in his shiny new doo-dad -- which got infected at home before it ever hit the corporate network -- and allowed an outside party to get in and screw everything up. Tell me how customers will keep using our company's services after all their personal data was stolen and sold on the black market after a compromised device was used to hack a server. Tell me how long our company will be in business after Mr. Disgruntled Employee wandered out the door on his last day with our complete client list, pricing data, project plans, etc. all ready to be turned over to the competitor he's leaving us for.

      It happens a lot more often than you think. Most intrusions these days are the result of compromised *internal* systems reaching out to external entities for command & control rather than nefarious outside hackers trying to ram their way through the corporate firewalls, DMZ's, and so forth. The *least* secure place on almost any network is the "inside network" where all the PC's, laptops, and shiny new doo-dads Mr. Breadwinner brought in live. The absolute dumbest thing any IT group can do is give carte blanche to folks who want to bring in any whiz-bang device they just happened to pick up at Best Buy last night.

      My job is to make sure *everyone* can do their job, not just the people in direct client-facing roles. Remember, even though *you* may bring the money in the door, Payroll pays *your* paycheck and benefits the same as it pays mine. If they're down, none of us gets paid...including you, Mr. Breadwinner.

      Because if the CEO comes in with a new device, I don't know about you, but I've never known it was an option to tell him "no, you have to go return that" if it was at all possible it would be made to work. And if their iPad or android tablet can work for them, it should be a no brainer that any other employee in the enterprise that requires remote email access should be able to use the same.

      Any reasonably-structured IT organization has a published policy or set of policies governing approved devices. These policies are enforced regardless of employee rank or position. If the CEO wants to violate IT policy, the CIO should vigorously object. Should the CEO insist, he may get his way, but the policy violation will be documented and the CEO will be held responsible for any fallout. This is enough to desist all but the most idiotic CEO's. There are regulations governing pretty much every major industry, regulations requiring something like a security policy with company-wide compliance. Violating this is a good way to get your business shut down, even if the violation never results in any breach (i.e. it's only discovered in an audit).

      The real answer h

      --
      In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
    14. Re:Wow, what a stupid post by mbkennel · · Score: 4, Informative

      "Well yes, but I think you're implicitly overestimating the typical cost of "resulting in regulatory fines or competitive disadvantage". When was the last time you heard of a company getting fined or giving data to a competitor as a result of a data leak from a lost piece of computer equipment? "

      Where I work, the prospective clients insist on various security audits of procedures in our company before they are willing to buy our products or share their data with us (necessary for the work we do). This is standard.

      Loopholes == losing huge deals.

    15. Re:Wow, what a stupid post by Archangel+Michael · · Score: 4, Insightful

      When you call it "my corporate network", you have defined yourself as the exact IT staff users complain about.

      Fine. When the CORPORATE network blows up, it isn't "mine", and I won't give a shit. How does THAT sound?

      "My Network" doesn't imply "ownership" as much as it does "complete responsibility", which is why TWITS like you don't get it. "My Network" is something that I take a great deal of pride in. It is MY responsibility, and therefore it is MY network. It is like the sales guys getting all upset when another sales rep "steals my client". It isn't your client, it is the company. That isn't YOUR desk, it is the company's. It isn't your office, it is the Company's.

      You get the point now?

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  2. Sour Grapes by MaskedSlacker · · Score: 4, Insightful

    Sounds like the article was written by a tool with no understanding of how enterprise IT works, and no grasp of what bringing alien, unknown systems into contact with critical infrastructure can lead to.

    1. Re:Sour Grapes by girlintraining · · Score: 4, Interesting

      Sounds like the article was written by a tool with no understanding of how enterprise IT works, and no grasp of what bringing alien, unknown systems into contact with critical infrastructure can lead to.

      Yeah... then there's my job, where somebody recently pushed out a GPO update that was supposed to make internet explorer "more secure" by preventing downloads. It's been five days now, and our company is at a virtual standstill... it's costing tens of millions every day, probably more. Bonus: I work for a major health insurance provider in the US.

      The problem is when you get people who just start adding restriction after restriction with no understanding of what it does not just to productivity and worker morale, but in some cases to the very applications they support.

      It's like how they've encrypted my whole drive and then added 3 antivirus scanners to it, running constantly... and now they're planning on upgrading to Windows 7. The only reason the system works at all is because it has 4GB to run XP ... and a couple web browser windows. It chokes on anything more.

      No, IT policy is often both foolish and stupid, and getting around it is the only way to get work done. Unless you don't care about that sort of thing, in which case, yeah... feel free to do nothing until they fire you and replace you with someone who does bypass the policies. IT has become like marketing that way -- sure, it's probably against policy, but if you want to make quota, you better ignore them too.

      --
      #fuckbeta #iamslashdot #dicemustdie
  3. Overhead by Scutter · · Score: 4, Insightful

    IT is overhead. It's a cost center. It generally does not generate revenue. Maintaining an infrastructure costs the company money. Every time you want to bring in your personal equipment, we have to figure out how to support it and that raises the company's overhead. Instead of making IT justify why we don't want to support your Widget Of The Day, why don't YOU justify to the company why you're increasing costs and then work to have that increase added to IT's budget so that we can actually afford to support your crap without having to divert funds away from things that the company has already approved?

    --

    "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
    1. Re:Overhead by jroysdon · · Score: 5, Insightful

      Except when your uber-important report or presentation or project or whatever is lost and when your laptop goes belly-up and you want to waste IT's time to try and recover it.

      Yeah, the problem is these folks want all the freedom and none of the responsibility for maintaining their own gear.

      How about when there is a lawsuit and all emails, IMs, etc., must be collected? Do you really want your personal laptop being inventoried for all of this? I think not. There is a good reason for a line between business and personal.

  4. Yea..but users don't make policy. by geekforhire · · Score: 5, Insightful

    I certainly understand that users want to use what is easy for them but they need to understand that they don't set policy. I listen to any reasonable requests and if they fit within our policy (or if it makes sense to change the policy to allow it) I will authorize their request. However, understand that I have been working in IT for over 20 years and know a thing or two that you probably don't. It's not a power trip, it's my job, it is what they pay me to do. Employees need to understand that it's not personal. If their request was denied I had a very good reason to do so. Get over it, move along.

  5. Welcome to Clueville, population: You by pla · · Score: 5, Insightful

    Seriously? We don't want uncontrolled portable devices on our networks because we don't control them. We can't force-install AV software (if it even exists for your favorite no-name phone/player/tablet/whatever), we can't even do basic cleanup of them without your cooperation.

    And that only describes them as a potential vector for attack. We also can't control who else has access to them, can't wipe remotely without your permission, can't keep you from leaving it, complete with the latest super-secret corporate strategy on it, in the bar at a random trade show.

    Dislike of portables has nothing to do with controlling you, and everything to do with controlling and protecting what the company pays us to - Their IT infrastructure and digital IP.

  6. Completely brain-dead by ErikTheRed · · Score: 4, Insightful

    It's the sort of stupid article you'd expect from an organization that is supposedly all about information technology, but is so backwards that they're endlessly pestering me to take a free subscription to their dead-tree edition. If their web site isn't even worth visiting for free articles, why would they think I want to spend the effort moving their magazine from my mailbox directly to the trash?

    --

    Help save the critically endangered Blue Iguana
  7. Dear GMGruman... by Richard_at_work · · Score: 4, Insightful

    Dear GMGruman,

    Go fuck yourself.

    Yours sincerely,
    Pretty much every sysadmin anywhere that's been tasked with providing IT services to keep a business running as productively and profitably as possible, in spite of people like yourself.

  8. Galen Gruman, you have trolled and I'm responding by onyxruby · · Score: 5, Informative

    All right, Mr Gruman you have trolled and since I'm one of your bad guys I'm going to respond and enlighten you:

    They want control, and users who want to choose their technology tools are apostates to be crushed.

    I have best practices that tell me to control these things that you want to let roam free. I also happen to have laws, and some of these laws have very large financial penalties or the possibility of jail time.

    Mr Gruman, how many attorney generals have you had conversations with after someone went ahead and did what you wanted done? I'm willing to bet it's not as many as I have had and that you've never had to deal with the results of your company making the international news because someone decided to bypass IT.

    When you come across an IT pro stupid enough to use the "toys" epithet, complain to your CIO. Send the IT person back and ask for someone who actually respects you. Marginalize and isolate these IT staffers before they do it to you.

    Your insight into how to play dirty politics to get your "Toy" into the office shows your complete lack of an understanding of how the enterprise works. Is your department going to pay for the budget for the time needed to support your toys?

    Instead, you hear the code phrases, involving "security," "governance," "compliance," "risk," and "efficiency." These code phrases (the middle three are often referred to as a group via the acronym "GCR") boil down to "if you do it, it will be bad; if we do it, it will be good."

    These code phrases are code for things like "multi-million dollar fines", "angry attorney generals", "class action lawsuits", "criminal negligence", "security clearance", "ethics", "privacy" and other such things.

    You see this is what happens when some petty ass whiny twit such as yourself goes to the CIO and says I want my toy and the IT department won't let me have it. The CIO comes to the IT department and says, "why won't you let this twit have his toy" and we're going to come back with something like "federal law, accountability, public relations disaster".

    You know what Mr Gruman, I have never, ever lost that argument. When you take into account that regulation is only increasing, the odds that I might lose that argument drop even further.

    Now Mr Gruman, instead you should try the tactic of saying "IT Department, I want to use this toy for business purposes and not just as a toy, can you please look to see if we can?". You might have a perfectly legitimate case, and it might be very reasonable to do what you want, but you have to ask so that we can see if we can do that without avoiding nasty code words.

    Just remember my code words can and have cost companies many millions of dollars when someone blew them off and ignored the IT department.

  9. I actually read the article... by Angst+Badger · · Score: 5, Insightful

    ...but I stopped counting how many times the author recommended trying to cost people their jobs for actually doing them after the third time. I'd like to offer something more insightful in response, but I'm afraid I'm left with "What a smug asshole."

    --
    Proud member of the Weirdo-American community.
  10. SOX Compliance by sycodon · · Score: 5, Informative

    And I'm not talking about Hanes.

    If you are dealing with the feds, then meeting the requirements of the Sarbanes-Oxley act is a fact of life. Failing to deal with the requirements can essentially mean the death penalty for the company because the feds won't do business with you if you are out of compliance.

    The Act essentially deals with setting up security and policies that prevent someone from being able to game the system. A Buyer can create a PO, but cannot perform A/P functions to pay the PO and cannot receive the product. Just a simple example.

    But in my company, many, many people got their panties in a twist when we started taking away their ability to do things and requiring them to abide by policies and procedures. It can be a big culture shock to small to mid size companies that grow into larger markets with the Feds.

    One of the biggest headaches was enforcing the use of standard cell phones and disallowing the storage of data in the phones. Anything that comes onto premises, had any kind of connectivity with the network and then left the premises is now tightly controlled and locked down. All the laptops have encrypted hard drives and even USB drives are automatically encrypted when they are connected if they are not already. If you have dealt with sales people, you know they don't like that one bit. Shit, I can't even install and use iTunes or any other mp3 players.

    So to the feds, this is a Big Deal and people can and have lost their jobs for trying to game the system because otherwise, the whole company could be dead, figuratively speaking.

    --
    When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    1. Re:SOX Compliance by AmiMoJo · · Score: 4, Funny

      Shit, I can't even install and use iTunes

      You can't really blame them for blocking malware...

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  11. Re:That's simply not going to happen in this decad by rabbit994 · · Score: 4, Insightful

    Maybe you have never worked with stupid requirements that Feds enforce but I have. This stuff is life or death to company. People can and will get fired instantly for breaking it. So like others have said, it's not that we want to impede the user, we have no choice.

  12. Re:That's simply not going to happen in this decad by ArhcAngel · · Score: 4, Insightful

    And if they get caught they will be fired...if they are lucky. Working around IT policies put in place to comply with government regulation for any reason looks suspicious. If the feds notice the results can be much, much worse. When I see violations to SOX or corporate policy I make it a point to inform the person violating the policy and their supervisor. I also send an email to my supervisor with the details of my observations and subsequent actions so there is a record that I did not turn a blind eye to the infraction. How it is handled from there is up to the person violating the policy and their superiors. I can't speak for other IT "dictators" but the way I look at it is if you get this office shut down it affects my job too @ss hole. As it happens I can see the old Enron building (now owned by Chevron) from my office. A constant reminder of just why SOX exists in the first place.

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K