Slashdot Mirror


Why Your IT Department Needs To Staff a Hacker

First time accepted submitter anaphora writes "In this TED Talk, Rory Sutherland discusses the need for every company to have a staff member with the power to do big things but no budget to spend: these are the kinds of individuals who are not afraid to recommend cheap and effective ways to solve big company problems. This article argues that, in the IT world, this person is none other than a highly-skilled hacker. From the article: 'To the media, the term “hacker” refers to a user who breaks into a computer system. To a programmer, “hacker” simply means a great programmer. In the corporate IT field, hackers are both revered as individuals who get a lot done without a lot of resources but feared as individuals who may be a little more “loose cannon” than your stock IT employee. Telling your CEO you want to hire a hacker may not be the best decision for an IT manager, but actually hiring one may be the best decision you can make.'"

40 of 241 comments

  1. On Staff? by WrongSizeGlass · · Score: 5, Funny

    I don't need a hacker on staff. I'll just leave a few ports open, like FTP, Telnet, HTTP, RDP, etc. They'll find me and I won't have to spend a cent on payroll! ;-)

    1. Re:On Staff? by N!k0N · · Score: 5, Insightful

      I don't need a hacker on staff. I'll just leave a few ports open, like FTP, Telnet, HTTP, RDP, etc. They'll find me and I won't have to spend a cent on payroll! ;-)

      That's like expecting your car's security will be improved by leaving the windows down in a well-visited parking ramp in an area with no security cameras. No, you'll just get robbed, and likely the inside will be trashed because if there's one thing criminals love more than a free lunch, it's shitting on someone else's hard work for thrills. There aren't many real hackers left in the world... it's all assholes looking for cheap thrills or cash. Those of us who still do it to teach ourselves about how these amazing little boxes of wires and boards work and make them do nifty things for us are about as plentiful as 20-something aged stamp collectors.

      I believe "woosh" is in order.

    2. Re:On Staff? by virgnarus · · Score: 2

      So the moral of the story is: don't leave your lunch in your car, and keep the windows up so some jerk doesn't come around and leave a complimentary air freshener in your car's interior.

  2. Things must be slow at TED by Animats · · Score: 4, Insightful

    They must have had a slow day at TED and needed a talking head.

    1. Re:Things must be slow at TED by Anonymous Coward · · Score: 2, Insightful

      No,
      You all miss the point. The point, said in terms I speak, is that IT is a cost center in almost every company that has an IT department. By having a resident hacker, you have the ability to generate prototypes quickly, and switch IT from a cost center to a profit center. By doing this rapid prototyping, you have the ability to demonstrate to management the ability of IT to increase profit. This is a *good thing*.

  3. To some extent, yes by Thyamine · · Score: 2

    I can agree to a point. I certainly know people/places that just throw money at a problem. And I know that when systems are down and the customer is starting to panic, that I've come up with some interesting and very good solutions. However there are problems with always trying to solve solutions with 'hacks'. They become unsupportable, they fail in unexpected ways, and they make it harder for you to get a budget to do things you simply can't/shouldn't hack a solution together for. 'What, why do we need a SAN? Remember how you wired those netbooks together for our web farm! Figure something out for us. KTHXBYE.'

    But I do agree you need someone who can think creatively and not be locked into marketing speak anytime a problem comes up.

    --
    I will shred my adversaries. Pull their eyes out just enough to turn them towards their mewing, mutilated faces. Illyria
    1. Re:To some extent, yes by godrik · · Score: 5, Insightful

      I think the point of the original article is not to build your IT staff out of hackers-that-don't-shave-and-keep-swords-under-their-pillow. But having one in the corner that will recall you periodically that "we don't need a supercomputer, we can do it in excel" is sane for a team.

    2. Re:To some extent, yes by crazyjj · · Score: 4, Interesting

      I become very wary when the higher-ups start talking about fixing problems without spending any money. It's usually corporate-speak for "Do everything for nothing." Some things are WORTH spending money on. Some things you absolutely NEED to spend money on. And hacking together cheap solutions only makes it even more problematic when one of these situations arises (Expect to hear "Hey, why do you need a budget bump now? You did fine last year on next-to-nothing"). Corporate culture almost demands that you spend at least enough money each year to not shock the hell out of the boss when you really NEED it one year.

      Not to mention that hacked solutions tend to be a fucking NIGHTMARE to maintain over the long-term. Think about the day your "hacker" leaves and his replacement has to come in and try to figure out his predecessor's jerry-rigged mess.

      --
      What political party do you join when you don't like Bible-thumpers *or* hippies?
    3. Re:To some extent, yes by Anonymous Coward · · Score: 5, Insightful

      Agreed. Quality work is made by following processes and using checks and balances, not by trying to patch holes with someone who doesn't understand the whole picture.

      ...Wrong. I was called in as a hacker to a fortune 500 (at the time, but no longer) manufacturing company that had an emergency. Their WAN connection was down which took out their VPN connection to their corporate offices which housed a lot of their IT equipment. It essentially left them dead in the water. To the tune of losing about $100,000/hr (not including employees lazing about with nothing to do). Their proprietary firewall failed. The cold spare turned out to be dead. The firewall vendor said they could have one next morning at 8 AM. I told them I could have them back up in about an hour.

      One pfSense install later (and a call to corporate) and they were back up and running. Was it done with checks and balances? Approval all the way up the chain of command? A plan? A review? No. They simply said "Do whatever needs to be done and get it back online as quickly as possible." Done. At the next maintenance window, the pfSense 'hack' was replaced.

      In the context of the article, the 'hacker' needs to be your 'go to guy' when you are looking for a brilliant solution to a tough problem. (And I'm not saying pfSense was some sort of 'brilliant' solution--I'm saying that it was 'brilliant' and a bit 'magic' to the IT-types at this company....which is why they are no longer Fortune 500)

    4. Re:To some extent, yes by Tough+Love · · Score: 2

      What a hacker does not do, is produce a solution that will be easily maintained.

      Wrong, that depends on the hacker. To qualify as a great hacker, the hacks have to be good by this metric too. A lot goes into being a great hacker, but this much is always true: greatness is on more than one level.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    5. Re:To some extent, yes by sjames · · Score: 3, Insightful

      That's why you don't want only hackers. Just one or two. When they create the amazing solution, then you get the other staff involved in documenting it and creating procedures around it so that it becomes a formal solution. That's also where you decide if it's a stop-gap, a prototype, a permanent solution or an abomination to be replaced yesterday.

    6. Re:To some extent, yes by war4peace · · Score: 5, Insightful

      There's just one problem that comes with that, and it's called management expectations. I've been doing that sort of hacks for a while. Management says "we need an automated reporting application that gathers data from 5 different sources and displays nicely formatted reports on a web page, 24/7, every 15 minutes, but we don't have a budget for that sort of thing". I got an old desktop, installed Apache, installed an Office suite, created some VBA code that did all that. The reports were displayed best in IE only; under FX, the colors were a bit garbled but oh well, it was a quick hack. Right?
      Wrong. Management wanted FX compatibility. I talked them out of it, but it took me longer than actually writing the damn code in the first place. Then they wanted historical data, so I expanded my script to do that. Then they wanted e-mails to be sent to them automatically because they were too fucking lazy to check the damn webpage. Then they wanted 2 more data sources included in the consolidated reports. Then they wanted reports customization.
      We have a saying here in my country which sounds like this: "You can't make a whip out of shit and expect to crack it". But management expected just that. There's a pretty thick line between aiming for more and being flat out ridiculous. And needless to say, I am not a programmer and have never been one; my job was different but I took this project to see what I could accomplish.
      That's the problem right there: you do something with nothing and then they expect you to do just that and more of it indefinitely. So good luck in hiring a "just get shit done" guy. It's good to have one. But the temptation to abuse him is high and most management level dudes have no clue when they cross the line.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    7. Re:To some extent, yes by SuricouRaven · · Score: 4, Funny

      This is why Scotty always padded his time estimates.

    8. Re:To some extent, yes by CodeArtisan · · Score: 3, Insightful

      Agreed. Quality work is made by following processes and using checks and balances, not by trying to patch holes with someone who doesn't understand the whole picture.

      ...Wrong. I was called in as a hacker to a fortune 500 (at the time, but no longer) manufacturing company that had an emergency. Their WAN connection was down which took out their VPN connection to their corporate offices which housed a lot of their IT equipment. It essentially left them dead in the water. To the tune of losing about $100,000/hr (not including employees lazing about with nothing to do). Their proprietary firewall failed. The cold spare turned out to be dead. The firewall vendor said they could have one next morning at 8 AM. I told them I could have them back up in about an hour. In the context of the article, the 'hacker' needs to be your 'go to guy' when you are looking for a brilliant solution to a tough problem. (And I'm not saying pfSense was some sort of 'brilliant' solution--I'm saying that it was 'brilliant' and a bit 'magic' to the IT-types at this company....which is why they are no longer Fortune 500)

      Sounds like you're wrong about processes. Many people assume a process == bureaucracy. In all the large companies I have worked with, what you describe is covered by an Emergency Fix process, which basically will let someone dive in and fix things as quickly as possible without the usual chain of command overhead. However, once in place, there will be checks and balances applied after the fact to ensure the implemented fix won't cause any security/maintenance/performance etc. issues in the future.

    9. Re:To some extent, yes by TheSpoom · · Score: 2

      If the client is being shady with long term expectations of a software product they're paying you to build, you need to either make them let you participate in the planning, or find another client. There are software companies out there that understand why scope creep is a bad thing.

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    10. Re:To some extent, yes by hairyfish · · Score: 2

      $100k/hour, cold spare dead, NBD replacement... the problem isn't the lack of a hacker, more than likely these types of operations are caused by a team of guys who think they're hackers and don't need to follow proper process. Any system that generates $100k/hour should have fully tested and monitored resiliency with tested and available contingency. The solution to cowboys isn't more cowboys.

    11. Re:To some extent, yes by pnutjam · · Score: 2

      I agree, I am always careful to document the open software and standards I am adhering to. In my mind it always looks straightforward and I have maintained systems for years. Unfortunately once it gets turned over to someone else they always have maintenance problems, usually because they cannot understand the process no matter how much training I provide.
      However, I see this with commercial solutions also. Either the new guy can't understand the current stuff, or he needs to mark his territory by replacing things.

  4. Just don't call them a hacker by crazyjj · · Score: 2

    To the general public, the term “hacker” refers to a user who breaks into a computer system.

    FTFY.

    Best not to go to your boss asking to hire a "hacker." And I sure wouldn't use that term in writing.

    --
    What political party do you join when you don't like Bible-thumpers *or* hippies?
    1. Re:Just don't call them a hacker by SJHillman · · Score: 3, Insightful

      That's because the general public informs the media. It's like a game of Telephone, in which each link further from the source is more convoluted than the previous link.

      Subject Area Experts >> People that work with the experts or have intermediate experience in that field >> enthusiasts/hobbyists >> selective public that will read an article on the topic from time to time >> general public that "knows a guy" >> media who gets it from a "guy who knows a guy" or reads a blog by "a guy who knows a guy" >> ... ad infinitum ... >> politicians

    2. Re:Just don't call them a hacker by geminidomino · · Score: 4, Funny

      but B.A. Barabbas

      Is he the one who pities the fool who put Jesus on the cross?

  5. Re:I can't be the only one... by YodasEvilTwin · · Score: 2

    It might result in a lot more "debugging" than you want. STDs are bad, mmkay?

  6. There's a balance by grasshoppa · · Score: 4, Insightful

    I'm a big fan of standardized solutions from a name big enough to provide consistent support. That said, sometimes 2 hours spent writing a script is cheaper than 20,000 spent to your vendor to accomplish the same thing.

    It's a balance, and it's up to the manager to determine the best financial choice.

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
  7. Bullshit by holmedog · · Score: 5, Interesting

    One of the most annoying things I deal with at work is people who think they are "hackers". The best and brightest people follow the rules - that's why they are the best. They break the rules in great times of need. When a project blows up on the weekend and we are going to miss an SLA, etc.

    The idea that you want to work with someone who spends their time trying to half-ass things to save themselves time is not only stupid, it's completely the opposite of what you want in a professional environment.

    "Hack" in your spare time. Enjoy it, have fun. I know I do. My home-grown projects have none of the constraints my work does. But, don't do it on my company time.

    1. Re:Bullshit by Bob9113 · · Score: 3, Interesting

      The best and brightest people follow the rules - that's why they are the best.

      Following the rules is orthogonal to greatness. Joan of Arc, Steve Jobs, Richard Feynman -- not big on following the rules. Alan Greenspan, Warren Buffett, W. Edwards Deming -- big rule followers. Each extraordinary in his or her own way.

  8. BURN THE WITCH! by girlintraining · · Score: 5, Interesting

    You're joking, right? A hacker is, by definition, someone overqualified for every job where the dress code includes the word "business" in its description. Why the hell would someone like that want to work for peanuts, creating miracles out of thin air with no budget? Because they find it challenging? Bitch, please -- we want to get paid, and if I'm working for a place that values IT so little they can't even come up with a budget for things that would (by your own definition!) render improvements to their infrastructure, what are the odds of promotion? A raise? Benefits? Answer: Zilch. Nothing. Nodda. Zero.

    I know it's an unrelated field, and some of you will probably laugh, but when I was in school for graphic design (I already know enough for a degree in IT), one of the things my first teacher told me is: Don't work for free. You're not going to get any exposure, leads are worthless, and charity work doesn't get the bills paid. As a graphic designer, most of us are self-employed and it's essential we know to the nearest half-hour mark how long a project is going to take in billable hours. We need to make our own budget for every project, and everyone and I mean everyone is looking for free work or thinking they can do it themselves with photoshop.

    IT is approaching the same commoditization of labor -- Many of us are "contractors" already, but eventually people are going to wise-up and become self-employed because contractors are paid shit and treated as such. Be ahead of the curve people: Don't work for peanuts, and if someone says "there's no budget for what you do," take the hint and move on.

    --
    #fuckbeta #iamslashdot #dicemustdie
  9. Every IT department needs an English major, too by sandytaru · · Score: 4, Insightful

    Someone who has coding chops but whose happy place is 50 pages deep in documentation.

    --
    Occasionally living proof of the Ballmer peak.
  10. Me? by SJHillman · · Score: 2

    I suppose I'm my department's hacker. One of the more fun things is I've begun repairing touchscreen wallmount PCs in-house rather than sending them out for repair at $350-$1000 each. A shame the money I save likely won't be rolled back into my salary.

  11. Re:Quite obvious for security reasons by SomePgmr · · Score: 5, Insightful

    It doesn't sound like that's what they're talking about.

    I think they're talking about the "I'll just get shit done where it needs doing, by whatever means I feel most appropriate" type worker. In my work experience, that guy is usually the one that is just an OK programmer, but the only one in the building that actually knows how to work on his machine, too. He probably also doesn't much mind office politics because he'll blow right past it and deal with any fallout when the problem is solved. He may or may not have read the manual. He's the practical person more than the academic, if you're brave enough to stereotype like that. ;)

    You wouldn't believe the supposed "really great programmers" I've seen that just throw their hands up when something goes sideways on their workstation, or sit on their hands for days over a management dispute. They're there for one job, to write textbook quality code for a single project, collect the paycheck and be out the door at 5:01 unless someone insists that he stay. That's it. If anything else happens that complicates that arrangement, it's like a train derailment.

    I know, I'm being a bit obtuse about the difference where there's a million shades of grey... but it's something I've seen a lot and I agree with the general point.

  12. Re:Quite obvious for security reasons by St.Creed · · Score: 4, Insightful

    True enough. If you really want to hire one, though, replace the name "hacker" with "troubleshooter" or "all-round developer". Management can understand why you would want to hire a troubleshooter, as opposed to a hacker who "just makes trouble".

    --
    Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
  13. Instead of a highly skilled hacker by houghi · · Score: 2

    why not go for the socially skilled hacker? You know, one that is not thinking that the company is there so the IT department exists.

    I know, many will say that without IT the company would not exist. Well, that goes for any other department as well. If the company could do without them, they would not exist.

    --
    Don't fight for your country, if your country does not fight for you.
  14. Re:I can't be the only one... by St.Creed · · Score: 2

    Always use antivirus and firewall while debugging :)

    --
    Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
  15. Re:To another extent, no by Tough+Love · · Score: 2

    Where I work "hacker" is a derogatory term for coders who write non-maintainable solutions.

    Must suck to work there.

    --
    When all you have is a hammer, every problem starts to look like a thumb.
  16. Re:Quite obvious for security reasons by ArhcAngel · · Score: 4, Interesting

    You just described the job requirement for a trade floor tech. I've been working in the trade support role for ~10 years and that's exactly what we do. On a trade floor where seconds count management doesn't care if you skirt company policy to get a problem solved in the shortest amount of time. IT can address the issue formally post trade close. Corporate IT doesn't always get the urgency with these environments and explaining to them why you need the firewall turned off because it just went postal and started blocking the main trading hub isn't likely to get you anywhere.

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
  17. Re:Quite obvious for security reasons by element-o.p. · · Score: 2

    What you describe is what I call the "Just get it done" attitude, and it's one I've personally had for a very long time. People with this attitude sometimes do get themselves in trouble (I know I have) but they're also the guy who can pick something up and poke at it for an hour or two and produce a result, which is a useful skill to have, particularly if the shit hits the fan.

    There are a couple of problems with this type of person, and to be clear, I tend that direction myself and fortunately, so does my boss. I've seen cases where we've built circuits on a verbal request, but then the service orders never get put in and the customer never got billed. I've seen cases where we got a project 75% complete, but then the customer pulled the plug before there was a contract signed, or the requirements were changed so that we had to start over. I've seen cases where what was documented and what was actually built were two entirely different things. And I've seen cases where a union was in a pissing match with...someone, I don't actually know who...and they got their collective boxers in a wad and grieved a bunch of guys and their managers because on the day that the order was due for a customer (after a month wait), they still hadn't even strung the CAT-5 in the data center, so a bunch of my coworkers just went in there and did it themselves.

    I'd still much rather work with a "just get 'er done!" type than the typical bureaucrat, though!

    --
    MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
  18. Re:Quite obvious for security reasons by sycodon · · Score: 3, Informative

    "To a programmer, “hacker” simply means a great programmer. "

    I've been doing this since 1986. I have never, ever heard anyone, in a large company (10,000+) or small (11) one, call a great programmer a hacker. I have heard them call "hackers" irresponsible, self-important jerks who have little regard for the fact that a company will outlive the brief time of their employment and that those who follow will have to deal with their non-standard, obtuse, "brilliant" way of doing things.

    It's not about You, it's about providing the infrastructure for the company to do business in a reliable and predictable fashion. All of the safeguards and practices developed over the years to provide stable systems, delivering accurate results argue implicitly against the romanticized definition of a hacker and certainly against the reality of your average hacker.

    --
    When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
  19. Re:Quite obvious for security reasons by SuricouRaven · · Score: 4, Insightful

    There is a difference. The hacker is an expert in haste and improvisation. When the network is down due to a failure of a nonredundant fiber interface, the troubleshooter is the one who leaves everyone working on pen and paper while a 24-hour urgent delivery of a new SPF is arranged. The hacker is the one who is trailing ethernet cable out of the window on the top floor and back in on the bottom to make a quick-and-dirty workaround that'll have the network somewhat operational again in fifteen minutes.

  20. Re:Quite obvious for security reasons by internerdj · · Score: 2

    In the moment of crisis, they are a lifesaver pushing your software out moments before you piss off the customer. Of course, they are also often the reason you lost three weeks of development time chasing a bug in undocumented code that isn't in the repository and they don't remember writing.

  21. Over generalization yet again. by jklovanc · · Score: 2

    To a programmer, “hacker” simply means a great programmer.

    I have been programming for over 20 years and my definition of a hacker is someone who writes quick and very dirty code to fix a specific issue for a short period of time. In my experience hackers have a tendency to leave behind fragile, undocumented code that may or may not work in the future. Some hacks stand up over time but most fall down when run long enough. All hacks need to be eventually documented, tested and approved before they become permanent parts of the code base. The worst thing that can happen is to come across a hack a year later and no one knows what it does or why it is there. In my experience most hacks need to be replaced as soon as possible.

  22. Re:Quite obvious for security reasons by grcumb · · Score: 2

    There is a difference. The hacker is an expert in haste and improvisation. When the network is down due to a failure of a nonredundant fiber interface, the troubleshooter is the one who leaves everyone working on pen and paper while a 24-hour urgent delivery of a new SPF is arranged. The hacker is the one who is trailing ethernet cable out of the window on the top floor and back in on the bottom to make a quick-and-dirty workaround that'll have the network somewhat operational again in fifteen minutes.

    I beg to differ. The REAL hacker is the one who's been running on their own clandestine ethernet (possibly Internet) connection quietly for weeks or months, and simply turns it on for the rest of the company the moment he sees a connectivity problem. And that's ten minutes before anyone else realises what's happening.

    At least that's what I'd do. (Hi, Boss!) 8^)

    I have a problem with the 'no budget' part of the assertion, though. It doesn't have to be a lot, but a good hacker does need enough discretion to spend a little money from time to time on 'useless' things like that extraneous ethernet cable or a network-enabled KVM that isn't strictly necessary but sure comes in handy when a server stuffs in a way that nobody can fix, or a 3G modem with a decent data plan that allows him to back up his music collection^W^W^W^Wmonitor mission-critical backups from the road. Most importantly, the hacker-in-residence needs to have discretion enough to contract outsiders from time to time to do little needful things that he can't be arsed to do himself.

    Likewise, the real value of a hacker is someone who has management's ear. It's one thing to be the friendly, half-mad hermit living in the cave that nobody visits until they need a Ben Kenobi; it's another thing entirely to be able to explain in clear terms to the CEO that while this Enterprise Solution will indeed increase synergy, maybe they should just use this $2 hack running on PostGRES on a 3 year old server until such time as the company figures out what its requirements really are.

    (P.S. In case it escaped you, I am my organisation's hacker. I don't have a lot of budget, but I do have some. And I have real authority, though I don't tend to exercise it for its own sake.)

    --
    Crumb's Corollary: Never bring a knife to a bun fight.
  23. Re:Quite obvious for security reasons by Floyd-ATC · · Score: 2
    This.

    That said, when management decides they can just keep using the quick-and-dirty cable out the window solution instead of paying for something proper they will soon get into trouble. When I took over the network at my workplace after about 10 years of symbolic funding, there were flat layer 2 networks spanning some 120 WAN sites over 480 square kilometers using multiple radio hops and FreeBSD based tunnels for encryption. Very cheap, very clever... and very useless for getting any actual work done. When management finally woke up they had to spend a LOT of money to rebuild everything from scratch, a process that has taken three and a half years and still isn't finished.

    Every company needs a hacker, but they also need someone in charge with enough technical insight to know when to let loose that hacker and when not to.

    --
    Time flies when you don't know what you're doing