Slashdot Mirror
Ask Slashdot: IT Personnel As Ostriches?
MonOptIt writes: I'm a new IT professional, having recently switched from a different sci/tech field. My first gig is with a mid-size (50ish) nonprofit which includes a wide variety of departments and functions. I'm the sole on-site IT support, which means that I'm working with every employee/department regularly both at HQ and off-site locations. My questions for the seasoned pros are: Do you find yourself deliberately ignoring office politics, overheard conversations, open documents or emails, etc as you go about your work? If not, how do you preserve the impartiality/neutrality which seems (to my novice mind) necessary to be effective in this position? In either case: how do you deal with the possibility of accidentally learning something you're not supposed to know? E.g. troubleshooting a user's email program when they've left sensitive/eyes-only emails open on their workstation. Are there protections or policies that are standard, or is this a legal and professional gray-area?
Yes
IT has access to everything and should read nothing. The content is just that, content. It doesn't matter
I treat everyone's email the same: I don't read it. I may see subject lines but I don't see the technical reason requiring you to read them. If it's a temptation, might want to re-evaluate your own professionalism.
The same with politics and gossip: keep it to yourself; do not participate. If asked a question, smile and decline to comment. Be polite and cordial but trust no one.
Basically: do your job and stfu.
Always remember that you are dealing, in your case where your internal customers are not IT savvy, that there is a reason why we refer to them as lusers:
1) They have no idea how to do what you do, and need you to help them perform even the simplest of tasks
2) What you do is so simple any moron can do it
3) Their son / brother-in-law / uncle, etc. is much more of an expert then you. They re-install Windows for them every six months, and made their system much faster by upgrading from a 512GB drive to a Terabyte drive as well as much safer by installing three, count them three different Antivirus products!
4)You are some kind of idiot, because you haven't done what their expert relative has done
I wish I was kidding. The reality regarding your question is that as an IT professional you will have access to said sensitive information. It will only make you jaded if there is good reason to be jaded. If there is good reason to be jaded, run don't walk to a better gig.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Read the System Administrators' Code of Ethics and take it to heart. Even if your job title doesn't include the words "system" or "administrator."
It's actually pretty easy to ignore the content of an email if you're focused on the email delivery process (mail server logs, the headers of forged/spam mails, things like that). Similarly, if you're doing FTP hosting or file drops for customers, you rarely need to dig into the content of the files themselves to troubleshoot upload/download problems. There are rarely reasons to dig into the content of whatever you're working on. It does come up, if (for instance) some piece of email has wacky malformed content that keep crashing the mail client, but IME those situations are uncommon.
I used to work at a mom-and-pop ISP, in a small town. Our customers included the local police and fire departments, City Hall, and most of the larger law offices and accountants' offices. Since we provided email and Web hosting (among other services), I certainly could have made some locals' lives very interesting. Hell, I had access to the email of everyone in my company, including that of the owners to whom I reported. I'll admit to having been tempted once or twice, but I'm proud to say I never abused my privilege.
You can never ignore office politics. You don't have to play the game actively, but you do need to be aware of what's going on around you, who is in what camp, what the major conflicts are. You have to cross battle lines regularly to do your job; you can't afford to be seen as a member of the 'enemy camp' by *anyone*.
As an IT guy you need people to trust you, which means you need to be ethical. If you see something you shouldn't know, don't go chattering about it.That kind of thing does get around, and you'll lose trust instantly.
Nothing's stopping you from making personal career decisions based on the information that you come across in your daily work. For instance, if you see that the company is about to be liquidated and you don't want to be around for the mess, by all means polish your resume and start interviewing. Just don't assume that just because you saw something you have the whole picture. You could end up feeling stupid when the private email you saw turns out to be a deliberate test of your trustworthiness. It does happen.
Keep your mouth shut about the things you see. Look after your career and reputation. Be aware of politics, but abstain from participating wherever possible. After a few years when you have trust and credibility, you can consider climbing the ladder a bit and playing the game - you'll have capital to spend.
As an IT professional, you will have access to data that regular employees don't. You keep your mouth shut and you don't snoop. Period. You only look at as much as you have to diagnose and fix problems; the details are irrelevant.
It's called "being professional."
Think of it as the equivalent of lawyer-client or doctor-patient relationships.
I do not fail; I succeed at finding out what does not work.
Never get involved with reading others' emails, documents, etc., that you are not required to be privy to.
Never ever let the temptation allow you to see others' performance reviews, salaries, politics. I've seen how it leads to telling someone else and then they become the go to person for information. And if the information is bad and they didn't share it, even though they had no idea, well, they didnt' say that there was a problem, the @$$#013! Hell, I've seen someone with access to the HR database pull up salaries of EVERYONE and share it out. "Oh, can you tell me how much Jason Mcboogerhead is making? What?!? I'm making $1k less?! WTF, time to march off to the manager!!!" [A manager who was stunned at the level of knowledge! AFAIK, no info was given out about how the salary info was found. I found out later when it was offered to me.]
Ignore any overheard conversations, it'll only be a couple of people talking, who knows the truth and what really is going on? You must throw out any info you "accidentally" pick up too. The obvious is the missing context of the info. As a manager, I've had other directors and managers openly talk about staffing, budget, bonuses, performance or lack thereof, in front of me. In all cases I threw away what I heard, after all, all I'm hearing is a snippet of a longer discussion. It's not my business to try to save John's job if he's pissed someone off, so I'm better off not worrying about it.
Sometimes I received a list of users to be locked out of their accounts. The only reasons to receive such a list is that they are being laid-off/let-go or in a heap of trouble. I never shared such a list with anyone. It was given to me, as a manager, in confidence. Keep that confidence. Even after the firing, I still didn't tell anyone, there's no point or net positive to be gained.
In another instance I was at a company that changed their HR such that you logged into a page, and it told you your salary, OT rates, etc. You could print your confirmation of employment for loans and such there too. But there was a bug. This bug allowed me to view everyone's salary, their bank account info and some other stuff in a nice neat chart. I immediately picked up the phone and called head office IT Security and talked them through the bug. They fixed it, phoned me back to test with me on the phone, thanked me and sent off a thank you cc'd to my manager, director, etc., praising my immediate response and "help" in fixing it.
What I didn't do was say, "Hey everybody, look at this!" and print it off, etc. Nor did I read further than a few lines and then remove it from my screen. To this day, I run into some of the higher-ups from then from time to time, they still remember me, who I was, only because of that email and that to them I was trustworthy.
It's not up to you to solve office politics, who said what to whom, or anything else. You are there to do IT. So do it and maintain your dignity and professionalism and just don't even think of looking.
You, and hopefully everyone else, will hopefully see that you are in a position of trust. You are trusted by many to keep secrets. If you can do that, it only helps your reputation. If someone can actually say you are trustworthy in your IT job then you've accomplished a lot and it only helps down the road when you want to switch jobs.
Vip
Ideally, but office politics is complicated. Sometimes making one person's life easier makes another's harder - teach the micromanager that he has the ability to add items to his underlings' outlook calanders, and said underlings are going to be annoyed. Sometimes people actually like their lives to be harder, for not-apparent reasons.
For example, having worked at a school in IT support, part of my job was to maintain the various measures used to keep the students away from games in lessons. Due to some sadistic tendencies, I have become quite skilled at this. New games sites appeared all the time, and were quickly blocked - often while a student was trying to use them. We watched their screens.
Until some of the teachers started acting very annoyed, and complaining about us interfering in lessons. Why would they do this? We were trying to make their lives easier, keeping the students from entertaining distractions so they would focus on their work. We were enforcing the usage policy, everything by the book. What we hadn't realised is that many of the teachers were well aware of the gaming going on in lessons, and turning a blind eye to the class clown. Games keep the disruptive student busy, and if he weren't playing the latest flappy bird clone he would just be jumping around the room, distracting his friends or demanding most of the teacher's attention. So when we stepped in to 'help' the teachers, we actually got in the way of a little trick of theirs by turning the silent non-working student into a class-ruining joker that kept everyone else from working too. All they needed was an excuse to stop us, and it wasn't hard to find one - they just argued to the boss's boss that we were performing 'classroom management,' a function that the union said must be the exclusive domain of teachers.
The way the workplace actually functioned differed from the way it actually functioned. By not noticing the unwritten procedure in use, we disrupted it and caused friction with another department.
We still block the games, of course. Teachers should learn to manage their students, not just give them an electronic pacifier. We're just a bit more subtle about it.
In my field, education, it's quite common for the IT guy to be the one with absolute access to more things than anyone else. Nobody else, not even the data-protection officer, or the people on the senior management team, or the people ultimately in charge of the school (the heads and governors) has as much access to information as the IT guy.
Senior-management team files, HR databases, etc. are part and parcel of the job. The web filter logs are generally very revealing and, hence, why I anonymise them by default (Usually squid logs - which only contain source IP addresses, which can only be correlated to a machine using the DHCP logs, which can only be correlated to a user using the Windows event logs on the AD servers - NOT something you can do accidentally, but also allows you to analyse, spot trends and find dodgy things without immediately revealing the source. When I come upon something that worries me, I go to my boss, ask permission to de-anonymise those records, provide them with my results. I've had to do it a couple of times and it turned out to be nothing, but I've also worked with colleagues who've spotted a paedophile on the staff that way and got them prosecuted).
Despite all that data access, tou don't look. It's that simple. If I'm asked to work on a confidential file or database, that's what you do. It's just data. What you see is just numbers and letters and then forgotten. You do not dig. Not only are there alerts and warnings for digging into certain things (and I don't want to KNOW what triggers those alerts or warnings necessarily, but I know that they are in place on the MIS databases, for example - I only trigger them when it's been part of my job to go into that part of the databases), but it's a matter of professionalism.
If I become "exposed" to salary details, or witness protection details (children in schools rarely have as simple a home life as they might at first appear to have), or that some child's father is a Colonel in the Army who's asked for his address details to be maintained private, or whatever... that's what you do. You're not there to suck up data, you just treat it like anything else and move on.
If I suspect illegal activity - there's a lot of activity you CANNOT ignore in a school - I'd go through the proper channels and report it however I'm supposed to. It came up as part of my job, it's not like I was snooping for it.
I *STILL*, fifteen years into my career, look away when I ask people to set their passwords. I don't WANT to know. I want the deniability if someone gets into their account to say "There is no way I could know their password, without triggering a reset of their account, which would lock them out and inform them immediately anyway". My boss keeps trying to tell me his password "to save time". I don't want it. With it, I could - in theory - change my own salary, or modify any amount of details. Chances are it would get picked up eventually but if you were clever enough, you could get away with an awful lot very quickly, or very discretely.
Hence, I don't WANT to know those things. I choose to forget them, unless there is a reason to immediately report them. I suggest you get into the habit of doing the same.
Long, long ago, early in my career, I spent about fifteen years in the non-profit sector.
You don't ignore office politics, but you don't take sides either unless there is a crisis brewing -- something illegal, highly unethical, or financially dangerous. When you work in IT, you're in a "support" position, rather than a "line" position. Your job is to support. So when there's a big pissing match between two line functions, your job is to support *both* sides.
Often this means documenting business processes that sort of evolved via the lava flow antipattern; 50ish is the size where things start to get out of hand, because it's the size where the amateurishly hacked-together processes that keep the organization running start to break down because everyone can't be aware of everything that's going on in detail, in real-time. Make it your business to understand what business systems (not necessarily computer systems) *accomplish*. That puts you in a position to offer a third way, the one that emerges as obvious to everyone once somebody has figured out what's actually going on.
It's supposedly hard to implement changes in non-profits because of the consensus-driven decision making processes, but I found that I could make that process work for me. Lack of understanding is a vacuum; presented with a clear picture people usually line up behind the obvious solution quickly. But you do have to do your homework. Never surprise anyone with anything in a meeting. Bring people up to speed with things you're going to say about their work *before* the meeting so they don't feel blind-sided.
In a crisis be prepared to do the right thing. If you're in a non-profit they're paying you below market rates, so you can do better elsewhere. There is no call for getting yourself sucked into something that offends your self-respect. I resigned one job because my superior (the COO) was doing things that were financially reckless and improper (spending without proper authorization). I informed the CEO in my exit interview. That was my solution to the problem of not getting drawn into a persistent pattern of dysfunction.
When you handle sensitive information, just ask yourself what is the professional thing to do? Be discreet. Resist the temptation to peek at data, and when you *do* accidentally learn something you're not supposed to know, disclose that to the responsible parties. Be trustworthy, and present a trustworthy face.
Finally, don't let them pay you far below the market rate for your services, and expect a really good benefits package, including 1.5x to 2x the vacation you'd get in a for-profit. Insist on the respect due a professional. Non-profits are full of young people who haven't learned that the IT guy isn't there to be kicked around when they're frustrated, and the fact that you're in a support position rather than a more glamorous line position doesn't make your work any less important.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
If a secretary with no professional qualifications can take minutes in a senior management meeting and maintain confidentiality about what was said there's no reason you, as a theoretically highly-educated IT worker, can't do the same about the content of emails you happen to read in the course of doing your job.