
IT Departments Fear Growing Expertise of Users

flatfilsoc recommends a long article in CIO magazine on users who know too much and the IT leaders who fear them. Dubbing the universe of consumer technology the "shadow IT department," the article highlights the extent to which the boundary between users' workplace and home has broken down. It notes the increasing clash — familiar to anyone who works in a company with an IT department — between users' home-grown productivity boosters and IT's mandate to protect corporate data. The inherent tendency of the IT department to want to crack down and control technology that it doesn't supply should be resisted at all costs, according to CIO. The article outlines strategies for co-existence. It just might persuade some desperate CIO somewhere not to embark on a career-limiting path of decreeing against gmail and IM.
  • by 955301 ( 209856 ) on Tuesday February 20, 2007 @04:51PM (#18087210) Journal
    What, you mean like when I brought my own google search appliance to work at my last job because the corporate intranet search capability blew chunks?

    IT lost this fight when the USB memory stick became popular. Besides, no matter what they do, they can't stop me from creating a knoppix cluster from my coworkers pc's after they all leave for the day.

    But I did always wonder why more departmental firewalls were present in all the places I've worked. I mean, does the CTO's pet project development team really need access to the production CRM cluster?
  • by doormat ( 63648 ) on Tuesday February 20, 2007 @04:54PM (#18087254) Homepage Journal
    As a software developer outside of the IT department (I'm under direction of the Engineering group), I get this all the time. I get the run around, exclusion from important meetings, no say in things I have a large stake in, put at the bottom of the priority queue, and sometimes even people working to throw roadblocks in my way.

    I've always been a fan of decentralized IT - a core group working to "keep the lights on" and separate groups providing services embedded in the groups they're providing services to, responsible to the managers of the groups who use the tools. Meetings still happen with the needed staff, but someone is a few cubes down the hall or at least on the same floor to answer questions and get feedback.
  • And why not? (Score:5, Interesting)

    by Realistic_Dragon ( 655151 ) on Tuesday February 20, 2007 @04:54PM (#18087262) Homepage
    I would be 7 kinds of mad if anyone was using gmail and IM in my office.

    We work with NATO restricted data. *Everything* requires appropriate handling. E-mail is carefully fenced and the IM service is encrypted.

    But even if you aren't a company with such a strong need for data protection... well actually there is no such thing. At the very least you have financial data and client information on your systems. Losing some of that stuff is considerably more harmful than restricting people to company provided communication tools.

    Anyone placing data that hasn't been cleared for release (even by the very informal process of being sent out on purpose) onto services run by people with whom you have no contract and no reasonable expectation of integrity is, frankly, no better than the idiots who don't back up their data and are then surprised to find out that MTBF is not a guarantee. After all if your employees are using gmail et al you don't even know what data you *have* let alone what steps you need to take to protect it.
  • by russ1337 ( 938915 ) on Tuesday February 20, 2007 @05:07PM (#18087442)
    For a moment I thought you were talking about me....

    But seriously. My IT department guys were kind enough to give me admin privileges on my workstation and on my colleagues' workstations in my department. I didn't ask for it, but they obviously trust me to some extent and I've built that trust over time. I'm not a sysadmin and have never been one.

    It could have something to do with the fact I'm overseeing a highly technical project involving setup of IT systems of sorts. This leads me to the same problem the article mentions. Our system must stay isolated from the world - physically and connectively (no inter-tubes for you!). The problem is its users 'think' they know better and think it's ok to put in a CD, or plug in a USB drive to play MP3's or whatever because they can at home. (I don't think I need to tell /.'ers of the dangers of CD's after the Sony rootkit debacle). Of course we've removed all accessible means in - CDROMS/USB slots etc... and have some very harsh rules. But still, it's only a matter of time before I walk in and find some guy with his mp3 player hanging from a machine, or installing something unauthorized... because they thought they knew better.
  • by bhmit1 ( 2270 ) on Tuesday February 20, 2007 @05:10PM (#18087506) Homepage
    I've been a user that is locked into crazy setups. The traveling consultant at client sites whose PC is set up to be managed from the corporate network. At one point, I got tired of the insanity, took a ghost image of the machine they gave me, and installed linux on the machine (and then restored the ghost image in a vmware session).

    But here's the thing, I don't ask for support from the IT department because I'm the odd guy. I know they can't support me. What annoys me (as the one who helps other IT departments manage lots of PC's) are the people that install various applications that cause our automated installs to fail. 90% of the machines are managed with little to no effort. It's the 10% that cause days of work while we try to figure out which of the 20 apps you installed is breaking our install tool.

    And for all those against IM and email lockdown, I've been to trading companies where that's the law. They get in trouble when they don't have logs of what people said on IM, email, phone calls, etc because that's how they catch insider trading. Of course for every sensible rule, I've seen 10 that make no sense at all. As has been said before, the USB key should force companies to reevaluate their policies.
  • by Junior J. Junior III ( 192702 ) on Tuesday February 20, 2007 @05:18PM (#18087652) Homepage
    We should love smart users. If they come up with their own solutions to problems, they're de facto developers. If the business is run well, good workers will succeed and advance while poor workers fail and leave the company. In time, we'll have evolved a class of competent users, even experts, and have application development in the hands of everyone, along with the skillset to actually make decent software. It's a long way off, and maybe a pipe dream, I know, but don't squash the dream. Please.
  • IT Titles and IT BS (Score:3, Interesting)

    by umbrellasd ( 876984 ) on Tuesday February 20, 2007 @05:32PM (#18087902)
    Worked for 3 years as a business analyst at a health insurance company. I came from 6 years of IT background and we developed IT solutions in the business group. This was a general trend of consolidation where there was more leverage to have a person that understands the business as well as technical side and cut down the overhead between the two groups.

    At the company, many of the users were technically savvy, and more importantly, the process associated with IT was prohibitively complicated. It would take too long to get an IT project approved, and so people would use readily available tools (Excel and Access were the big ones) to develop solutions that met the need.

    I'm sure everyone knows that in the health insurance industry, data privacy is extremely important, so yes, the IT department had some valid concerns about meeting government regulation, but to be fearful of an educated and motivated user that needs something and is willing to invest their time to get it...that's stupid.

    This type of alarmism is your typical FUD that arises when a bunch of established people get jittery about where their paycheck will come from when they feel that someone is threatening the usefulness of their job by doing the things that they used to do. I have one response to that.

    The model-T Ford.

    Yes, all those horse and buggy people were pissed. The smart ones just rolled with it and became mechanics and made fortunes in the automotive industry. And here, too, all that is really required is to say, "OK, what are the new services that we can provide now that we have successfully built tools easy enough that the end-user can use them productively for basic development and analytic tasks?" Guess what? There will be many more jobs that grow out of millions of educated users all over the world learning to use Excel and Access, etc.

    At the health insurance company, what I could clearly see that our VP of IT could not, was that the efforts of our business people were doing an amazing job of forcing the IT process to become more efficient and less complacent. In other words, it demanded that IT actually earn their paycheck, and that IT explore the new responsibilities that they could take on with their considerable technical skills, in order to better serve a new and more educated customer (technically knowledgeable business users).

    Fear arises because people are God damn lazy. "But I like doing what I've always done. Doing new things is hard. I have to actually learn to do new things. Oh, I just can't possibly see what we will do now that users can do things with data. Oh, why! Why did we give them a power tool that empowers them to go to Home Depot and then renovate their house themselves, oh why???" Well carpenters haven't gone out of business and neither will IT people...not the proactive ones at any rate.

    The tools will get better and the end user will be able to do more, which means there will be more new business requirements that need specialists to assist the business user, and so on. It's been this same process for generation after generation, and every time there are a bunch of alarmists crying doom, and every time new opportunities arise from the changes and the economy experiences a net positive growth.

  • by 99BottlesOfBeerInMyF ( 813746 ) on Tuesday February 20, 2007 @05:35PM (#18087956)

    The simple fact is most users think they know what they are doing, but they lack the skills to adequately assess the risks of their actions. That is why they need to have rules around acceptable use and security policies to protect them from their own idiocy.

    Where I work is probably not representative of the industry as a whole, but IT and their policies result in less security and functionality than letting the users run amok. We started out as an engineering organization, a start up. Think a couple of network engineering experts and a few security guys. Add in a hundred more coders and 100 more business people (selling security tools). The engineering half of the organization goes out of our way to bypass IT as much as possible because they were hired by business majors with no clue. They implement things like an exchange server, Windows desktops, and an intranet Web portal that cost a fortune but only works in IE (engineering desktops run OS X, Linux, or a BSD). We actually (with no official IT on our side) maintain our own mail and IM and Web and fileservers.

    Now if this were an isolated case I might be willing to say, yeah that never happens, but this is about the 3rd place I've worked where IT was a bunch of clueless people that knew how to set up Windows servers and basically nothing else. Within the security industry, IT is often the weakest link.

    Note, some IT people are versatile and brilliant hackers that can put together a secure server from spare parts and OSS and fix my weird networking issues. Hail to them! Would that they were the norm in my experience.

  • by pla ( 258480 ) on Tuesday February 20, 2007 @05:36PM (#18087970) Journal
    IT's mandate to protect corporate data

    Here we have the single point that makes this entire FP one big strawman...

    Yes, IT takes some measures to protect corporate data, both from inappropriate access, and from erroneous (or malicious) deletion.

    The bulk of this "clash", however, involves two points - Maintainability, and the difference between personal and corporate liability.


    Maintainability... Given a network of dozens, or even hundreds, of users, homogeneity means everything. If it takes an extra 15 minutes to solve a five minute problem because each user has their own bizarre configuration and preferred tools, you've wasted three quarters of my time vs just using the tools provided. And speaking of "provided", IT simply doesn't have the time to check each and every machine daily for pirated software. "Oh, but just fire anyone that has pirated software"... Yeah, sure, at up to 50k per violation and the need to replace a presumably qualified (if careless) employee - Not an option as a default policy.

    And I haven't even mentioned that people expect support from IT on anything and everything they can find on their machines... Guess what? I don't know everything. I can fix and teach Outlook, ThunderBird, Netscape, Eudora, Calypso, Elm, Pine, and perhaps a few dozen clones thereof, but I still won't have a clue how to fix your problem with FooMail; and even if it works similarly enough to one I do know that I can walk right through it, I won't know that until you've already wasted the time it takes me to visit your office (times two, since presumably neither of us will get anything else done in the meantime).


    As for liability, take the GMail example... In many companies (anything healthcare related, anything publicly-traded, and just a good idea in most cases) you have legal minimum retention times for email; On top of that, since those emails count as a liability, you want to enforce that same period as a maximum retention time as well. GMail makes both impossible - You can't guarantee the legal minimum, and you can't automagically delete mail after that time. For that matter, you can't even guarantee that you'll ever again have access to a terminated-for-cause employee's email five minutes after security escorts them out.

    You also need to worry about the motivation for using third-party email... If a company provides its own email server with no unreasonable content or size filtering, why would employees use GMail for work-related material?

    The same applies to IM (though admittedly far fewer companies host their own IM than host their own email).



    I (and most IT workers) don't seriously give a rat's ass what you do on your office computer - Your productivity only matters to you and your manager. I really don't care if you want to play Solitaire all day long. So this has nothing to do with control. But when I get reprimanded (or worse) for letting a random user get the company fined tens of thousands of dollars or under criminal investigation for unknowingly hosting kiddie porn, yeah, you can bet the farm I'll choose "lock your machine down" every time.
  • by fitten ( 521191 ) on Tuesday February 20, 2007 @05:40PM (#18088056)
    Yup. Back when I was entering college, it was... interesting (back in the 80s). That was when programming was starting to be seen as a viable job opportunity and many people were signing up for CS simply because of the opportunities that were thought to go along with it. I met a number of people in my first CS classes that had only seen computers on TV and maybe in stores. I met a few that had never even seen them in real life (only on TV). Most of those folks bailed out early but some stuck to it because of the expectations of the pots-o-gold that would be showered on you once you got your degree.

    This was mind-boggling to me as, even at that time, my friends and I had been learning about computers on our own for a number of years (yes, we were the ones in highschool who were 'assistants' to the teacher in computer classes... mostly because our teacher was smart enough to know that we probably knew more than he did so he asked for our help rather than try to prove that he knew more than we did).

    This carried over into work where many of the people who were actual programmers at the time were amazed at this group of people coming in who actually had computers at home and actually did things with them at home. Seeing us basically live-and-breathe computers frightened them because we kept up with (and devoured) any and all tech releases, both hardware and software, because we *love* it, not because we were required to do so for our job. For us, computers were a huge part of our life because we enjoyed them, not because we had to work with them. I know of several of those programmers who actually left the field to go do other things (or simply retire) because they were afraid they couldn't compete with us (more than one actually told me this personally).

    The trend of people thinking themselves computer experts because they could send/receive email and surf the web has only increased as computers became more popular and more and more people had contact with them. Heck, these days, I've seen people who have problems sending email try to diagnose and 'fix' computer problems for others who know even less than they do.

    It's actually fairly interesting... as OSs get more and more stable and more like set-top boxes, the more users will become strictly users (and rightly so) and less prone to doing more than installing software or maybe something as complicated as a new DVD, HDD, or more RAM. This means that fewer people will really be able to dig around inside a box and figure out what's wrong but it also means there *should* be less reason to do so (barring a hardware failure, they shouldn't have to do more than install/remove software and maybe click a button to allow OS updates to happen). I can easily see IT getting more hardware oriented and less software oriented over time because of this.
  • by garcia ( 6573 ) on Tuesday February 20, 2007 @05:58PM (#18088296)
    I'm a fairly knowledgeable computer user with 10 years of Linux experience on top of the standard Windows use since 3.1. When I have an IT problem I play stupid, real stupid. You know why? Because the second they think that I'm self diagnosing a problem it becomes priority 0.

    When I called up to tell them that my co-workers computer was denying Groupwise proxy rights via a VBA Access module for a single proxy account and not any others, they ignored me for *four weeks*.

    When I call up and say, "my computer doesn't work" they show up in minutes and do whatever it is that they need to do.
  • by 99BottlesOfBeerInMyF ( 813746 ) on Tuesday February 20, 2007 @06:39PM (#18088892)

    You sound like you have an IT department that is run by the muppets (wrong 1)

    From what I've seen, this is about 85% of IT departments, who think Windows is all there is and wouldn't know real security if it bit them.

    Your team then go and implement IT solutions that are outside of your mandate and that do not follow corporate standards or processes (wrong 2)

    It's not so much that we go outside our mandate, we just keep using resources that were set up before we had an IT department because they work, unlike the servers set up by IT. We go through normal channels to purchase new servers and the like, the problem (or benefit) is when they need fixing we don't call IT, we see who is on IRC that happens to have an admin account on that server (usually whoever set it up and one or two other people).

    Have you and your guys introduced more risk to the business because of your actions?

    I'm not sure this is true. Does keeping a lot of engineering data only on our internal, well protected apache hosted wiki reachable only via a VPN tunnel mean the company has more or less risk than if we all used IE to connect to some god-awful active X filled publicly reachable Web portal?

    Possibly, however I doubt you can substantiate that without being part of a corporate risk assessment, which you can't do when flying below the radar.

    I'm not sure much flies "beneath the radar." We sell really expensive network intrusion detection and prevention applications and we run them internally and everyone has an account. The last time a virus got into our network everyone got an e-mail notification it had been detected and isolated and we made fun of the sales engineer for a week. The last time I had a poorly configured e-mail account that was trying both encrypted and plaintext communication with a server, I got an e-mail about it within hours of my client "upgrade."

    Still if I was CIO / CSO I would fire your asses! :-)

    Firing the guys that make all the money would be pretty interesting, but it would not be the first time I was at a company where all the people that made our products were let go, while management stayed on for a while. The real point I was trying to make is a lot of IT people are "muppets" in your terminology while a lot of engineers are not. If IT is in conflict with users, that does not necessarily mean IT is doing the right thing and often it means they are doing the wrong thing and need to be fixed/fired/replaced/castigated/or something.

  • by Avatar8 ( 748465 ) on Tuesday February 20, 2007 @07:00PM (#18089198)
    I've been in IT for 23 years. I haven't seen it all by any means, but I've seen enough to consider myself an expert on many things. IT, yes; business, no.


    At a previous company we were very flexible and provided everything we could for users, especially remote users: OWA, VPN, wireless, SSL-VPN, Terminal Server for those legacy apps that no one could do without, etc. et al. We held a pretty secure ship, filtered only what was legally necessary and monitored traffic/e-mail only when requested by HR.

    Regardless we still had this Shadow IT. Typically it was the guy who ran his own network and Exchange server at home telling us how we should run things, how he should have two monitors even though no one else had that and that he should be allowed unfiltered internet because it made him more productive.

    Then there was the time the top salesman left his laptop at home, connected to our VPN, his son used it and it began attacking our firewall with a SQL slammer worm. One time can be forgiven, but this was the third time in a year that this occurred.

    IT was thrown under the bus on these accounts and others.

    Mr. Know-it-all got his second screen and caused a chain reaction of others crying for them and costing the company a sizable chunk of change. He also won having the internet opened up for sports and games. IT watched productivity drop as non-business internet usage climbed.

    Mr. VPN received a third "warning" in his HR file, but IT had its hand slapped because we hadn't really educated him on how to use his laptop, the VPN or the update programs. This in spite of us producing a document signed by the guy that stated "I understand IT policy and proper use of issued equipment and the network."

    Back and forth this struggle has continued for the past 20+ years I've been in IT. For a few years, we're heroes. We implement technology and methods that allow businesses to grow and profit at the speed of light. We save businesses from going under when disaster strikes because we backed up the data. Then for the next few years we're the villains. We don't implement the latest technology just because the CFO said not to spend any money. We're thrown under the bus because an executive sent an illegal e-mail and IT had the nerve to have it backed up and accessible for the legal system.

    The longer I'm in IT, the more I wish I'd have learned a real skill like cooking or carpentry.
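The worm incident Avatar8 describes (a remote client connecting over the VPN and hammering the firewall with SQL Slammer traffic) is the kind of thing a firewall log will show as one VPN-pool address spraying UDP/1434 at many destinations. The following is an added example, not code from the thread or from any product mentioned in it: it parses constructed iptables-style log lines and flags VPN clients that hit the SQL Server Resolution Service port on many distinct hosts. The log format, the `10.8.0.0/24` VPN pool, the threshold, and the `LEN=404` size hint (20-byte IP header + 8-byte UDP header + Slammer's 376-byte payload) are assumptions for illustration.

```python
"""Added example (not from the Slashdot thread): spot a VPN client spraying
UDP/1434, the port SQL Slammer scanned, across many hosts.

Log format, addresses, pool and threshold are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed iptables-style log lines. 10.8.0.0/24 is the assumed VPN pool;
# 10.8.0.23 plays the infected home laptop, 10.8.0.41 a normal user, and
# 203.0.113.7 is Internet noise that arrives on eth0, not the tunnel.
SAMPLE_LOG = """\
Feb 20 19:02:11 fw kernel: IN=tun0 OUT= SRC=10.8.0.23 DST=192.0.2.5 PROTO=UDP SPT=1025 DPT=1434 LEN=404
Feb 20 19:02:11 fw kernel: IN=tun0 OUT= SRC=10.8.0.23 DST=192.0.2.6 PROTO=UDP SPT=1025 DPT=1434 LEN=404
Feb 20 19:02:11 fw kernel: IN=tun0 OUT= SRC=10.8.0.23 DST=192.0.2.7 PROTO=UDP SPT=1025 DPT=1434 LEN=404
Feb 20 19:02:12 fw kernel: IN=tun0 OUT= SRC=10.8.0.23 DST=192.0.2.8 PROTO=UDP SPT=1025 DPT=1434 LEN=404
Feb 20 19:02:12 fw kernel: IN=tun0 OUT= SRC=10.8.0.23 DST=198.51.100.9 PROTO=UDP SPT=1025 DPT=1434 LEN=404
Feb 20 19:02:13 fw kernel: IN=tun0 OUT= SRC=10.8.0.41 DST=192.0.2.20 PROTO=TCP SPT=51234 DPT=443 LEN=60
Feb 20 19:02:14 fw kernel: IN=tun0 OUT= SRC=10.8.0.41 DST=192.0.2.30 PROTO=UDP SPT=40001 DPT=1434 LEN=404
Feb 20 19:02:15 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.5 PROTO=UDP SPT=1025 DPT=1434 LEN=404
"""

VPN_POOL = ipaddress.ip_network("10.8.0.0/24")   # assumed VPN client pool
SQL_RESOLUTION_PORT = 1434                        # UDP port Slammer targeted
# Assumed on-the-wire size: 20 (IP) + 8 (UDP) + 376 (Slammer payload) bytes.
SLAMMER_IP_LEN = 404

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) LEN=(?P<len>\d+)"
)


def parse_line(line):
    """Return a dict of the fields we care about, or None for unparseable lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("spt", "dpt", "len"):
        d[key] = int(d[key])
    return d


def is_slammer_sized(ip_len):
    """True when the IP total length matches the single-packet worm size."""
    return ip_len == SLAMMER_IP_LEN


def find_scanners(log_text, pool=VPN_POOL, port=SQL_RESOLUTION_PORT, min_targets=5):
    """Map each VPN-pool source that hit UDP/<port> on >= min_targets distinct
    destinations to the sorted list of those destinations.

    Sources outside the pool are ignored: the point is to catch the company's
    own remote users bringing a worm in through the tunnel.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["dpt"] != port:
            continue
        if ipaddress.ip_address(rec["src"]) not in pool:
            continue
        targets[rec["src"]].add(rec["dst"])
    return {
        src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets
    }


if __name__ == "__main__":
    for src, dsts in find_scanners(SAMPLE_LOG).items():
        print(f"{src} hit UDP/{SQL_RESOLUTION_PORT} on {len(dsts)} hosts: {', '.join(dsts)}")
```

The distinct-destination count is what separates a worm from a legitimate client that talks to one SQL server, and restricting the check to the VPN pool gives the firewall a concrete thing to do about it (drop or quarantine that tunnel address) rather than just logging.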

  • by mikkelm ( 1000451 ) on Tuesday February 20, 2007 @08:06PM (#18089924)
    "Now, you'll have to set a new password once a month. You *cannot* write it down for security reasons, so make sure it's something you remember."

    Walk through the offices four months later, flip the keyboards, and you'll find post-it notes with the last four passwords they've used placed underneath. Typically "1, 2, , 4." Teaching doesn't work.

    Relying on unreliable things for security is a Bad Thing, and the user is always the most unreliable part of any security system.
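mikkelm's post-it passwords are the predictable result of forced monthly rotation: users keep a stem and bump a counter. Since teaching does not stop it, a password-change check can at least refuse the increment. The following is an added example, not code from the thread: it compares a proposed password against the user's history both by a digit-and-punctuation-stripped stem (catching `Mustang1` to `Mustang2`) and by edit distance (catching single-character tweaks). The `SAMPLE_HISTORY` values and the distance threshold are constructed for illustration.

```python
"""Added example (not from the Slashdot thread): reject password changes that
only bump a counter or tweak a character relative to the user's history.

SAMPLE_HISTORY and the threshold are constructed for illustration.
"""
import re

# Constructed history of one user's last four passwords, oldest first: the
# "1, 2, 3, 4" pattern a monthly rotation policy tends to produce.
SAMPLE_HISTORY = ["Mustang1", "Mustang2", "Mustang3", "Mustang4"]

# Maximum Levenshtein distance at which a new password is "too close".
MAX_EDIT_DISTANCE = 2


def normalize(password):
    """Lowercase and strip every digit and non-letter, leaving the stem the
    user actually remembers: 'Mustang4!' -> 'mustang'."""
    return re.sub(r"[\d\W_]+", "", password.lower())


def levenshtein(a, b):
    """Standard edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_new_password(new, history, max_distance=MAX_EDIT_DISTANCE):
    """Return (accepted, reason) for a proposed password against past ones.

    Checks, in order: exact reuse, same stem after stripping digits and
    punctuation, and small edit distance. In production the history would be
    hashed, so the stem and distance checks need the cleartext at change time,
    when the user has just typed both old and new passwords.
    """
    if new in history:
        return False, "reused a previous password"
    stem = normalize(new)
    for old in history:
        if stem and stem == normalize(old):
            return False, "differs from a previous password only in digits or punctuation"
        if levenshtein(new.lower(), old.lower()) <= max_distance:
            return False, "too close to a previous password"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["Mustang5", "Mustang!2007", "Mustamg4", "correct horse battery"]:
        ok, why = check_new_password(candidate, SAMPLE_HISTORY)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected'} ({why})")
```

The stem comparison is deliberately aggressive: it treats `Mustang1` and `Mustang!2007` as the same password, which is the right call when the history exists precisely because the user has been incrementing. The flip side of the commenter's point still stands: a check like this only works if the policy stops forcing rotations often enough to make incrementing the path of least resistance.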
  • by element-o.p. ( 939033 ) on Tuesday February 20, 2007 @08:41PM (#18090358) Homepage
    Where I work, our official policy is that the computers are for work purposes, and unauthorized software is verboten. Our unofficial policy, however, is that if you don't cause the IT department more work and if you aren't causing a problem, then we (IT) don't really care...within reason. But, if something you installed hoses the network, or if you are sucking up so much bandwidth that it becomes a problem, then expect the IT manager to pay your manager a visit.

    It's basically a tacit acknowledgment that it's impossible (or at least, not cost-effective) to micro-manage every user's use of their work computers. We won't get too uptight if you bend the rules a little, once in a while. But if you cause problems because you are goofing off at work, the rules are in place to allow IT, through management, to take action to keep the company productive.
