Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Businesses IT

IT Departments Fear Growing Expertise of Users 499

flatfilsoc recommends a long article in CIO magazine on users who know too much and the IT leaders who fear them. Dubbing the universe of consumer technology the "shadow IT department," the article highlights the extent to which the boundary between users' workplace and home have broken down. It notes the increasing clash — familiar to anyone who works in a company with an IT department — between users' home-grown productivity boosters and IT's mandate to protect corporate data. The inherent tendency of the IT department to want to crack down and control technology that it doesn't supply should be resisted at all costs, according to CIO. The article outlines strategies for co-existence. It just might persuade some desperate CIO somewhere not to embark on a career-limiting path of decreeing against gmail and IM.
This discussion has been archived. No new comments can be posted.

IT Departments Fear Growing Expertise of Users

Comments Filter:
  • by zappepcs ( 820751 ) on Tuesday February 20, 2007 @03:46PM (#18087124) Journal
    and there are always groups of individuals in every company that DO NOT fit the one-size-fits-all software/security model.

    Some people/groups really need a sandbox to work in, without interference from good intentioned IT departments.

    A virus spread wildly throughout my company recently because IT had thought to conveniently map some not so useful drives for everyone... guess how that virus spread?

    IT needs to learn to provide and protect without being so intrusive as to hinder real work being done.

    Sighhh
    • by bigtomrodney ( 993427 ) * on Tuesday February 20, 2007 @03:51PM (#18087214)
      That is certainly true to a large degree, but let's not overshadow the need for tighter security. Ultimately users need to bear in mind that their PC is for working, and really should only provide for their working environment. It's best to put aside the 'it's my computer' attitude and push the 'it's a company tool' attitude. Speaking as someone who has worked for years in IT, I would be more of the opinion that most staff in the IT department fear user knowledge because their own knowledge is lacking. From experience of a few different departments it's usually only one or two who have the knowledge to begin with and another five or six who are all talk. That's more what causes the friction between users and IT staff. No one minds a straight no if it is qualified, but I don't think anyone will tolerate a grunt of 'no' from someone who's not even sure why in the first place.
      • by Jhon ( 241832 ) * on Tuesday February 20, 2007 @04:07PM (#18087448) Homepage Journal

        Ultimately users need to bear in mind that their PC is for working, and really should only provide for their working environment.
        Agreed. What need does a biller have in hooking up their IPOD to their work PC? Why would a clientservices-phone jockey need to hook up their USB memory stick? Why would a transcriptionist need access msn/hotmail/yahoomail?

        Then again, if it's a small shop and you're not really dealing with protected information on the network (say, medical records for example), then you may be fairly lax as to what users can/can't do at the workstation.

        *IF* however, you have federal and or state guidelines you MUST follow with regards to protecting identity and health information, then sorry pals, your workstation is locked down. Nope -- no unauthorized memory sticks. Nope, no internet access -- other than white listed work related sites. Nope, no access to install software.

        I've had users ask me for permission to install some "app" they like to use. The simple answer is "no" and I don't want to waste my breath re-hashing the same reasons. So I say "No. Check your employee handbook, page 12 for why" and walk away. I'm not going to have anyone of my guys jump through paperwork hoops to keep CAP or CLIA or MediCal happy so someone can have their computer go "ding" at a certain time using their favorite software.
        • by markov_chain ( 202465 ) on Tuesday February 20, 2007 @04:26PM (#18087808)
          What need does a biller have in hooking up their IPOD to their work PC? Why would a clientservices-phone jockey need to hook up their USB memory stick? Why would a transcriptionist need access msn/hotmail/yahoomail?

          Morale.

          This is a tricky thing and different for different types of work. A long time ago when I worked at a research lab, they tolerated my Linux boxes going onto their corporate network, which was a mix of Solaris and Windows. I even managed to interfere with their routing infrastructure by doing experiments with gated. They might have been upset about it, but in the end good work got done and the creative people were happy. If their policy had been draconian, the said good work would have been done at a competitor.
          • by Jhon ( 241832 ) * on Tuesday February 20, 2007 @04:32PM (#18087896) Homepage Journal

            Morale.


            And how would their morale hold up when their employer is either shut down, fined in to oblivian or loses their ability to bill medical or some critical private insurance (essentially, you go out of business) for not providing necessary safegards for indentity/medical history? I don't think that their morale will be that high when they get their last check...

            A radio is fine. A tape deck. Even a CD player. Hell... even an MP3 player is fine so long as it's not hooked up (and unable to hook up) to a workstation.
            • And how would their morale hold up when their employer is either shut down, fined in to oblivian or loses their ability to bill medical or some critical private insurance (essentially, you go out of business) for not providing necessary safegards for indentity/medical history? I don't think that their morale will be that high when they get their last check...

              Why is data so unsecured that the receptionist who plugs in her iPod can somehow get access to identity/medical histories? That's not the fault of the iPod or the receptionist.
              • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Tuesday February 20, 2007 @04:44PM (#18088102)

                Why is data so unsecured that the receptionist who plugs in her iPod can somehow get access to identity/medical histories? That's not the fault of the iPod or the receptionist.

                Because without physical security there is no security.

                Locking down the PC so that the receptionist cannot move data to his/her iPod would also, logically, prevent the iPod from doing anything that s/he would want it to do.

                Unless you configured an iPod specific rule. And security is broken by "exceptions".
                • by rsborg ( 111459 ) on Tuesday February 20, 2007 @07:37PM (#18090318) Homepage

                  Locking down the PC so that the receptionist cannot move data to his/her iPod would also, logically, prevent the iPod from doing anything that s/he would want it to do.
                  This is not true. The receptionist should be using his/her PC/Mac at HOME to load the iPod with *her* music. No interaction between the mp3 player and the workstation/laptop is necessary. The iPod still plays songs/video as it should, but without interacting with the work computer.
              • Re: (Score:3, Insightful)

                by ElleyKitten ( 715519 )

                Why is data so unsecured that the receptionist who plugs in her iPod can somehow get access to identity/medical histories? That's not the fault of the iPod or the receptionist.

                An iPod could have a virus/keylogger/spyware/whatever, and whatever information the receptionist (or data entry minion, or whoever has an iPod) works with as a part of her job can then be comprimised. It's not that she'd suddenly gain access to things she shouldn't, but that things that she does have and need access to need to be se

                • If the receptionist is assumed to be untrustworthy, then they could just as easily install a real hardware keylogger in between the PC and the keyboard. (And that would be a lot easier to get than an iPod-disguised keylogger.)

                  I'm not saying that there aren't situations where barring anything that could carry data away is appropriate. It's just that IT types seem to hone in on the "security breaches" that they can shore up, to the greatest inconvenience of users, while ignoring glaring holes elsewhere. If yo
                  • Re: (Score:3, Insightful)

                    by Jhon ( 241832 ) *

                    "anything that annoys the users in the name of security must be good."


                    I think it's more the case that you are focused in on the restrictions that effect you rather than getting a view of the "big picture". The trees are blocking your view of the forest.
              • by Jhon ( 241832 ) * on Tuesday February 20, 2007 @05:11PM (#18088508) Homepage Journal
                Print Screen -> jpg -> IPOD HD.

                Cut/Paste from APP -> text File -> IPOD HD.

                Scan

                You've obviously never worked with state/federal payors who are cracking down on fraud. Not only from the entity making the claim for service, but forcing the entity making the claim to police their own CLIENTS for fraud. There are volumes of various types of regulations and procedures that CAP/CLIA/Medi require and we are regularly inspected for compliance.

                Sucks to be in IT in the medical field sometimes.
                • by gmack ( 197796 ) <<gmack> <at> <innerfire.net>> on Tuesday February 20, 2007 @06:31PM (#18089566) Homepage Journal

                  The problem most of the time isn't theft. The problem is users who THINK they know what they are doing but really don't. I have worked in several offices where everyone felt they could do whatever they felt like to their own computers and only called the admin when they were at a loss of how to fix it.

                  Some noteable moments:
                  • The user who decided he needed a better sound card so he switched his with a "less important" user. I get called in when both machines have screwed up drivers
                  • The user who thought that his department should have his own file server but then didn't secure it properly. They had to shut the server down to block the resulting viral infection that took out half the office.
                  • The constant complaints that our 10 meg fiber internet connection feeding an office of 30 people just wasn't fast enough thanks to some user thinking (s)he closed his/her file sharing app but only backgrounded it.
                  • The screaming panicked call from my boss telling me our website was hacked because our web page now contained links to other websites.. Turned out the machine he was viewing it on had adware installed that came with his favorite file sharing service.
                  • Why is our traffic so high and why are we getting spam complaints? Traced to a user with a non secured wireless gateway being hijacked by some spammer.
                  • Spotty network connectivity traced by another admin to a wireless gateway plugged in BACKWARDS and was feeding DHCP packets onto the network that provided a network connection to nowhere.

                  Show me a way in advance to know what users can be trusted and I'll consider letting users have more control. Until then I'll demand that users don't' mess with anything for no other reason that I end up with more work every time they mess up.

                  • by dave562 ( 969951 )
                    The problem most of the time isn't theft. The problem is users who THINK they know what they are doing but really don't.

                    I agree completely. The term that I've heard for it is, "Knowing just enough to be dangerous." It is especially prevalent in the Windows world where everything is so "easy" and "simple". There are those users who want to do it all themselves and they think they are the best thing since sliced bread, but as soon as their house of cards comes crashing down around them, it's "All IT's fa

                  • by RMH101 ( 636144 ) on Wednesday February 21, 2007 @10:40AM (#18096320)
                    Add to this the tool who brought in an apple airport and hooked it up to the corporate network without any wireless security, so that he could sit by the window. I'd have given him a longer patch cable, if he'd asked.

                    Also add to this the other tool who plugged in another WAP with the internal DHCP server turned on and serving addresses in the same address range as his office network.

                    A little knowledge is a dangerous thing? Just look what a *lot* of it can do...

              • Re: (Score:3, Funny)

                by corbettw ( 214229 )
                Why is data so unsecured that the receptionist who plugs in her iPod can somehow get access to identity/medical histories?

                Because it's an important plot device so the hero can save his family. Duh.
          • by dankney ( 631226 ) on Tuesday February 20, 2007 @04:51PM (#18088206) Homepage

            A good net admin is flexibile. If there's a good reason for it, any rule can be bent. I'm going to treat you like an adult and explain why your actions are potentially risky and are against policy -- I'll ask you to work with me to find a less risky way to accomplish the same goals.

            If you're doing network experimentation for a legitimate reason (work-related, not just being a dick), it's easy enough for me to vlan you off from the rest of the network. I'll even give you a gateway to the internet if you need it, but you'd better believe that your gateway is going to null route anything that's attempting to hit my servers or your co-worker's machines. My job may be to enable your research, but it's also my job to protect everyone else's data and productivity from your experiments should they go wildly wrong.

            I'll make sure you can do your work, but you may not be able to go about it in the way that you originally wanted to; my flexibility must be matched by yours. If you crash your own machine in the process, that's a risk you chose to take. I just have to make sure that everyone else on the network has the same choice and isn't subjected to yours.

        • by yuna49 ( 905461 ) on Tuesday February 20, 2007 @04:49PM (#18088160)
          One of my clients is a community health center. We're looking into the Linux Terminal Server Project http://www.ltsp.org/ [ltsp.org] for precisely the reason that meeting HIPAA requirements for privacy and security is nearly impossible unless we can centrally control what's running on the workstations. In the next hardware tranche we're looking to go diskless with no CD writers and no USB support for mass-storage devices.

          Having only one, centrally managed, desktop image has a lot of appeal as well!

        • Re: (Score:3, Insightful)

          by RESPAWN ( 153636 )
          I was going to compose my own post, but you pretty much summed up what I was going to state. Most of these people posting here have probably never worked in the Healthcare IT industry. With the HIPPA laws (or is it HIPAA? I forget.) there are extremely stringent guidelines describing what will happen to a company if they mistakenly allow data to be released without authorization. Merely not being in compliance with the regulations (and there are many, including a stipulation regarding removable media) c
        • by MobyDisk ( 75490 ) on Tuesday February 20, 2007 @06:30PM (#18089546) Homepage
          Everyone clap. You just met the IT guy you have all been loathing, and he posts on Slashdot. Thank you, take a bow.

          What need does a biller have in hooking up their IPOD to their work PC? Why would a clientservices-phone jockey need to hook up their USB memory stick?
          Because if you whitelist sites, then when the boss says "go to site XXX and tell me this..." they can't. And when the HR department says "go to www.friendlyHRpeople.com" to file a complaint they can't do it. But if you blacklist sites, then they can get to what they want anyway using some workaround. slashdot.com is blocked but engaget.com isn't. Or you can see it through someones blog, or redirection, or RSS feed, or a cache, or an anonymizer. This is a battle nobody can win.

          This is the type of attitude that gets us into the game of "If I rename the extension to .rar then I can send you this critical document you've been needing!" Then .rar files are blocked the next day. Then you zip the rar and it gets through again. The war escalates forever. Perhaps each employee should make a formal request to their boss, then to the IT department, then write a formal justification for why you need to visit each web site.

          Of course, it is probably all moot because you had to give everyone local administrator priviledges so they could run the ActiveX time-sheet application your IT department mandated.

          This is the mysterious "IT guy" who thinks he knows the fixed-length list of things that each and every person in the company needs to do their job. They create a blacklist of everything they think you could do on your computer that is bad, and use some 3rd-party product to scan everything you do and disable those actions. They already know better than you every tool needed for every position in the company. Really, this person could just do your job.

          I've had users ask me for permission to install some "app" they like to use. The simple answer is "no" and I don't want to waste my breath re-hashing the same reasons.
          Yes, you surely know every app they are going to need and have pre-installed it for them. And every application you haven't heard of is probably a virus. Of course, if you had setup their permissions properly then they couldn't install applications anyway. Instead of policing each application, set appropriate domain policies and work policies that make sense. Limit the size of email attachments. Put quotes on their accounts. Make sure the network drives have appropriate permissions.

          Trying to monitor every application used on every PC is a modern version of micro-management. Do you look at every tool that is on someone's desk? Do you approve each stapler? If you don't let people visit web sites, can they bring in books and newspapers? Do you blacklist/whitelist the phone numbers they can call and receive calls from?

          So I say "No. Check your employee handbook, page 12 for why" and walk away.
          Then you are a jerk.

          This will probably get modded as a troll. But I bet every person with mod points on this system has had to deal with the likes of you. I'm glad I got to find you and finally say it.
        • Re: (Score:3, Interesting)

          Where I work, our official policy is that the computers are for work purposes, and unauthorized software is verboten. Our unofficial policy, however, is that if you don't cause the IT department more work and if you aren't causing a problem, then we (IT) don't really care...within reason. But, if something you installed hoses the network, or if you are sucking up so much bandwidth that it becomes a problem, then expect the IT manager to pay your manager a visit.

          It's basically a tacit acknowledgment tha
      • by Mutatis Mutandis ( 921530 ) on Tuesday February 20, 2007 @05:07PM (#18088430)

        This is a general observation that can be made regarding 'regulatory' departments that are concerned with security and legal compliance. Generally the rules are written down by someone senior, who uses common sense to reach what seems, at the time, a reasonable compromise and a practical approach. Next, they are handed down to a team of juniors, who enforce without understanding, because that is what they have been told to do. Through habituation, the regulations become Holy Writ and nobody is allowed to touch them --- a situation the original author(s) would probably have regarded as silly and dangerous. Finally, everybody formally adheres to the rules while circumventing them by any means possible, making a total nonsense of the original purpose.

        This is by no means limited to IT. It also applies to finance or health care, or for that matter the US Constitution. It seems to a general human phenomenon. But it just seems that IT departments are more prone than others to the extreme aberration that I would call IT fascism: The belief that the ideal organization is regimented, uniformed, homogeneous, goose-stepping, controlled, and obedient; and that any exceptions need to be eliminated. Maybe the use of binary code stimulates binary thinking.

        Of course, for any commercial organization, this can be a real killer in the long run. I've seen creativity and innovation totally stifled by regulation, until most people were so marinated in the status quo that they became completely incapable of independent decision-making, and the creative minds got frustrated and left. It's pretty much the reason why, if I were to make a SWOT analysis of our firm, I would classify much of our IT department under 'threats'. It's not because these people are of ill will, but the idea of trying, stimulating, or even supporting something new has become alien to them.

        They are taking care of the daily business, according to present regulation, and they just can't imagine that there might be more to the job than that. To be fair, most of them are so far from the "frontline" that they no longer hear the din of the battle for survival.

    • by winkydink ( 650484 ) * <sv.dude@gmail.com> on Tuesday February 20, 2007 @04:09PM (#18087482) Homepage Journal
      whether you like it or not.

      In the US, Sarbanes-Oxley places some strict requirements on data retention for publicly-traded companies. Employees choosing to use IM and gmail, could cause those requirements to be circumvented.

      • by LurkerXXX ( 667952 ) on Tuesday February 20, 2007 @04:17PM (#18087640)
        This is why the clever IT guy who doesn't want to get blamed for limiting user, as in the blurb, should bring in the corporate lawyers to lay down the law. This way it isn't the good IT director who wants to supply any needed technology, but the lawyer cracking down on things that could get the company in hot soup.
      • and I still say:

        1) It's my property (well, the owner of the company is my boss, but I manage this data center)

        2) On my property, it's my internet usage rules, as long as I'm fair about it.

        3) I bear the full responsibility for stuff going boom (physically, financially or legally), so I have the full right to monitor and control network usage.

        4) You can always go home and use IM and gmail if you want. I have no control over that (though one jackass company in Michigan certainly would want to).

        I support SOX, t
        • by KingSkippus ( 799657 ) * on Tuesday February 20, 2007 @04:58PM (#18088302) Homepage Journal

          The point of the article is not that you should or shouldn't try to lock things down. It is that that no matter how much you try to lock things down, your users will find ways to open it up to get their work done.

          If you're smart, you'll figure out ways that you can both get what you want: Your security and manageability, and their productivity and ease-of-use. Handing edicts from on high is a pretty stupid idea. The point of the article is that you're not shutting down what they call "Shadow IT," you're simply driving it underground where it's harder to see and deal with.

          But, you know, it's your property and your rules, so by all means, do with it what you will, and good luck with that.

    • A virus that executes itself off network shares? Do you recall the name? I was thinking the other day about how I never see virii like that anymore. Now adays its all install adware, blah blah, show pop ups - aw cute, sell winantivirus subscriptions.. boring!

    • by HTH NE1 ( 675604 )
      and there are always groups of individuals in every company that DO NOT fit the one-size-fits-all software/security model.

      Well, there's that, and then there's IT departments that use one-size-fits-no-one software. We develop our software using XEmacs 19.13 (September 3, 1995) because IT doesn't want to tweak a more modern version to work with our RCS.
  • by NerveGas ( 168686 ) on Tuesday February 20, 2007 @03:48PM (#18087150)

        Has always been the user who *thinks* he knows too much, and is out to prove it - usually causing problems, havoc, and destruction in so doing. You know, the kind of guy who gets pissed when you won't give them root/Administrator priveliges because he thinks he's a real big-shot. I've heard arguments as silly as "Well, I'm learning Linux on my own at home, so sooner or later, I'm going to know how to use it whether you give me root or not." Yeah, good for you.

        It seems that every company I've worked for has had one. Maybe it's a small part of my personal castigation for the things I've done wrong. Who can say...
    • by russ1337 ( 938915 ) on Tuesday February 20, 2007 @04:07PM (#18087442)
      For a moment I thought you were talking about me....

      But seriously. My IT department guys were kind enough to give me admin privileges on my workstation and on my colleagues workstations in my department. I didn't ask for it, but they obviously trust me to some extent and i've built that trust over time. I'm not a sysadmin and have never been one.

      It could have something to do with the fact I'm overseeing a highly technical project involving setup of IT systems of sorts. This leads me to the same problem the article mentions. Our system must stay isolated from the world - physically and connectively (no inter-tubes for you!). The problem is its users 'think' they know better and think its ok to put in a CD, or plug in a USB drive to play MP3's or whatever because they can at home. (I don't think I need to tell /.'ers of the dangers of CD's after the Sony rootkit debacle). Of course we've removed all accessible means in - CDROMS/USB slots etc... and have some very harsh rules. But still, it's only a matter of time before I walk in and find some guy with his mp3 player hanging from a machine, or installing something unauthorized... because they thought they knew better.
      • by jbarr ( 2233 )
        Some people are just very trustworthy with high integrity while others will abuse whatever they can. Of course, the challenge is determining that at the interview stage...
    • by 0100010001010011 ( 652467 ) on Tuesday February 20, 2007 @04:14PM (#18087582)
      My personal nemesis is the layers of abstraction you have from someone that actually knows something and the mentality of those people.

      My laptop at work continuously reboots. I ran a memtest on it and narrowed it down to a bad memory chip. IT wants me to send in my laptop. I'm sorry. I don't have time to deal with that down time, so I just put up with it restarting.

      The most annoying one is when they redid a few dozen internal webservers. All of a sudden the redirect didn't work (If you went to an internal site and it had been X minutes it redirected you to Corporate Web Login).

      I did some research on my own and found that when they upgraded to the newest webserver someone forgot to bring along the configuration. All the redirect websites were being sent out as plain/text. Firefox correctly rendered it as... plain text. When I e-mailed IT about it I got a nice form letter about "Firefox isn't supported, we use IE, etc".

      I then copy and pasted curl -v logs of all the websites that were broken. I didn't just tell them what was broken, I told them HOW to fix it. I never got a reply back and everything magically worked within a week.

      Sometimes there ARE users out there who know what we're talking about. I'm not asking for admin rights or root access. But I do want to be able to do my job and when your fuckups impede that, it does tick me off. The IT people I know are the ones that seem to have the hardest time saying the two 3 word phrases that every engineer (in my opinion) must learn before leaving college: "I don't know." and "I was wrong."

      In the mean time I wrote a greasemonkey script that when it saw the redirect page it sent me to the correct website.
    • If he were really smart he'd init 1 that thing and make his own root password.
  • by yagu ( 721525 ) * <yayagu.gmail@com> on Tuesday February 20, 2007 @03:48PM (#18087152) Journal

    I've met uncountable numbers of idiots when it comes to understanding technology. Guess what... many of them were peers in IT. In retrospect, it makes sense. I'd anticipated my move from college to a "real" job as a release from the world of idiots in the CS curricula. Finally, I'd get a chance to work shoulder to shoulder with people who knew.

    Not so much.

    I'd never considered where the rest of my university peers had to go -- into the same work force I entered -- duh.

    In the non-IT universe I discovered many were also clueless around technology, as I'd expected. What I hadn't expected was there were many non-IT people who got it, who understood technology, and worked with it adeptly. Many "got it" more than my peers. Some of the most profound ideas and innovation I've seen in IT have come from nontraditional non-IT people.

    I agree (without reading the entire article) with the summary and gist of the article -- IT does itself no favors ruling by fiat and instead should collaborate with users.

    This doesn't dismiss bad things happening and messes created by users left behind for IT to clean up. People who mess up should help clean up, but my experience has been many IT people are equally inept and likely to make messes.

    A degree and title in IT and CS means only that one has a degree in IT and CS, nothing more. It doesn't mean they're anointed and it doesn't mean they know more about technology than users.

    • I can't speak to the IT profession as that is not my field of expertise. I am, however, an aircraft structural engineer and have been one for a long time now. Most everything I know I learned after college and I'm still learning new stuff.

      No...that degree is mearly your ticket to the starting gate...the good ones realize that.
    • IT Titles and IT BS (Score:3, Interesting)

      by umbrellasd ( 876984 )
      Worked for 3 years as a business analyst at a health insurance company. I came from 6 years of IT background and we developed IT solutions in the business group. This was a general trend of consolidation where there was more leverage to have a person that understands the business as well as technical side and cut down the overhead between the two groups.

      At the company, many of the users were technically savvy, and more importantly, the process associated with IT was prohibitively complicated. It would

  • It takes a lot more than "I know how to build a computer .. and i play WOW all the time so i'm leet" to run an IT department. I welcome the smarter users; as long as they arent all wearing my tinfoil hat.
  • I don't work in the IT dept at my current employer, but I spent a number of years in the trenches before working here. Just today, I was causing fear, loathing, angst, and gnashing of teeth to one of our local IT folk. I told a young lady that I was going to ghost the hard drive from a little used computer onto a USB stick. Then take the hard drive and add it to my PC since I needed more space for my music collection. She was very nervous and thought I might actually do it. I was just giving her crap,
  • by Anonymous Coward on Tuesday February 20, 2007 @03:51PM (#18087206)
    I'm sick and tired of IT departments that try to control everything I do when I know perfectly well that WeatherBug and WinFixer are the right tools for the job. I am a smart and knowledgeable IT consumer, and I've been using these fine products at home for some time now. Why not at work too?
  • by 955301 ( 209856 )
    What, you mean like when I brought my own google search appliance to work at my last job because the corporate intranet search capability blew chunks?

    IT lost this fight when the USB memory stick became popular. Besides, no matter what they do, they can't stop me from creating a knoppix cluster from my coworkers pc's after they all leave for the day.

    But I did always wonder why more departmental firewalls were present in all the places I've worked. I mean, does the CTO's pet project development team really ne
    • by smooth wombat ( 796938 ) on Tuesday February 20, 2007 @03:58PM (#18087306) Journal
      IT lost this fight when the USB memory stick became popular.


      Lock down usb ports.

      Besides, no matter what they do, they can't stop me from creating a knoppix cluster from my coworkers pc's after they all leave for the day.

      They can fire you.

      See, not so hard.

    • no matter what they do, they can't stop me from creating a knoppix cluster from my coworkers pc's after they all leave for the day.


      Sure they can. They can fire you [wikipedia.org].
  • Here's one. Working at a community college, we have 3.5 separate departments/groups of people who "know" computers. Theres ITS - including network ops, mainframe ops, all the servers, connectivity, etc. Then theres Academic Technologies - all the student labs, computers, etc. Then theres the CIS/ITE staff, teaching things like programming, networking, etc. And then the .5 group is the business degree folks, but they offer classes in F/OSS software (ITE doesn't, except a Linux admin class), etc.
  • by doormat ( 63648 ) on Tuesday February 20, 2007 @03:54PM (#18087254) Homepage Journal
    As a software developer outside of the IT department (I'm under direction of the Engineering group), I get this all the time. I get the run around, exclusion from important meetings, no say in things I have a large stake in, put at the bottom of the priority queue, and sometimes even people working to throw roadblocks in my way.

    I've always been a fan of decentralized IT - a core group working to "keep the lights on" and seperate groups providing services embedded in the groups they're providing services to, responsible to the managers of the groups who use the tools. Meetings still happen with the needed staff, but someone is a few cubes down the hall or at least on the same floor to answer questions and get feedback.
  • And why not? (Score:5, Interesting)

    by Realistic_Dragon ( 655151 ) on Tuesday February 20, 2007 @03:54PM (#18087262) Homepage
    I would be 7 kinds of mad if anyone was using gmail and IM in my office.

    We work with NATO restricted data. *Everything* requires appropriate handling. E-mail is carefully fenced and the IM service is encrypted.

    But even if you aren't a company with such a strong need for data protection... well actually there is no such thing. At the very least you have financial data and client information on your systems. Losing some of that stuff is considerably more harmful than restricting people to company provided communication tools.

    Anyone placing data that hasn't been cleared for release (even by the very informal process of being sent out on purpose) onto services run by people with whom you have no contract and no reasonable expectation of integrity is, frankly, no better than the idiots who don't back up their data and are then surprised to find out that MTBF is not a guarantee. After all if your employees are using gmail et al you don't even know what data you *have* let alone what steps you need to take to protect it.
    • by sjbe ( 173966 )

      I would be 7 kinds of mad if anyone was using gmail and IM in my office. We work with NATO restricted data. *Everything* requires appropriate handling. E-mail is carefully fenced and the IM service is encrypted.


      But apparently slashdot is totally kosher...
    • Anyone placing data that hasn't been cleared for release (even by the very informal process of being sent out on purpose) onto services run by people with whom you have no contract and no reasonable expectation of integrity is, frankly, no better than the idiots who don't back up their data and are then surprised to find out that MTBF is not a guarantee.

      Be sure to let Jimbo Wales know he's an idiot for doing it that way. [wikipedia.org]

      I'm not advocating Wiki methods for a nuclear missle silo, but I think a lot more

    • Er. You seem to be making an assumption not in evidence: That they are advocating using these tools to necessarily communicate with others in the workplace using company sensitive, FOUO, or whatever you happen to be handling.

      The impression I got from the summary was about restricting their use for personal use or things where a layer of abstraction is desirable. An example of the latter would be if I have a question regarding Jython but for whatever reason do not wish to directly associate my company's n
    • I would be 7 kinds of mad if anyone was using gmail and IM in my office... But even if you aren't a company with such a strong need for data protection... well actually there is no such thing.

      Welcome to this decade. IM has been a vital sales tool for many years now in some industries. That means non-encrypted communication with the outside world using AIM or something. It is no more dangerous that unencrypted e-mail which is, sadly, still a requirement for doing business with most of the world.

      Anyone p

    • I sure hope you didn't post this from work without getting it cleared!

      Or is it more of a "do as I say, not as I do" policy?
    • by elrous0 ( 869638 ) *
      Buddy, if your stuff is THAT critical, your computers shouldn't be connected to the internet AT ALL. You do realize that a good hacker could easily walk through your "fenced" system with relative ease, right? If you're dealing with classified data, you should NEVER have that data connected IN ANY WAY to the outside world. That means clearly designated separate computers on a purely internal separate network--no email, no web access, no anything.

      -Eric

  • Working from home isn't a bad thing (if you can handle it and can prioritize life/work appropriately). I believe an IT department, if the organization is so structured, should allow people who can handle the access to work from home. To do this, WE will provide YOU with the necessary equipment to do this task. This allows standardization (as much as can be afforded) and redundancy (I would imagine an inventory of at least one backup device).

    To have someone who just arbitrarily says "I'm going to work fro
  • People who think they know what they're doing are far more apt to screw up their computer up than an avowed newbie who is scared to do more than check e-mail and type Word documents. I don't think the IT department is going anywhere soon.
  • by Fatchap ( 752787 ) on Tuesday February 20, 2007 @03:57PM (#18087292)
    Quote from the article:

    According to Pew, 42 percent of Internet users download programs, 37 percent use instant messaging, 27 percent have used the Internet to share files, and 25 percent access the Internet through a wireless device. (And these numbers are all one or two years old. Rainie "would bet the ranch" that the current numbers are higher.)
    Quote from Vin Cerf:

    ...approximately 600 million computers are connected to the Internet, and that 150 million of them might be participants in a botnet--nearly all of them unwilling victims. (http://arstechnica.com/news.ars/post/20070125-870 7.html)
    Yep as a CIO / CSO I would really be an idiot not to let my users do exactly what they do at home would n't I!!

    The simple fact is most users think they know what they are doing, but the lack the skills to adequately assess the risks of their actions. That is why they need to have rules around acceptable use and security policies to protect them from their own idiocy.
    • Re: (Score:3, Interesting)

      The simple fact is most users think they know what they are doing, but the lack the skills to adequately assess the risks of their actions. That is why they need to have rules around acceptable use and security policies to protect them from their own idiocy.

      Where I work is probably not representative of the industry as a whole, but IT and their policies result in less security and functionality than letting the users run amok. We started out as an engineering organization, a start up. Think a couple of n

    • by vux984 ( 928602 )
      The simple fact is most users think they know what they are doing, but the lack the skills to adequately assess the risks of their actions. That is why they need to have rules around acceptable use and security policies to protect them from their own idiocy.

      Its worse than that. Its not that they can't assess risks, its that they aren't even aware of what is at stake. Nor do they understand the priorities of corporate IT in terms of cost and maintainability.

      Examples:

      We frequently rotate units and staff aroun
  • by Oriumpor ( 446718 ) on Tuesday February 20, 2007 @04:03PM (#18087392) Homepage Journal
    Is the day hundreds of callcenters close down their Level 1 support. I always thought it funny to have columns and rows of people that do nothing but open the documentation the users have and read it to them over the phone. Since the phones are still ringing, I think this announcement is still quite a bit premature.
  • QUOTE: It just might persuade some desperate CIO somewhere not to embark on a career-limiting path of decreeing against gmail and IM. UNQUOTE

    Sorry, that is not the case. Where I work, the word "email" is not even allowed in a URL anywhere. They block it period. Career-limiting my foot. I am sure any company with more then a couple of hundred people tends to be the same.
  • by bhmit1 ( 2270 ) on Tuesday February 20, 2007 @04:10PM (#18087506) Homepage
    I've been a user that is locked into crazy setups. The traveling consultant at client sites who's PC is setup to be managed from the corporate network. At one point, I got tired of the insanity, took a ghost image of the machine they gave me, and installed linux on the machine (and then restored the ghost image in a vmware session).

    But here's the thing, I don't ask for support from the IT department because I'm the odd guy. I know they can't support me. What annoys me (as the one who helps other IT departments manage lots of PC's) are the people that install various applications that cause our automated installs to fail. 90% of the machines are managed with little to no effort. It's the 10% that cause days of work while we try to figure out which of the 20 apps you installed is breaking our install tool.

    And for all those against IM and email lockdown, I've been to trading companies where that's the law. They get in trouble when they don't have logs of what people said on IM, email, phone calls, etc because that's how they catch insider trading. Of course for every sensible rule, I've seen 10 that make no sense at all. As has been said before, the USB key should force companies to reevaluate their policies.
  • by Psmylie ( 169236 ) * on Tuesday February 20, 2007 @04:11PM (#18087518) Homepage
    But wrong on a few counts. There are so many reasons to keep things locked down. Data security is the main one. There is also support issues, regulatory issues, etc. For example... traders don't get to use IM where I work. Know why? Because the SEC wants to be able to pull records of all financial instructions, and our traders wanted to send trade instructions to each other via IM. We had no way at that time to record IM's, and no way to confirm that an IM was actually read by the person it was sent to in a timely manner.

    This is kind of interesting, from the article:

    "When you find that people have broken rules, the best thing to do is try to figure out why and to learn from it."

    Sorry, no. When you find out that people have broken the rules, you write them up or you fire them, depending on the severity of the situation. What if the rule that was broken was someone carting around an unencrypted "backup" of a customer database on a thumbdrive, which he lost? Where I work, that's three major rules broken right there. If that happened, that person would be fired immediately.

    Corporations aren't stupid. Hidebound, maybe, and slow to change, but if something is forbidden, there is usually a really good reason for it. Also, IT does not run the company, in most cases. Follow the chain of command up high enough, and you'll find IT's bosses. If you have a tool that you need or want, then petition for change. Don't do an end-run around the guys that are trying to keep you working, you're only going to hamstring yourself in the end.

    The major problem is, people are making their decisions based on commercials or salesmen that promise an easy, 100% reliable solution to an existing problem. Then they run to IT to complain when the product doesn't perform the way it was supposed to. This makes extra work for an IT department that is probably already overworked. You want to play with toys, play with them on your own gear, not the corporate gear.

    That said, a wise CIO is going to pay attention to what the employees say they need to find out:

    a): If they really need it

    b): If there isn't something better or already in-house that can fill that need

    c): Is it safe to use, and what are the support requirements.

    The important thing then is to tell the end user, No, you can't have that because of: ___, and give them an actual reason, instead of just telling them "against policy"

  • by onkelonkel ( 560274 ) on Tuesday February 20, 2007 @04:12PM (#18087528)
    1. "My hard drive is howling like a panther passing a kidney stone. Every time I run chkdsk I lose a few more sectors. I've backed up all my work to the network drive. When you get a chance can you come and fix my computer?"

    2. "My computer won't start. It's been making this squealy noise for about two weeks and then all of a sudden it just died. You have to come right now and fix it because all the annual budget files are on my desktop."

    Which call would you rather get?
    • by garcia ( 6573 ) on Tuesday February 20, 2007 @04:58PM (#18088296)
      I'm a fairly knowledgeable computer user with 10 years of Linux experience on top of the standard Windows use since 3.1. When I have an IT problem I play stupid, real stupid. You know why? Because the second they think that I'm self diagnosing a problem it becomes priority 0.

      When I called up to tell them that my co-workers computer was denying Groupwise proxy rights via a VBA Access module for a single proxy account and not any others, they ignored me for *four weeks*.

      When I call up and say, "my computer doesn't work" they show up in minutes and do whatever it is that they need to do.
    • by Heisman ( 1002013 ) on Tuesday February 20, 2007 @05:28PM (#18088730)
      Well, since user #1 is probably a typical /.er, and user #2 is probably the long leggy blond girl from accounting/payroll. I'm going to go hang out under #2's desk for a while. I'll see you guys later.
  • Most system admins and network admins have always felt that their systems would run just fine except for all of those pesky users.

    And a lot Mac users feel that system admins like Windows to make sure that system admins are needed.
  • Yes, most corporate users surf the web at home.

    Yes, most of their home machines are horribly infected with spyware, viruses, and other things I grow weary of cleaning up. I have friends who make their livings cleaning up home PC's. Most of them have "regulars".

    I have no problem helping my advanced, capable users be more productive through technology. I will even grant local admin when warranted.

    I have major problems letting my users chat with their friends on IM while surfing porn, watching last nights C
  • by thomasa ( 17495 ) on Tuesday February 20, 2007 @04:14PM (#18087576)
    When I come across someone who I find reasonably able to fix problems, I sometimes
    enlist their help on assisting their computer neighbors. I also find that people
    who think they know a lot quite often mess up their computer even more and consequently
    require my help more - That is okay, it keeps me employed. It is changing though
    with users losing admin rights. They really cannot do anything as a standard user.
    On UNIX computers, The users tend to be more technical (I find) but still require
    assistance sometimes. Especially when they do not have root.

  • by Junior J. Junior III ( 192702 ) on Tuesday February 20, 2007 @04:18PM (#18087652) Homepage
    We should love smart users. If they come up with their own solutions to problems, they're de facto developers. If the business is run well, good workers will succeed and advance while poor workers fail and leave the company. In time, we'll have evolved a class of competent users, even experts, and have application development in the hands of everyone, along with the skillset to actually make decent software. It's a long way off, and maybe a pipe dream, I know, but don't squash the dream. Please.
    • Re: (Score:3, Insightful)

      Perhaps more importantly, smart users should love you. IT departments suffer because they don't forge relationships outside their department. While everyone else has friends and advocates at budget time, IT workers are viewed as interchangeable, even redundant. If you snub or ignore technically smart users, you're alienating the one outside segment that's even capable of understanding why you're needed.

  • ...back in the early 90's when I managed single DEC MicroVAX minicomputer with over 60 connected VT terminals and 25 printers. System Management was easy, centralized, and completely controllable--users only had access to what we gave them and absolutely nothing else. OK, so character-based Word Perfect, Lotus 123, Pine, and Lynx could be difficult at times, but people were honestly very productive, and things hummed along nicely.

    Enter the mandatory Windows world, and that's when things really went to Hell.
  • Wherever these advanced users are at, please send some my way. As an R&D programmer and backup admin, I get hit by unskilled users twice. Users that manage to get a completely dumbed down interface wrong, or a user that wonders why they can view a PDF after deleting acrobat reader (only God knows why).

    In our company, everyone who has any amount of talent on the computer becomes a part of IT at least in some small way. And I know we certainly wish we had more people we could trust with more responsib

  • They're the same exact gimps who ask me why they're getting spyware at home all the time.

    Just like a new hire into the IT department; I don't know these people from anyone else. Anyone can claim any amount of knowledge they like but as long as I'm responsible for the systems they're working on I'm not real comfortable letting these people do as they will in the hopes that they really know what they're doing.

    Unlike the new hire into the IT department; I have neither the time nor the authority to monitor th
  • by brendanoconnor ( 584099 ) on Tuesday February 20, 2007 @04:21PM (#18087718)
    Letting users do whatever they want on company computers is a great way to have a lot of things go wrong very quickly. When you are at work, you are there to be working, not playing around on the internet, talking to your buddies, exchanging ims and emails an whatever else you could possibly be doing that has absolutely nothing to do with your job.

    At my work, our computers are completely locked down and we cannot change anything, no matter how mundane. I personally thing this is great because I know that whenever I go to the computer, it will just work. If we could change things, I have no doubt a few of the employees would just have to screw with things and then when it didn't work, it would then screw up my job and cost the company a lot of money, not to mention cause my workers and I unneeded stress.

    All this comes from someone who has several computers running from home with various operating systems doing various tasks. I could probably improve things at my work in regards to how tech is handled, but it is not my job. If I want to play sysadmin, I can do it with my own gear, on my own time.
  • by e.coli ( 131048 ) on Tuesday February 20, 2007 @04:25PM (#18087786)
    As an IT tech, I have known users who knew their stuff, maybe 0.5% of the employees of any given company. And I have know techs who did not know their stuff, maybe 60%.

    But all in all there are reasons why computers are locked down and there are reasons why IT mandates that "thou shalt not". Too many times there have been licensing issues where a know-it-all user with the ability to install software on their local box has brought in a package from home to install because they could get their work done better/faster/more colorfully with it than they could with the software that the company licensed. And when the project/document/spreadsheet that they created in that software can't be read or modified by any of the licensed software, they instantly become indignant and blame IT for not finding a way to convert their information. Contrary to popular mis-belief, IT does not have experience in EVERY piece of software out there. And when some disgruntled soul left the company they would let the anti-piracy folks know about the illegal installs.

    And then there are the ones who download every bit of shareware/freeware/spyware in the known universe to their local box, turning their machine into a zombie or worse.

    IT is usually mandated to keep the network running smoothly, virus and spyware free, and within the licensing agreements of the software that they have purchased. To do that they have to lock down the network, the computers and the user rights because the know-it-alls don't care about security, safety or licensing. They just want to run Weatherbug because they are too lazy to check into the WeatherChannel.

    And then there are the users who listen to Internet radio (sucking down bandwidth), download illegal music and software (because it's faster than at home), and cruise the porn and game sites. Most users don't remember that the computer, network and internet connection still belong to the company that they work for and the aim of IT is to make sure that everyone can play and work together to the betterment of the company.

    Give me a user who will work within the guidelines, request the software that they need to do their job and, at the end of the day, tend to their personal internet needs from their home computers.
  • I'm not sure if those are the words of kdawson or flatfilsoc, but whoever wrote them needs to stop being a dumbass.

    The author has obviously never worked at a regulated and/or publicly traded company or a company that has experienced the embarrassment of a PII leak. Those decrees come from Audit and/or Legal. And it may be painful to admit this, but those departments are trying to look out for the company - yes, ignorance can cause a misstep or three, but it's naive to assume all their decisions are driv

  • I'm curious to hear how other Slashdotters are able to make use of wiki's within the corporate firewall. I have seen some companies where really useful wiki's begin on someone's desktop and are subsequently subject to push back, mostly based on security concerns.
  • by pla ( 258480 ) on Tuesday February 20, 2007 @04:36PM (#18087970) Journal
    IT's mandate to protect corporate data

    Here we have the single point that makes this entire FP one big strawman...

    Yes, IT takes some measures to protect corporate data, both from inappropriate access, and from erroneous (or malicious) deletion.

    The bulk of this "clash", however, involves two points - Maintainability, and the difference between personal and corporate liability.


    Maintainability... Given a network of dozens, or even hundreds, of users, homogeneity means everything. If it takes an extra 15 minutes to solve a five minute problem because each user has their own bizarre configuration and preferred tools, you've wasted three quarters of my time vs just using the tools provided. And speaking of "provided", IT simply doesn't have the time to check each and every machine daily for pirated software. "Oh, but just fire anyone that has pirated software"... Yeah, sure, at up to 50k per violation and the need to replace a presumeably qualified (if careless) employee - Not an option as a default policy.

    And I haven't even mentioned that people expect support from IT on anything and everything they can find on their machines... Guess what? I don't know everything. I can fix and teach Outlook, ThunderBird, Netscape, Eudora, Calypso, Elm, Pine, and perhaps a few dozen clones thereof, but I still won't have a clue how to fix your problem with FooMail; and even if it works similarly enough to one I do know that I can walk right through it, I won't know that until you've already wasted the time it takes me to visit your office (times two, since presumeably neither of us will get anything else done in the meantime).


    As for liability, take the GMail example... In many companies (anything healthcare related, anything publically-traded, and just a good idea in most cases) you have legal minimum retention times for email; On top of that, since those emails count as a liability, you want to enforce that same period as a maximum retention time as well. GMail makes both impossible - You can't guarantee the legal minimum, and you can't automagically delete mail after that time. For that matter, you can't even guarantee that you'll ever again have access to a terminated-for-cause employee's email five minutes after security escorts them out.

    You also need to worry about the motivation for using third-party email... If a company provides its own email server with no unreasonable content or size filtering, why would employees use GMail for work-related material?

    The same applies to IM (though admittedly far fewer companies host their own IM than host their own email).



    I (and most IT workers) don't seriously give a rat's ass what you do on your office computer - Your productivity only matters to you and your manager. I really don't care if you want to play Solitaire all day long. So this has nothing to do with control. But when I get reprimanded (or worse) for letting a random user get the company fined tens of thousands of dollars or under criminal investigation for unknowingly hosting kiddie porn, yeah, you can bet the farm I'll choose "lock your machine down" every time.
  • by Twillerror ( 536681 ) on Tuesday February 20, 2007 @04:38PM (#18088014) Homepage Journal
    It sounds all fine and dandy to allow the user to install all kinds of stuff on there machines. And without a company mandate with some teeth ( termination or write ups ) most people will install things on their own anyways. We have prevented people from having root access, but generally they figure out what the password is or someone in IT tells them.

    The only problem with these sorts of users is the support they require when it turns out they don't know what they are doing. Any boob can install iTunes, but even the smarter ones start having problems trying to figure out why there machine crashes afterwords. Then IT is called and blamed.

    I'm fine with having these users install whatever they want, just as long as they realize that when they have a problem of any kind of size ( word won't start ) I'm going to blast the machine. If they are smart enough to install all the extra software they are smart enough to put their data on the network or at least in one folder where I can copy it. If they say I lost all my MP3's I'm not going to have a problem telling them tough.

    These same people don't have to sign the invoices for their expensive laptops, I do. It is company property and companies should have every right to tell individuals what they can and can't install. At the same time they cannot be so stubborn as to not allow for newer software to get added, even if it does pose some sort of risk. Instant messenger and those types of programs can greatly increase productivity if used correctly. If the employee is chatting with his wife, I'd rather he do that then go in the hallway and call him on his cell...chances are he is actually doing something in between the chat lines.

    That said the company still has the right to monitor the person for any traffic going over their network. If the guy gets in trouble and they find that he chatted with his wife all the time it should be admissable in determining his dismisal. Everyone out there knows when enough is enough, those that don't usually end up without a job.
  • by Avatar8 ( 748465 ) on Tuesday February 20, 2007 @06:00PM (#18089198)
    I've been in IT for 23 years. I haven't seen it all by any means, but I've seen enough to consider myself an expert on many things. IT, yes; business, no.


    At a previous company we were very flexible and provided everything we could for users, especially remote users: OWA, VPN, wireless, SSL-VPN, Terminal Server for those legacy apps that no one could do without, etc. et al. We held a pretty secure ship, filtered only what was legally necessary and monitored traffic/e-mail only when requested by HR.

    Regardless we still had this Shadow IT. Typically it was the guy who ran his own network and Exchange server at home telling us how we should run things, how he should have two monitors even though no one else had that and that he should be allowed unfiltered internet because it made him more productive.

    Then there was the time the top salesman left his laptop at home, connected to our VPN, his son used it and it began attacking our firewall with a SQL slammer worm. One time can be forgiven, but this was the third time in a year that this occurred.

    IT was thrown under the bus on these accounts and others.

    Mr. Know-it-all got his second screen and caused a chain reaction of others crying for them and costing the company a sizable chunk of change.He also won having the internet opened up for sports and games. IT watched productivity drop as non-business internet usage climbed.

    Mr. VPN received a third "warning" in his HR file, but IT had it's hand slapped because we hadn't really educated him on how to use his laptop, the VPN or the update programs. This in spite of us producing a document signed by the guy that stated "I understand IT policy and proper use of issued equipment and the network."

    Back and forth this struggle has continued for the past 20+ years I've been in IT. For a few years, we're heroes. We implement technology and methods that allow businesses to grow and profit at the speed of light. We save businesses from going under when disaster strikes because we backed up the data. Then for the next few years we're the villains. We don't implement the latest technology just because the CFO said not to spend any money. We're thrown under the bus because an executive sent an illegal e-mail and IT had the nerve to have it backed up and accessible for the legal system.

    The longer I'm in IT, the more I wish I'd have learned a real skill like cooking or carpentry.

  • by Mutatis Mutandis ( 921530 ) on Tuesday February 20, 2007 @06:08PM (#18089290)

    From the posts in this thread, one gets the impression that there are rather a lot of places where IT people and other employees are locked in a state of permanent warfare, or at best uneasily living together in mutual disdain.

    The curious thing is that rather a lot of IT people seem smugly satisfied with this. They are confident that they have everything "locked down" and that nothing can go wrong as long as they don't allow the users to do anything important -- whatever that means.

    To me this seems the ultimate in IT nerdiness. It gets pretty close to programmers who exclaim that they "didn't change anything" when their product suddenly starts to misbehave -- only applied to people, who are even more unpredictable than even the most chaotic software product.

    The reality is that if people hate you, they will find a way to subvert your systems, and IT won't know. People are resourceful. I strongly believe that a security system that is not supported by the people who have to live with it, will be valueless in the long run. People are your major threat and your strongest vulnerability, but potentially they are also your best line of defense. A serious outside attack is not unlikely to have a strong social engineering aspect to it.

    I've met IT technicians who blithely assumed that outsiders could never guess an internal password, because their systems strictly limited the number of login retries and required frequent password changes. It never occurred to them that someone might entice out a password by putting on a lab coat and looking official, that people are rather stimulated to write down passwords if they have to change them too often and any mistake brings about a clash with IT, or that the use of incremental suffixes permits any outsider to predict the new passwords years in the future. They sought refuge in strict IT rules, but their psychology (and their logic) was all wrong.

    Apparently, there is this curious notion in some places that IT is about managing machines. Curious, because any engineer in another field could tell the IT staff that a big part of effective support is dealing with people, their needs, expectations, and perceptions. An IT group that is just busying itself with keeping the hardware and software in a good state and not positively interacting with and educating users, is an IT group that is failing in its job.

    Of course it is much easier to concentrate on the machinery and ignore or crush the users. Machines are far more predictable and easier to work with, and sadly a lot of IT people are still conforming to stereotype and not blessed with great social skills. But at the end of the day they should watch out for their own interest --- there is no future in being a glorified window(s) cleaner.

  • by brxndxn ( 461473 ) on Tuesday February 20, 2007 @06:31PM (#18089556)
    Any IT department that fears its users are learning too much is a goddamn shitty IT department. Seriously.

    I'm an IT guy.. at an engineering firm. Pretty much everyone here is a 'computer guru' by todays' standards. So, for about 100 employees, the three of us 'IT guys' get to spend most of our time doing real engineering, programming, HMI design, drafting, etc. Our job is made much easier since we can give users full administrative control over their own computers/laptops (necessary in engineering anyway). We just 'lay down the law' in terms of what users are allowed to install and uninstall and we never have to take away privileges from people that know what they're doing.

    So, for years, the entire network and seven servers is managed as a 1-10hour/week job for one of our three 'IT guys.' We secure the network and the servers.. and we don't even bother to secure the servers per user - we just have them making tons and tons of backups so if a user does remove/move files that are important, we just replace them with backed up copies from whatever date we want.

    Having a smart userbase allows a 'smarter' IT dept. to spend less time on IT unless the IT dept. is a bunch of bumbling idiots who find it hard to stay ahead of the curve. It's really nice not to have users that need help just because they cannot map a drive.. or because they cannot install a different version of Industrial Software X because it is incompatible with Industrial Software Y.

  • by Animats ( 122034 ) on Tuesday February 20, 2007 @06:52PM (#18089772) Homepage

    1982 called. They wanted to tell you that some people now have PCs and aren't using the mainframe like they're supposed to.

You know you've landed gear-up when it takes full power to taxi.

Working...