
Scaling the Heights Wed 31 Jan 07

Last Friday Dan Morrill over at the ITtoolbox had a very interesting post (Vertically Challenged) on how IT experts often get stuck in a position by being too good at their job.  I'm sure you've seen the situation: Joe is such an expert that we can't afford to promote him, since we can't find anyone with his skill level to replace him, so we promote someone else instead.  What eventually happens in these situations usually falls into one of three not very appealing scenarios.

  1. Joe eventually leaves us for "greener pastures" leaving us with a large gap in our organization.
  2. Joe stays but over time becomes increasingly bitter and disruptive until we end up taking some sort of disciplinary action.
  3. Joe becomes so narrow in the focus of his expertise that when we change technology we no longer need Joe's skills and get rid of a long-term faithful employee.

So what should IT managers and employees be doing about this?

Continue reading "Scaling the Heights" »


Trust, but Verify Tue 30 Jan 07

We previously talked about web filtering packages and not restricting access to non-business web sites, followed by how to write an effective Acceptable Usage Policy.  This brings us to the third part of this subject: setting up an effective monitoring program.  Email and the Internet are tremendous tools but they also have tremendous potential for misuse.  While we need to treat employees as adults and trust them, it is, as President Reagan used to say, quoting a Russian proverb, "doveriai, no proveriai" (Trust, but verify).

Continue reading "Trust, but Verify" »


Surfing Conditions Mon 29 Jan 07

In my last post, "IT is NOT your Mother", I talked about IT restricting access to non-business sites and made my case for why this is a bad idea.  Two key points I made were:

  • It is the supervisor's job to let people know what is expected of them.  Excessive use of the Internet for non-business items is a supervisory issue more than a technical issue.
  • It's important to treat people as adults with trust and respect.  I believe it is likely that most will act accordingly.

To go along with this I promised some practical tips on how to write and use good email and Internet usage policies (also known as AUPs or Acceptable Usage Policies).

Continue reading "Surfing Conditions" »


IT is NOT Your Mother! Fri 26 Jan 07

IT is NOT your mother.  We're not here to look over your shoulder while you're doing your work, or scold you if you've done something wrong.  Unfortunately, many companies want to use IT in this role.  Managers and supervisors have many "mothering" duties.  Sometimes these include watching closely what you do, sometimes they are those of a stern disciplinarian, sometimes it is being an encourager and teacher and sometimes it is as a proud parent reveling in the accomplishments of their "child".  Technology is now often being used in lieu of a manager/supervisor performing their oversight role, leaving it to IT to perform this unpleasant task.  Sad to say, but often IT willingly accepts this role.

Continue reading "IT is NOT Your Mother!" »


Say What? Wed 24 Jan 07

Joe Pallatto's article this past Monday (Monthly Microsoft Patch Hides Tricky IE 7 Download) likening Microsoft's Internet Explorer 7 (IE7) to viruses, worms and other malicious software generated quite a few comments.  It seems Joe unwittingly downloaded and installed IE7 by clicking on the Microsoft January 2007 security and products updates without fully checking to see what the consequences would be.  Specifically, he wasn't aware that the update wouldn't merely update his IE version 6 but completely install a new version.  As a result IE7 downloaded and unfortunately ended up causing numerous problems for Joe.  As Joe describes it "clicking on the familiar gold shield icon was not much different from getting suckered into opening an e-mail message infected with a virus or a worm Trojan".

Continue reading "Say What?" »


All Tangled Up in the Greynet? Mon 22 Jan 07

This past November, FaceTime Communications released Employee Use of Greynets: 2nd Annual Survey of Trends, Attitudes & Impact (free download but registration required).  Greynet is the term given to applications that users download to their PCs without the permission of IT network administrators and without an awareness of the possible security implications.  I discovered this report through 2 very recent online articles.  Joe Wilcox reported on this in Don't Get Caught in the Greynet at microsoft-watch.com and made some suggestions on how to deal with this.  Brian Prince at eWeek.com wrote Risky Employee Behavior on Web Threatens Corporate Networks summarizing the report.  Both articles generated a couple of interesting comments.

Continue reading "All Tangled Up in the Greynet?" »


Email Disclaimers and the Road to Hell Fri 19 Jan 07

"The road to hell is paved with good intentions."

Some of those good intentions are no doubt email disclaimers.  I'm sure you've seen them.  They are fairly commonplace in many corporations.  These are legalistic sounding statements added to the end of all outgoing emails automatically by the corporate email system.  You may not ever realize your company uses one since you don't see it when you compose your message; it is added by the system as it sends emails externally.  Take a look at some of your replies or send an email to your personal email to see if you have one.  They usually say something along the lines of:

"If you are not the intended recipient of this email please notify the sender, do not read the email and please destroy it."

Continue reading "Email Disclaimers and the Road to Hell" »


A Timely Example Wed 17 Jan 07

My good friend Russ Svendsen recently sent me a link to a rather timely article in the International Herald Tribune (IHT) that ties in nicely with my recent post on shadow IT and also my post on People and IT Security.  The IHT article "Firms fret as office e-mail jumps security walls"  talks about corporate email users forwarding company email to free web-based email programs such as Google's gmail or Yahoo! Mail.  The story is also posted at TechNewsWorld.

People like to use these systems because it lets them bypass the hassle of dealing with security provisions such as multiple passwords, the corporate email system only being accessible through company PCs, or special security systems.  Simply put, using these services is easier and quicker than the approved corporate systems.  Use of these methods can quickly spread as users pass along tips to each other or the shadow IT guys add it to their bag of tricks to make things simpler.

The formal IT folks are understandably worried about this due to the increased possibility of viruses and spyware.  But it isn't only the IT folks that have some concerns.  Circumventing the corporate email systems raises issues of data control and integrity, which gets the attention of the lawyers and Human Resources folks.  Having email stored where IT cannot locate it can raise serious legal issues if it involves subject matter caught up in a lawsuit.  Likewise there are certain legal requirements regarding data privacy, such as when patient data is stored in this manner.  As the IHT story reports "The Web mail services may also be prone to glitches. Last month, Google fixed a bug that caused the disappearance of "some or all" of the stored mail of around 60 users. A week later, it acknowledged a security hole that could have exposed its users' address books to Internet attackers."  Try telling your CEO that Google lost your company's data.

Obviously we have a significant security issue resulting from the shadow IT effect of using outside email systems.  The challenge is how do we address this in our IT security program?  The 3 goals of an IT security program are:

  • Tight security
  • User convenience
  • Low cost

Along with this goes an old saying - that when implementing a security system you can pick any two of the above but have to be willing to sacrifice the third.   This is not a pleasant scenario.  So what do we do?

This is where the "people factor" I mentioned in People and IT Security comes into play.  Making security awareness an important part of your security program can help.  It won't solve the pick 2 and sacrifice 1 conundrum but it can help minimize the problem.  It is naive to think a security awareness effort will eliminate the issue entirely but with some effort you may be able to contain the issue.  Without awareness, users are only concerned with the convenience factor and hence their choice is easy.  Some would argue that users are concerned with security too, but typically it is only when security becomes an issue and not until then.  A good awareness program can help them appreciate all 3 concerns and help create a workable balance.

What are your thoughts on this?

One logical question that this discussion raises is - What constitutes a good security awareness program?  I'd love to hear your thoughts on this and perhaps we can have a future post on that topic.


How We Can Become More Like "Shadow IT" Mon 15 Jan 07

In my previous post I made my case for formal IT becoming more like shadow IT by co-locating people with our customers.  I closed that post with what I thought were two logical questions about this proposal:

  1. Just exactly how is this co-location structured?  Are you saying we put PC techs and programmers out with our customers?
  2. How do we accomplish this?  It calls for more people than I have available.

I will now try to address these questions.

Keep in mind that what I've proposed deals with our tactical duties such as PC problems, questions about how programs work, connection issues, and simple programming issues.  These are the issues our PC techs and Help Desk people deal with on a daily basis.  In our quest for efficiency we've decided the best way to handle these issues is to physically locate all these people in the IT department.  Although this centralization has made us more efficient the presence of shadow IT indicates it has made us less effective.  Our customers have taken on the task of dealing with many issues because we in IT can't or won't.

I've proposed replacing shadow IT  with formal IT people co-located or embedded with our customers.  Specifically, I suggest we disband the PC tech and Help Desk organization and move these people out to work directly with our customers.  These folks remain IT employees and take direction from IT on items of policy, standards etc.  However, they take direction from the business units in terms of what things to work on first.

Because of our previous focus on efficiency we've tended to hire people for these positions that have "depth" that is, they are narrow in their focus.  They know a lot about their specialty but don't have a lot of "width" -- knowing something about a lot of areas.  In contrast, most shadow IT folks have more width than depth.  To make this transition we will need to make sure we have a lot of communication and training.  We also need to make sure we support these people by providing a way for them to come back to centralized IT when they have questions.

The second question is perhaps the more difficult one.  Even if you are willing to convert all of the PC techs and Help Desk people you may find that you don't have enough to provide someone for every group.    Plus we've all been around long enough to know that we aren't going to be able to increase headcount either.

The first step is to figure out who currently makes up shadow IT.  Ask your people and talk to your users and you can probably get a pretty good handle on who makes up shadow IT.  In many cases, the departments are very open about who their shadow IT person is and acknowledge it freely.  In other cases, fearing a loss of service they deny having any shadow IT.  Keep in mind that not every "department" has a full-time shadow IT person.  Smaller departments either have someone who does this only part-time or more likely they use someone from a neighboring department.

The next step is to work with the business unit manager to convert some of the shadow IT people to formal IT personnel.  To do this you have to address their WIIFM (What's In It For Me) issues.  If you can show that by doing this you still provide the same service they have had through shadow IT plus the IT concerns are addressed they will be more accepting of the change.  Business unit managers understand and really do support the IT concerns as long as IT's concerns don't hold them back.  If you can demonstrate the same level of service through co-location they will support the move.  Taking people out of their budget and into IT's can also be an added incentive (again, as long as the service level stays the same).

In doing all of this don't forget to work with the Human Resources and Accounting folks.  The key point is that although IT's headcount and budget go up, there is an offsetting decrease in other areas for no net change.

Not all departments will go along with this.  For these groups I'd suggest skipping them and implementing this where you can.  Over time as people see actual results they may be more agreeable to making the switch.  In fact, you may want to roll this out a department or major area at a time to work out the issues.  This gives you the opportunity to adjust the program as you go along and to demonstrate your seriousness about making this work.

Lastly, don't forget your IT folks.  Don't blindly ship them off with nary a fare-thee-well.  This change may be difficult for them.  Support them with training, communication and support.

Co-location isn't easy.  It makes our management task more difficult.  But keep in mind, our ultimate goal is to provide better service.

What do you think about this? 


IT Needs To Become More Like "Shadow IT" Fri 12 Jan 07

Go into any company with a formal IT group and you'll also find some "shadow IT" groups.  Shadow IT is the unofficial IT group that people have learned to depend on to get things done.  You know the folks I'm talking about.  It's the lady 2 cubicles down from you that you go to ask questions about Excel.  It's the engineer you go to when you have a question about your PC.  It's the guy that loads a bootlegged copy of a program on your PC for you or wrote the Access database that your department's operations have come to depend on.  It's the people the IT folks dismissively refer to as "those cowboys".  It's the guy that installed the scanner for you that upset IT so much when you called them for support because they didn't even know you had a scanner.  It's not anyone in the IT group.

Shadow IT is the bane of formal IT's existence.  Just go ask your IT manager about shadow IT and watch the veins in their forehead pop out.  Shadow IT can really be a problem for a company.  The problems with shadow IT have to do with how they deal with issues of:

  • Documentation - Why should Sally document what she did?  She's the only one that works on it.  It's not like she might ever quit or get sick or infamously get hit by a bus.  Right?
  • Backup - Backup is just a hassle. It's running on a reliable PC.  What could go wrong?
  • Standards Compliance - Why bother using IT's programming or hardware standards?  It's not like we'll ever ask IT for help or want to connect to other systems is it?
  • Security - Security just gets in the way.  We all know each other don't we?  Would anyone really snoop through my files for salary information?
  • Testing - I've been doing this for a long time.  There's no need to test.  The results look about right so it must be running perfectly.
  • Inefficiencies - Sure my shadow IT activities take up a lot of time but it's more fun than what I'm supposed to be doing.   Besides, Joe the Ph.D research engineer over in the R&D's shadow IT group is helping me write a database for our department phone directory.
  • Software Licensing - One extra copy won't hurt.  It's easier than going through IT and Purchasing to get a legal one.  Besides, Microsoft makes too much money anyway.
  • Proper Control - Controls just slow us down.  Besides it's the IT guys not us that have to answer to the Sarbanes-Oxley (a.k.a. SOX or Sarbox) auditors.

These are all valid concerns for both the company and IT and IT managers understandably want to do something about getting this under control.  Typical reactions include doing such things as:

  • Locking down PCs and limiting what users can do on them
  • Issuing strongly worded memos
  • Going to the boss's staff meeting and getting all the managers to agree to talk to their people about this
  • Writing lengthy and detailed policies and procedures
  • Complaining to the boss about what problems it is causing us
  • Talking to the department manager and explaining the situation to them so they understand they really need to work through IT
  • Ranting to anyone who will listen about how miserable shadow IT is making your life

Despite all of these valiant efforts, shadow IT continues to thrive.  Why is this?  Perhaps it is due to:

  • Accessibility - They are in my area.  They are very easy to access.
  • Responsiveness - They respond quickly.  I tell them what I need and it gets done.
  • Dedication - They only work on my problems.  The only problems I have with competing priorities are from others in my group.
  • They know my business - Shadow IT knows my business and what I need.  After all, when they occasionally aren't doing IT stuff they do the same things I do.
  • Easy to use - It's easy to use shadow IT.  No Help Desk to go through, no project request forms, no cost/benefit analyses, no Steering Committee reviews.

The reality is that no amount of ranting and raving, or writing of policies and procedures or threats or talking with managers will stop shadow IT.  The perceived benefits are just too attractive to users and their managers.  In my opinion the only way to put an end to shadow IT is for formal IT to compete with shadow IT head-on and outperform it.  We need to have more shadow IT groups by forming them out of IT.

Doing this means changing the way we have traditionally organized and run IT.  It also means giving up some control.  In a nutshell I'm suggesting that we physically place or "embed" IT people out in the business departments and we let the business departments control what they work on and what they do.  Basically the business determines the priorities and IT controls the methods (i.e. security, documentation, standards compliance etc.) which addresses the valid concerns of each group as described above.

I should mention one clarification.  This co-location is not intended to change how strategic IT projects are handled.  Although shadow IT is often involved in strategic projects, they are not the sole implementers.  The same holds true with what I'm proposing.  However, although this proposal deals with tactical issues, it does have a significant effect on strategic issues.  It is a matter of credibility.  If you don't think executives say things like the following to themselves, you're kidding yourself:

  • "Why should I believe that IT will be able to successfully implement an ERP solution when they can't even fix my PC or answer my questions about Microsoft Office?"
  • "How can IT talk about configuring a solution to my needs when they don't have a clue about how my business works?"

One of the biggest advantages of co-locating IT people with their customers is how closely linked they quickly become with those customers.  It is a matter of empathy and can go a long way towards alleviating the concerns above.  Jeffrey Phillips at Thinking Faster recently posted on Customer Empathy Matters which discusses the need for employees to be able to develop an empathetic attitude.  Christopher Koch at CIO.com also commented on this in his blog posting Play Fair.  I feel this is so important that it is a critical key competency I look for when hiring new IT employees.  By co-locating IT people with our customers we greatly improve our chances of being successful at this.

So although you may agree with this approach in theory, I imagine you have some very logical questions.

  1. Just exactly how is this co-location structured?  Are you saying we put PC techs and programmers out with our customers?
  2. How do we accomplish this?  It calls for more people than I have available.

Please bear with me.  To avoid making this post too lengthy I'll discuss these questions in my next posting.




Creative Commons License 
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 2.5 License.


This is the personal blog of Michael W. Schaffner. The opinions expressed in this blog are solely mine and those of commenters. You should not infer that these opinions are the opinion of or have been endorsed by any current or former employer.


Copyright © 2006, 2007, 2008, 2009 Michael W. Schaffner.  You may copy or quote sections of this blog if you provide an attribution consisting of a reference to Michael Schaffner and "Beyond Blinking Lights and Acronyms" along with a hyperlink (if a web reference) to the blog posting.
