On Slashdot, a newcomer to the IT field asked a really good question: What do you do to avoid seeing things you’re not supposed to see?
Clearly, some people do it better than others, but it seems to me it’s a fact of life that eventually you will see things you’re not supposed to see. How you handle it is the bigger problem.
I know what the guy is talking about. One time I was working on a computer when a sensitive e-mail message came up. The user took me for a walk. He’d applied for a new job, and his dad–who also worked there–e-mailed him wanting to know everything.
“You weren’t supposed to see that,” he told me. “Promise not to tell anyone?”
I told him I see stuff like that way too often, and that I wouldn’t tell anyone, just like I never told anyone about the other stuff I found. I kept my word, he got his job, I got the next job I applied for, and everyone was happy.
It seems like something like that happened at least once a year, and more like once a month people would tell me their passwords. I’d cut them off as early as I could, saying I didn’t need to know their password and didn’t want to know it. That’s one thing you can do. The other thing you can do is to ask someone to close their e-mail and close any sensitive documents they may have open while you work. People will appreciate that, and it can only help your professional reputation, but let’s face it. When everyone’s trying to squeeze 60 hours of productivity out of your 40 hours at the office, from time to time you’re going to forget to ask that question.
The inescapable fact is that most IT professionals have an administrative account that lets them see a lot of things. A company’s computers collect tons and tons of information anyway. So we need to operate by a high code of ethics anyway. Our employers or clients have entrusted us with a great deal of power, and we have to not misuse it.
Part of being an ethical professional is that we won’t gossip about the things we see, or the things we happen to overhear because cubicle neighbors didn’t realize we were there, working on a machine.
Now, people won’t notice when you keep your mouth shut about things you’re not supposed to know, because they can’t possibly know you know about it if you’re not talking. But they’ll certainly notice when your mouth is running and it shouldn’t be. In IT, people assume you’re trustworthy until you prove otherwise, and talking about stuff you shouldn’t be is the best way for you to prove that you aren’t.
And in the long run it pays. I’ve seen people who stepped on other people, used things they shouldn’t know to their advantage, or were otherwise dishonest, but it’s always caught up with them. Sometimes it takes years, but it catches up with them. While people who are honest and trustworthy may hit a bump in their career here and there, they always land on their feet, and some do a whole lot better than landing on their feet.
In my case, doing better than landing on my feet meant moving from the sysadmin side of the house to the security side of the house. One of the very fundamentals of security is not talking about stuff you’re not supposed to talk about. There are lots of opportunities in security, and that’s not going to change for a very long time. Seeing things you aren’t supposed to see is inevitable, but one should minimize it, and then when it happens, look at it as an opportunity to practice being honest and being careful what you talk about.