Computerworld published a scare piece on rogue IT people.
Linuxplanet countered with a piece that was about equal parts substance and hand-waving. I found myself mostly agreeing with the Linuxplanet piece, but was disappointed it didn’t go deeper into the counter-arguments.
I’ve been on both sides of this.
In my first job, I worked with a rogue sysadmin. A department with a lot of clout decided that they wanted their own IT guy, so they could control him. So they went and hired someone. I wasn’t part of the interview process, so I don’t know what they were looking for other than someone who was willing to work for less than $20,000 a year. But that dollar figure tells you a lot. Even in 1998 in central Missouri, at best, $20K is going to net you damaged goods. Ten bucks an hour doesn’t buy you much experience or quality.
He did run rogue servers, or shadow IT, and I caught him sabotaging a production server because he thought that would help further his own agenda. Fortunately, he made no effort whatsoever to cover his tracks, so another coworker was able to corroborate my findings, keeping it from just being his word against mine. He was escorted from the building later that day, and we spent the afternoon scrambling to secure the network. It was a long day.
Two harsh lessons
To its credit, that department learned from its mistakes. They did a lot better when they hired his replacement. I thought they had a couple of viable candidates, but the final decision wasn’t mine to make. And he was honest and reasonably competent.
Pay a reasonable rate
They figured out that they weren’t paying enough to get someone who was, you know, qualified. That’s lesson one. Almost any job search site has a salary estimator, where you can punch in qualifications and get a dollar figure. Those estimators are meant to be used by job seekers to figure out what they’re worth, but someone doing the hiring can use them too. They can give you a reality check. You may be able to get someone for substantially less than the going rate, but you’ll get what you pay for–either damaged goods, or someone biding time until a better job offer comes along.
Maybe you’ll get lucky and find someone who has no idea what the going rate should be for that job description. I’ve seen that happen before. But word travels. You can prohibit people from talking salary at work, but eventually they’ll get an offer outside of work, and if that offer is significantly higher than what they’re making now, they’re good as gone.
When that department decided to hire a replacement for their rogue sysadmin, they involved us in the interview process. Someone questioned why they wanted us there, and one of the higher-ups put it really bluntly. “Farquhar knows how to cut through the [expletive] and see if the guy knows what he’s talking about.”
I wasn’t doing anything special, other than talking shop with the candidates. They could claim experience with whatever they wanted and put lines on their resume. It’s another thing to talk intelligently about them. And even though those managers probably didn’t understand a word we were saying, they could gauge my reaction.
Many months ago, I read an assertion in an editorial (it may have been in Computerworld) that only a doctor can properly interview a doctor, and only an IT person can properly interview an IT person. It makes sense. Someone in HR or management can ask if you know Windows Server 2003 or 2008, but an IT person who already has the experience you want can go deeper and get the interviewee to tell stories, and actually understand what the interviewee is saying.
If I ask what you do when a computer falls off a domain, I’m not satisfied with “Add it back in.” I can follow up by asking how. If the interviewee mentions deleting the account out of Active Directory Users and Computers, and logging in locally, taking it out of the domain, adding it back in, and rebooting, I’ll be happy. And since I know about how to do that, if the interviewee is just making stuff up, I’ll know that too.
So if your organization already has an IT department, involve the person with similar qualifications in the interview process. If you’re a small organization with a one-person IT department, your job is tougher. Hopefully you know someone and can borrow an IT person for a couple of hours to help in the interview.
There seems to be too much concern about trying to find someone trustworthy in IT. Yes, there are untrustworthy people in IT. I’ve worked with some sleazebags. I can say they’re in the minority. I’ve probably worked with a couple hundred different people. I can think of six who, frankly, I wouldn’t believe a single word that comes out of their mouth. But that’s six. Out of a couple hundred.
As for the rest, they’re like anyone else. Some are people you can coexist with, but you don’t invite them over for BBQ or anything. And some got invited to my wedding.
Yes, there are corrupt people in IT. There are also corrupt people in finance. And any other field.
To avoid hiring corrupt IT people, follow whatever procedures you use to not hire corrupt accountants and other job descriptions. Check references and do background checks and/or drug tests. I’ve had to do all those things.
There’s nothing all that different about IT. If the rest of your organization is a den of thieves, then your IT organization probably is too. If your hiring policies keep the rest of your organization pretty clean, then your IT department is probably pretty clean too.
Being on the other side
I’ve been on the other side too. Long-time readers know that 2005 was a rough year for me. I won’t go into all the details, but I got downsized in May, and then again in October.
From what other people told me afterward, after the May departure, they scrambled to secure the network from their new “threat”–namely, me.
I’m not ashamed to tell you what I was doing while they were making sure I couldn’t get into the building or the network or anything else ever again. I was making phone calls, trying to find other work. I knew of other people who had expressed interest in me, and suddenly I had motivation to find out just how interested they were.
And in the November case, I did the same thing. I started making phone calls.
I’ll tell you the other thing I did, in both cases. I offered to help if needed.
The first one took me up on it a couple of times, with phone calls. I didn’t get compensated for that time. I probably should have worked out some kind of arrangement, but they only kept me on the phone a few minutes each time.
The second one took me up on it by keeping me on for a while, on a week-to-week basis. One coworker was having difficulty keeping his kids healthy. The other was missing a lot of work for other unspecified reasons. I won’t speculate. Thanks to that situation, I was able to stay on almost an extra month beyond what was supposed to be my last day.
Of course I wasn’t happy about leaving either position. I wasn’t especially happy at either job either, but it was work, and I needed a paycheck. But no amount of revenge is worth giving up your future to get. And I actually told at least a couple of people that there was nothing I could do that could measure up to what they’d do to themselves anyway.
Was I right?
Well, the company behind that November layoff filed for bankruptcy a year or two later. They’ve since emerged, but they’re a weaker company. When their CEO was offered a position other than CEO at another company, he jumped. What’s that tell you?
As for the May layoff, a few years later, their upper IT management all showed up for work one day and was escorted out of the building. Out of curiosity, I checked up on the former head of IT last year. As far as I can tell, he’s running some kind of independent consulting business out of a spare bedroom of his house. And the address isn’t the half-million dollar pad he lived in when I knew him, either.
Most of what’s in the preventative measures section of the article is common sense: make sure at least two people have administrative rights to everything, separate the duties of IT and security, check credentials, and use the principle of least privilege. I’d add one more thing. When you hire someone, keep them on probation for six months. Six months is long enough to know what you have in someone. Almost everywhere I’ve worked has one of those. Terms vary, but in some cases, you don’t even get your full salary until the probationary period is over.
Either checking credentials or a probationary period would have prevented the first problem described in the Computerworld article. Either of them. There’s no reason that creep ever should have been hired in the first place.
And when you have to pull the trigger and terminate, do it right. In that regard, you have to treat IT like you would anything else that was critical. Surely there’s a plan in place for handling someone who had the ability to move large amounts of money with a phone call, right? Anyone with admin rights has comparable power.
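Here is what “do it right” can look like in an Active Directory shop, as an added example that is not part of the original post: an offboarding helper that refuses to strip a leaver’s admin rights until it has confirmed at least two other enabled admins remain, then removes group memberships, scrambles the password and disables the account. It assumes the RSAT ActiveDirectory module and a privileged session; the group names, the `$Leaver` parameter and the function names are my own choices.

```powershell
# Added example, not the post's or any project's code. Requires the ActiveDirectory
# module (RSAT) and a session that already holds rights to change these groups.
Import-Module ActiveDirectory

function Get-EnabledAdmins {
    param([string]$Group = 'Domain Admins')
    # Resolve nested membership so an admin hidden in a sub-group is counted too;
    # only enabled user objects count as "someone who can still log in".
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { Get-ADUser -Identity $_.distinguishedName } |
        Where-Object { $_.Enabled }
}

function Invoke-AdminOffboarding {
    param(
        [Parameter(Mandatory)][string]$Leaver,   # sAMAccountName of the person leaving
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')
    )
    # Rule from the post: at least two people keep admin rights to everything.
    # Check every group BEFORE touching anything, so a failure leaves the directory unchanged.
    foreach ($g in $PrivilegedGroups) {
        $remaining = @(Get-EnabledAdmins -Group $g | Where-Object { $_.SamAccountName -ne $Leaver })
        if ($remaining.Count -lt 2) {
            throw "Only $($remaining.Count) enabled admin(s) would remain in '$g'. Assign a second admin before offboarding $Leaver."
        }
    }
    # Pull the leaver out of every privileged group; ignore groups they were never in.
    foreach ($g in $PrivilegedGroups) {
        Remove-ADGroupMember -Identity $g -Members $Leaver -Confirm:$false -ErrorAction SilentlyContinue
    }
    # Scramble the password to 32 random bytes (never shown to anyone) BEFORE disabling,
    # so an accidental re-enable later does not bring the old password back with it.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPwd = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $Leaver -NewPassword $newPwd -Reset
    Disable-ADAccount -Identity $Leaver
    # Return the post-offboarding admin counts so the ticket can record them.
    $PrivilegedGroups | ForEach-Object {
        [pscustomobject]@{ Group = $_; EnabledAdmins = @(Get-EnabledAdmins -Group $_).Count }
    }
}

# Usage (placeholder account name):
# Invoke-AdminOffboarding -Leaver 'jdoe'
```

Shared service-account passwords, VPN certificates and anything else the leaver knew still need rotating separately; this only closes the directory account.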
And that alone is part of the key. IT people all too often are treated like blue-collar workers. And yes, sometimes the job requires literally getting dirty. But it’s a job that requires a lot of hard-won skills and knowledge and carries a lot of power. Respecting your IT workers can go a long way, because in many cases, that’s what they crave the most.
Treating them with respect is a good start to keeping them happy and keeping good workers from going rogue. And I’ve seen people treat hiring IT personnel with less thought than they give to where they’re going to eat lunch. That, too, is a mistake. You’re hiring someone who carries a great deal of responsibility and a great deal of power to either help you or harm you when you’re at your most vulnerable.
So you’d better choose wisely.
Well, as far as securing the network from the “threat,” hey, a good security person is a paranoid person. And sometimes it’s the person least likely to sabotage you… I suspect that all the people who actually scrambled to keep you out would have been willing to swear on a stack of Bibles that you weren’t actually going to try anything. Doesn’t really matter to me; the principle is that the one person who surprises you is the person who is going to cost you millions.
When I resigned from my job a year ago, I found myself in the unique position of having to defend my own network from the future threat — “myself”.
I wasn’t going to attack the network after I left, of course. I was leaving one government branch to work for another, but as a senior network engineer and a domain admin for one of the largest sections of the FAA, it behooved me to change passwords before I left. It protected them, and it protected me.
Unfortunately, many of the security programs and scripts we ran were written by yours truly, so I had to work with other people to show them how to remove my access. One by one, passwords were reset and accounts were disabled. I told them I would not take it personally if I were escorted out or found my account disabled, but of course those things never happened. In fact, on my last day, everyone else had to go home early, and I ended up closing up shop on my own. My last official act was disabling my own account.