People over process – Is your IT department doing it too?
Posted by Bhoopendra Adhikari
Some kind of dependency on one person is a way of life in most IT departments in small and mid-size organizations, and it's not uncommon even in large organizations. We are all used to that 'wizard' in the IT department who knows the key systems like no one else does and who can do everything. Every once in a while one of these guys turns rogue, and we start debating how imperative it is not to be dependent on one person. But do we ever try going beyond this reasoning?
The latest case is that of Terry Childs, a network administrator with San Francisco city's Department of Telecommunications and Information Services (DTIS). According to the few details that have been released, Terry changed all the device passwords (locking everyone else out of the system) and set up devices to gain unauthorized access to the city's prized WAN, which carries 60% of municipal government traffic. Worse, some devices were configured to erase their configurations if an attempt was made to restore administrative access. He is now in jail, and despite continued efforts by the city's department and vendors like Cisco, understanding the extent of the damage and regaining control is still a "work in progress". The possibility that they may end up reconfiguring the whole system has not been ruled out.
So what are we looking at here? Was too much dependency on one person the cause? Yes and no. Dependency on one person certainly played a part, but what I see is a blatant circumvention of processes and best practices, and a lack of management oversight to prevent that abuse. It's not difficult to deduce that simple controls over access and change management were either not in place or were overlooked completely by IT staff and management. Had they been in place, had a proper backup been mandatory before configurations could be changed, had proper authorization been required to change admin access and privileges, had proactive monitoring for rogue devices been in place, much of this could have been prevented or discovered before it took such a grave shape.
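The three controls named above (a current backup before a configuration change, a second person's approval before admin access or privileges change, and a watch for devices that are not in the inventory) are simple enough to express as a gate that a change has to pass. The script below is an added illustration, not code from the original post or from the city's DTIS; the device names, backup timestamps, requesters and approvers are all constructed, and the thresholds (a 24-hour backup window, the list of change types that count as privileged) are assumptions a real department would set for itself.

```python
"""Added example: a minimal change-control gate for privileged network changes.
Not the post's or any real department's code; all sample data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set

# Constructed device inventory and a registry of the last known-good config backup per device.
INVENTORY: Set[str] = {"core-rtr-01", "core-rtr-02", "dist-sw-01"}
BACKUPS: Dict[str, datetime] = {
    "core-rtr-01": datetime(2008, 7, 28, 22, 0),
    "dist-sw-01": datetime(2008, 7, 15, 22, 0),   # deliberately stale
}
# Assumed policy: these change types touch administrative access and need a second approver.
PRIVILEGED_CHANGES = {"admin_password", "admin_privileges", "aaa_config"}
# Assumed policy: a backup older than this does not count as "taken before the change".
BACKUP_MAX_AGE = timedelta(hours=24)


@dataclass
class ChangeRequest:
    device: str
    change_type: str
    requester: str
    submitted_at: datetime
    approver: Optional[str] = None


def check_change(req: ChangeRequest,
                 inventory: Set[str] = INVENTORY,
                 backups: Dict[str, datetime] = BACKUPS) -> List[str]:
    """Return the list of control violations; an empty list means the change may proceed."""
    problems: List[str] = []

    # Control 1: the target must be a known, inventoried device.
    if req.device not in inventory:
        problems.append(f"{req.device}: device not in inventory")

    # Control 2: a recent configuration backup must exist before anything is changed.
    last_backup = backups.get(req.device)
    if last_backup is None:
        problems.append(f"{req.device}: no configuration backup on record")
    elif req.submitted_at - last_backup > BACKUP_MAX_AGE:
        problems.append(f"{req.device}: last backup is older than {BACKUP_MAX_AGE}")

    # Control 3: privileged changes need an approver who is not the requester (two-person rule).
    if req.change_type in PRIVILEGED_CHANGES:
        if req.approver is None:
            problems.append(f"{req.change_type}: privileged change requires an approver")
        elif req.approver == req.requester:
            problems.append(f"{req.change_type}: requester cannot approve their own change")

    return problems


def find_rogue_devices(observed: Iterable[str], inventory: Set[str] = INVENTORY) -> List[str]:
    """Devices seen on the network (e.g. from a discovery scan) that are not in the inventory."""
    return sorted(set(observed) - set(inventory))


if __name__ == "__main__":
    when = datetime(2008, 7, 29, 9, 0)
    requests = [
        ChangeRequest("core-rtr-01", "interface_description", "alice", when),
        ChangeRequest("core-rtr-01", "admin_password", "bob", when),
        ChangeRequest("core-rtr-01", "admin_password", "bob", when, approver="bob"),
        ChangeRequest("dist-sw-01", "admin_privileges", "bob", when, approver="carol"),
    ]
    for r in requests:
        verdict = check_change(r) or ["ok"]
        print(f"{r.device} {r.change_type}: {verdict}")
    print("rogue devices:", find_rogue_devices(["core-rtr-01", "unknown-01", "dist-sw-01"]))
```

Each violation is returned rather than raised so that the gate can be wired into a ticketing workflow that shows the requester everything that is missing at once; the self-approval check is the part most often forgotten when a single administrator also holds the approver role.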
The fact that these instances are few and far between is not reassuring enough. First, many of them go unreported. Second, various studies, including the Verizon 2008 Data Breach Investigations Report and InformationWeek's 2008 Strategic Security Study, have made it clear that insiders have the potential to do far more damage than outsiders because of the inherent trust placed in them. If an insider is in a privileged position like this and you have no processes to mitigate the risks, you may be sitting on a ticking bomb. So before you beef up technology and start relying on a few people to manage it, ensure that you have processes in place to manage the risks those people pose.
Dependency on one person or a handful of people is a reality many IT departments have to live with due to limited resources, but is having some process in place to reduce the avenues of exploitation and risk really too much to ask for? Alas, we always learn it the hard way.

Comments
I don't believe we often learn the hard way either as we often see the same mistakes made again and again. Implementing best practices in our daily IT Service activities requires both experience and action taken from lessons learned. If we don't learn from our mistakes, those mistakes will be repeated.
Posted by: Jim Fogarty | July 29, 2008 03:03 PM
Agree! There is some tightening of the belt that happens when a situation like this blows up in our face, but it usually fizzles out after some time and we go back to our comfort zone. The most challenging part is to sustain the process over a period of time and make it a part of your IT operational fabric.
Posted by: Bhoopendra Adhikari | July 30, 2008 12:41 PM
Well said. It's not just one issue, but many - overdependency on people, neglect towards potential (identified / unidentified) risks, commitment to change, absence of process, or no commitment to execute the process in its sanctity...
I have always agreed to the phrase ' people over processes' in absolution though I keep debating that in Management, there's no absolutes. It's because all processes are defined by people and to be followed by people. As long as the people element remains, and things are left for 'individual discretion', these are perhaps inevitable.
But they can be kept at bay with robust processes, or strong execution if processes are in place already!
Posted by: Manohar Lazarus | July 30, 2008 06:44 PM