Getting Company Owners To Follow Their Own Rules? 387
techmage writes "Recently we had an issue at our small company that resulted in the loss of a lot of important data. To prevent it from happening again, we created a company-wide policy that all computers would return to IT to have their contents backed up, and the computers would be formatted and reloaded for the next user. Consistently the owners of the company break this and other policies we set up to prevent data loss, theft, etc. How do I get through to the bosses that when they break with the policies, they are potentially shooting the company in the foot?"
Explain what can happen (Score:5, Insightful)
meh, keep it simple (Score:5, Insightful)
Who signs the checks? (Score:5, Insightful)
You don't (Score:4, Insightful)
Quite simply, you don't. I've worked at large banks that do not follow their own rules. IT cannot drive policy if C level executives do not want to follow the policy. If you can get auditors or examiners to force the policy to be followed, then it can work. Otherwise, IT cannot do anything. They will only be seen as chicken little and IT will lose what little standing they have at the company already.
Don't be a dumb ass (Score:3, Insightful)
They who have the gold make the rule.
Your responsibility is to recommend and record your recommendation, and do your job as you can.
In the end, it is "their" company, not yours. It's the way of capitalism. You don't like that? Change your job.
For what it's worth, I didn't mean any of this in sarcastic/offensive way. I am being sincere.
Flip it around and see how you would see things if you were the owner.
Figure a better way (Score:5, Insightful)
You've already failed. (Score:5, Insightful)
You've created a policy and don't have the owner-level execs onboard?
That's failure #1 right there. Good policy making for security purposes isn't "And IT saith THUS!". Operating in this kind of vacuum gets your enforcement NO PLACE. Fast!
You have to involve these people pretty much from the get-go. This way they understand why the policy is in place and have less self-provided incentive to circumvent it.
And yes, as others have said, a small amount of "horror story" can go a long way too. But only DURING the policy creation process. Afterwards, they look at it as simple justification of an arbitrary policy.
Right now you guys haven't got a leg to stand on.
Re:Who signs the checks? (Score:5, Insightful)
Pretty much the best way (Score:5, Insightful)
I mean you can't make the owners do anything. They own it, it is theirs to do with as they please. They could close up shop tomorrow for no reason if they wanted. So you can't force them to do as they should. Likewise, nagging them could be a bad career move. So the best thing is a CYA. Have something that says they understand the risks of not following the policy more or less. Then, if shit does break you should be covered. They'll either realize that they made a mistake and be fine, or they'll come looking to blame you and you can pull out the document and say "We made sure to inform you of the risks and you signed off saying you understood them and that it was up to you if you chose not to follow them."
That's the best you can do.
Re:meh, keep it simple (Score:4, Insightful)
Reassess your place in the universe, techmage. (Score:4, Insightful)
What makes you think the owner's information should be available to you in the IT department?
Re:Explain what can happen (Score:5, Insightful)
Explain the risks, if they choose to ignore it document that they have not returned the laptop to be backed up so that they can't try and blame you if it goes wrong and data loss does occur.
Have no fear, I have an asshole cousin who used to own a company. Anytime something went wrong he made sure to blame somebody else.
So it doesn't matter what you document, or how hard you try convince them that you're trying to protect their company; if something goes wrong, you're probably fucked. But keep those notes as due diligence, in case they really try to screw you for their fuckups. And keep your resume up to date.
sociopaths (Score:4, Insightful)
Re:Who signs the checks? (Score:2, Insightful)
Re:meh, keep it simple (Score:5, Insightful)
I'd ask anyone who routinely overrides your authority in the data-protection sphere to sign a form indicating something to the effect that they've been informed of these policies and the potential risks and if it all comes crashing down because they don't listen to you, it's not your fault.
If they have the authority to routinely ignore / override your security policies, they don't have to sign the fucking form either.
Re:sign this (Score:5, Insightful)
1) Thank you for trying to save me money. Your recommendations are welcome as I'm paying you for your expertise and opinions.
2) If you're going to try to have me sign something like that I'm going to have a talk with you about bureaucracy and how we can't afford a BS cover your ass mentality in a small company. You may rest assured that if I don't back up and there's a crash there are two possible results: If I'm a bad manager I'm going to come back at you and no little piece of paper will stop me from firing you (though I'd expect you would receive unemployment as it's not really for cause). If I'm a good manager I'm going to write the check to cover the damages, feel foolish and accept your recommendation going forward.
3) If it's a dumbass relative that thinks they can ignore the rules because they're family working in a family business (and they don't sign the checks) then I expect to see their name (and possibly mine if I'm doing it too) on the report of IT security scofflaws that you periodically (though infrequently) prepare for me.
In a company controlled by a single or few owners it is reasonable to recommend, cajole, suggest or encourage proper owner behavior, but if you dictate it and attempt to threaten (for instance by saying in a confrontational manner 'ok, but I'm not taking responsibility then') you are writing checks that your expertise may not be able to cash. As an owner it's important that my IT works right, but it's absolutely imperative that I don't lose control of the company. Don't make me think that you're trying to take it away from me or lord your technical expertise over me unless you have a VERY secure position.
Re:Pretty much the best way (Score:3, Insightful)
Meanwhile, back in the real world:
Owner : IT Guy IT Guy, my data is gone! Save me
IT Guy : Well here we have this release I made you sign last month that clearly said that if you lost any data it was your own damn fault.
Owner : He's a post it with the words "you're fired on it". Now take your arrogant self-righteous ass out of my office.
Re:Explain what can happen (Score:5, Insightful)
If you have that stuff documented, they can't screw you out of unemployment.
Re:Pretty much the best way (Score:2, Insightful)
I remember in 2003 I worked for a non-profit where I managed all IT software (but not hardware). I noticed that various employees were storing large files onto the server. Not a big deal, but we only had about 3 months left of harddrive space at the current upload rate.
I informed my boss several times, telling him if we didn't expand memory, everything will crash - including email for all 40 employees.
Well, he didn't act, everything crashed, and apparently they had a several day 'emergency' until they remembered what I told him.
Point is, I protected myself by having multiple talks with my boss on the situation before it happened.
Re:meh, keep it simple (Score:5, Insightful)
If you honestly work at a business where the boss both ignores your expert opinion and refuses to acknowledge their contempt for business continuity planning, you should probably be looking for employment elsewhere. You're never going anywhere in that business environment, and the business itself is likely never going anywhere positive either. Unemployment sucks (and I've been there), but a dead-end job can be worse (stress in the short-term, and employability in the long term).
Re:Explain what can happen (Score:4, Insightful)
If you have that stuff documented, they can't screw you out of unemployment.
Wanna bet?
Re:Pretty much the best way (Score:5, Insightful)
Talk the Talk (Score:3, Insightful)
"How do I get through to the bosses..."
Talk boss language to them.
Wait until one costs the company something through a computer failure and failure to follow the policy.
Fix the problem and present the machine back to them with a bill for the repair. Make sure to boost the price to cover any ancillaries such as your training, their training, their retraining, lost time to the company due to their down time, and any similar costs you can dream up. Keep copies.
Request a general meeting with the bossships. Present the data from the above repair, anonymized to protect the guilty. Compare the cost presented with the cost of following policy. Make sure to point out that they too stand to lose financially (ie not make even more money) if they or others cost the company money. Suggest that in order to protect the company they adopt the policy that such unnecessary costs be charged to the individual in the future.
For theft, adjust scenario as necessary as well as costs. For concominant data theft, do the same, as well as figure in cost to the company.
Or put together a 'what if' report based on a previous loss and present that at such a meeting, rather than wait until it actually happens. Feel free to pretend it did at the start of your presentation (with knowledge of at least one boss). Done this way you could make it look like the company was sunk and scare the bejeezus out of them.
Re:Explain what can happen (Score:2, Insightful)
Shouldn't be marked troll. Unemployment bureaucrats are simplistic beings and only understand things like "he violated the dress code" or "he came in 5 minutes late once". They aren't going to give a crap about your "data protection policy" if the owners even bother going through the motions.
Re:Assign it a cost (Score:5, Insightful)
Re:Just remind them (Score:4, Insightful)
That's a very good point, it's quite likely that the owners know exactly what they are doing and why they are doing it. You won't get far in business by blindly trusting everyone who works for you.
I've worked a couple places like this (Score:3, Insightful)
My advice: Find a new job.
It's done wonders for my stress levels.
Re:Pretty much the best way (Score:4, Insightful)
They'll either realize that they made a mistake and be fine, or they'll come looking to blame you and you can pull out the document and say "We made sure to inform you of the risks and you signed off saying you understood them and that it was up to you if you chose not to follow them."
The only thing you'd get out of such a document is protection from them suing you after they fire you! I'd suggest this:
1) Write an email to them, indicating your concerns about the safety of the data, and how they need to adhere to the protocol in order to protect themselves. Be very nice about it, and indicate that you are confused as to how you should proceed after meeting X...
2) They'll reply with something or other. Print both emails off, WITH FULL HEADERS included. File those someplace offsite, perhaps at home.
Why would you need everything signed in triplicate? That's just intimidating, and likely to engender mistrust. These are your bosses! They're nice enough to hire you, provide you with a living wage, and ask you to solve their problems - be nice enough to respect their position and wishes. And even if they are vindictive, you just need enough to show good faith effort on your part.
In my experience with things legal, the law isn't interested in the fine grains of the contract, they're interested in what you actually agreed to. At least in California, verbal contracts are OK so long as they are substantiated by actions or supporting evidence, and the courts have already ruled that email is sufficient evidence of an agreement/contract, so anything more is just a formality. But if you get all weird on them, it's a good possibility you'll just lose your job.
Of course, if you are really worried, IANAL, go hire a lawyer, blah blah. But IMHO, if you do, you'll probably just end up fired.
Re:Pretty much the best way (Score:5, Insightful)
Re:Explain what can happen (Score:5, Insightful)
If you have that stuff documented, they can't screw you out of unemployment.
Sure they can... even if one is perfect, I am sure there are citable reasons one would have trouble defending against in an unemployment benefits battle. And if the person is not perfect, well, then, there's grounds for termination without unemployment. "Gee, that's the third time you were late... I dont care that it was only 37 seconds, or only the 3rd time in 10 years... the employee rules state that on the 3rd time, we can terminate you. This has nothing to do with that whole lost data fiasco that you documented was my fault."
Seen it happen. Fortunately never to me... though, I also never filed for unemployment...
Comment removed (Score:5, Insightful)
Re:I don't get it... (Score:3, Insightful)
I am with you as far as the confusion. You they asking all the laptop users to hand their laptops over at certain intervals to be backed up, reformatted, and reallocated? That sounds like the definition of fail, and if I was in charge I would not put up with it.
Here are my simple tips for discussing backup with people who are generally "too busy" to bother with backups.
Advise them to keep all their data on the server. When they are working in the office, this should be easy. Word, Excel, or whatever should have the default save to directory be the directory they would save things to on the network. They might say that the data is too important to share with anyone. Create them a network share that only they (and the account used for backing stuff up) can access. When they work away from the Office, ask them just to copy the stuff they did over to the network. They will probably do it anyway after they get sick of having data in two places. Note that this is for the people who are typically in the office.
For people who are out of office/in satellite offices, create a system that is simple and doesn't require much effort on their part. I bought western digital passport drives and set up their software to automatically backup/sync whenever it is plugged in. I had a talk with these guys and told them to keep in on their desk and plug it in every monday morning if possible. They didn't believe me that their stuff was backed up that easily. You can do this for internal users who refuse to use the network, as well.
I personally will send out E-Mail messages every two months or so asking those with laptops to "Make sure they have plugged in their backup drives" and "Do a quick check to see if your Antivirus says it is up to date" because there is a virus coming around that could be very deadly. Sometimes it is a little white lie. Sometimes it is the truth. Whatever. The fear of a possible virus seems like a scarier and more immediate threat than a random hard drive crash so they take action. I usually get a response from most of them that gives me an overview "I plugged in my drive last Monday and my virus definitions say they are from today....I'm safe, right?"
In summary, just do what you can to automate the process and make it simple for users. Don't make them hand over their laptops for several precious hours/days of business. The less effort they have to put forth, the more likely they are to do it.
Re:Explain what can happen (Score:5, Insightful)
suing to get your job back
I've never understood that concept. If your employer fired you, why would you want to continue to work for them? I know you might need the money or something, but surely the fact that they fired you would create a less than ideal workplace environment, if not an outright hostile environment? Especially if "get your job back" involves working for the same manager...
I am speaking from experience here, to a degree. My manager fired me (literally because I insisted I be allowed to clean up code incidental to my bugfixes), but his boss overrode the firing and gave me control of IT instead. It was not exactly pleasant having to continue to interact with the former manager - and even though the manager later admitted to his boss that he was wrong to have fired me, he refused to admit it to me, and of course that meant he was unwilling to do anything to improve the work environment as it related to the interaction between our jobs.
What I'm getting at is that if I ever find myself in a similar situation again, I do not believe I would attempt to force the company to continue employing me, because I do not believe I could tolerate the resulting poor work environment.
Does anyone have any insight on this? Anyone ever been through this before? How did it work out?
Re:Explain what can happen (Score:3, Insightful)
And for that exact reason, sometimes IT has to enforce things that even bosses don't like.
I read a lot of "the owner is the boss" replies, which is technically correct. But if something goes wrong, your ass 's gonna get in trouble. Therefore, if the boss doesn't cooperate, sometimes you have to 'help' him/her a little.
1) You could fix it under water by syncing over their c$ d$ etc, install a rsync daemon or something.
2) Make them come to you: i once had this boss that refused to bring his laptop in for anti-virus installation after the stand-alone anti-virus expired, for about half a year. I made a vbs script to pop up every hour warning about security issues, installed it over the network and had the laptop in my office in a few days.
3) Or use auditors to enforce policies. I have a little chat with our accountant's auditors every year. I haven'd had the need to use this way, but if i really need something fixed, I may inform the auditor something's wrong.
Re:Explain what can happen (Score:1, Insightful)
"so that they can't try and blame you if it goes wrong and data loss does occur"
Oh hoh hoh yes, everyone is so understanding and rational when shit goes down.
Have you ever WORKED for a corporation? Dealt with the CEO? This never happens. They will be unhappy with you, regardless of whether they know that it's not your fault or not.
Re:Reassess your place in the universe, techmage. (Score:3, Insightful)
If there's a trust issue between the boss and his employees, someone should be looking for a new job, or at least assessing their loyalties.
Re:Explain what can happen (Score:3, Insightful)
If nothing else it can help remove a black mark from your resume. Depending on the job, you might change positions or locations. Sometimes the same action will even cause the bad person to be fired, if the stars are truly right.
Re:Explain what can happen (Score:4, Insightful)
I'm not sure about elsewhere, but in the UK, you'd have good grounds for an employment tribunal. Specifically you'd be looking for an unfair dismissal (if sacked) or constructive dismissal (if you were forced to quite) case. For what it's worth, most companies don't even seem to bother fighting these now if they are in fact justified, purely because they have come to accept that you can't treat employees like that. They will most likely just settle with you if you find yourself in this situation.
Companies can't just sack people, and even making up excuses doesn't work for them if the employee chooses to fight it. They have to be able to justify why you were sacked, whilst you're right that being late 3 times may be justification, it is not justification if others have also been late 3 times and yet only you have been sacked. If you had been late 3 times, constantly under-performend and so forth then they could again justify this, but they would need to prove you've under-performed, this might include bringing up past appraisals and so forth, but this is why it's a good idea to make sure you agree with your appraisal outcomes.
The key is that the company has to be able to show that you were worse than other employees, and that if you were worse, it's not because you'd been treated differently and set up to fail.
I believe the US has slightly less employee protections than this, but this is certainly the case in Europe. Whilst someone whose hated by the whole company can be sacked, employees here have a lot of protection against bad bosses who would sack them out of sheer malice or incompetence. If anyone is wondering why we have such laws, it's because we don't want unemployment stats and unemployment benefit costs raised unnecessarily by having people perfectly able and competent enough to do the job sacked unfairly.
Regardless though, if you are in such a situation, and taking the matter to a higher level of management if one exists doesn't solve it, then you're better off going elsewhere anyway, because although they may not be able to get rid of you, they can at least kill off your career by preventing you getting promotions and payrises although even that's subject to some protections if everyone else gets a rise, or the interviews for promotion were carried out in a provably unfair manner for example.
Re:Pretty much the best way (Score:3, Insightful)
That said, I think it's important that you find a way to be very very clear with the owners about what you believe the consequences to their actions will be. Do it in writing if possible. Be polite and respectful, but don't be subtle. The more vague you are, the more likely it is that they'll hear what they want to hear and ignore what they don't want to hear. Be as clear as possible without incurring their wrath. If you have to, be repetitive and say the same exact thing 5 different ways, but make sure that they understand how their bad actions put the future of your company in jeopardy.
Also understand that they might not like you afterwards. I've known a number of small business owners who were manipulative and petty and they couldn't tolerate anyone pointing out their flaws or telling them they're wrong.
So don't tell them they're wrong, tell them they're important. Tell them their work is also important, and therefore it needs to be backed up regularly, protected with the best anti-virus stuff, whatever. Don't make it sound like a chore, make it sound like you're doing it especially for them. Because they and their work is really that important.
How are they going to reply to that? Say that their work is not important? Not likely.
How unprofessional (Score:3, Insightful)
So you are hired to perform a professional service, and your brilliant sugestion is not to do the work properly but to follow the money?
What kind of "professional" are you? Not one I would want on a sensitive environment, since obviously you would not have the presence of mind to stick to security procedures.
There is certainly a problem if you don't bring on board of your suggestions the owners of your place of employment, but that is a problem of presentation. Part of the skill set of a Systems Administrator is to be able to convince people about why something is necessary and to ensure people will abide by what has been agreed.
Obviously you may have more problems enforcing the rules with people with political power in the firm, but that does not leave you of the hook from a moral, professional and most importantly, legal point of view when legality is relevant.
I have worked for big corps, and I am telling you in no uncertain terms that the CEO or majority shareholders, who earn millions per year, will not access my systems without following the procedures in place. This is actually a very easy case to make, since it would be for their own legal protection.
If you can't make a convincing case for your policies then you have to rethink them and to present them in a way that is attractive to the people that is being disruptive (i.e.: your ass will not go to jail)....
Re:Explain what can happen (Score:3, Insightful)
Also - Since it's a small business, and the people at the top are owners you have to put it in terms that hit home for them.
1) Sir, this is your company. I am trying to ensure this policy is enforced to protect it, and you from data loss and security breaches. It's important to me that this company not only survives, but thrives and that we all do what we can to make sure we do everything right.
2) I'm not trying to do this to be a pain. I want to make sure we properly handle all hardware turnover. This is done to protect your data, your work, and every contribution you make. If something were to go wrong, I'd be responsible for making it right. If you have anything on the laptop that is critical for you or the other owners, I want to make sure it's protected... Not because there's a policy. I want it protected because it's your work, the policy is just the formal way of telling everyone what is best for our company.
I know... It's sappy... But I've had these conversations with business owners who don't want to comply with the rules. They look at many rules as barriers, and in many cases, they have a tendency to want to bring barriers down... it's why they started the company. You have to be clear that the rules aren't there to hold them back. The rules have been carefully thought out, and are really just a way of showing that you really do want to protect what those owners have built.
Re:Explain what can happen (Score:3, Insightful)
Two points:
1) Whether the US cares more about the people depends on whether the people are happy with the ability to walk out easier with much lower job security. Being able to sack at any time without question seems to be a much more business oriented law than a people oriented law.
2) As mentioned in my original post, Europe has much better employee protection in that most of it includes the protections I mentioned, and yet has a much stronger economy than the US.
Or were you being sarcastic?
Re:Pretty much the best way (Score:3, Insightful)
Exactly. Sounds more like you should me sending resumes then trying to convince the bosses of something they do not care about. Typically, something bad has to happen until everyone is on board. And it has to affect the bottom line.
I would approach with a very automated backup system. Something that requires no interaction on their part, that is invisible to them. Like a CrashPlan or Data Deposit Box account. Set it to backup all their main folders and some other places where files might land by accident. It's cheap protection. They even send you e-mail alerts if the backup agent hasn't communicated in a week so you know something is not working, without having to take their laptop from them all the time.
No backup system is perfect, but there are certain tools for certain situations that make it better. And no one will sign anything to release you of liability, you're an employee. Besides, that's hurting the company, not helping it.
-m
Re:Pretty much the best way (Score:4, Insightful)
Meanwhile, back in the real world:
Owner : IT Guy IT Guy, my data is gone! Save me
IT Guy : Well here we have this release I made you sign last month that clearly said that if you lost any data it was your own damn fault.
Owner : He's a post it with the words "you're fired on it". Now take your arrogant self-righteous ass out of my office.
You know what? If it goes down that way, leaving is really your only option. The company is clearly too dysfunctional for you to be happy/successful, so why torture yourself? Move on, and call it a learning experience.
Life is too short to work in a job that sucks. Yes, being unemployed sucks too, so better to go on terms of your own choosing. But if your boss is determined to be an asshat there is very little you can do to change that.
You tell them then let it go (Score:3, Insightful)
Re:Reassess your place in the universe, techmage. (Score:3, Insightful)
Because we already have access to that data. If you don't trust US with that data, then you have bigger issues.
Re:Works both ways (Score:3, Insightful)
It's not so much about being able to fire or quit on the spot, it's about giving both the employer and the employee time to make alternative arrangements.
It means that the company has a month or whatever your leave period is to find a replacement so that they're not inconvenienced and hence don't have their business dealings interrupted and it's about ensuring the employee has time to find another job, so that they're not a drain on the state either because they end up claiming unemployment benefits, or because they have no money and end up resorting to crime, or simply end up losing their house and end up on the street.
I should note that you can still just walk out of your job here tommorrow if you choose, you don't have to work your notice period, however if you do then you just wont get paid any remaining holiday leave you haven't used up and are owed for example that's all. Similarly companies can just sack you tommorrow if they want too, but they have to have justification to do it without giving you a bit of notice and hence time to find another job.
Effectively, we have the same freedoms in terms of firing and quitting, just that we have additional safeguards to ensure it's done in a way that minimises problems for both the employee and the employer and makes the transition between employees and jobs as smooth as possible.
Comment removed (Score:3, Insightful)
Re:Explain what can happen (Score:3, Insightful)
Mod as +1, sad - unable to tell if this is sarcasm or not!
Get creative (Score:2, Insightful)
Truth be told, if you're an American worker, you are expendable. You can be outsourced or replaced faster than you realize. Sure, the company might have some serious issues (of if you're a really bad IT guy, come crashing down because you took all the keys to the fortress that the company didn't even know existed). Generally, life goes on without you in that company.
You're best bet is to understand the reasons why your policies aren't working and rewrite them to work. If you can't get them to give you their machines for backup, write scripts to back them up when connected to the network (there are solutions out there that can do this for you, too).
If they don't want to spend the money or allow you to bog down their machines, negotiate other solutions. Sure, you're not going to get an ideal-for-you resolution. I'm not sure if you realize this, but the world doesn't revolve around IT. If something bad happens, it's never just one persons fault. Everyone is at risk. It's no different with automobiles, homes or the food supply for that matter.
CYA is only one necessary reaction when dealing with these types of situations.
Getting creative and working with the staff ensures you continue to have a job. It will also teach you about what types of questions your should be asking before declaring policies and that policies are really only guidelines when it comes to owners and high level managers.
If all else fails, it's time to move on. Do so before it gets ugly so you can get some good references. Everyone dies on a burning bridge.