Ask Slashdot: IT Personnel As Ostriches? 246
MonOptIt writes: I'm a new IT professional, having recently switched from a different sci/tech field. My first gig is with a mid-size (50ish) nonprofit which includes a wide variety of departments and functions. I'm the sole on-site IT support, which means that I'm working with every employee/department regularly both at HQ and off-site locations. My questions for the seasoned pros are: Do you find yourself deliberately ignoring office politics, overheard conversations, open documents or emails, etc as you go about your work? If not, how do you preserve the impartiality/neutrality which seems (to my novice mind) necessary to be effective in this position? In either case: how do you deal with the possibility of accidentally learning something you're not supposed to know? E.g. troubleshooting a user's email program when they've left sensitive/eyes-only emails open on their workstation. Are there protections or policies that are standard, or is this a legal and professional gray-area?
Re:Simple Answers to Simple Questions (Score:3, Interesting)
That wasn't the question. What do you do when you did read something inadvertently? You can't unread "Irregularities in the pension fund". Do you pretend that you don't know? What if it's something illegal / against company policy / unethical?
Re:Simple Answers to Simple Questions (Score:4, Interesting)
Does your country have laws protecting corporate whistle-blowers?
It's a lot easier to defend your position if it's the FBI asking you to make surreptitious copies of documents, after they called you following an "anonymous" tip-off...
Re:Don't look for logic (Score:2, Interesting)
No, they don't need a master's, just a bachelor's degree and continuing education and training that will exceed the time invested in a master's and NEVER. STOPS.
If you're considering IT to be equal to janitors, you are not the person who should be doing the job you are doing.
Re:yes, ignore office politics (Score:5, Interesting)
Ideally, but office politics is complicated. Sometimes making one person's life easier makes another's harder - teach the micromanager that he has the ability to add items to his underlings' outlook calanders, and said underlings are going to be annoyed. Sometimes people actually like their lives to be harder, for not-apparent reasons.
For example, having worked at a school in IT support, part of my job was to maintain the various measures used to keep the students away from games in lessons. Due to some sadistic tendencies, I have become quite skilled at this. New games sites appeared all the time, and were quickly blocked - often while a student was trying to use them. We watched their screens.
Until some of the teachers started acting very annoyed, and complaining about us interfering in lessons. Why would they do this? We were trying to make their lives easier, keeping the students from entertaining distractions so they would focus on their work. We were enforcing the usage policy, everything by the book. What we hadn't realised is that many of the teachers were well aware of the gaming going on in lessons, and turning a blind eye to the class clown. Games keep the disruptive student busy, and if he weren't playing the latest flappy bird clone he would just be jumping around the room, distracting his friends or demanding most of the teacher's attention. So when we stepped in to 'help' the teachers, we actually got in the way of a little trick of theirs by turning the silent non-working student into a class-ruining joker that kept everyone else from working too. All they needed was an excuse to stop us, and it wasn't hard to find one - they just argued to the boss's boss that we were performing 'classroom management,' a function that the union said must be the exclusive domain of teachers.
The way the workplace actually functioned differed from the way it actually functioned. By not noticing the unwritten procedure in use, we disrupted it and caused friction with another department.
We still block the games, of course. Teachers should learn to manage their students, not just give them an electronic pacifier. We're just a bit more subtle about it.
Professionalism. (Score:5, Interesting)
In my field, education, it's quite common for the IT guy to be the one with absolute access to more things than anyone else. Nobody else, not even the data-protection officer, or the people on the senior management team, or the people ultimately in charge of the school (the heads and governors) has as much access to information as the IT guy.
Senior-management team files, HR databases, etc. are part and parcel of the job. The web filter logs are generally very revealing and, hence, why I anonymise them by default (Usually squid logs - which only contain source IP addresses, which can only be correlated to a machine using the DHCP logs, which can only be correlated to a user using the Windows event logs on the AD servers - NOT something you can do accidentally, but also allows you to analyse, spot trends and find dodgy things without immediately revealing the source. When I come upon something that worries me, I go to my boss, ask permission to de-anonymise those records, provide them with my results. I've had to do it a couple of times and it turned out to be nothing, but I've also worked with colleagues who've spotted a paedophile on the staff that way and got them prosecuted).
Despite all that data access, tou don't look. It's that simple. If I'm asked to work on a confidential file or database, that's what you do. It's just data. What you see is just numbers and letters and then forgotten. You do not dig. Not only are there alerts and warnings for digging into certain things (and I don't want to KNOW what triggers those alerts or warnings necessarily, but I know that they are in place on the MIS databases, for example - I only trigger them when it's been part of my job to go into that part of the databases), but it's a matter of professionalism.
If I become "exposed" to salary details, or witness protection details (children in schools rarely have as simple a home life as they might at first appear to have), or that some child's father is a Colonel in the Army who's asked for his address details to be maintained private, or whatever... that's what you do. You're not there to suck up data, you just treat it like anything else and move on.
If I suspect illegal activity - there's a lot of activity you CANNOT ignore in a school - I'd go through the proper channels and report it however I'm supposed to. It came up as part of my job, it's not like I was snooping for it.
I *STILL*, fifteen years into my career, look away when I ask people to set their passwords. I don't WANT to know. I want the deniability if someone gets into their account to say "There is no way I could know their password, without triggering a reset of their account, which would lock them out and inform them immediately anyway". My boss keeps trying to tell me his password "to save time". I don't want it. With it, I could - in theory - change my own salary, or modify any amount of details. Chances are it would get picked up eventually but if you were clever enough, you could get away with an awful lot very quickly, or very discretely.
Hence, I don't WANT to know those things. I choose to forget them, unless there is a reason to immediately report them. I suggest you get into the habit of doing the same.
I've been in exactly your position. (Score:5, Interesting)
Long, long ago, early in my career, I spent about fifteen years in the non-profit sector.
You don't ignore office politics, but you don't take sides either unless there is a crisis brewing -- something illegal, highly unethical, or financially dangerous. When you work in IT, you're in a "support" position, rather than a "line" position. Your job is to support. So when there's a big pissing match between two line functions, your job is to support *both* sides.
Often this means documenting business processes that sort of evolved via the lava flow antipattern; 50ish is the size where things start to get out of hand, because it's the size where the amateurishly hacked-together processes that keep the organization running start to break down because everyone can't be aware of everything that's going on in detail, in real-time. Make it your business to understand what business systems (not necessarily computer systems) *accomplish*. That puts you in a position to offer a third way, the one that emerges as obvious to everyone once somebody has figured out what's actually going on.
It's supposedly hard to implement changes in non-profits because of the consensus-driven decision making processes, but I found that I could make that process work for me. Lack of understanding is a vacuum; presented with a clear picture people usually line up behind the obvious solution quickly. But you do have to do your homework. Never surprise anyone with anything in a meeting. Bring people up to speed with things you're going to say about their work *before* the meeting so they don't feel blind-sided.
In a crisis be prepared to do the right thing. If you're in a non-profit they're paying you below market rates, so you can do better elsewhere. There is no call for getting yourself sucked into something that offends your self-respect. I resigned one job because my superior (the COO) was doing things that were financially reckless and improper (spending without proper authorization). I informed the CEO in my exit interview. That was my solution to the problem of not getting drawn into a persistent pattern of dysfunction.
When you handle sensitive information, just ask yourself what is the professional thing to do? Be discreet. Resist the temptation to peek at data, and when you *do* accidentally learn something you're not supposed to know, disclose that to the responsible parties. Be trustworthy, and present a trustworthy face.
Finally, don't let them pay you far below the market rate for your services, and expect a really good benefits package, including 1.5x to 2x the vacation you'd get in a for-profit. Insist on the respect due a professional. Non-profits are full of young people who haven't learned that the IT guy isn't there to be kicked around when they're frustrated, and the fact that you're in a support position rather than a more glamorous line position doesn't make your work any less important.
Re:Simple Answers to Simple Questions (Score:2, Interesting)
As a sysadmin, there isn't the option of doing things the wrong way. Your job security and salary actually depend on you knowing "the right way", especially when everybody want to cut corners. This is why you always make sure you speak your mind, and if still the managers and leadership wants to do it their ass-backwards way, you get to say "I told you so".
After a few years, most of the good ones will start listening to you, even if you're totally fresh in the role. THIS is why you never just bow your head and remain silent. Consider it an investment, not necessarily in salary, but getting a say in how things should be done. Otherwise, leadership and managers will think it's someone else's fault when they screw up, so there's really no other option to it.
Re:Simple Answers to Simple Questions (Score:4, Interesting)
Your best bet is to "forget" you read it; never acknowledge that you saw it, and assume the best.
For example, just because someone wrote about supposed "irregularities in the pension fund"; doesn't mean there are irregularities in the pension fund, it may just be some ignorant person spouting out / jumping to wrong conclusions.
Case to case basis. "irregularities in the pension fund" is something that could be ignored, "couldn't dispose of the corpse last night" puts you in a spot where you might be committing a crime by not reporting.
Actually, you'd probably be committing a crime by not reporting there too... In both cases, if it could be proven you were aware of it. What you're talking about is the different levels of moral responsibility between the two cases.
To answer the OP, as someone who's had root at large positions... Assuming you are not intentionally spying on something or doing something at the behest of a security directory, legal, or other internal affairs-ish agency (which probably doesn't exist at your smaller company), you should treat everything as if you were a cop and you didn't have a warrant. You're not going on a fishing expedition, but if something is "in plain view", it is not inappropriate to use common sense and reason to consider that information now available to you and make choices accordingly. If that means calling your CFO/Legal that's one thing, if it's police that's something else.
Overall, it's hard to go wrong with the time-tested advice sudo lectures you with, specifically #1/#3:
We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.