In almost all non-Information Technology (IT) organizations, the IT department/functional area, like transpiration or friction, is a necessary evil. The IT Department, in those organizations, is a cost center, which means it doesn’t generate any revenue for the company but costs the company money to run it. Therefore, you would hope that it is imperative on the part of the IT department to listen to the needs of the business, be a partner with the business, provide solutions to pressing business problems and alleviate any technical or technological pain points.
However, that’s not what generally happens in those organizations, based on my experience. The IT department tries to be domineering, is boorish and inflexible, has an authoritarian attitude, and instead of helping business, it actually acts as an impediment and many times hurts the business. IT tries to control the business it is supposed to support. Initially, there is a symbiotic relationship between the IT department and Business. Then, gradually, IT undergoes a metamorphosis, goes rogue, and becomes an entity that tries to control what tools and technology the business is going to use or not use. In many cases, it becomes a parasite that gradually starts consuming the host. Similar to HR, the IT department creates headaches for you that you can live without.
Here are a few reasons why, in my experience, the dysfunctional and the control-freak nature of the IT department in various organizations results in a proverbial case of the tail wagging the dog.
Changing passwords regularly
In many organizations, the password policy specifies that employees should change their network passwords every couple of months, which they do follow religiously, without asking any questions. However, recent studies have shown that changing passwords regularly is more harmful than helpful.
Nevertheless, employees are forced to follow the dictates of the IT department’s password policy. Hence, they change the password every 30, 60 or 90 days and, then, write it down on a piece of paper to not forget it. That piece of paper will most likely be available in the top drawer of their workstation. Moreover, most people will not put much effort into defining their new password. Therefore, you end up with passwords such as—Maggi.123 or asdfqwerty.0 or Password.1 or [email protected]. Is the policy of changing passwords helpful? Based on those articles, no, but IT still follows the password change policy because they, ultimately, want to be in charge of your access to the corporate network.
Automatic daily backups
I do understand the need for daily backups. Backups save your life when a hard disk crash destroys everything. However, you cannot take daily backups if you are away and not connected to the network. In such situations, you should not be dinged by the IT department and compliance for not following company policies. However, the IT overlords will take pleasure in rubbing your nose in the dust, just because they can.
A day before my planned vacation, my laptop started crashing with the blue screen of death error. Therefore, at the end of the day, I dropped the machine off at the helpdesk, described the problem, told them I’ll be back in a couple of weeks and left work with a big smile on my face because it was vacation time starting the next day. I returned to work after a couple of weeks, got my machine back and then all hell broke loose.
During my time away, no daily backups were taken for two weeks, which resulted in a compliance issue. My mailbox was full of warning and “take action now” messages. After I manually took a backup and became compliant, I received a very sweet message from the head of compliance reminding me why it is necessary for all of us to take backups regularly to be compliant with the business continuity program recommendations.
Although I wanted to write a note explaining the matter to the compliance officer, I finally decided against it. Why bother? It’s going to fall on deaf ears. I think it should be possible to somehow connect your out-of-office status with daily backups, but IT will probably have a reason to say “No”, because it will then lose the power of saying—“You are not in compliance!”
I worked in an organization where IT via Operations did not allow any camera phones/smart phones at work. The reason—confidential data; hence, chance of confidential data being leaked via a photograph taken using a camera phone. Well, but… how about taking a printout home or taking a print screen of the entire interface? What if the person who is supposed to guard the data is the one who steals it? Who will guard the guard?
By the way, what about the camera on your laptop? Can you not use your laptop to take pictures or videos of confidential documents and artifacts? How about buying a pen with an embedded camera, such as this one, and taking pictures of all confidential data and walking out without anybody having a clue about the security breach? It seems that in many organizations, nobody in the IT department will consider those questions. It is as if they all wear blinkers and can only see straight ahead.
The big dogs and “dogeses” of IT, and the obsequious non-IT workers
IT’s dominion over us rests on the principle that we should genuflect at the altar of IT, as they are the big dogs and the rest of us are just obsequious workers. We should plead with them and only then will they grace us with their presence, help us with a problem, recommend a solution or even respond to an email or a phone call. When it comes to using a technology or a tool, unless it is their idea, they will brush aside all recommendations and requests from the business by using compliance, security, cost, lack of resources or lack of support as the central thesis of their argument.
I remember asking IT to give us a demonstration of a particular tool they were using, which after innumerable follow-ups they agreed to do, albeit very begrudgingly. Even before the start of the presentation, the big dog of that department felt that the particular tool wasn’t a right fit for the business, although we had done our research to reach the conclusion that it meets most of our needs. We eventually lost our “battle” with IT and had to develop something internally, because IT was unwilling to support us, as they did not have any available resources. Of course, they could help us, if we were willing to fund the entire project. The quote from them was astronomical and the only option left for us was to develop the tool internally by hiring some developers.
IT support helpdesk black hole
IT helpdesk is a place where requests go to die; heck, the requests even commit suicide on arriving there. Level 1 IT support is the worst; they are staffed with morons. Sounds harsh, but that’s the truth. If you are facing a technical problem and need to contact the helpdesk, you cannot do anything but first contact Level 1 support. And Level 1 support needs to wrap up a call within a set duration of time if they do not want a ding in their performance report. Therefore, all they do is log the problem, give you a tracking code and hang up.
Two days later, Level 2 support will call you asking the same questions that were asked by Level 1 support, earlier. They did not bother to even review the case notes logged by Level 1 support. Now, after you again go through the rigmarole of explaining the problem to them, they will respond saying, “we’ll investigate the matter and get back to you at the earliest.” Therefore, the only reason they will call you is to update the log to show that work is in progress, so that they don’t get dinged during evaluation.
By then, through the process of trial and error, you will probably fix the issue or identify the issue at hand and ask IT to take it over from here. At times, I felt that business should charge the IT department for all the requests that IT support helpdesk let fall through the cracks, did not investigate or weren’t able to solve. Some members of my team were technically so savvy that they got calls from the helpdesk to help them with issues that other users had logged with Level 1 support. Go figure!
Additionally, God forbid if your laptop needs any repair or hardware upgrade. The first challenge that you will run into will be disclosing your login password to IT support. The password policy will state that you should not share your password with anyone, even the IT support specialists; however, the helpdesk will ask you to write your password on a piece of paper when you drop off your machine for repairs. Say what? If you gently remind them about the password policy, then, they will smirk at you and say, “you either want us to repair your laptop or you don’t.” Hence, most people write down the password for the IT support dudes and “dudettes”.
Next, if you ask them for a replacement laptop, so that you can continue working while they are repairing the machine, their response will be, “we don’t have any.” Now, what do you do for the two, four, six or eight hours it will take them to repair the laptop? Count chickens? Finally, it seems, most IT support specialists are incapable of troubleshooting a problem. It has been my experience that for even a minor system issue that you may encounter, most IT support specialists will either recommend a system restore or tell you it is best to reformat the drive and reinstall OS and apps. Very few of them will try to troubleshoot the issue, to identify the real problem and implement a fix. Troubleshooting system issues, it seems, is a dying art.
IT’s approach to application development
First, build the application and then force-wrap the process around it, instead of defining the process first and then building an application to support it. A few questions that IT Analysts would pose to the business—“How difficult would it be to modify the process to support what the application can do?”; “Are we sure that this is how the process should work?”; “We have an app that can do what your specification states, the only caveat is that you need to modify your business process.”
Internet usage policy
Most companies have an internet usage policy, which dictates what’s acceptable and not acceptable use of devices, equipment, network and internet access. For example, the policy may state that all employees are required to use all company resources judiciously; it may also say what is permissible and not permissible while accessing the internet from the corporate network and protocols to follow while sending and receiving emails using the company email system.
Furthermore, it may say that using corporate internet for personal work is against company policy and anybody found abusing this privilege will face disciplinary action, even dismissal from the company. Those policy dictates are just words; nobody follows or adheres to them, and IT never ensures compliance with them, until poop hits the fan, that is.
You will notice people browsing the internet for hours, watching movies, watching news programs, buying personal items, including lingerie, visiting matrimonial sites to update their profiles, tweeting and posting status updates on Facebook.
After a while, an employee will do something stupid online, such as click on a malicious/bad link in Facebook or Twitter that downloads a virus/malware to their machine and infects the network. They may even download ransomware, which encrypts everything on their machine and demands a “ransom” for the decryption key to get access back to the machine. Then heads roll, everyone goes into a tizzy, emails are sent reminding everybody about the internet usage policy. After a while, though, everything is back to square one. However, if somebody wants somebody to be fired, then internet usage history of that person can be examined to find a probable cause.
A decade or so ago, I worked for a firm that had very strict internet usage policies. They had software installed on the server to monitor and control web traffic. They also had content-filtering software in place on the server, which would raise an alert if anybody tried to visit a domain that was blacklisted.
One morning, around 7-ish, I see four network administrators rushing to a C-suite executive’s office. They leave the person’s office after a few minutes, laughing their asses off! It was only later that I learned what had happened that morning.
It was winter in the US, and that particular executive had a habit of checking the weather report every morning. On that fateful day, as usual, he logged in to his machine, fired up the browser to visit weather.com. However, in his haste, he missed typing the “w” in weather.com and instead typed eather.com. The latter domain name was blacklisted because of the pornographic nature of the domain name. The executive’s typo raised an alert, which resulted in the administrators rushing to his office to prevent any further fallout. I think this must be one of the few instances where the nature of the domain changes based on a missed keystroke.
Social Media policy
This is another area where the IT department and compliance will be missing in action until the excrement hits the rotating device in the ceiling. The social media policy in many companies will state something along the lines—write responsibly; don’t plagiarise, respect copyrighted content; show good judgement while posting messages, pictures or comments; whatever you do in a social media environment, internet or intranet, ensure that you are adding value to the conversation; don’t violate company policies; don’t harass, abuse or threaten anybody online; don’t post proprietary company data/information, non-public information or confidential information online; be professional, etc.
The policy will also make references to the internet usage policy, which will instruct people not to use the corporate internet for personal work. Good enough! The social media policy lays a broad framework around what is proper and not proper to do while using social media.
Nobody follows the social media policy, until something major happens, such as an employee making a disparaging remark on Facebook, posting copyrighted content or images on Twitter, or threatening somebody online, which is brought to the attention of the IT overlords.
Now, the IT compliance folks will act as if a fire has been lit under their derrière. The offender will be reprimanded, email reminders will be sent to all, the CTO will also get in on the act espousing the merits of the social media and how we should not abuse the privilege provided by the company, etc., etc., etc. The bottom line is this: abuse your privilege as long as your social media radar cross-section is negligible.
However, if you leave a large enough social media radar footprint, then, you will be dinged, even fired. It is my opinion that IT policies are defined to fulfill a legal requirement. Nobody follows them, nobody implements them, nobody cares about them. Sometimes, I wonder if there is even a need for such policies in the first place if nobody adheres to them or ensures compliance.
Network drive usage policy
A few companies will also have a network drive usage policy. A network drive is a shared storage area available on your local network. You can map to a folder on a network drive to store files in it that need to be shared with multiple people in a department. That folder can be open to all or can be restricted to just a few users.
Now, instead of using the drive for work-related purposes, many a time, some employees will use them to share pictures/images/graphics, gif files, mp3, mp4, and other types of audio/video files. Eventually, instead of being used for work-related matters, the folder on the network drive becomes a dumping ground for all the stuff that a few people want to share with each other.
Rip Van Winkle
One day, IT will wake up from its slumber and do an audit of all folders in the network drives, only to discover misuse. Then, and only then, will they jump into action and delete those files and revoke access to the folder. Therefore, to punish a few folks who are misusing a network folder, the IT overlords will revoke access to all.
Next, an all-out war breaks out between business and IT about the use/abuse of network folder. Business will want its access back and IT will stand its ground and say ‘No’ because people are misusing company assets. I often used to wonder: couldn’t IT have a process/tool in place to monitor the network folders in real time so that people who misuse the privilege are identified and disciplined immediately? Instead, the overlords will do an audit every six months or one year and penalize everybody, rather than just those people who are misusing the shared folders, for failing to follow the network drive usage policy.
Shadow IT versus IT department
Shadow IT is a pejorative term used to describe IT projects that are directly run by business and are outside the control, oversight and purview of the organization’s IT department. Unapproved use of IT systems/applications/devices within an organization is also categorized as shadow IT. Shadow IT is a pariah to the IT department. It is a bastard child. A leper. A plague. IT hates, detests, loathes, abhors shadow IT. I was part of shadow IT a few times in my career, and I was hated by the IT overlords. However, the overlords never try to understand why shadow IT starts and proliferates within an organization. If you ask the business, they will say they love shadow IT for the following reasons:
Benefits of shadow IT
—> Aligned with the business function
—> Easy maintenance
—> Quick deployment
—> Quicker response time
—> Aligns with the goals of the department/functional area
—> Total control over the system and the developers
—> Can use the latest and best technology/application available
—> Low visibility and joined at the hips with the business area it is supporting
Why does business not approach the IT department for solutions?
—> People just want to get their job done. For example, you need to build a swim lane diagram for a process, but don’t have MS Visio. The request is urgent; what will you do? I am sure you are going to browse the web and find a standalone app or a Software as a Service (SaaS) application to get your work done.
Could you imagine going to IT and asking for their advice? You will probably get the following standard response, “Visio will need approval; time to get everything done 3 days to a week.” You cannot wait for 3 days because the request from business is urgent.
Additionally, if you want to get another third party application, the standard response would be, “They are not an approved vendor; we only buy from approved vendors.”
Furthermore, for any other application, you may get the response, “Governance, Compliance and Risk (GRC) issue; hence, we cannot buy the application for you (even if the application wouldn’t have any bearing on GRC).”
—> Familiarity with the product from personal experience or a previous job. For example, proofreading software they use for their personal work or had used in their previous job.
—> Too much red tape; hence, business is reluctant to approach IT with its requirements.
—> Evaluation/approval time is too slow
—> Implementation time is too slow
—> Non-approved software better meets the need of my functional area and its clients
—> Free or inexpensive; why spend money to buy one
—> I can pay out-of-pocket to get the application to get the job done
Many people do not know that the IT organization itself is the biggest user of non-approved IT products. They do this because they consider themselves special and above the average business employees. Arrogance personified!
IT Department versus Business turf war
IT and business are perennially embroiled in a turf war. As they say, man proposes, God disposes; here, business proposes and IT disposes. For instance, business would want quick decisions on buying and using an application, to go to market with its product or services as soon as possible; however, IT will drag its feet.
IT wants total and absolute control over what technology, system, hardware or application a business can or cannot use. Request them to change their stance and afford you some flexibility and they will “nuke” your request from outer space. As long as you treat them as your master and bow to them, they are your best friends. However, challenge them in any shape or form and they will instantly turn devil incarnate.
We know what’s best for you…
IT always wants to tell the business what’s right for them and business feels, rightfully so, that they know what’s right for them and don’t need IT to make business recommendations. For example, Business will ask IT to grant them access to use the Project server and IT will respond saying most business projects will not need a Project server; hence, they should use something simpler such as an Excel spreadsheet to manage their projects.
Business will proclaim that IT is not fast enough, flexible enough, creative enough in this constantly changing marketplace, and IT will respond saying, “we can be all that if your requirements were clear in the first place.”
Now, there are many instances where business users are responsible for the rocky relationship between IT and business. For example, requesting to use a new shiny gadget to get their work done when another simpler solution is available in-house, submitting incomplete change requests to IT and asking them to complete the request ASAP, or wanting every application to be like Facebook or Twitter.
Email policy, just like internet usage policy or social media policy, is in name only; oversight is very rare. The email policy will state that email is a valuable business tool and is to be used for company business only; that it is unacceptable to send, receive or store emails containing obscene, indecent or pornographic content; that misuse of email can negatively affect the reputation of the organization, etc.
However, very few people in the organization will follow what the policy outlines; most employees—business and IT—will flout all policy recommendations. Compliance with the policy is optional until somebody clicks on an attachment in an email from a Nigerian princess and introduces a virus or malware into the local network.
Then, IT security experts will jump to action. Emails will be sent out asking users to not click on the attachment, but, of course, someone will. Next, the CTO will get involved in the trench warfare and send a note to all managers and above asking them to personally make sure that none of the team members click on that attachment. Now, all managers will be running around like headless chickens instructing their subordinates to not click on the attachment containing a virus. Finally, when IT has a handle on this matter, everybody will be reminded of the email policy of the organization, which will, as usual, fall on deaf ears. Predictable as always.
A funny story!
A long time ago, I worked in an organization where we used Lotus Notes for email. In Lotus Notes, just like in other email software, you can set a flag to generate a return receipt when the email is read by the intended recipient. Just to mess with our coworkers, a friend of mine wrote a few lines of code to remove that flag so that a return receipt is not generated.
A few days later, I contacted IT for some help. The response from IT had a return receipt, which I removed using the tool, before responding to her. Billions of bilious blue blistering barnacles in a thundering typhoon! Did the high priestess of IT lose her mind when her emails to me weren’t generating return receipts? She kept on asking me if the configuration of my email client is correct. Finally, she told me that she finds it very strange that her emails to me aren’t generating return receipts. I blamed everything on the server.
In one instance, immediately after sending me an email, she rushed to my workstation to check if her email was delivered. In this instance, I did not run the tool to remove the return receipt flag; hence, a return receipt was generated, which made her very happy and “validated” my excuse that the problem was with the server. Here again, as you can see, it is a case of IT controlling their turf and trying to control your turf.
Charge code for doing any work
The IT department will charge you for menial tasks and then management will throw a temper tantrum at you for those charges. Business will retort with the cliché, “we have to do more with less,” which is a euphemism for “work till you die, slave.”
The IT department will even ask you for a charge code to grant you access to a site. A charge code for a two-minute job, which, by the way, they will claim took them an hour. You will then have to justify this charge to your management, because they will ask you how can somebody take an hour to grant you access to a site. Next, you will have to fight with the IT staff involved about this charge code and ask them to charge for time correctly. A simple task will end up being a pain in the rear, because they will mess it up by intentionally charging you incorrectly.
“No, not yet,” would be the standard response. The organization would be quite willing to spend millions of dollars on office software, which can be saved by moving to open source. But, no! The CIO is against open source. They’ll have a support contract with a multibillion-dollar IT company and are quite comfortable paying millions of dollars to it, yearly. In the West, most of these support contracts are agreed upon on a golf course; in India, possibly, over lunch or drinks after work.
Would you believe that, just like Facilities and Operations, the IT department is another area where theft and kickbacks are very prevalent? In my first job, eons ago, one of the IT support staff simply picked up a leased desktop computer from work and took it home. It became his personal computer and was marked as missing in the hardware inventory list. The IT support team is also known to remove RAM, graphics cards, etc., from machines of non-tech-savvy users and sell them online. Do you think a person from Legal who has to be taught how to use MS Office tools will know, or even care, how much RAM his/her machine originally had and whether a few GB of RAM are missing from it?
In one organization, all the senior IT staff members belonged to a single family, and they wreaked havoc in that department. It is easy to hire your family members if you are the big dog of the IT department. It took a while before their nefarious activities were detected by the “bigger dogs” of the IT department and the entire team was fired. They were not caught because somebody found out about their thievery, but because they got greedy and careless. Otherwise, they could have carried on with their thievery until retirement.