I read a blog post recently advocating that end-users have full admin rights to their work computers and the ability to install software for efficiency and productivity. I agree that end-users (of which I am also one) need to be provided the tools required to do our jobs, which include researching new technologies. These tools include the software we need installed on our desktops that may not be provided by IT. I hear and read frustrations from end-users who seem to constantly hear “no” from IT when a piece of software or a service is requested. I feel the same way sometimes. However, the software on the desktop is useless when the network or some other critical services used by the entire organization (e.g. email, student information systems) are not available as a result of disruptions caused by malicious software. I will admit that there have been a couple of times when I have had to re-image my personal machine because of a virus that I had unknowingly downloaded from an infected site. My point in sharing my experience is that even the most careful end-user with the best intentions can still introduce malicious code to the network.
In my role as a liaison between business units and IT, I have to find the balance between the need to provide flexibility to end-users (including the ability to install any software), protecting the network, the possibility of confidential student, financial and medical data being compromised, as well as conforming to federal (FERPA, HIPAA), state (IS-1386) and campus electronic policies. In addition to the responsibilities mentioned above, there is also an issue of capacity, specifically with regard to where IT should be spending its time and resources. I don’t think IT (of which I’m a part) says no just for the sake of saying no (I hope your IT folks don’t). I work with helpdesk, network, and server staff and I know that sometimes it requires an entire team to fix an infected machine. It takes time to troubleshoot and repair desktops and there’s an opportunity cost to this time and effort. Every minute spent on troubleshooting a machine is a lost minute towards working on projects that are already under-staffed. While standardization of tools has its disadvantages, there are also advantages. Imagine having to support 1000 computers that have different configurations, so that when something goes wrong, IT doesn’t know when and where to begin to troubleshoot it.
A few years ago, a worm hit our network from software downloaded by a staff member and it took down our network, causing an outage for a few days. Our IT staff had to work through Thanksgiving break to troubleshoot and fix the problem. The effect of that outage included delays to critical projects for a couple of months. The point is that a user’s desktop is connected to all other computers on the network and it just takes one entry point to introduce a virus to affect all the other computers as well as the servers where FERPA, HIPAA, and financial data reside.
I’m very active in social media and I have my differences with our network/security admins over the extent to which social media is used in our organization. I can tell you that they’re probably not happy with my efforts in promoting social media as a business tool given the security risks associated with the use of social media. However, I do understand their concerns and it’s my concern as well, given the responsibility to safeguard our sensitive data. The repercussions to the institution when a data breach happens and/or the network goes down are very expensive.
Accommodating the specific needs of an individual user vs. the entire organization (enterprise) is a constant battle, in part because of support issues as well as cost, not just financial, but time and effort. There are always more tech demands than IT can provide for. How to address this issue is a topic that requires another discussion in itself.
Any thoughts on how IT can better provide service to end-users? I’d love to hear your thoughts on this.
June 17th, 2011 on 11:38 am
As the writer of the aforementioned post, I wonder if the solution to this issue could be connected to the hiring and performance of employees. If folks knew that technology competency was part of their job and not just a random entry on a skills list, then perhaps folks would actually come on board with more than just a basic understanding of how computers work. Plus, what if someone’s performance review included whether or not they had contributed to a larger-based attack on the network? I think that would get people’s attention and create space for more education and learning about prevention. Just a thought…
June 17th, 2011 on 10:19 pm
It’s interesting for me to revisit this balancing act after being out of IT for a few years. I’m now on the research side of the house in an academic auxiliary so we’re not nearly as locked down as the administrators (and I have even more freedom given how much my administrative staff likes and trusts me and my IT background; I even have local admin rights on my machine!). I’m in a good position right now because my coworkers are very reasonable and know that in my case it’s a good tradeoff between practicality and efficiency to let me have a more expansive sandbox that allows me to get my job done with less hassle without posing a significant risk. But I know this is not a scalable solution; it’s unreasonable to expect researchers, faculty, or admin staff to have multiple IT certifications and several years of IT experience.
Quite honestly, these kinds of decisions were some of my favorite ones to make when I was in a position similar to yours, Joe. To do it well requires not only solid technical knowledge but also extensive knowledge of the particular context, including the needs and practices of both the “customer” and the institution’s IT staff. It’s very, very satisfying when you can thread that needle, especially when you can do so creatively.
Quite honestly, I haven’t met very many people at all who have solid IT skills and extensive knowledge of higher ed, especially formal experience and knowledge respected by both sets of professionals. It’s a reflection of my own impatience and distrust of others but I get frustrated with those who have poor knowledge of one or both domains but pretend otherwise (or simply are so ignorant that they don’t even know that they’re ignorant). It might be interesting to think about how to effectively train, mentor, and hire people with these skills (I’ll be on the job market in a few months! 🙂 ).
There was also an entry in Slashdot a day or two ago discussing a very closely related topic if you haven’t gotten enough of this yet: http://it.slashdot.org/story/11/06/17/1312206/Why-Businesses-Move-To-the-Cloud-They-Hate-IT