It isn’t easy being IT. There’s no shortage of urgent work for them to do, yet people always think they should be doing other things. Sometimes they’re tasks which less technical people can handle. Sometimes they’re things they really aren’t qualified for. Sometimes they’re things which nobody should be doing at all! Let’s look at a few of them.
Making security and IT policies
IT people can make useful suggestions about policy. They might point out that a requirement would really help or that a proposal is a bad idea. But the actual policies need to come from management. Employees answer to their bosses, not to the people who make their computers work.
Everyone, including the CEO, has to respect policies if they’re going to work. The IT manager can ask the CEO to do things but can’t make it stick. Only policies that come from the top are going to be enforceable.
Restrictions and requirements for applications and services
A policy can say, “IT can specify what applications to use and which are prohibited,” which would technically comply with the first point, but it’s not a good idea. The choices don’t depend on technical issues alone. Management has to decide what software to use, based on technical quality, price, suitability for the business purpose, and many other considerations. If the technical people say a piece of software is horrible, management needs to listen to them, but other factors come into play as well.
It’s legitimate to say that IT can block or de-authorize an application or website on its own authority when it discovers a security emergency, but that’s a different matter. The policy should say in advance what counts as an emergency and require IT to notify management promptly, so that an emergency block stays a temporary response and doesn’t quietly become a standing decision about which software the business uses.
Training users
Good trainers are people with good teaching skills. IT people are hired for their computer skills, and they aren’t always good at communicating them to people who aren’t at their level. They’re apt to go off into details that will leave the typical user bewildered.
Successful training engages and motivates the users. That’s a different kind of skill from optimizing a database. Some companies have their own training departments. Others have qualified trainers in the HR department. Sometimes the right approach is to hire them from outside.
Keeping a list of everyone’s passwords
It’s not the job of IT to keep a list of every employee’s passwords. In fact, it isn’t anyone’s job. There shouldn’t be any such list. It’s one-stop shopping for data thieves if they find it, and an administrator who can reset a user’s password when necessary has no need to know the current one.
What IT can do is provide users with a password manager so that they can store their own passwords securely. The vault is encrypted with a key derived from the user’s master password, so neither IT nor an attacker who copies the vault file can read the entries without that master password.
IT does need to keep credentials for services that don’t belong to individuals, such as database accounts, service accounts, and administrative accounts. Storing them requires extreme care: they belong in a dedicated secrets vault with access restricted to the people who actually need each one, with access logged and the credentials rotated when someone with access leaves. The fewer such passwords there are, the less risk there is.
Auditing and penetration testing itself
Who watches the watchers? IT can’t do security audits on itself. It’s not just a matter of whether they’re honest. People just aren’t good at catching their own habitual mistakes. The only way to be confident that they’re doing as good a job as they think is to bring in independent experts. Qualified auditors are detached enough to ask the questions which people don’t think to ask themselves. They’ll provide a detailed report with findings and recommendations for running the network more safely.
For much the same reasons, IT shouldn’t run its own penetration testing. The goal of testing is to find security holes which the developers and administrators haven’t thought of. If they haven’t thought of the holes, they won’t think of the right tests. Routine vulnerability scanning and patching remain IT’s job, but a penetration test is a different exercise: someone with an attacker’s mindset and no stake in the design trying to get in.
Some businesses would rather leave pen testing to IT because they don’t like the idea of outsiders probing for weaknesses in their systems. But outsiders are probing all the time, and not with the intent of providing helpful advice. Testers work under a written scope and rules of engagement agreed with management, and it’s far better to find out about problems from them than from a data breach.
IT departments are best at the things which IT people know how to do. Sticking them with tasks that are more appropriate to management or to outside consultants wastes a valuable resource.