Comments on: The SysAdmin Trap

By: Judith Sol-Dyess

Judith Sol-Dyess — Fri, 21 May 2010 00:12:03 +0000

Besides the arguments which can be made about security rights, access to passwords, etc., I think an important point Peter makes is really about that gap between the “super geek” and the “higher ups” that are so often clueless on the tech side (and I honestly don’t mean that disparagingly). That mission-to-tech misalignment, as some might call it. This is a very high profile case, but think about all the resources, of both time and money, that orgs like this are wasting, on very subtle, non intrusive day to day manners! When there is such a disconnect between the super geeks and management, I think it’s a pretty safe bet there will also be communication gaps leading to mismanaged projects and scope creep all over the board! That may not lead to an arrest, but certainly poses a threat to an org’s mission. Nice post, as always!

By: michael stein

michael stein — Wed, 05 May 2010 13:53:18 +0000

Well, debating the “guilt” of the various parties is interesting – but more to the point is the turmoil the City was thrown into through its errors. I’ve been trying to explain to orgs lately why a formal Information Security Policy is vital—and as you point out this story makes the business case for developing one loud and clear.

By: Peter Campbell

Peter Campbell — Thu, 29 Apr 2010 05:46:58 +0000

Tony—I’ll admit to a bit of hyperbole on the “tenfold” line. I certainly do think that Childs was in the wrong with his attitude and behavior. I’ve blogged here about the problems I see with techs being far too controlling (The ROI on Flexibility) and Childs was a poster, um, child for that self-defeating behavior. But I really lost it when I saw that the chain of command dropped from COO to Sysadmin. If there had been executive level IT, or, at least, an IT Director to look after the organizational needs, Childs would likely have never made it to the position of authority he found himself in. The press I’m seeing on this is acknowledging that the problems were with management as well as Childs. But they’re stopping short of saying what those management problems were, so I wanted to throw in some educated guesses.

Marlina—I actually had a piece published on the best way to manage passwords as well today, on the NTEN blog, and I’m with you 100%. What i do is leave a sealed envelope with the latest admin passwords with HR or the CEO, so that they have the information should they need it. My article is at The Softer Side Of Security.

By: Marlina

Marlina — Thu, 29 Apr 2010 04:44:43 +0000

I’m an accidental techie for a small nonprofit and even I know that one person cannot possess all the passwords. Whether they are physical assets like keys or intellectual assets like software license keys or passwords. Somebody else has to know. What happens to an org if the person with the passwords disappears or dies? You have to have a contingency/disaster plan.

By: Tony Hale

Tony Hale — Thu, 29 Apr 2010 04:22:54 +0000

Peter,

This is a thoughtful and provocative post. I appreciate it and share many of your views here. When IT diverges too far from the business process it serves, everyone loses—including IT itself.

But I think that it is hyperbolic to assert that Terry Childs is “tenfold a victim.” He was mismanaged in a dysfunctional organization, with critical missing links in IT leadership, but I wouldn’t call him a victim of a crime.

If anything, the city’s citizens were the victims of both Childs and a government that saw no problem with the IT departmental structure.

It is important, I think, to identify the patrons/clients/customers as those who are ultimately underserved when an organization fails to reconcile itself to its technology. The network admin might be caught in the middle, but he is not the chief “victim.”