Attitude Adjustment: How to Keep Your Job

by The Piano Guy

Having written for this fine publication many times over many years, I've made the point in previous articles that no matter how good we are technically, just because we can do something doesn't mean we should.

Now that I'm a CISSP and can make the point better, I think it is time to do so again.  After all, half a generation has gone by since I last made that point in these pages.  If you don't believe me that it's time, check out the 2600 Facebook group.

I see way too many comments about the "dumb IT guy," suggestions to tell the IT guy to screw himself (not the exact word choice, but you get the idea), and all kinds of rants and raves that indicate an attitude of "they're dumb, we're smart, what a-holes, we could do their jobs better than they do."  Maybe you can, but just because you can doesn't mean you should.  Unless you're tasked in that role and/or have explicit permission.

While there are certainly IT staff who deserve our ire, for the most part they are good people who also have bosses that they answer to.  IT, if done right, is a helping profession.  Respect your IT staff, and they will usually respect you.

Time for a sanity check here.  Reading this, are you angry?  Do you think I'm a clueless idiot?  If so, then the shoe probably fits and you should wear it.

Of the people who had a bad reaction to this article so far, I would divide you into two rough groups.  If you're a lawbreaker who doesn't respect appropriate boundaries of others unless they earn your personal respect, then you probably won't listen to me anyway (as much as I'd like you to).  As a lawbreaker, you're part of the bigger problem of why the word hacker has such a bad and undeserved reputation.  You make it bad for everyone.

If you're a more reasonable person who figures "Hey, it's against the rules, but I'd never do anything to hurt anyone, I know what I'm doing, and I'm doing it for the good of the company," you are the target of this article.  I hope you take it to heart.

And if you're the guy or gal with your IT job on the line who has to deal with the folks described in the previous two paragraphs, share this article with them.

If you have a network at home, you can do whatever you want to it.  You can check out all the cool tools, hack it to your heart's content, test out theories, and have a blast.  You can purposely try to infect your network with malware and see how your defenses hold up.  Go for it.  Once you hit your employer's network, however, you are bound by their rules.  Or, you're unemployed.

Doing IT stuff is like sex - if you have to keep it secret, you probably shouldn't do it.  And, what you do in the privacy of your own home (network) isn't necessarily the kind of stuff you should do in public (at work).  Even a race car driver going 25 over on the freeway is going to lose in traffic court, even though they can absolutely control their car.

I've been working in computers since Windows was at Version One and MS-DOS was at Version Two.  This means two things.  First, it means I'm old.  Second, at least in this case, it means I know my stuff.  My current role as a CISSP has me supervising people, designing action plans, and implementing them.  When a computer breaks that is not my responsibility to fix, I usually don't have admin credentials.  I call the IT department.  I let them fix it.  I treat them with respect, having once been in their shoes.

If you want to work on your system at work at an admin level to get something fixed, get written permission first.  If you can't get your work done because of an IT problem you're not allowed to fix, blame IT.  If you think that you joining the IT department would make your life and their lives better, apply.  And, if after trying all that you get nowhere, get another job, maybe doing IT.

The more you dink around on the system, even if things don't go wrong, the more that security will be tightened.  IT security relies on humans following the rules, or systems being locked down so tight that the humans have no choice but to follow the rules.

If you think about it, you can draw a triangle like this:

As an aside, if you've studied for your Certified Ethical Hacker, this graphic should look very familiar.

You can rate any IT system by putting a spot on the triangle.  Want more usability and function?  You've sacrificed some security.  Want more security and function?  You've just sacrificed some usability.  Your escapades will get security tightened and ultimately make life harder for everyone.  Having the IT department scared of what you do will just make your life harder - it is hard to look for work.

When anyone engages in extracurricular activities, there is no 100 percent guarantee that something won't break or get infected or damaged.  Even by accident, you can introduce a vulnerability which allows malware to enter the system, potentially causing or allowing substantial damage.  Even if you didn't break anything, if something else goes wrong, you'll be blamed.

To sum up, follow your IT department's rules even if you don't respect them, treat your IT people like you'd want to be treated if you had their job, realize they have bosses to answer to as well, and if you want to do something out of your swim lane, get permission in writing prior to doing so.  If you don't follow these simple guidelines, the personal cost, and potentially the corporate cost, is just too high.
