New IT Director
-
So we hired a new IT Director in the last month or so.
He's didn't come from a large enterprise before, and is now having us give out local admin rights to many people. We've never given it to anyone outside of IT before. We've brought it up to him as a security concern, and not even sure how this will go with our auditing stuff. He says that's the way he's done it where he comes from, and it works much better. How should you address this?
-
@Jason said:
So we hired a new IT Director in the last month or so.
He's didn't come from a large enterprise before, and is now having us give out local admin rights to many people. We've never given it to anyone outside of IT before. We've brought it up to him as a security concern, and not even sure how this will go with our auditing stuff. He says that's the way he's done it where he comes from, and it works much better. How should you address this?
Fire him?
-
Don't handle it. Document your concerns in an email and keep both a digital and physical copy. If he continues to go down this path then you've done what you can and have to follow management's lead. If management doesn't care about security then obviously you shouldn't either.
-
-
@scottalanmiller said:
@Jason said:
How should you address this?
Take it to the CIO's office.
That's what I was wondering, is this a case when it's okay to go out of chain of command?
-
@Jason said:
@scottalanmiller said:
@Jason said:
How should you address this?
Take it to the CIO's office.
That's what I was wondering, is this a case when it's okay to go out of chain of command?
I certainly would. He is obviously not familiar with controls and audit reporting needs in an enterprise.
-
Do you have departmental meetings? This might be the place to talk about it.
-
@JaredBusch said:
@Jason said:
So we hired a new IT Director in the last month or so.
He's didn't come from a large enterprise before, and is now having us give out local admin rights to many people. We've never given it to anyone outside of IT before. We've brought it up to him as a security concern, and not even sure how this will go with our auditing stuff. He says that's the way he's done it where he comes from, and it works much better. How should you address this?
Fire him?
This is the only reasonable option, most likely. He...
- Isn't aware of even the most basic helpdesk level IT security needs.
- Isn't aware of possibly the most basic industry best practice.
- Isn't experienced or prepared to be in the position he applied for.
- Isn't doing basic research before making uninformed decisions.
- Isn't listening to the IT people when they try to advise him.
-
@Jason said:
@scottalanmiller said:
@Jason said:
How should you address this?
Take it to the CIO's office.
That's what I was wondering, is this a case when it's okay to go out of chain of command?
Is the CIO his boss? That doesn't sound like outside the chain of command if his title is Director. It sounds like the correct chain of command.
I don't know your chain, just guessing based on titles.
-
@JaredBusch said:
I certainly would. He is obviously not familiar with controls and audit reporting needs in an enterprise.
Or even a well tended home environment.
-
It all depends on your environment, of course. When I worked in the enterprise space, this would be a "call someone and shut it down now" situation, not a "let's talk it through." This would literally have meant calling his supervisor, making him walk down there and having a heart to heart right now, live. But I come from banking where security doesn't get you fired, it gets you arrested.
But I've never worked in any serious environment where going to the CIO would even be a question, it would be the only allowed path given that you are holding a critical opinion of a security concern.
-
-
@scottalanmiller said:
@Jason said:
@scottalanmiller said:
@Jason said:
How should you address this?
Take it to the CIO's office.
That's what I was wondering, is this a case when it's okay to go out of chain of command?
Is the CIO his boss? That doesn't sound like outside the chain of command if his title is Director. It sounds like the correct chain of command.
I don't know your chain, just guessing based on titles.
I mean My boss is the Director of IT, the CIO is his boss. and I'm the boss for Jr System Admins.
-
Just make them domain admins......
-
@Jason said:
@scottalanmiller said:
@Jason said:
@scottalanmiller said:
@Jason said:
How should you address this?
Take it to the CIO's office.
That's what I was wondering, is this a case when it's okay to go out of chain of command?
Is the CIO his boss? That doesn't sound like outside the chain of command if his title is Director. It sounds like the correct chain of command.
I don't know your chain, just guessing based on titles.
I mean My boss is the Director of IT, the CIO is his boss. and I'm the boss for Jr System Admins.
Then you are only skipping the one level that is the problem point. I see no issues with that. Of course ocmpany culture and poilitics plays into that too.
-
Get a new job or wait it out in the hope that he'll get fired soon. No good can ever come from having a boss like this.
He may not need to be aware of best practice if it's your job to advise him. But if he isn't listening to your advice then you're screwed.
-
@Jason said:
@scottalanmiller said:
@Jason said:
@scottalanmiller said:
@Jason said:
How should you address this?
Take it to the CIO's office.
That's what I was wondering, is this a case when it's okay to go out of chain of command?
Is the CIO his boss? That doesn't sound like outside the chain of command if his title is Director. It sounds like the correct chain of command.
I don't know your chain, just guessing based on titles.
I mean My boss is the Director of IT, the CIO is his boss. and I'm the boss for Jr System Admins.
Right, so it sounds like the right chain to me to go to anyone's immediate boss if they are:
- Blatantly unqualified for the position.
- Creating a viable security concern.
It honestly feels really weird that going to the CIO would even be in question at that point. Would the CIO really want shielding like that in the organization? Hopefully not, hopefully he trusting everyone to report up when they see something.
-
@JaredBusch said:
Then you are only skipping the one level that is the problem point. I see no issues with that. Of course ocmpany culture and poilitics plays into that too.
I would call this "standard escalation." If your boss isn't giving you a satisfactory response, you escalate to his boss. Doesn't sound even remotely questionable to me as a practice.
I totally understand that some companies have horrible cultures and do weird things like allowing anyone to arbitrarily block anything, but in a healthy company the boss' boss is there for a reason.
-
@scottalanmiller said:
It honestly feels really weird that going to the CIO would even be in question at that point. Would the CIO really want shielding like that in the organization? Hopefully not, hopefully he trusting everyone to report up when they see something.
I assume the CIO employed the IT Director? That can make it tricky, because it can sound like you're implying that he was an idiot for recruiting an idiot. You need to tread carefully here.
-
@Carnival-Boy said:
@scottalanmiller said:
It honestly feels really weird that going to the CIO would even be in question at that point. Would the CIO really want shielding like that in the organization? Hopefully not, hopefully he trusting everyone to report up when they see something.
I assume the CIO employed the IT Director? That can make it tricky, because it can sound like you're implying that he was an idiot for recruiting an idiot. You need to tread carefully here.
Not really? You employ someone based on what their credentials etc are...the whole point of a probation period is to check if they are actually fit for the job? And in this case it sounds like this guy really isn't fit for the job...
