What level of trust do you afford users by default? What level of support do you offer users who have low technical skills? Are you creating a system which is more difficult to use with little or no payback? Are you adopting administrative policies as a punitive measure? do users believe that you are deriding them for their ignorance? Matt provides some timely advice.
If management is the art of utilizing resources to accomplish goals, then administration might be thought of as the maintenance of those resources to ensure that they can be properly utilized. Administration of users is, for many, the most challenging aspect of their positions. In addition to the technical and logistical challenges provided by all resources, interpersonal relationships add a complexity that cannot be abstracted away in a script.
To help administrators cope with these issues, this column will explore various administrative tactics, how their effectiveness varies according to the traits displayed by their co-workers and we’ll learn from examples of positive and negative administrative decisions.
There are many pressures placed on the IT administrators of the world. Corporate regulations, compliance requirements, and security best-practices compete for our time and resources. After meeting legal demands, there are sometimes few tactics available with which to approach administration. Many times, the tone and phrases used make greater differences in the perceived attitude than actual policies.
For our purposes, we can consider the laws and business requirements immutable. What we have left is really the core of administrative policies. What level of trust do you afford users by default? What level of support do you offer users who have low technical skills? Are the decisions you are making creating a system which is more difficult to use with little or no payback? These questions should be in your mind as you design system policies.
User Trust
In IT security, it is widely deemed to be the best practice to deny access by default. It has also become apparent that the most potent threat to an IT infrastructure comes in the form of insider access. This leads to the solution that users should have no unnecessary trust, be universally logged, and treated with general suspicion.
From the strictest security perspective, this makes sense. In practice, however, mistrust breeds mistrust, and you may soon find that the users who’s lives are made difficult may find ways to return the favor to the administrators.
I propose that there may be a happy center ground. There are various occupations with extremely high turnover where extreme caution is called for. The same goes for certain financial, medical, and governmental institutions, but the majority of users and administrators find themselves under somewhat less pressure. In these cases, I believe that it is in the best interest of administrators to give the users leeway.
Many long-term technically oriented users have displayed responsibility in their decision making. Affording them administrative access to the machine that they use day in and day out shows an amount of reciprocity in appreciation. There is the chance that the user could install non-approved software, or through inattention allow a virus onto the machine. Proper end point protection software can all but alleviate the latter, and to be honest, the former probably isn’t the end of the world. Obviously the situation is different if the software in question is illegal or opens an attack vector, but barring these complications, perhaps you should think twice before punishing the user for attempting to improve their environment.
If you find that several users have all installed the same (or similar) unsupported programs, you should examine why it is unapproved. If so many people find it important enough to install, it may fill a niche and should be added to the support list. If not that particular program, then at least one which accomplishes the same task. Conduct non-confrontational interviews with users who installed the software to find out what it gave them. You may be surprised in the ways that your users are accomplishing their tasks.
I know that I have some problems sometimes when designing security policies. I tend to get carried away, and I start to resemble Mordak the IT preventor from Dilbert. Whenever I find this happening, I close my eyes, count to ten, and try to re-evaluate the situation from a new perspective. Sometimes, I have to stop working on the policy and sleep on it. This fresh view is enough to tell me that I’m being particularly retentive, or that the threat is warranted. I’ll also ask advice from another admin. Getting the additional input helps a great deal.
User Support
It may help to examine how the typical administrator is viewed by the typical user. Obviously, all users are different, as are all administrators, but as a generalization, the relationship might be thought of as similar to that of a car owner and an automobile mechanic. The owner shows faith that the mechanic will properly maintain or repair the vehicle, and the mechanic makes their best effort to do so. Of course, there are mechanics who will abuse this relationship, as are there IT administrators.
No one wants to work with someone who will deride them for ignorance, and belittling someone is not an administrative tactic, despite how boneheaded some peoples’ action might seem. On the other hand, coddling users and excessive handholding will ensure that a user who doesn’t know how to do something will never have to learn. Where is the line drawn?
As each user is different, the approach taken must vary as well. Some users show eagerness to acquire new skills. Repeatedly performing a task for these users will do nothing but cause them frustration. Instead, demonstrate the task, and ask if there are any questions. The next time it is to be performed, be on hand to offer support if needed, but otherwise remain in the background. Offer encouragement and praise, or constructive criticism as necessary. This user’s goal is to learn how to accomplish the task, and they will appreciate any efforts you make in helping them succeed. These users are valuable assets who generally have no problems expanding beyond their current tasks and taking on more responsibility.
Many people are not interested in employing skills which they deem unnecessary or time consuming. These people are very goal oriented, and want the path streamlined as much as possible. Attempting to teach the intricacies of a task to these users is seen by them as a waste of time. Success might be found in developing a solution which requires less interaction or is less time intensive. These types of solutions are generally an improvement for the business at large, as processes such as these consume everyone’s time. Because of this, the goal oriented users become barometers for inefficiencies that, despite their reporting being mostly negative, instigate progress for everyone else.
Users also exist who learn and operate by rote. These users are typically very quick and efficient workers, as long as their environment is consistent. Large operating changes can unsettle users such as these, so a forewarning that a change will be implemented, along with a phone call or visit when the change takes place will ease them into their comfort zone. While the amount of personal attention required might seem overwhelming at times, remember that this is time invested. These users will not only pay you back with efficient operation, but they will act as red flags to system changes that even the keenest monitoring systems may fail to recognize.
This column would be incomplete without mentioning the infamous “bad user”. Though lumped into one category, the reason a user earns this label varies a great deal. Either through actions or attitude, this user has shown that they do not want to contribute positively to the task at hand. Assuming that you do not have a supervisory role over this user, the best advice might try to make the best of a bad situation and work around them. I would advise against granting these users any more access than they need, regardless of technical prowess. Providing disgruntled users security clearance is asking for abuse. If the situation gets bad enough, it may warrant speaking to your supervisor about it. Under no condition should you speak with their supervisor, unless you both report to the same manager. The corporate hierarchy exists for a reason, and crossing boundaries will not endear you to the difficult coworker, their manager, or your manager.
Regardless of the tactic you are employing, the goal is to complete your task. Getting sidetracked into personal conflicts will deter you and hamper your schedule, not to mention lowering your concentration on the job at hand. Whenever interpersonal friction occurs, be the bigger person and move past it.
I’ve dealt with each of these users in my career, and I currently work with all of them with the exception of the “bad user”. I have also mishandled each one of them at times. It was through trial and error that I found my mechanisms to best deal with them, as well as learning about the benefits that they all offer the group. I’m very fortunate to have my current group of users, even though I will most assuredly make mistakes dealing with them in the future. To live is to learn, as they say.
Administrative Policies
As a general rule, the policies that you write and put in place should exist to best enable the business of the company to proceed, while meeting the various legal and professional regulations.
Never adopt administrative policies for punitive measure, and do not allow your emotion to cloud your judgment. Policies provide guidance and protection, not punishment. A potential positive opportunity to educate users can easily become negative if handled incorrectly. A user or group singled out in a policy can quickly become bad users, which lowers the efficiency of the company, which in turn makes it more difficult to conduct business. Focus on preventing the undesired actions in the future and ignore the past when writing policy.
I think we’re all guilty of retribution at some point in our lives, even if we’re not proud of it. I’d be lying if I said that I didn’t implement firewall rules at an ISP in direct response to user activity. The user didn’t break the terms of service (TOS) in literal word, but in spirit, and I reacted to that by changing the firewall rules specifically to prevent them from doing what they were doing. What I should have done was discuss the situation with management, edit the TOS, and the firewall to reflect it. Fortunately in my job roles after that, I have reacted more maturely to issues such as these.
The Bottom Line
Managing users effectively is one of the most difficult tasks that your job can include. Experience is the best teacher, as long as you pay attention and learn from your mistakes. You don’t need to be a “people person” to communicate well, you only need to try to see things from the others’ perspectives and follow the golden rule. Treat other people like you would want to be treated. Respect and real communication will be your reward.
