Many organizations have in-house IT staff that has been around for a long time. However, if the organization has not invested in employee skills, there is a tendency for complacency and stagnation, says Lou Rabon, Cal Net Technology Group’s information security practice manager.
“This stagnation comes in the form of believing that solutions the in-house IT people are providing are the best ones out there based on their experience,” Rabon says. “For loyal IT staff, their experience is usually only in one environment, and if no new education or experience has been acquired, then an element of risk is introduced into the organization. Not only will the organization be getting outdated and inadequate service and solutions, but the risk introduced may prove to be fatal to an organization’s data, as well.”
Smart Business spoke with Rabon about how to spot IT staff stagnation and what steps to take to address the problem.
How critical is the need to update IT skills?
Information technology experiences paradigm changes over very short periods of time. New, disruptive technologies are appearing all of the time, sometimes in as little as months. In information security, this trend is even faster, where minutes and seconds can separate effective solutions from completely inadequate, and expensive, defenses.
What are signs that IT staff might have stagnated?
If your IT person has been doing the same thing since 2007, you can be assured that there are going to be problems. Large and small companies should take stock and ask:
• Does current IT staff/policy favor convenience over security?
• Are there direct remote connections to machines because a virtual private network or remote access solution was considered too complicated or not possible?
• Are there passwords that are not complex or do not change?
• Do easy-to-remember — and therefore easily crackable — administrative passwords exist that have access to sensitive data?
• Is there a lack of visibility on the network?
• When problems occur, is root cause rarely determined and downtime frequent?
• Is there resistance to change?
• Are overly technical and confusing answers given when approached for advice or questions?
These are just some of the more obvious ways to determine if your current IT staff might need a knowledge refreshment or replacement. Unfortunately, most internal IT staff will believe everything is being done right, despite evidence to the contrary. This is what psychologists call the Dunning-Kruger effect, ‘in which unskilled individuals suffer from illusory superiority, mistakenly rating their ability much higher than average.’
What steps can be taken to address this problem?
The first might be to look at how staff is managed. Maybe the reporting structure should be changed. In many growing organizations, IT will typically be CFO-led. Ideally, IT staff should fall under a COO or, better yet, a dedicated CIO who can look at the big picture of where an organization is headed and drive this strategy.
Another option is training. Incompetence of any staff might be a failing of the organization itself to properly invest in its work force. Picking the right training can be a challenge, but there are a number of solutions. Vendor training is an option and can typically be obtained at a reasonable cost, especially if the organization has used one vendor’s technology over a long time and can leverage fidelity for a reduced training cost. New vendors also can be looked at to displace existing technology and they may throw in training as part of a purchased bundle. Many specialty organizations offer training such as A+. For security, the SANS Institute has an excellent Security Essentials Boot Camp, which can start to embed some of the basic tenants of security for any staff working with sensitive information or information technology. Finally, continuing education at a local university and even some of the free courses released by institutions such as Stanford might be a good way to stimulate critical thinking and encourage the staff to refresh its skills.
Another solution, which could be the easiest, is to augment the staff with outside talent. Bringing in an outside consulting firm can give an internal IT department a kick in the pants. Personnel will respond differently to this, with some seeing it as a threat and others embracing the help. Both perceptions can be helpful. An outside firm will help you navigate the technology, but more importantly, a good outside firm will help you identify who in the organization you should keep and who should go.
What about outsourcing all IT work?
Some organizations are much better off going in this direction, depending on what internal resources are available. IT, in and of itself, is a business, and, if you’re a small to mid-sized company, you might want to ask yourself, ‘What business am I in?’ For those organizations that prefer to concentrate on their core competency, outsourcing is a great solution. Doing so can help dramatically reduce costs, increase efficiency and productivity, and increase the security posture of an organization. A good IT outsourcing company is continually investing in its team, and because it sees many different IT environments, it is in a unique position to see what works best and provide those best practices to its clients.
Risk in any organization must be managed and mitigated as much as possible. Continuing to employ or engage unskilled or inadequate IT resources introduces an unacceptable level of risk. Your first step is to take a hard look at your organization, and evaluate whether or not you need to invest in IT skills or bring in external resources to best manage the information assets of the organization.
Lou Rabon is information security practice manager for Cal Net Technology Group. Reach him at (818) 721-4414 or [email protected]