How should you respond when your executive demands admin access to the core infrastructure? Business Technology’s resident U.S. blogger Keil Hubert suggests that the only reasonable answer is ‘absolutely not.’
I’ve never been keen on attending outdoor barbeques during Texas summers. There’s something unsettling about hanging about outside in the searing heat of a 40+ Celsius afternoon under the merciless Southern sun, while people you vaguely know discuss sport and drink light beer, while waiting to gnaw on inexpensive picnic foods. I don’t get the appeal. If I want to get blistered and dehydrated, I can easily achieve that by doing some much-needed yard work, where there’s no light beer or baseball talk required. If I want tasty grilled meats, I can pop down to any of the fifty or so local eateries near my house who will all sell me professionally prepared products on-demand – and I don’t have to make small talk while I’m eating. Finally, if I want to chat about inconsequential things with people that I only vaguely know, I can go to work and schedule a meeting.
So, while I was getting ready for a holiday barbeque outing on Saturday the 4th, I squirreled myself away for an hour and browsed some interesting discussions over on Reddit. You’re welcome to your version of sport; I prefer office sport. I find that the stakes are more personal, the fighting is often more vicious, and the results actually matter. But, to each his own.
Anyway, one of the discussions that captivated my attention was a post by user ‘CbcITGuy’ titled ‘Need some working advice, non IT user wants Admin access…. To EVERYTHING.’ It’s a bit of a long read, but the gist of the piece was that the author is the head sysadmin for a non-profit venture. As he put it when asking for advice from the community in how best to respond:
‘The ELECTED, VOLUNTEER CHAIRMAN is requesting Administrative access to the ENTIRE network system, servers, firewalls, printers, switches, routers, access points and phone system. He is ALSO requesting access to systems that are co-mingled by a sister non-profit in the same building.’
My immediate reaction to reading that request was a derisive snort. CbcITGuy believed (quite rightly!) that fulfilling this request would constitute an unacceptable breach of essential security for his organisation and for all of its users. I think that he was dead right that he shouldn’t acquiesce to such an unreasonable demand without (at the very least) a Get-Out-of-Hell-Free card from the powers-that-be that would absolve him from all suspicion and blame for anything and everything that might go wrong with the company’s information systems from that point on. Many of the commenters advised CbcITGuy to resign from his post immediately. I can’t blame them – a request such as the one he’d received from the elected chairman cannot be granted in good conscience.
One of the essential elements of information security is that users should have no more access than they absolutely need to have in order to accomplish their required tasks, and then should keep that access for only so long as they require it – and not a second more. The SANS Institute’s ‘Critical Security Controls for Effective Cyber Defense’ speaks to this in two of its twenty control measures: #12: Controlled Use of Administrative Privileges, and #15: Controlled Access Based on the Need to Know. The US military refers to this as the ‘Principle of Least Privilege.’ Other InfoSec agencies have similar advice. It’s a very real area of concern; everyone in the business teaches that an InfoSec professional who violates this concept does so at his or her peril.
I’ve found that CbcITGuy’s situation is actually pretty common in industry. People who hold positions of power inside a business often suffer from a powerful urge to try and control everything under their domain. They (the thinking goes) give all of the orders, sign all of the cheques, make all of the tough decisions, decide who’s hired and who’s fired … so why shouldn’t they also have at least equal administrative control over the critical information infrastructure that their company runs on? In the abstract, the argument sounds almost reasonable. After all, if the person who’s saddled with fiscal responsibility for the entire operation can have a master key that physically unlocks all of the rooms in his or her buildings, why can’t they also have a virtual master key that logically unlocks all of the IT kit?
I’ve had that exact statement pitched to me by an executive. The answer should be blatantly and instantly obvious: ‘No, you shouldn’t, because you don’t know what the *#&$ you’re doing.’
The fellow who told me that he expected to have admin rights over the production network was the head of an aviation sector firm, and was himself an amateur pilot. I was able to mollify him by offering him a fair trade: ‘I’ll tell you what, boss: I’ll let you log in to the server farm and all the routers as root when you let me stroll into the cockpit and start flying your bloody airplane.’
The executive laughed and said, ‘That’s ludicrous! You’re neither trained nor licensed to fly a plane!’
I nodded and replied, ‘Just like you’re neither trained nor credentialed to drive a router or a server. No matter how well-intentioned you might be, you’re a technological amateur – and the amount of damage that you could do to the critical infrastructure is much too high for us to allow you to take the controls.’
I obviously didn’t win a friend there. Then again, I wasn’t interested in being friends with someone whose whims were likely to cripple the company and possibly get me fired as well. So, there’s that.
There’s more to the rejection of this silly idea than just the inexperience issue. I worked at a medium sized business where one of the junior executives happened to have come from the IT sector. He owned an IT infrastructure support business in the next town over, and clearly knew what he was doing when it came to systems and networks. I couldn’t put him off on competence grounds. I could (and did) refuse his request for network administrator rights because of the ‘essential scope of authority’ problem: if the production network was somehow compromised on my watch, I would take the fall for it. That responsibility extended to any- and everyone under my control that held admin rights. I was willing to accept that risk for the people that worked for me, since I could apply and enforce mandatory standards of professional conduct for ‘my’ people. I couldn’t, however, exercise any administrative control over the well-meaning executive, since he operated at an echelon well above my station, and I could neither give him orders nor punish him if he did something wrong. Therefore, if I granted him admin rights, he’d effectively have carte blanche to do whatever he wanted whenever he wanted. Because he was untouchable, if he ever did something wrong he’d get away with it … and I’d pay the price for his misconduct. No thanks.
Of course, all of this talk about ‘echelons’ and ‘responsibility’ and ‘authority’ really only applies to a decent-sized and mature organisation: one that’s established enough that it’s decided to structure itself and to police itself based on a system of rules, controls, and segregated responsibilities. An organisation where employees have discrete functions, and often have clearly-defined limits on what they’re required to do versus what they’re forbidden to do. Organisations like businesses, corporations, foundations, and even ministries.
But … what about start-ups? They’re often a very different animal for entirely obvious reasons: they’re not beholden to any established rule-sets, so they can make things up as they go along. Reinvent everything from scratch. They don’t have to play by your tired old ‘rules,’ man! (or words to that effect).
The situation may be different elsewhere. Perhaps new entrepreneurial ventures in Scandinavia or Singapore are orderly, well-structured affairs and are managed by the same corporate principles that govern century-old corporations. Here in the USA, however, many (if not most) new start-ups are brought to life and get regulated entirely by the fervor of one driven individual whose captivating arrogance compels them to breathe life into what is, statistically-speaking, a doomed waste of money and effort. It’s that dream-fueled hubris that makes entrepreneurship work. A dispassionate analyst would look at the overwhelming majority of business plans and deny them based on perfectly rational grounds: insufficient market demand, unproven essential technology, lack of critical infrastructure, too many competitors already in the niche, and so on. Facts and logic are trivial obstacles to a committed visionary, though! A thousand new start-ups are launched every day on the unshakable faith that this time the stars will all align and the founders will secure magnificent fame and fortune. ‘Just you wait and see!’ they say. ‘This time it’s different.’
I love watching it happen. I really do. Being around someone with an epic vision can be positively intoxicating. An entrepreneur’s zealous commitment to a grander future puts pedestrian opiates to shame. Spend some time in one’s presence and you’re at grave risk of being assimilated into his or her cause. They paint you a picture of a better future that you feel you can almost grasp. If everyone just commits to the program, nothing can stop us … etc.
Nothing, that is, save for the aforementioned insufficient market demand, unproven essential technology, and all the rest. Yes, I know: I’m always the soggy wool blanket at the party. Bad on me for bringing up ‘facts’ and ‘logic’ at a tent revival. I’ll see myself out.
That, right there, I argue is why start-ups are very different from every other incorporated entity on the block: because they’re operated by a very small crew of ‘true believers’ and are often under the sway of a charismatic firebrand, they tend to eschew the tried-and-true tactics of fussy old established businesses. Everything is run as a free-for-all, with every worker chipping in wherever it’s necessary in order to get the job done. It’s exhilarating! It’s challenging! It’s bloody chaotic, and it’s therefore very likely to take catastrophic shortcuts in the name of ‘getting to market.’
I cannot stress enough that I enjoy a good start-up venture as much as the next fellow. That being said, I am also an InfoSec professional. I’m not easily convinced to ignore the fundamental principles of my craft just because someone with a preacher’s gift for inspirational speaking tells me to relax and go with the flow. Technical vulnerabilities don’t go away just because we find them inconvenient. Bad guys don’t have a mandatory hands-off period when it comes to attacking new ventures. Malware doesn’t give two snits whether or not you’ve finished your IPO preparations. You can either take appropriate measures to defend your production systems, or you can accept the inevitable risk that comes from failing to defend said systems. Those are your choices.
I’ve had this conversation with several mesmerizing businessmen whose arrogance left me absolutely speechless. ‘We don’t have time to worry about security,’ one said. ‘There’ll be time to think about implementing security after we’re established,’ another said. I often felt like the only sane bloke in Arkham Asylum during meetings with these someday-billionaires because everyone else in the room at the time was nodding enthusiastically to the Top Bloke’s daft pronouncements. Remove a player from the leader’s ‘reality distortion’ field, and they started to realize that they were being ridiculous. That didn’t stop them from suppressing their common sense, though. Back in they’d go, and it was once again smiles and barmy ideas all-round.
I get it. Entrepreneurs need that streak of irrational exuberance, the same way that pilots need their astonishing arrogance – that unshakable belief that they alone are slick enough to defy God and physics in order to keep a fifty-ton aluminum brick in the sky when everything in nature says that it’s not allowed to be there. Entrepreneurs similarly believe beyond any doubt that they can do what everyone else failed to do under the exact same conditions. That brand of amazing self-confidence is entirely necessary: if you don’t possess it, then you can’t do the job properly. I’m not suggesting that we replace either entrepreneurs or fighter pilots with purely dispassionate logisticians. It just wouldn’t work. 
On the other hand, I am suggesting that every new venture needs a well-grounded curmudgeon on staff to counterbalance the everybody-gets-a-unicorn crowd. Long-term success comes from balancing the two perspectives. Someone has to have the authority and the mandate to say ‘no’ to bloody stupid ideas (like letting the founder have the ‘keys’ to the bloody production router), and the credibility to tender a thoughtful, reasonable alternative that the business can live with.
That’s largely because real people in real situations rarely ever conform to idyllic expectations of human behaviour. When you put a bunch of inexperienced workers in an utterly unstructured environment (like a nascent Dot Com), they’re far more likely to behave counterproductively, like the fictional castaways from William Goldman’s interpretation of emergent society than they are to behave optimally, like the castaways from R. M. Ballantyne’s boys’ adventure tale. People, being people, bring their inherent irrationality and past psychosocial damage with them to work whether they intend to or not. In a regulated, controlled environment, most people can generally suppress the counterproductive elements of their personalities, whereas an unconstrained environment lacks the essential social and administrative controls to effectively keep people’s bad habits in check. Take away all of the conventional social controls, and you get drama.
A wise and/or experienced entrepreneur needs to recognize this risk and take deliberate measures to mitigate it as an essential part of establishing the new venture. He or she needs to make the rational decision early on to empower his or her core support staff (i.e., IT, facilities, logistics, and HR) with the remit to act according to best industry principles rather than be subject to management’s arbitrary and capricious whims. The support boffins don’t necessarily get to run the show, but they must be listened to when it comes to issues falling within their sphere of expertise.
I admit that my position represents a daunting challenge for someone that’s already so enamoured of their vision that they’ve slipped the surly bonds of rational thought. I grok. That being said, I’m going to continue to pound this drum for as long as anyone will listen: irrational hope and rational cynicism need to be shrewdly balanced if a company is to have a realistic shot at long-term success. Denying either of the two positions puts your new company on a fast track to self-destruction.
 Along those lines, I once met a military man who voluntarily gave up a career flying big jets because the thought of being responsible for the lives of all his passengers stressed him out until he was too sick to fly. He said once that he didn’t care about dying himself; he just couldn’t justify gambling anyone else’s life on his paltry skill. That fellow made what was probably the most rational decision that I’ve ever seen a pilot make, and I respect the hell out of him for walking away from it all.
Goldman’s 1954 novel The Lord of The Flies suggested that a bunch of young boys left stranded on a deserted island would create a dystopian nightmare. This was an inversion of …
 … Ballantyne’s 1858 novel The Coral Island, where a trio of stranded boys managed to overcome all of their challenges thanks to strong Christian values and the natural superiority of British Imperialism.
Keil Hubert is a retired U.S. Air Force ‘Cyberspace Operations’ officer, with over ten years of military command experience. He currently consults on business, security and technology issues in Texas. He’s built dot-com start-ups for KPMG Consulting, created an in-house consulting practice for Yahoo!, and helped to launch four small businesses (including his own).
Keil’s experience creating and leading IT teams in the defense, healthcare, media, government and non-profit sectors has afforded him an eclectic perspective on the integration of business needs, technical services and creative employee development… This serves him well as Business Technology’s resident U.S. blogger.