National Cyber Security by LIGATT - http://www.nationalcybersecurity.com
Are you being held hostage by your Information Technology (IT) department?
http://www.nationalcybersecurity.com/articles/162/1/Are-you-being-held-hostage-by-your-Information-Technology-IT-department/Page1.html
Alvaka Networks’ Executive Vice President, Kevin McDonald

Kevin serves on the National Board of Directors for AEA, is the new Vice Chair of the AEA O.C. & Inland Empire, Executive Committee, and Chairman of the Government Affairs committee. He is also a member of the National Board of Directors for Web Wise Kids, Chairman of the WWK Government Affairs Committee, a member of the Congressional Internet Caucus Advisory Committee and ITSPA Advisory Board. Kevin writes for several industry publications, has written op-eds for major newspapers and is a published fiction author. He is a sought after panelist and inspirational presenter and industry expert on Public Policy as it relates to Cyber Security and Child Safety.

 
By Kevin McDonald
Published on Wednesday 30th 2008
 

Who's Watching Your Network?

This is not a frivolous question; it is one that you really should ask yourself. In recent weeks, 43-year-old Terry Childs allegedly used his super-user access to lock out San Francisco City officials from their core computer systems. For a period of days, as he sat in jail on $5,000,000 bail, he also refused to give up the passwords. According to a July 17th, 2008 AP story, “San Francisco officials allege Childs created a secret password that would have given him access to things like e-mails, payroll files, confidential law enforcement documents and even jail bookings.” What’s ironic about this is that city officials admit that he was the single administrator with ostensibly total control over the Wide Area Network system, so his having a password with that level of access is the nature of his role. The fact that he was the only one with super-user access, and that there were no checks and balances, documentation, or disaster recovery (DR) plans in place, is what should make the hair stand up on your neck. This is why there should never be a single person with such unlimited power and with such a high degree of personal knowledge that is not recorded elsewhere. If he had been run over by a truck instead of allegedly holding the city’s core computer systems hostage, this situation could have been far worse. He eventually gave up the passwords, but if he were dead, that obviously would not have been an option.

 

There has reportedly been no motive identified, but to be honest, this seems to be a no-brainer. It has been said that he was disciplined by his employer just prior to his alleged actions. I don’t know where to start when it comes to the IT Kingdom Builder Syndrome that is likely at work in some form here. It is something that I have seen time and time again, and I will elaborate on this syndrome as a completely separate subject in a later entry. In this case, an IT professional was placed in a position of unquestioned and/or unchallenged authority and control by his employers and was trusted with the lifeblood of the city and its citizens. He then, for whatever reason, chose to take advantage of his kinglike status and make life difficult for his employer. In this and many other cases, this total control is offered without any thought being given to who the IT employees really are, what motivates them and how truly competent they might be. In the case of Mr. Childs, he was clearly technically able but not professionally able to handle such power. He has apparently shown he has control issues and no concern for the potential damage he might be doing.

 

When a company or organization does not expect or demand that its assets be documented, and the IT person becomes irreplaceable due to mystery, this is a recipe for disaster. Such people may be irreplaceable not because they are amazing at what they do, or because they are the only ones who can do the job, but because they can hide behind the mystery and fear that they create, and the information and access only they hold. In cases like this, the IT professional has a level of pride of ownership that goes beyond their job function, and in their minds it is no longer the organization’s network but theirs. They built it, nurtured it, and God help anyone who gets between them and their creation.

 

 

What problems can this cause beyond the blatant takeover that allegedly occurred in San Francisco? I have consulted with several companies that have found themselves in this position. In most cases it was simply easier to give up control. The company execs were not technical and just trusted the people that they hired to take care of things. In many cases, the owners and executives had intuitive beliefs that they were being misled, lied to or even blatantly ripped off. Because they really didn’t know what the IT person had done, or not done, and because they were being spoken to in a language they themselves didn’t understand, they just went along. In the most recent case, I went to consult with a company that had gone from a small firm of fewer than twenty employees to one with nearly two hundred in the span of one year. They were using a single IT resource who was in way over his head and was severely overcharging the client to clean up his own messes. The IT person had failed to document any of the company’s software licensing, which put them at risk of penalties from a Business Software Association audit. He had given administrative access to a myriad of employees, done no work to provide for proper backup of the systems, and generally done a particularly poor job of delivering for the company.

 

When we started work on this particular company’s systems, this individual (who was still employed by the company) immediately started a pattern of behavior that is predictable. He worked to reverse our fixes, took systems down and tried to point a finger at us, refused to give up critical passwords and other information needed for us to properly fix the network, and generally cost the company far more money than it should have. The reason he was still there was that it took some time to squeeze out the information he had kept in his head instead of documenting it. Plus, the client needed time to be reassured that he wasn’t the only one who could keep them up and running. Today, he is no longer with the company; we have fully revamped the system and brought them up-to-date on their licensing. We assisted the company in hiring a new IT staffer, and we are now working closely with that staffer to fully document the system and create standard operating procedures. The company now has the freedom to fire that IT staffer, or us for that matter, because no single individual owns the system.

 

While I believe this example serves to tell of the common damage wrought by unregulated IT staffers, I have seen far more extreme cases than the ones spoken about here. I’ve seen multiple cases where data was completely deleted from the company servers and where company intellectual property was held for ransom. In two severe cases, the employee physically assaulted the employer and threatened their families, but the company owners were too afraid to do anything until we finally got involved.

 

  The bottom line is, don’t allow yourself to be held hostage. Be sure that you are using more than one set of eyes and never allow any one person to hold the keys to your kingdom. They just might use those keys to lock you out.