
IT Security is Business-Critical: And I Hate it…

Okay, that’s it – I hate IT security. And I really think that many folks in IT are actually like Mordac, the Preventer of IT, from the Dilbert comic strip. Okay, that’s not fair…

Allow me to back up just a bit to explain where I’m coming from. Recently, one of my clients told me that I had to change my password – actually several passwords. I’m probably not the best customer for most IT organizations – I can’t remember passwords like “@GHtf4#8iJJj6s$hillbilly9” – so I use passwords like “IHateThatCompany@5”. Even then, I have so many locations to go on the Internet and various internal intranets that I find it impossible to remember them all.  By the way, I refuse to use one of those password amalgamation programs because if I forget that password I can access nothing; worse, if someone hacks that password, they can ruin my professional life.

Being essentially lazy, I let Windows remember all of my passwords – a reasonable risk that pays dividends in productivity, while my Windows password is reasonably secure.

And this is what got me into trouble. My client has web access that forces me to use a “contractor number” as my username for some types of access, my initial/lastname for other types of access, and email address with a corporate prefix for still other types of access. I was told that I could change my password in one place, and all of my corporate passwords would be the same. Okay, that should help somewhat, I thought.

So I changed my password in that one place, and was locked out of all accounts almost immediately. Why? I forgot which username type I had to use for the various web access portals. When a username/password combination didn’t work, I’d try the old password, in case the new password “didn’t take yet” – yes, a bad decision on my part. I then had to request IT to reset my accounts again – a one-day delay because the head-office IT group in California had to do it.

I tried to access again the next day – but not before asking the local IT guy which username type matched which portal. Well, he got it wrong, so I was locked out again. For another whole day. Bottom line, I was able to get full access back only after being locked out for three whole business days.

No doubt there were good security-based reasons for using different usernames (I guess), but it remains a constant source of confusion for all but the most experienced employees. As new application portals come on line, default formats are used to save time, and to get things online as quickly as possible. I get that. But at the end of the day, in the haste to block unauthorized access, the IT group(s) had succeeded in blocking authorized access.

Is this fixable? Certainly. However, IT groups have only so many cycles to burn, and must spend the majority of their time fixing things that are actually broken rather than making existing systems more usable. It’s an endless cycle, and often, some of the most glaring workflow challenges in an organization never receive the attention they deserve.

This challenge can easily burrow its way down to the mainframe – the repository for the majority of large businesses’ most valuable data. As soon as corporate policy works its way through the entire organization, monthly password changes become the norm, which increases the likelihood that workflows will be interrupted for reasons similar to my experience. This can be exacerbated by the influx of new employees into the mainframe sphere of influence, and by the retirement of older employees.

It’s one thing to have marketing people locked out of their systems for days on end, but it’s an entirely different thing if a Mainframe DBA or lab manager is unable to make timely adjustments or emergency fixes.  The truth is that any employee unable to efficiently perform business tasks is a drain on the company, which cumulatively affects the bottom line. For a large organization, the cost of this downtime – and associated cost per hour in lost productivity – can be significant.

Okay, I’m venting. The fact is, all organizations must have proper security protocols in place, and people like me have to live with them. That’s a given. Now, if your DBAs and lab managers are the same people that are controlling access to systems, then your organization is probably in default of a whole slew of security and regulatory protocols, and problems like mine are the least of your concerns.

Keith Allingham

Contributing Editor at Planet Mainframe
In addition to the planning, development and management of the Planet Mainframe blog, Keith is a marketing copywriting consultant at DataKinetics, providing messaging for corporate and partner products and solutions. Previously, Keith has held consulting, management, marketing and technical positions with various tech companies and government organizations.