I’m working at this health company; it’s my first IT job, and I’ve been here a little more than half a year so far. I do appreciate the opportunity I was given, but man, this place is kind of a wreck. The boss didn’t want to upgrade the Windows 7 computer that’s sitting on the network and utterly refused to do so. Even after being shown everything that proved it could be upgraded, he was pissed, and it took six months to finally upgrade it to Windows 11 with the necessary software we have.
Another crucial issue is that literally the people who work on the floor have FULL ADMINISTRATOR ACCESS to install any programs they want. I brought this up to him, and he said, “We have bigger battles to fight.” The computer passwords are literally just “Password” or the start date of the employee. So literally all someone has to do is ask when they started working here, and boom—they have access to their account. We also had local accounts sitting on every computer. He does not want to change any of this.
I am capable of switching jobs. I have talked one-on-one with big figures in the field like Richard Stallman before. I do testing and help port hardware for coreboot/Libreboot. I am also looking into getting my Linux+ (currently only have my A+). What should I do?
(My boss and I are the only two IT people)
Step one, take a deep breath and realize that, unless you own the company, killing yourself to save it is dumb.
That said, there are some things you can do to try and improve things.
Learn to “talk business”. Yup, this one sucks, but it’s also the only way you are ever going to get traction. Take that Windows 7 system: why do you want to upgrade it? “Because security”, right? Well, how does that translate into costs to the business? Because businesses don’t care about security. I work in cybersecurity for a large (Fortune 500) company, and upper management has given exactly zero fucks about security for a very long time. They only started coming around when that lack of security started costing them real money. They still give zero fucks about security, but they do care about risks to the business and what those might cost them. Having security and money linked in their heads means we can actually implement better security. You need to put the lack of security of that Windows 7 system in terms of dollars potentially lost, something like the Annualized Loss Expectancy. If that box gets popped, how much would it reasonably cost the business to recover from? Is that something which you expect to happen once a year? Once every five years? These numbers will be mostly made up and wildly inaccurate, but the goal is just to get in the right ballpark. How does that cost compare with the cost to upgrade? What about other possible mitigating controls you could use to protect it? Does it need to have internet access? Could you VLAN it off into its own little world and keep it running with reduced risk? Give management the expected cost of that system becoming patient zero in a ransomware outbreak, and then give them several options and the associated costs (upfront and ongoing) to secure it. Have multiple options: a high-cost one (e.g. replace the box), a low-cost one (FW and VLAN controls) and the one you actually want right in between (OS upgrade). Managers are like children; they need to feel like they made a choice, even if you steered them into it.
Next, don’t try to boil the ocean. You’re not going to fix everything, everywhere, all at once. Get some small wins under your belt and prove to management that you aren’t going to break the business. Show that you aren’t just some greenhorn cowboy who is going to break the business because you think you are so smart. If you can make a plan for that Windows 7 system, show the costs involved and actually get the job done smoothly, then you might be able to move on to other things. Sure, you might actually be right, but you could also end up breaking a lot of stuff in your quest to have perfect security (which you’ll never actually achieve). Take one or maybe two things at a time. It’s a slow process and it leaves things broken far longer than you will like, but it builds trust and gets more action than just screaming about everything at everyone. Slow is steady, steady is fast.
Moving on, be aware that you probably don’t know everything about the business, and the business functioning is paramount. Why does everyone have local admin? Because that’s the way it’s always been and it has always worked. If you start pulling those permissions back, what processes get broken? This is a tough one, because it means documenting other people’s processes, many of which probably only exist in the heads of those people. How often are people moving critical files around using CIFS and the C$ share? It’s fucking stupid, but there’s a good chance that the number is greater than zero. You pull local admin from people, and now work doesn’t get done. If work doesn’t get done, the business loses money. You need to have a plan which shows that you have considered these things. Design a slow rollout which phases local admin rights out for the users who are least likely to affect the business. Again, slow is steady, steady is fast.
And this brings us to another point: auditors are your friends. No really, those folks who come in and ask you where all your documentation is and point out every single flaw in your network, ya, they deserve hugs, not hate. You’re in healthcare; where does your business fall on regulations like HIPAA (US-centric, but similar regulations may apply in other countries)? 'Cause nothing says “fuck your wallet” to a business quite like failing an audit. If you can link the security failures of the business to required audit controls, that’s going to give you tons of ammunition to get stuff done. I’ve watched businesses move mountains to comply with audit controls. Granted, it all becomes “checkbox security” at some point, but that is vastly better than nothing.
All that said, company loyalty is a sucker’s game. I’m guessing you’re early in your career, and an early IT career likely means job hopping every 3 years or so. Unless you get a major promotion and associated pay bump in that time, it’s probably time to move on. Later in your career this can slow down as you top out in whatever specialization you choose (or you get lured in by the siren song of management). So, there is that to consider. It might just be time to go find greener pastures and discover that pastures are green because the cows shit all over them. But it can feel better for a while. Having your resume up to date and flying it out there usually doesn’t hurt. Don’t job hop too fast or you start to look like a risk (I stick to a 1-year minimum). But don’t stick around trying to save a sinking company.
Along with that, remember that you don’t own the company, so don’t let it own you. When you get to the end of your day, go the fuck home. Don’t let the business consume your personal time in actions or thoughts. If the place burns, that’s the owner’s problem, not yours. Do your best while on the clock, and do try to make positive changes. But killing yourself to make the owner just a bit richer makes no sense. The only person who is ever going to truly have your best interests in mind is you; don’t lose sight of them. Say it with me: “Fuck you, pay me.”
So, where to go from here? Well, you sound like you have a good plan at the moment:
I am also looking into getting my Linux+ (currently only have my A+)
Sounds solid. If you care about security, let me recommend poking your head into the cybersecurity field. I am absolutely biased, but I feel it’s a fantastic field to be in right now. Following up the Linux+ with the Sec+ can be a great start, and maybe the Net+. The A+, Net+, Sec+ trifecta can open a lot of doors. And you now have some IT/systems background, which I always suggest for folks (I look for 3-5 years in IT on resumes). As a lead, I get to be in on interviews and always ask questions about networking, Active Directory, email security and Linux. I don’t expect entry-level analysts to know everything about all of them, but I do expect them to be able to hold a conversation about them.
Good luck, whatever path you choose.
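One way to do the discovery step described in the reply above (find out who actually holds local admin and who is really pushing files through C$) before any rights get pulled, as an added example that is not the commenter’s own script. It assumes the RSAT ActiveDirectory module on the admin workstation, PowerShell remoting to the endpoints, and that the “Audit File Share” audit subcategory is enabled on them so that Security event 5140 (a network share object was accessed) is logged. The OU path, the 30-day window and the output file name are placeholders; the property positions used for 5140 follow that event’s payload order (subject user name, subject domain, then share name in slot 8).

```powershell
# Added example, not from the thread. Inventory local Administrators members
# on every domain workstation and count C$ admin-share access per user from
# Security event 5140, so the first wave of a local-admin phase-out can be
# chosen from machines nobody depends on.
# Assumptions: ActiveDirectory module, PS remoting enabled, "Audit File Share"
# auditing turned on. OU, window and CSV path are placeholders.

Import-Module ActiveDirectory

$computers = Get-ADComputer -Filter 'OperatingSystem -like "Windows*"' `
    -SearchBase 'OU=Workstations,DC=example,DC=local' |        # placeholder OU
    Select-Object -ExpandProperty Name

$since = (Get-Date).AddDays(-30)                               # placeholder window

$results = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ArgumentList $since -ScriptBlock {
    param($since)

    # 1. Who is in the local Administrators group on this machine?
    #    Get-LocalGroupMember throws on orphaned SIDs, so fall back to net.exe.
    try {
        $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
                  Select-Object -ExpandProperty Name
    } catch {
        $admins = (net localgroup Administrators) |
                  Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' }
    }

    # 2. Who has been hitting the C$ share? Event 5140 payload order is:
    #    [0] SubjectUserSid [1] SubjectUserName [2] SubjectDomainName ... [7] ShareName
    $cShareUsers = @{}
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5140; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = $_.Properties
            if ($p.Count -ge 8 -and $p[7].Value -like '*\C$') {
                $user = '{0}\{1}' -f $p[2].Value, $p[1].Value
                $cShareUsers[$user] = 1 + [int]$cShareUsers[$user]
            }
        }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        LocalAdmins = ($admins -join '; ')
        CShareUsers = (($cShareUsers.GetEnumerator() |
                        Sort-Object Value -Descending |
                        ForEach-Object { '{0}={1}' -f $_.Key, $_.Value }) -join '; ')
    }
}

$results | Sort-Object Computer |
    Export-Csv -NoTypeInformation -Path .\local-admin-inventory.csv    # placeholder path

# First-wave candidates: nobody has touched C$ in the window, so removing a
# user from Administrators there is unlikely to break a working habit.
$firstWave = $results | Where-Object { -not $_.CShareUsers }
$firstWave | Select-Object Computer, LocalAdmins | Format-Table -AutoSize

# The actual removal, run per machine once the user has been told and a
# rollback path exists (shown, not executed):
#   Invoke-Command -ComputerName $pc -ScriptBlock { Remove-LocalGroupMember -Group 'Administrators' -Member 'DOMAIN\user' }
```

Machines that show up with an empty CShareUsers column and only the built-in Administrator and the domain admins group in LocalAdmins are the safe place to start; the ones with a named user racking up C$ counts are the processes that exist only in someone’s head and need documenting before their rights change.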
Thanks man, that’s some solid advice, even if my work is a lot more pliable for security. I’d also say that compliance and risk are very good motivation: if you can nmap the servers and SSH in with default credentials with zero alarms going off during it, that could cost millions in data loss, compliance fines, and recovery efforts. Show them solid figures and it’s a hell of a motivator.
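The “solid figures” both of the replies above ask for, worked through as a script, as an added example that comes from neither commenter. Every number in it is made up, exactly as the long reply says they will be, and is only there to show the shape of the calculation: one Annualized Loss Expectancy (single loss expectancy times annual rate of occurrence) for the box as it stands, a residual ALE under each control, the control’s upfront cost spread over a planning horizon plus its yearly cost, and the net. The function and parameter names are my own.

```powershell
# Added example, not from the thread. ALE-based comparison of the three-option
# pitch (low cost / the one you want / high cost) plus "do nothing".
# All figures below are invented for illustration.

function Get-AnnualizedLossExpectancy {
    # ALE = SLE x ARO: what one incident costs, times how often per year you expect it.
    param([double]$SingleLossExpectancy, [double]$AnnualRateOfOccurrence)
    return $SingleLossExpectancy * $AnnualRateOfOccurrence
}

function Compare-RiskOptions {
    param(
        [double]$SingleLossExpectancy,      # cost of one incident today
        [double]$AnnualRateOfOccurrence,    # expected incidents per year today
        [int]$HorizonYears = 5,             # years over which upfront cost is spread
        [hashtable[]]$Options               # Name, UpfrontCost, AnnualCost, ResidualARO[, ResidualSLE]
    )
    $baselineALE = Get-AnnualizedLossExpectancy $SingleLossExpectancy $AnnualRateOfOccurrence
    foreach ($o in $Options) {
        # A control may also shrink the size of a loss (e.g. the box is isolated),
        # not just how often it happens; default to the baseline SLE otherwise.
        $sle = if ($o.ContainsKey('ResidualSLE')) { $o.ResidualSLE } else { $SingleLossExpectancy }
        $residualALE   = Get-AnnualizedLossExpectancy $sle $o.ResidualARO
        $annualControl = ($o.UpfrontCost / $HorizonYears) + $o.AnnualCost
        $riskReduced   = $baselineALE - $residualALE
        $net           = $riskReduced - $annualControl
        [pscustomobject]@{
            Option            = $o.Name
            BaselineALE       = [math]::Round($baselineALE)
            ResidualALE       = [math]::Round($residualALE)
            AnnualControlCost = [math]::Round($annualControl)
            NetAnnualBenefit  = [math]::Round($net)
            # return on security investment: net benefit per dollar of control spend
            ROSI              = if ($annualControl -gt 0) { [math]::Round($net / $annualControl, 1) } else { $null }
        }
    }
}

# Made-up figures for one unpatched box becoming ransomware patient zero:
# a 250k recovery (rebuild, downtime, notification) expected about once in five years.
$options = @(
    @{ Name = 'Do nothing';          UpfrontCost = 0;     AnnualCost = 0;   ResidualARO = 0.20 }
    @{ Name = 'Firewall + VLAN';     UpfrontCost = 2000;  AnnualCost = 500; ResidualARO = 0.05 }
    @{ Name = 'OS upgrade';          UpfrontCost = 4000;  AnnualCost = 0;   ResidualARO = 0.02 }
    @{ Name = 'Replace the machine'; UpfrontCost = 15000; AnnualCost = 0;   ResidualARO = 0.02 }
)

Compare-RiskOptions -SingleLossExpectancy 250000 -AnnualRateOfOccurrence 0.20 -Options $options |
    Sort-Object NetAnnualBenefit -Descending |
    Format-Table -AutoSize
```

With those invented inputs the baseline ALE is 50,000 a year, the OS upgrade comes out on top by net annual benefit (45,000 of risk removed for 800 a year), replacement second (the same risk removed for 3,000 a year), and the firewall-and-VLAN option third; the point of the table is that management sees all four lines side by side, not that any of the numbers are right.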
It’s remarkable that you took the time to write this essay just to reply to that post. Thank you for the effort and your insights, it was very interesting to read and I’m glad I stumbled across it!
Yes, try to find a different job. It’s tough out there right now, as you probably know, so don’t quit until you’ve secured a position at a less crazy place.
I’ve found the market is actually warming a bit. Now may be a great time to search casually and find something they’re happier with
Health, Financial and Education are some of the worst sectors to work in IT for differing reasons. (And they usually DON’T give a salary to match.)
Health, because if something breaks people might just not be able to work, or people might die. And the regulatory environment.
Financial just sucks because of the regulatory environment, and banks are some of the worst offenders of “IT is just a cost center”.
Education (well-funded colleges/universities might be different), because of lack of funding and annoying bureaucracy.
I’ve worked in 2 of the 3 (education and financial) in IT and they SUCKED, but probably would have been a bit better if I had a good paycheck to match the suckiness.
I will never work any of those three again.
A health company where they have that poor of security practices? Get the hell out ASAP! When they get ransomware, (and they will,) you do NOT want to be on the hook for trying to recover their systems.
Trust me, I had to help recover from a ransomware attack at a small company a while back, it hit early in the morning, I got there a little before 8am once I got the call.
22 hours later, we had only just finished wiping and re-imaging every computer, let alone getting all the software reinstalled, configured, tested, backups re-synced, etc. It took weeks to get everything fully recovered, and that was with a team of half a dozen people.
In the meantime, CYA hardcore. Document all security issues you can find in email and make sure whoever is in charge is aware and is on the email chain. There literally could be legal charges brought up if it’s involving private health information.
I got let go from a healthcare company around the pandemic, for asking if I could work from home a bit.
I had been doing all the back ups before I left. Months later I found out they got hit with ransomware and ended up having to pay it. 😂
The last time I was in a position like yours I almost learned the hard way to make documentation to protect yourself.
The next time you and your boss have a conversation on security things like that Windows 7 computer, tell him that you’re going to send an email at the end of the conversation restating what he told you to do; then send that email; and then use your smartphone to take a picture of the email. (Time stamps are important, so make sure that the phone’s picture metadata is enabled; it’s usually on by default. Or make sure that the picture includes something with the date and time on it, like a calendar on your computer.)
Do this for anything security related, like passwords or administrator access. If you have a good boss, they’ll realize that you feel like you need to protect yourself and they’ll start making changes.
Oh, I’ve already been doing this, putting “Read Receipt” on emails and also checking confirmation of delivery. I forward any critical emails to my personal email just in case he deletes it. He would definitely throw me under the bus if he wanted to. Thank you for the advice though!
In the health sector specifically, IT is a mess because you can’t stop people from working or there will be deaths. One thing you should take away from this is that their jobs are important and it is crucial that they can do them. It is your job to support them; anything that stops them doing their job or makes it take longer, even once, is dangerous. Improving infra for its own sake is not a good idea because it comes at the risk of people’s lives. The details don’t matter in the face of that.
If this stresses you out, you can absolutely change jobs. I did.
If you think you can work within those parameters, and you think you can find ways to improve the system in place while mitigating the risks, then you will be highly respected.
I get you with the windows 7 thing but how big is this company? There’s a point where “corporate best practices” don’t make sense because there are fewer employees. Maybe negotiate with the boss for one or two of the top things on your list and push the rest until next year.
Also, no matter where you are you’ll probably end up frustrated with management not giving you what you need.
Over 40+ domain accounts. 200-300 employees on the floor. We’ve had a couple phishing attempts via email of someone impersonating our CEO.
If you are able to, I would almost always recommend changing.
Are you happy? Is the vibe nice? Are people friendly? Are you being paid a fair amount, or can you get more at another job? Do they respect your private life, or are they stressing you out? How is the commute?
There are other things to consider than industry best practices. You might very well end up in a place that treats you like shit, is much farther away and lets you go the moment they don’t need you.
Yes you should switch jobs. But make sure you have a good answer when they ask you why. You don’t want to talk bad about your current employer to your possible new employer.
So find a positive way to describe why you are changing jobs. What are you looking for, what skills and areas do you want to grow in? This is important. Don’t get hung up on your current job; find something new that you like doing and focus on your personal growth and career.
What experience have you gained at your current job? Anything special that you achieved? You need to have an answer to that for your future employer. You don’t need to lie, but you need to prepare for some questions.
It definitely sounds like a job change is a good idea if you’re feeling like the environment is holding you back or just not a good fit for your skills and values. I’m actually in a similar boat and actively exploring new opportunities as well. It’s tough when you can’t make the changes that would improve things for everyone. Keep pushing for what you know is right, but also keep your options open and look for a place where you can grow and make a real impact.
Yeah, time to pack up and make a change. Find a new place before you quit, and I wish you luck.
Believe me when I say there ARE better organizations out there, even in healthcare. I work for a regional healthcare org, and we’ve got well-enforced policies for security (among other things). We actively work to maintain our environment to supported equipment only, and we have more than 2 people doing it.
Good luck.