I think their performance is relevant. Why would an employee be able to easily run an unknown binary from the internet to begin with? If the systems were properly configured to block this, there would be no issue. If I were an executive, I would absolutely be looking at my IT team in this case.
If the employee went entirely out of their way to run an unknown binary, bypassing OS-level restrictions, and sidestepping established procedures - then the employee should be fired.
You really are not familiar with the concepts of company policy and liability, are you? Whether there is an effective technical restriction in place is relevant to the question “can you run the thing”. It is irrelevant for the question “did you circumvent company policy?” and, subsequently, to the blame/firing that comes from it.
This is the exact same discussion people keep having about “government can’t block VPN” or “encryption can’t be broken” when the idea of a law forcing backdoors in services floats around. Sure, you can still use encryption, technically. But if there’s a law that say “encryption too strong to be broken is illegal”, then you’ll get arrested all the same, effective technical restriction or not.
I’m well-aware of how corporate policy, liability, and hierarchy works - the issue with your take is that you act like the IT team is innocent to somebody higher up on the ladder. My issue isn’t with the concept of policy itself (and the enforcement thereof) and the issue of liability, but with the misplaced absolution of IT teams from any responsibility when things go wrong.
IT teams are essentially the secret police in companies. I’m aware of how they usually function. I’ve heard many first-hand accounts from those behind the big screens making sure Bob doesn’t watch porn or that somebody doesn’t do something unauthorized with company computers. I’m unimpressed and it’s frankly a dystopian twist of what IT actually should be; which is best serving a company’s technical needs collaboratively - not roleplaying as the NSA.
It effectively shouldn’t be possible for Bob to watch porn on company devices/internet. It shouldn’t be possible or desirable for somebody to skirt policy to run binaries (even on a whim) for software they feel that they require for maximum productivity. There should be reasonable, timely, and accessible procedures for employees to request necessary software to be deployed.
If I recall correctly in another part of the thread, a user discussed a group of employees (including themselves) needing WSL for job duties and it being blocked without notice. This is an example of sheer incompetence of the IT team - blocking necessary software and failing to maintain/establish timely and accessible procedures to contest a block as an employee who needs specific software to function in their job.
Required software should never be blocked - so who is at fault? Who caused the most damage to the company? The people attempting to work? Or the people who have no idea what they’re doing; making employees feel they need to completely disregard them to function in their duties - the people sabotaging operations?
You’re free to fantasize about the little guy as the only one getting disciplined in these scenarios. I’m sure most corporate environments do work like that, but it just protects incompetency - unless, again, the employee went out of their way to run the binary in an abnormal way or otherwise had less than ideal intentions.
You’re free to fantasize about the little guy as the only one getting disciplined in these scenarios
I never, not once, implied that. And frankly speaking I have no idea why you would think that. I said that a user, circumventing a company policy, would be in a tight spot, and depending on the policy most likely fired, regardless of the actual effectiveness of these policies implementation.
At no point have I said that nobody else would be in hot water for failing to do their job, nor did I say that the IT teams is above all and always perfect. But, for the user that did go around the aforementioned policy, the fate of someone else on another team is pretty much irrelevant after they’re put down themselves.
Thanks for the exchange, it seems you misunderstood my intentions in commenting/responding.
I will stand by my points: corporate policy and course of action isn’t always by the book — it can be unevenly enforced (depending on the circumstance, environment, and context).
As for me? I’ll never work for Nazis or in environments ruled by people roleplaying as Nazis. It’s demeaning.
The cool thing is that you can have better security without such an atmosphere — and I described it: it starts with locked-down systems and networks, IT actually being approachable human beings that communicate (who also understand business needs and requirements), policies that only punish and target bad actors (because it is effectively impossible for good faith actors to violate them), and accessible procedures for employees to escalate their needs to IT.
Anyway, have a good one. I apologize for being slightly rude with my phrasing, but I truly am aware of how draconian some environments are (especially depending on the context) and it was rude of you to confidently assert that I had no idea.
No problem. It was mostly hypothetical worst case scenario anyway. It would be nice if understanding, workplace improvements, and overall security where the targets everywhere, but unfortunately that’s not always the case. It’s also easy to lose the point in an online discussion, sorry about that.
I think their performance is relevant. Why would an employee be able to easily run an unknown binary from the internet to begin with? If the systems were properly configured to block this, there would be no issue. If I were an executive, I would absolutely be looking at my IT team in this case.
If the employee went entirely out of their way to run an unknown binary, bypassing OS-level restrictions, and sidestepping established procedures - then the employee should be fired.
You really are not familiar with the concepts of company policy and liability, are you? Whether there is an effective technical restriction in place is relevant to the question “can you run the thing”. It is irrelevant for the question “did you circumvent company policy?” and, subsequently, to the blame/firing that comes from it.
This is the exact same discussion people keep having about “government can’t block VPN” or “encryption can’t be broken” when the idea of a law forcing backdoors in services floats around. Sure, you can still use encryption, technically. But if there’s a law that say “encryption too strong to be broken is illegal”, then you’ll get arrested all the same, effective technical restriction or not.
I’m well-aware of how corporate policy, liability, and hierarchy works - the issue with your take is that you act like the IT team is innocent to somebody higher up on the ladder. My issue isn’t with the concept of policy itself (and the enforcement thereof) and the issue of liability, but with the misplaced absolution of IT teams from any responsibility when things go wrong.
IT teams are essentially the secret police in companies. I’m aware of how they usually function. I’ve heard many first-hand accounts from those behind the big screens making sure Bob doesn’t watch porn or that somebody doesn’t do something unauthorized with company computers. I’m unimpressed and it’s frankly a dystopian twist of what IT actually should be; which is best serving a company’s technical needs collaboratively - not roleplaying as the NSA.
It effectively shouldn’t be possible for Bob to watch porn on company devices/internet. It shouldn’t be possible or desirable for somebody to skirt policy to run binaries (even on a whim) for software they feel that they require for maximum productivity. There should be reasonable, timely, and accessible procedures for employees to request necessary software to be deployed.
If I recall correctly in another part of the thread, a user discussed a group of employees (including themselves) needing WSL for job duties and it being blocked without notice. This is an example of sheer incompetence of the IT team - blocking necessary software and failing to maintain/establish timely and accessible procedures to contest a block as an employee who needs specific software to function in their job.
Required software should never be blocked - so who is at fault? Who caused the most damage to the company? The people attempting to work? Or the people who have no idea what they’re doing; making employees feel they need to completely disregard them to function in their duties - the people sabotaging operations?
You’re free to fantasize about the little guy as the only one getting disciplined in these scenarios. I’m sure most corporate environments do work like that, but it just protects incompetency - unless, again, the employee went out of their way to run the binary in an abnormal way or otherwise had less than ideal intentions.
I never, not once, implied that. And frankly speaking I have no idea why you would think that. I said that a user, circumventing a company policy, would be in a tight spot, and depending on the policy most likely fired, regardless of the actual effectiveness of these policies implementation.
At no point have I said that nobody else would be in hot water for failing to do their job, nor did I say that the IT teams is above all and always perfect. But, for the user that did go around the aforementioned policy, the fate of someone else on another team is pretty much irrelevant after they’re put down themselves.
Thanks for the exchange, it seems you misunderstood my intentions in commenting/responding.
I will stand by my points: corporate policy and course of action isn’t always by the book — it can be unevenly enforced (depending on the circumstance, environment, and context).
As for me? I’ll never work for Nazis or in environments ruled by people roleplaying as Nazis. It’s demeaning.
The cool thing is that you can have better security without such an atmosphere — and I described it: it starts with locked-down systems and networks, IT actually being approachable human beings that communicate (who also understand business needs and requirements), policies that only punish and target bad actors (because it is effectively impossible for good faith actors to violate them), and accessible procedures for employees to escalate their needs to IT.
Anyway, have a good one. I apologize for being slightly rude with my phrasing, but I truly am aware of how draconian some environments are (especially depending on the context) and it was rude of you to confidently assert that I had no idea.
No problem. It was mostly hypothetical worst case scenario anyway. It would be nice if understanding, workplace improvements, and overall security where the targets everywhere, but unfortunately that’s not always the case. It’s also easy to lose the point in an online discussion, sorry about that.