I'm working at this health company; it's my first IT job, and I've been here a little more than half a year so far. I do appreciate the opportunity I was given, but man, this place is kind of a wreck. The boss didn't want to upgrade the Windows 7 computer that's sitting on the network and utterly refused to do so. Even with everything that was shown that it could be upgraded, he was pissed, and it took six months to finally upgrade it to Windows 11 with the necessary software we have.
Another crucial issue is that literally the people who work on the floor have FULL ADMINISTRATOR ACCESS to install any programs they want. I brought this up to him, and he said, "We have bigger battles to fight." The computers are literally just "Password" or the start date of the employees. So literally all someone has to do is ask when they started working here, and boom—they have access to their account. We also had local accounts sitting on every computer. He does not want to change any of this.
I am capable of switching jobs. I have talked one-on-one with big figures in the field like Richard Stallman before. I do testing and help port hardware for coreboot/Libreboot. I am also looking into getting my Linux+ (currently only have my A+). What should I do?
(My boss and I are the only two IT people)
Step one, take a deep breath and realize that, unless you own the company, killing yourself to save it is dumb.
That said, there are some things you can do to try and improve thing:
Learn to "talk business". Yup, this one sucks, but it's also the only way you are ever going to get traction. Take that Windows 7 system, why do you want to upgrade it? "Because security", right? Well, how does that translate into costs to the business? Because, businesses don't care about security. I work in cybersecurity for a large (Fortune 500) company and upper management has given exactly zero fucks about security for a very long time. They only started coming around when that lack of security starting costing them real money. They still give zero fucks about security, but they do care about risks to the business and what that might cost them. Having security and money linked in their heads means we can actually implement better security. You need to put the lack of security of that Windows 7 system in terms of dollars potentially lost. Something like the Annualized Loss Expectancy. If that box gets popped, how much would it reasonably cost the business to recover from? Is that something which you expect to happen once a year, once every five years? These numbers will be mostly made up and wildly inaccurate. But, the goal is to just get in the right ballpark. How does that cost compare with the cost to upgrade? What about other possible mitigating controls you could use to protect it? Does it need to have internet access? Could you VLAN it off into it's own little world and keep it running with reduced risk? Give management the expected costs of that system becoming patient zero in a ransomware outbreak and then give them several options and the associated costs (upfront and ongoing) to secure it. Have multiple options. A high cost one (e.g. replace the box), a low cost one (FW and VLAN controls) and the one you actually want right in between (OS Upgrade). Managers are like children, they need to feel like they made a choice, even if you steered them into it.
Next, don't try to boil the ocean. You're not going to fix everything, everywhere, all at once. Get some small wins under your belt and prove to management that you aren't going to break the business. Show that you aren't just some greenhorn cowboy who is going to break the business because you think you are so smart. If you can make a plan for that Windows 7 system, show the costs involved and actually get the job done smoothly, then you might be able to move on to other things. Sure, you might actually be right; but, you could also end up breaking a lot of stuff in your quest to have perfect security (which you'll never actually achieve). Take one one or maybe two things at a time. It's a slow process and it leaves things broke far longer than you will like, but it builds trust and gets more action than just screaming about everything at everyone. Slow is steady, steady is fast.
Moving on, be aware that you probably don't know everything about the business, and the business functioning is paramount. Why does everyone have local admin? Because that's the way it's always been and it has always worked. If you start pulling those permissions back, what processes get broken? This is a tough one, because it means documenting other people's processes, many of which probably only exist in the heads of those people. How often are people moving around critical files using CIFS and the
C$
share. It's fucking stupid, but there's a good chance that the number is greater than zero. You pull local admin from people, and now work doesn't get done. If work doesn't get done, the business loses money. You need to have a plan which shows that you have considered these things. Design a slow rollout which phases local admin rights out for the users who are least likely to affect the business. Again, slow is steady, steady is fast.And thins brings us to another point, auditors are your friends. No really, those folks who come in and ask you where all your documentation is and point out every single flaw in your network, ya, they deserve hugs not hate. You're in healthcare, where does your business fall on regulations like HIPAA (US-centric but similar regulations may apply in other countries)? 'Cause nothing says, "fuck your wallet" to a business quite like failing an audit. If you can link the security failures of the business to required audit controls, that's going to give you tons of ammunition to get stuff done. I've watched businesses move mountains to comply with audit controls. Granted, it all becomes "checkbox security" at some point; but, that is vastly better than nothing.
All that said, company loyalty is a sucker's game. I'm guessing you're early in your career and an early IT career likely means job hopping every 3 years or so. Unless you get a major promotion and associated pay bump in that time, it's probably time to move on. Later in your career, this can slow down as you top out in whatever specialization you choose (or you get lured in by the siren song of management). So, there is that to consider. It might just be time to go find greener pastures and discover that pastures are green because the cows shit all over them. But, it can feel better for a while. Having your resume up to date and flying it out there usually doesn't hurt. Don't job hop too fast or you start to look like a risk (I stick to a 1 year minimum). But, don't stick around trying to save a sinking company.
Along with that, remember that you don't own the company; so, don't let it own you. When you get to the end of your day, go the fuck home. Don't let the business consume your personal time in actions or thoughts. If they place burns, that's the owner's problem, not yours. Do your best while on the clock, do try to make positive changes. But, killing yourself to make the owner just a bit richer makes no sense. The only person who is ever going to truly have your best interests in minds is you, don't lose sight of them. Say it with me, "Fuck you, pay me"
So, where to go from here? Well, you sound like you have a good plan at the moment:
Sounds solid. If you care about security, let me recommend poking your head into the cybersecurity field. I'm am absolutely biased, but I feel it's a fantastic field to be in right now. Following up the Linux+ with the Sec+ can be a great start and maybe the Net+. The A+, Net+, Sec+ trifecta can open a lot of doors. And you now have some IT/systems background, which I always suggest for folks (I look for 3-5 years in IT on resumes). As a lead, I get to be in on interviews and always ask questions about networking, Active Directory, email security and Linux. I don't expect entry level analysts to know everything about all of them; but, I do expect them to be able to hold a conversation about them.
Good luck, whatever path you choose.
It’s remarkable that you took the time to write this essay just to reply to that post. Thank you for the effort and your insights, it was very interesting to read and I’m glad I stumbled across it!
Thanks man, that's some solid advice even if my work is a lot more pliable for security. I'd also say that compliance and risk are very good motivation, if you can nmap the servers and SSH in with default credentials and zero alarms during, that could cost millions in data loss, compliance fines, and recovery efforts. Show them solid figures and it's a hell of a motivator.