I don’t really buy it: A survey came out last week which said 88 per cent of IT administrators would take valuable information with them if they were laid off, including the CEO’s password, the customer database and R&D plans.
The survey was published by Newton, Mass.-based identity management software maker Cyber-Ark Industries, and was regurgitated almost verbatim from the press release by many bloggers and technology media. You can understand why. That 88 per cent is a sensational number and gets enough attention (and traffic) without having to delve very deeply into the research process behind the survey. And perhaps the research also taps into a latent attitude of fear many business managers might have towards their IT administrators, reinforcing a sense that they are both dependent upon them and in possible danger from them.
I contacted Cyber-Ark to find out how exactly they posed the question that got that result. Here’s what they said: “If you were told that you were going to be fired tomorrow and you could take three things, what would they be?” They were then given some of the options mentioned above. I think that kind of says it all, but let’s think this scenario through as though the results were more valid. You find out you’ve lost your job. You take everything you can with you. Then what? March over to a competitor and offer them access to the CEO’s system (even though the passwords will likely be immediately reset by whoever’s left behind)? Sell the R&D plans on some kind of intellectual property black market? Abandon IT administration to start up your own firm, which you will get off the ground by winning over your former employer’s customers? As crimes go, stealing information doesn’t amount to much if you don’t do anything with it.
Based on other fear-mongering surveys by the anti-virus companies, I thought the real danger from laid-off employees was the potential for setting off malware attacks or something that could bring operations to a halt. What the Cyber-Ark research suggests is more serious – that most IT administrators consider job security a prerequisite for professional conduct. Or, to put it another way, that upon termination they would almost always be prepared to act in a way that would make them a poor candidate for any other job.
Installing ID management software will not resolve this issue, of course, given that it’s the IT administrators who would install (and most likely be able to circumvent) such technologies. A better bet might be for senior executives to extend their governance activities to ensure there are safeguards in place around IT-driven information assets in the event of staff restructuring. I suppose you could also ask IT administrators before you hire them how they’ve handled layoffs in the past and why they should be trusted with keys to the enterprise kingdom, but that seems dubious. Just as many executives have no idea whether the technology professionals they hire will have the expertise they need to handle network operations and business projects, trusting in their ethics requires a leap of faith. But then, so do the results of this survey.