I was reading a recent question posed on Spiceworks from the leader of an I.T. Help Desk inquiring about configuring PCs for onboarding new hires. The leader wanted to log in to each user’s system (as them) prior to the new hire starting. This way they could ensure that the user’s applications were installed properly. Thus, the new hire’s onboarding would go a little smoother. The request sounds simple enough, but the help desk leader feared that logging into a PC as another user would go against their corporate policies and would therefore be rejected by the senior leaders in the organization.
The dilemma described above is a classic modern business problem, especially for today’s senior IT leaders and CIOs. On one hand, we are told to empower our teams and allow them to make good business decisions that will promote and accelerate the needs of business lines. This includes rapidly onboarding new hires into our organizations without having them wait days or weeks for applications to be installed. The new hire problem compounds when you add the burden of ensuring the user is entitled to the correct permissions (roles) for each of these applications. Unfortunately, these tasks have become even further complicated as firms shift to hybrid cloud structures and have an increasingly mobile workforce where each user can have multiple devices.
On the other hand, strict adherence to corporate policies must be observed, as cybercrime and data breaches have crippled businesses, costing hundreds of millions of dollars. The threat of a data breach is one of the things that is probably keeping your CIO up at night. Some of the more famous names have included Home Depot, Sony, and Target. So it is understandable that allowing a user to log in as another user would be negatively viewed and possibly rejected by any senior I.T. leadership board.
Culture over Policies and Strategies
Can policy be modified to allow a help desk, or some other onboarding group, to log into a PC as another user? First, let us begin with the definition of policy: a set of principles and rules that directs the decisions of the organization. Policies are typically written to provide daily guidance for the workers to achieve the overall strategy of the organization. Although this is all well and good, I argue a firm could go much farther in this case by slightly modifying its policy to allow the help desk to log in as another user. What is more valuable is to create a culture of data security. Culture is the attitude and behaviors of the organization, and behavior is exactly what we are trying to achieve in this example. Laszlo Bock, the former SVP of People Operations at Google, wrote about the importance of culture in his book Work Rules!, demonstrating how at Google culture takes precedence over strategy.
“Culture Eats Strategy for Breakfast”
In my opinion, there is an opportunity here to achieve both goals: proper user configuration and stressing the importance of cybersecurity through culture, not just a simple policy.
A Better Approach – The Onboarding Coach
In this case, I would recommend that the policy be modified to allow help desk workers to log in as the new user to validate each application’s installation. However, the optimal solution is to have an onboarding coach perform this task. An onboarding coach’s role is more complicated, as they must understand what the new worker’s daily tasks will be. This means they also must validate a user’s access (permissions/roles) to each application and/or directory. This access is usually granted by the firm’s access control group as requested by the new user’s management team. Naturally, this level of onboarding requires the onboarding coach to have a thorough understanding of what the new hire’s function is and what types of applications and permissions will be needed. It can be argued that a manager could perform this role, but that may not be practical based upon the manager’s current workload.
An onboarding coach can better ensure that when the new hire begins their first day, all equipment such as their PC, applications, and finally roles have been granted. The onboarding coach will go through each application to ensure the new hire understands its functionality, as well as ensuring that each password is changed. The coach can stress the importance and culture of data protection. This better ensures that passwords are not easily hacked. In a practical manner, they can enforce correct behavior, such as making sure that passwords are not left on sticky notes fixed to the user’s monitor or desk. The coach is to stress real-life examples of what harm could be done with the firm’s data while in each of the different applications.
Conclusion: Culture over Policy
For more information about our approach or the use of an onboarding coach please refer to our whitepaper