Deployment Blocker No. 1: Silo your talent
Active Directory Administrators, who often (but not always) control the
Group Policy Administrators, who rarely talk to the
Desktop Administrators, who might participate in planning or more likely outsource image work to
Image Developers, who usually do not consult with the
Help Desk Technicians, who are painfully aware of but often cannot control the behavior of
Local Administrators, who are just trying to get the real work of the organization moving along
And all of the above hate the Security team
Actually, there are good reasons for many of these silos. Local Administrators out in field offices frequently regale me with war stories that prove that if they didn’t operate as independently as possible, everything would go down. I am sympathetic to their plight, and wary of wading in and changing things too quickly on that front.
However, leaving the situation as is won’t improve matters and is a major blocker to any deployment.
These silos are simply not conducive to rapid and effective deployments. They are as un-cloud-like as you can get, structurally hostile to collaboration and enterprise services. The only thing that alleviates the problem is when personal relationships exist between the silos.
Security teams who are earnestly trying to do their job are often the most divisive of all, despite the fact they have the best of intentions and the most to lose should the environment get compromised. The problem seems to be one of two (and sometimes both) in my experience: either the Security team has all the responsibility and none of the control (purportedly they have control, but not truly), or they have a really hard time keeping track of what the other groups are doing to these systems, because the tools are complicated and spread out.
As a result, security teams often become marginalized and scared, or become control freaks deploying intrusive scanning systems on every corner of the network. The best security teams strike a balance and work hard to communicate with the other groups—but this is a rare and beautiful thing.
The Better Way: I’ve learned over time that it is absolutely essential to get operations, security, and support staff in the same room as early as possible to hash out all the decisions in one pass prior to building the master image. Often that is the first time they have really sat down with one another. Not enough, but it’s a start.
Getting a meeting like that is challenge enough, but beyond it, think about how to re-organize these silos so the right communications continue to pass back and forth between people. It has been different for each customer, since any personal relationships that already exist between the groups are where we usually have to begin this process of change. There is plenty of turf protection and constant alarm over territory that might be lost, which everyone has to get through for the greater good.
I often tell customers that wherever they end up with their re-organization of IT staff, make sure there are checks and balances in the end state. A natural tension should exist between operations and security—they have to balance each other out. Help desk ought to have enough power to call out problems and force Operations to deal with the root source of the problem—but rarely does.
This is part of a ten-part series of blogs, “Top Ten Deployment Blockers”.