


Truth, Lies, and Data Tapes: The Politics of Dishonesty in IT

Mar 04, 2008 | 5 mins
Careers, Data and Information Security, IT Leadership

You’ve done it. I’ve done it. I’m sure we’ve all done it at some point, but why? I’m not talking about drugs or smoking, but misrepresenting the truth. I contend that IT as an industry has accepted dishonesty and disinformation as standard practice.

Let me give you an analogy of this situation. My Toyota is having mechanical problems and when I press the brake pedal, the car won’t stop. Being a somewhat rational individual, I do what I feel is the responsible thing and take my car to the dealership’s mechanic. I describe the problem in depth, how it occurs, and what I think should be the expected outcome. The mechanic agrees that when I press the brake pedal my car should stop. After weeks of working on my car, the mechanic phones me that the repairs are complete. I get to the dealership and the mechanic hands me a cheeseburger. Confused, I ask why I am now holding a cheeseburger. “Well, you wanted your car to stop when you press the brake pedal.” More confused, I reply, “Yes, but why the cheeseburger?” “Exactly,” says the mechanic. Now I’m just pissed off. “…exactly what? Do my brakes work?” “You were a quart low of cheeseburger. Hold this and everything will be fine,” says the mechanic.

The point is that instead of a) fixing the problem, b) defining why it can’t be fixed, or c) admitting that they don’t know how to fix it, an alarming number of people simply lie or “amplify the truth”. A good deal of what Microsoft says can fall into these categories. Take, for instance, the assertion by Microsoft that Vista is more secure than Linux or OS X. Common knowledge (and common sense) tell us that this isn’t the case, but instead of owning up to the shortcomings, the truth gets spun into some marketing hype that running Vista will make you taller, more attractive, and cure you of the common cold. I do understand why big companies like Microsoft fall into this trap: they have to so that they can convince us to buy their products. I imagine that there would be an audible thud on Wall Street if Microsoft started a new ad campaign, “Our products suck, but we have market share. Buy Microsoft or you will be consumed!”

On the smaller scale, though, is there really a huge disincentive for your average system administrator or CIO to own up to the truth? In a government agency or privately held organization, how much fallout could there be? I suppose in some respects that the damage done by admitting a mistake could be troublesome, but when you abuse the truth, aren’t you putting your relationship with your constituents at risk? We have entered a new age in which most of our clients are tech savvy enough to be able to accept the truth for any IT-based issue without us spoon-feeding them a pabulum of falsehoods and misinformation. Smoke-and-mirrors IT is a detriment to the field, and in my un-humble opinion, if you can’t be leader enough to communicate truthfully with your clients then you should consider a career change… perhaps an auto-mechanic. Realistically, if you explain to your clients that you forgot to place a semi-colon correctly in the 200,000 lines of code, isn’t that better than saying that there isn’t a solution or that the company will need to buy everyone a new computer to meet the increased computing demands of the new version of Notepad? How about saying, “Despite our months of testing this complex software, we missed an important coding element which resulted in the problem that you see now. We have a fix that is being tested now and will be distributing that as soon as we have further validated our coding.” The nonsense that I hear and read which is served up as explanations for problems is truly astounding.

Let’s be honest, IT is a very broad industry and even if you have spent several years working on one particular IT issue, odds are that someone out there knows something that you don’t about that issue. IT has operated for so long behind closed doors and in the shadows of the core business that some of us built our own guest lists for the “truth doorman”. Frankly, you’re not on that list even if you slip a ten spot to the doorman. The reasons we don’t tell you the truth vary, but a few of them are listed below:

• We think that admitting that we don’t know the answer will hurt our credibility and our credit is already pretty bad.

• We aren’t smart enough to realize that we don’t know the answer…or to realize that we’re not smart enough.

• Finding a real answer is too much work and we’re in the middle of World of Warcraft.

• You can’t handle the truth.

• We will have to admit that we fouled up and the Vulcan code prohibits failure as a logical outcome.

• We don’t like you and will tell you anything to mess with your head.

• Cheeseburger…

Despite these very valid reasons, I think that an argument can be made for keeping your clients in the know. As IT becomes increasingly commoditized, the relationship between the IT shop and the core business clients will be a major factor in whether or not the business relies on YOUR IT shop for its services. How many times would you expect me to take my Toyota to the burger-flipping mechanic when there is another wrench-toting mechanic across the street? If your IT shop isn’t willing to be above board with its clients, then rest assured that your clients won’t be dealing with your IT shop for long.

Chad McDonald, CISSP, CISA, C|EH, PMP is a Senior Professional Services Consultant with Imperva. Chad has worked previously at National Student Clearinghouse, Centers for Disease Control and Prevention, Georgia Department of Audits and Accounts and is the former Chief Information Security Officer at Georgia College & State University. Chad has addressed numerous groups on topics such as business continuity planning, incident response, and information security awareness. Chad has spent the bulk of his career building, managing, and assessing information security for educational and research organizations. Chad has earned multiple professional security certifications. He is a member of the Information Systems Audit and Control Association as well as InfraGard, an FBI Task Force charged with protecting the nation's information infrastructure. Chad is active in the security community. He worked with law enforcement agencies to assist in the prosecution of the first computer crime on record in Georgia and continues to assist local and state authorities with computer-based investigations. Chad has investigated computer and computer-related crimes for local and state law enforcement agencies. Chad is an avid Mac user, since he was rescued from the dark side eight years ago. He currently conducts the vast majority of his work using a MacBook Pro and a MacBook. Chad looks forward to the day that he can stop referring to himself in the third person and actually pay someone to write his bio for him. The opinions and statements expressed here are those of Chad McDonald and in no way reflect opinions or statements of any employer or organization with which Chad is affiliated.