Contributor II

Making coworkers accountable

I've started and restarted this post, but I keep changing my narrative, and backspacing over my words.  Maybe it's out of unearned respect for the subject of this post, since they cannot defend themselves here.  Maybe because it's unprofessional to gripe about workplace activity.  So I'm going to be exceeeeedingly diplomatic about the subject, and ask from a "What would you do?" perspective.

 

I work for an IT department of three people that works like two.  We have always operated like firefighters instead of being proactive, and I'm hoping to change this beginning with a top-down policy shift (thanks, CISSP training!).  Documentation, policy, configuration base-lining, change management procedure... I look forward to using these new tools in our improving discipline!

 

Still, we have this coworker that prefers to do their own thing. There's only one tool in their toolbox, and that's Google.  They have thrived in our reckless, undisciplined, unaccountable world.  And when challenged with things beyond what the Google machine says, they CC the problem to others.  Voila!

We not only need a "policy with teeth" for our users, but we need department-level accountability.  This person has Peter-principled themselves into a job that permits endless web surfing, but IT really craves discipline and procedure.  The person is a risk, and I am now professionally aware of it, but don't know how to present it without metrics or KPIs.  And hell, we're not doing any of that right now.

Where would you start?  What kind of benchmarks can we work toward, to get this person to improve themselves?

---
Eric Geater, CISSP
I've always said, "There's nothing an agnostic can't do if he really doesn't know whether he believes in anything or not."
26 Replies
Community Champion

Re: Making coworkers accountable

It’s difficult to assist you in tackling this question without knowing exactly where you sit on the hierarchy. Are you a supervisor, or just an annoyed coworker? But let me answer this question more directly – there’s obviously a problem with the supervisor's lack of leadership. Before I factor in the information security risks of this employee’s behavior, I’d conclude that inept leadership and management are the root cause in my final analysis. I can stop here unless there’s more information that you’d like to share.

--
Lamont R
Lamont Robertson
M.S., M.A., CISSP, CISM, CISA, CRISC, CDPSE, MCSE
Contributor II

Re: Making coworkers accountable

Lamont, thanks for your perceptive reply.  I am the network administrator.  The colleague is first contact at the helpdesk, but we are considered equal.  I overlook that because I don't mind the work, or setting the pace, or taking a project lead.  It becomes an issue when a shared responsibility becomes solely my burden, or shifting ownership when his resources dry up, or when procedures are inconvenient.

 

To our supervisor(s, historically), the business of IT is a black box.  Like laws and sausages, no one wants to understand the process.  It didn't bother me, until I realized that only we are aware of our process.  They're not inept, they're just inattentive.

 

Eric

---
Eric Geater, CISSP
I've always said, "There's nothing an agnostic can't do if he really doesn't know whether he believes in anything or not."
Community Champion

Re: Making coworkers accountable

So you are tackling a problem that persists in many companies.

 

It is hard to call out that person as they typically can pull a rabbit out of their ear or hat at the last minute and have mastered the art of pointing the finger at others.  As you are a small shop, we can understand where the blame goes.

 

Here is a good article:

 

https://www.fastcompany.com/40580170/this-is-how-to-deal-with-your-incompetent-coworkers

 

Also see:

 

https://www.forbes.com/sites/jacquelynsmith/2013/08/01/12-tips-for-dealing-with-a-lazy-co-worker/#19...

 

These are tips on how to deal with those folks.

 

Not knowing your industry, I would think that someone in management is concerned over what happens? And if not, it may be time for Security Awareness training for management... For this you will need to find a sponsor (typically the CIO or a VP) who will say the training is mandatory.  For that you need to build a solid case.

 

Regards

 

d

 

Community Champion

Re: Making coworkers accountable

 

@ericgeater, first of all, make sure you've defined a set of policies wherein you've allocated responsibilities to specific entities / departments. Top management has to approve policies & assuming they don't just sign these blindly, they'll have to get themselves familiar with what happens in your IT Department. (Even if they approve these without reading them, the policies will allow you to justify things.)

 

Here are excerpts from one of the policies I've drafted. (I picked a policy that specifically talks about whom you mentioned...)

 

 

Policy Excerpt - 1.png

 

 

The section above states the obvious responsibility, but I've put in more, so they do more than just that, as shown below...

 

 

Policy Excerpt - 2.png

 

 

 

Now this is a reference to them in just 1 of the policies, and there are more. So if there's anything that has to be done by them, make sure you have responsibilities in documented policies, which management has approved.

 

Also useful is Incident management. When I prepare reports, I mention who had to do what, and whether that happened. With this, you can make it clear to management just who's accountable for something.

 

Last but not least, all this depends on having good management. There's also politics here, and it's best that you have a good relationship with someone up there. You should find a sympathetic ear, & gradually impress upon them what you are getting at --- coz you'll need their support at the end of the day.

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
Community Champion

Re: Making coworkers accountable

 

@ericgeater, further to my earlier reply, if you want to present this entity and his / her actions as a risk, provide one to management in a risk analysis report. Supplement your report with any records, documentation, and so on. Also prioritize the risks, and recommend actions that can be taken.

 

You should cover multiple risks in this, else it would look like you are just trying to point a finger at this person, which management won't appreciate.

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
Community Champion

Re: Making coworkers accountable

I am going to respond because I have been down the same road as you.

First, you cannot MAKE co-workers accountable. They have to want to be held accountable. Like the saying "You can lead a horse to water but you can't make him drink." If you try to MAKE them accountable it can have devastating effects on Your career. Here is my story:

I worked in a 5 person IT shop, with one of those people being the boss. Names have been changed to protect the innocent and the guilty;

Joe - Joe was an old-school IT guy, been doing it since monochrome displays. He really didn't want to learn anything new. He could solve a lot of IT problems if they were routine. If it involved researching or digging really deep into the problem he passed it off to someone else. He was the 4th highest paid person in the shop.

Steve - Steve was the lowest paid employee but knew a lot about IT. Hard-charger and could solve almost any problem. Steve was also the biggest jerk. Steve was the lowest paid (5th)  person in the shop.

Mary - Mary knew the least about IT but was the highest paid person in the shop. She even made more than the boss! She just happened to be in the right job description category when HR decided to pay all those with a special IT code more money. She was also the only one in that special IT code in the shop! Her default troubleshooting step was to call the vendor.

Me - Tied with Steve with IT knowledge and skill in finding resolutions to problems but not a jerk like Steve. I was the 3rd highest paid person.

Boss - Someone who had peter-principled himself into the position but performed adequately as a boss. Boss was the 2nd highest pay in the shop.

 

So Steve was really upset that both Mary and Joe made more than he did. He couldn't do anything about Mary because she was paid out of a different bucket of money, but Joe and he were both paid from the same source. He was upset that he did so much more and knew so much more than them but still couldn't get a raise. So he set out to try to prove that Joe was "falsifying government documents". Joe was the kind of guy who would work over without charging the company, work through lunch, etc., and on his timecard he would just put 8:30-5 every day. He gave the company more time than he was paid for and he didn't worry about his timecard being 100% correct down to the minute because he always put in more than 40 hours. So Steve set out to try to prove that Joe was somewhere at 8:31 when he said he was at work at 8:30 according to his time card. So Steve got his girlfriend (who was also his fiancée) to look up Joe's Social Security Number and then started combing the databases to prove his point. When he found what he was looking for he turned over his "evidence" to the officials. The officials then said "Let me get this straight. You had your girlfriend look up his SSN without a valid and approved reason to do so, then you illegally looked through databases for information which you had no valid and approved reason to do so, just so you could prove this guy lied on his timecard?" Yup. Both him AND his girlfriend were fired.

 

Part 2. The boss was upset that Mary made more than him so he would get frustrated because Mary also knew less about IT than he did. Also Mary was friends with the assistant director and whenever she would get flustered she would run to him and complain. So one day the boss was frustrated with Mary's lack of ability to get the job done and went to Mary's office to MAKE her be accountable for her actions. Well Mary got flustered during the conversation and said she was leaving to go talk to the assistant director. The boss said NO! and gently pushed her back and shut the door. He said "You are not leaving until I have finished this conversation and understand what your task is!". Mary listened and when the boss was done she left and went to see the assistant director AND HR. Mary was offered the supervisor (boss) position and the boss was fired.

 

I tell you this to show you what can happen when you try to force someone into being accountable by yourself. What Steve and the boss should have done is focus on what can be changed by themselves and not try to force people to conform. I know it can be frustrating to work in. I was in that environment and I too felt jilted by the system that would allow the person with the least amount of IT knowledge and skill to be the highest paid person in the shop. But it wasn't Mary's fault, she just got lucky when the system shifted in her favor. I treated Mary with respect and just accepted the fact she was never going to be the IT guru that I was. She was actually very fun to work with, so was Joe. Joe wasn't going to be an IT superstar and was just coasting until he could retire, but he was a fun person to be around and would help you any way he could.

 

So what can you do? I'm glad you took the time to write this and write it so carefully. I oftentimes rewrite my communications several times before sending to make sure the appropriate message gets across. The best thing you can do is to try to shine and do the best job you can. If you spend all of this negative energy and let this situation get you down and frustrated, then the only person you are hurting is yourself.

 

Having a policy with teeth is only effective if you have someone to enforce it. Does your boss feel the same way? Do your coworkers feel the same way? Before Steve did his SSN lookup job he had confronted Joe and the boss and we even went through a mediation (not meditation) session with HR to "air" these grievances. It had no lasting effect so Steve set out to get Joe fired but ended up getting himself fired instead.

 

Your boss may not have the desire or energy to help you enforce accountability. Our boss didn't. He actually liked Joe and was mad at Steve for not being a "team" player. He liked his IT knowledge but disliked him being a jerk. He probably would have fought harder to get Steve a raise if he wasn't so jerky all of the time. You also need to understand your agency's/department's culture. If what you are proposing goes against it, you will be met with resistance and ultimately fail. I don't mean the published culture/policy but the actual culture that everyone actually does.

 

So creating a policy may not have an effect if you don't have anyone willing to enforce it. This includes not only your boss, but HR, Legal, etc. Control what you can about the situation. Improve yourself and your skills. I gathered as much information and skills that I could and kept updating my resume and eventually I got a promotion with another agency.  I knew I was not going to be able to change Steve, Mary, Joe, or my boss' work ethic. I made myself into a superstar and left. So yes, you will have to take on more duties, but gain that experience and use it to your advantage. Document standard operating procedures (SOPs) if you are tired of telling people how to do it over and over, besides it being a good practice.

 

Contributor II

Re: Making coworkers accountable

@Shannon, this is what I'm describing. Our org doesn't have a problem clearly delineating the boundaries of acceptable practices in other departments.  Policies should inform a department of an expected level of behavior.

 

I have written configuration documents, drafted and improved over time, which serve as a minimum configuration baseline.  My colleague has whittled it down to a set of bullet points in his own check-off procedure.  In some cases, he may use 14.0.1 instead of 14.0.2, which is merely sloppy.

 

In other cases (plural), my colleague configured backups, but wholly excluded the user's Documents folder.  These were discovered by sheer coincidence, after months in production!  This drove a new behavior pattern from me; when I am at a computer, no matter the call, I review OS updates, BIOS, antivirus, and user backup data, to ensure they're all up-to-date.

 

Now... how do you enforce that?

 

There are also core competency issues.  One department stopped calling our Help Desk for physical printer support, because my colleague repeatedly told them to carry faulty printers to a third-party company for repair.  This persisted through seven or eight printers, and this behavior only stopped because the repair company could not find replacement parts, and the department actually needed IT to form a replacement solution which wasn't on our radar.

 

Relatively speaking, we have very few incidents, thank the Flying Spaghetti Monster. My goal is to drive all request traffic to our helpdesk, where every call generates a ticket, big or small.  I do believe metrics can help shine a little light on some of these issues.  Talk me down!

 

P.S. In the words of the Dave Chappelle meme, "You got any more of those... draft documents?"

---
Eric Geater, CISSP
I've always said, "There's nothing an agnostic can't do if he really doesn't know whether he believes in anything or not."
Contributor II

Re: Making coworkers accountable

To answer your second reply, I have a contemporaneous diary of my colleague's activity.  It goes back four years.

---
Eric Geater, CISSP
I've always said, "There's nothing an agnostic can't do if he really doesn't know whether he believes in anything or not."