How do I convince my company to invest in IT - domains, security, etc.?
I work for a small-medium size retailer which has half a dozen high street stores and a website.
The IT situation is currently in a very basic state. As being "Head of IT" is only a small part of my job description and the last on the list I haven't been able to put as much time into it as I would like.
We have around 50 computers and 14 Windows tills on our network (30 inside the head office, 20 external stores, warehousing and laptops). This is all built on a Workgroup network and all sites are connected together over a very basic router level VPN setup with subnets for each store.
Therefore I can not manage anything, check computers are secure, do any auditing, ensure updates are installed, manage Wi-Fi for guest devices or check anything.
I would really like a domain, but after telling my boss, he says it's not worth it as:
- We have coped for years with a workgroup without an issue
- Employees can be trusted
- If I left or was not available when something broke, then no one would be able to understand how it works
- Setup costs for new hardware and licensing for a domain are very high. (We currently just buy prebuilt OEM Windows PCs and then the odd retail Office licence)
- As domains are centrally managed, if a major issue occurred it could stop all computers from working. (Unlike a workgroup where if just one computer dies then everything else is fine and doesn't affect anyone else's work.)
I don't know how to stress how serious the security aspects are that we have no domain. Anyone can access content if they connect to our Wi-Fi, anyone can access content from any PC as users do not have passwords installed, shared folders can be seen by anyone and deleted with no logs to show or backup. I am not sure how PCI compliant we are or if we are compliant for auditors. I have been told to ignore this and not to worry.
As "Head of Internal IT Infrastructure" is on my job description, I also don't want to be found accountable if we get a data breach or a legal suit comes against us.
How can I show that things need to change and my time and extra money needs to be spent on this? For a company of our size, perhaps a full time network administrator would be needed. Or am I overthinking things and being very selfish for what I would really want and a workgroup will be just fine?
Update: It sounds like I should perhaps keep the idea of a domain on the back burner and just try some smaller things. For example, ensure updates, virus scans and firewalls are on, ensure passwords are enabled on individuals' PCs, enable backups on every machine, physical locks on rooms with servers in. I am not sure what to do about network-wide file sharing and Wi-Fi, but that's another question!
This is not going to be an IT tech answer, but hopefully useful nonetheless.
Speaking from years of experience, you will not be able to convince your boss to do everything differently. The primary reason for this is that he is the boss while you are just his subordinate. You are in the wrong position to push fundamental changes.
Can you live with the prospect of very gradual change with an always-too-tight budget and problems solved by sheer amount of labour instead of concise planning and smart use of tools? This is exactly the prospect you're looking at. Your boss has run his shop in this way for years. The business has grown and thrived, so the strategy worked out. Who are you to question his business decisions and strategies?
If you want to bring change to an organization, the organization must be asking you to do it. Any change will come at a cost which has to be considered worth it by the management. You need the management's backing to overcome the resistance and the inertia involved. If you can find a consultant your boss will listen to, it might be a more promising route than wasting your (and your boss') time and energy for persuading him into something he told you he does not want to do.
If I were in your shoes, I probably would start looking for a new job.
You need to focus on how it helps them, not on what you "want."
- we have coped for years without an issue
And you don't want to start now! There have been a number of data breaches lately, including Target, Home Depot, and more. Home Depot spent $43,000,000 on its data breach in only one quarter. Target paid $10,000,000 in a settlement. An IBM study found that the average data breach costs $3.8 million. Getting pwned is expensive.
- employees can be trusted
This is demonstrably false. Employee theft costs companies about $18 billion a year.
- if I left then no-one would be able to understand how it works
This is why you're going to use standard, best practices instead of the weird setup you have now.
- Setup costs for new hardware and licensing are high compared to the $0 now.
Setup costs for new hardware and licensing are dirt cheap compared to security breaches.
Also, if "Head of IT" is only a small part of your job description, it might help to document that you're spending more time on IT when you could be spending it on your other duties. That's costing them money, too.
All that said: I fear the-wabbit is right. People who don't get IT and think it's just a stupid expense for stuff they don't need are pretty hard to convince. I'm going to stop short of telling you to get a new job because some months ago there was a thread on meta saying we were laying the "get a new job" advice on a bit thick, but I'm not optimistic about your company.
I'd go the incremental route: find something relatively easy to implement that will help a lot, and make a case for it. You can go from there.
The answer to "how PCI compliant" you are is Not Very (edited based on a comment). Your CC terminals might be okay if the tills themselves don't hold any data.
Now to pick apart the "not worth it" list...
We have coped for years without an issue
This may well be true, but the problem is perception. This will be your biggest hurdle.
Employees can be trusted
Well, no. They cannot. To me, this illustrates that your boss is blissfully ignorant of losses in the organization. More so, this is in retail, where losses are typically tightly managed, or at least understood.
If I left, then no-one would be able to understand how it works
This is completely incorrect. Nobody could come in today and make sense of what's going on, because nothing is joined to a domain, etc. Admins that at least have a basic understanding of Active Directory and OU structures are a dime a dozen.
Setup costs for new hardware and licensing are high compared to $0 now.
Where on earth do they get the impression that the costs are $0 now? Costs are never, ever zero in an IT organization. Clearly things are not being accounted for, but this does not mean the costs are zero.
If your boss needs convincing, give them a list of articles of companies that have been breached in the last month. You can bet that any big names on that list actually DID work to address these issues, but still got broken into.
It would seem that the boss in this situation is more than happy to gloss over all concerns (trusting employees, security, compliance, etc.) as long as the money keeps rolling in. Professionally speaking, this is a shaky situation for everyone in the organization.
Here are my thoughts:
Management very rarely understands technology and its place in business. Most times, management has misconceptions about what technology is and how it affects business. Yes, it's true that mismanagement of technology often leads to wasteful spending, but proper management increases productivity dramatically. Waste generally happens when you have people who think they understand technology do it wrong or for the wrong reasons.
- we have coped for years without an issue
Coping doesn't essentially mean doing things the right way or the most effective way. Coping often leads to complacency, which sets a shaky foundation for ethics and compliance, but it means you don't have to invest any money in anything new.
- employees can be trusted
This is a double-edged sword. I'm fond of the phrase, "trust, but verify". Yes, all people **should** be "innocent until proven guilty", but experience in information security will tell you that 70% of intrusions occur from an inside/trusted source. Yes, retail waste can be controlled at the transaction and properly developed practices and policies limit these risks, but no industry is ever safe from insider threats. However, pretending like there aren't any problems is an easy way to avoid spending money.
- if I left then no-one would be able to understand how it works
This phrase only extrapolates on how misunderstood technology is. A company that doesn't shape its practices, policies, and technology on standards is more likely to experience a devastating disaster if/when their technology staff parts ways. The amount of time it takes to train an employee on systems particular to a business is on average 3-6 months, depending on complexity, intricacy, diversity and volume. Following a standard means less time wasted attempting to find the "right" candidate. Not following a standard means finding people with a broad enough skillset to survive 3-6 months, while drowning in a lake of fire. But, convincing one's self of this is easier than spending money on employing expensive IT staff.
- Setup costs for new hardware and licensing are high compared to the $0 now.
This isn't completely accurate. In almost all industries (other than technology), the IT department is a cost center (meaning, the department does not derive any profits). Buying/replacing computers, routers, switches, cables, plugs, etc... In regards to setting up a centralized management infrastructure (a "domain" as you put it), yes, it would cost money to buy servers and time to engineer a solution to put the right things in place to manage things. Depending on the size of the environment, it can take 4 hours or 400 hours to do properly, and it will continue to cost money to maintain throughout its life-span. It can get pretty expensive, pretty quickly.
At this point, you might be thinking, "Wait a minute; most of what you're saying is in favor of my boss's stance on not doing what I'm suggesting." Well, you're 1/2 right.
Although, technically speaking, so long as a solution is standardized and the practices/policies are not overtly complex/time-consuming, replacing staff is as simple as finding candidates that have experience with those standards. This really isn't an arguing point.
The other 1/2 is that you need to understand the cost/benefit of putting the technology you want in place as well. It could or could not be worth the expense. You won't know unless you can spend time putting together your own cost/benefit analysis. To do this, you need to consider the costs (note: these are just the start of the questions you should ask yourself before you bring your approach to your boss again):
- how much is a server?
- how many servers do I need?
- how much is licensing?
- how many licenses do I need?
- will my network be able to handle the bandwidth change due to increased traffic from a management network?
- do I need to change my infrastructure?
- do I need to change any of my end-point systems to meet a bare minimum requirement for my domain?
- do I know how to set up my own domain or do I need to bring in a 3rd party to drop a turn-key solution for me? and if so, how much will they cost?
- how many issues exist in the environment and how much time do I spend working on them that could be mitigated, relieved or reduced with the solution I'm proposing?
- how much money is being spent working on issues that could be mitigated, relieved or reduced with the solution I'm proposing (including cost of my time, cost of employee downtime, and cost of actual or potential business loss)?
Again, keep in mind that the questions I proposed above are not all-inclusive. There are more technical questions that could be asked, which lead to other questions and so forth, and so forth. Once you have all those numbers, determine the following:
- Will implementing the technology truly mitigate, relieve or reduce the amount of time/money/effort spent on recurring problematic issues?
- Will implementing the technology adversely offset the cost of coping/complacency?
Once you're able to develop a proper cost/benefit analysis, you'll be better able to approach your employer with a proper solution, as opposed to an unfounded suggestion.
Based on my experience, the cost of implementing a centralized management infrastructure and the cost of continued support of said infrastructure is equivalent to the cost of hiring another body for the IT department (depending on the size of the environment); at least, with implementing an internal solution. Cloud and SaaS solutions available today may offset the cost of physical infrastructure and save some money, but it really depends on the department's or company's business model and security constraints.
Note: if the cost of implementing a solution is more expensive than hiring a full-time person to deal with the issues the solution is supposed to resolve, it's generally more cost effective to hire the body (depending on the complexity of the issue needing to be mitigated, relieved or reduced).
TL;DR: spend some time relating to your boss through dollar amounts as opposed to a fancy IT alphabet. It may or may not help your argument, but whatever happens, you end up learning more about how to manage your infrastructure more efficiently.
Lastly, if your conclusion is that the company desperately needs the solution, can afford it, and your boss still doesn't want to do what you say for illogical reasons and you can't negotiate a reasonable middle ground, it's time to pack your things and find a new employer. The kind of employers who are OK being mediocre and don't make logical decisions when presented with evidence are not the type of employers you want to stick with; they tend to make bad decisions and take everyone around them down.
Update: 2015-10-11
Calculating cost of time
Scenario: One aspect of meeting PCI DSS compliance requires your end-point/POS computers to be up-to-date with patches (or have a patch management process in place).
Let's say you make $15/hr USD or $31,200/yr USD, and to make sure patches don't break your systems, you have to manually patch all your systems every time a new patch comes out. For simplicity's sake, let's also say a centralized management infrastructure (Note: this is just a simplified view; it really depends on how your offices are interconnected, whether you need redundancy, and whether or not it makes sense to have a server in every office or just one) will cost you $11,000 for a server, $2,500 for the server license and $2,500 for CALs and 80 hours to set up a domain and join all the computers to the domain; 80 hrs x $15/hr = $1,200 (more if you're outsourcing it to a local vendor; highball is $120/hr; so 80 hrs x $120/hr = $9,600). Your total centralized management infrastructure could be put in place for roughly $17,200 to $25,600.
Patch Tuesday occurs every 2nd and 4th Tuesday of every month. If there is even 1 patch released every Patch Tuesday that requires anywhere between 15min-30min to install and reboot, you're spending at least 1 hour every month patching 1 computer; or 12 hours per year.
Already, you're spending: 12 hrs x $15 = $180 per year on patch management for 1 computer. Now, multiply that by the 50 computers you have (because remember, you can't let the systems automatically patch, because you don't know if the patches will break any apps you currently have installed). This means you're spending closer to $180/yr x 50 computers = $9,000 on patch management. That's 28.85% of your wage and...
- 15min x 50 computers = 750min or 12.5hrs or 1.56 days minimum
- 30min x 50 computers = 1,500min or 25hrs or 3.13 days maximum
spent on a menial task that can be managed by a centralized management infrastructure; testing patches is simplified now, based only on the number of "images" you have, where an "image" is a base copy of the OS and Apps that a group of systems use. At this point, you're only spending 15-30min per image, as opposed to 1.56-3.13 days. This doesn't include travel time if that's required nor does it include wasting/waiting for people to get off the computer so you can do your job.
Wait, $9,000 doesn't seem like it'll justify my request. Maybe, but have you considered centralizing your end-point security solution (anti-virus, anti-malware, etc...)? Oh boy! That's another $9,000 if you consider end-point updates happen every week! Plus, being able to identify which systems are infected with viruses and pin-pointing the computer AND person is a HUGE victory; now you know which groups of people you need to educate on information security awareness.
Wait! You're saying that's still not enough? Oh? How about now being able to implement Group Policy to prevent people from doing things they shouldn't? That's gotta be worth a pretty penny in risk prevention. Oh man, you're saying that's still not enough? What if I told you you can now remotely image/format and reinstall a system without ever having to leave the office!? Oh boy! Wouldn't that be worth something? That's 2-4 hours per system that you're saving; potentially 100-200 hours per refresh period.
So, what am I implying with my generic info from above? Well, potentially, you could save $18,000 minimum by implementing a centralized management system (Windows AD). That's more than 1/2 the salary of an IT guy making $15/hr. $18,000 is more than the cost of the solution (well, my basic solution; you'll need to figure out your own actual numbers), which means the solution will pay for itself over time; technically, within 12 months of implementation.
These numbers do not take into account any projects that may require having a centralized management infrastructure in place to begin with. For every project moving forward that you needed an Active Directory for, it's now 50 times however-much-time-you-spent-implementing-it-on-one-system times your hourly wage in savings.
This also does not take into account the capability of now implementing proper user authentication, password aging, password complexity requirements, and a slew of other risk management practices and policies that could potentially save the company lots of money in the event of a breach/intrusion or compromise.
Oh, by the way, you can always throw compliance requirements at people, too. Just for good measure. There is no way your company is PCI compliant if people are sharing passwords.
Get the idea now? Now, get to it.
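The patch-management arithmetic in the answer above, as an added cost model that is not part of the original answer. Defaults reproduce the answer's figures ($15/hr, 50 computers, two patch days a month, up to 30 minutes per machine, $17,200 to $25,600 for the infrastructure); the number of base images (3) and the extra annual savings line ($9,000, standing in for centralised endpoint-security updates) are assumptions, and the payback figures show that the high-end infrastructure estimate does not pay back within 12 months on these inputs.

```python
"""Patch-management cost model: manual workgroup patching vs. a domain with
central deployment. Added illustration; defaults mirror the answer's scenario,
image count and other_annual_savings are assumptions."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class PatchScenario:
    computers: int = 50                    # end-points to keep patched
    hourly_wage: float = 15.0              # USD per hour for the admin
    patch_days_per_month: int = 2          # the answer assumes 2nd and 4th Tuesday
    minutes_per_patch: float = 30.0        # hands-on time per machine, manual path
    images: int = 3                        # ASSUMPTION: distinct OS+app base images
    other_annual_savings: float = 9_000.0  # ASSUMPTION: e.g. centralised AV updates

    @property
    def patch_events_per_year(self) -> int:
        return self.patch_days_per_month * 12

    def manual_hours_per_year(self) -> float:
        """Every machine is touched by hand on every patch day."""
        return self.computers * self.patch_events_per_year * self.minutes_per_patch / 60

    def centralised_hours_per_year(self) -> float:
        """Only each base image is tested; deployment to members is automatic."""
        return self.images * self.patch_events_per_year * self.minutes_per_patch / 60

    def manual_cost_per_year(self) -> float:
        return self.manual_hours_per_year() * self.hourly_wage

    def centralised_cost_per_year(self) -> float:
        return self.centralised_hours_per_year() * self.hourly_wage

    def wage_share(self, hours_per_week: int = 40, weeks: int = 52) -> float:
        """Fraction of the admin's annual wage consumed by manual patching."""
        return self.manual_cost_per_year() / (self.hourly_wage * hours_per_week * weeks)

    def annual_savings(self) -> float:
        """Labour saved on patching plus any other centralisation savings."""
        return (self.manual_cost_per_year() - self.centralised_cost_per_year()
                + self.other_annual_savings)

    def payback_months(self, infra_cost: float) -> float:
        """Months until cumulative savings cover the one-off infrastructure cost."""
        return infra_cost / (self.annual_savings() / 12)


def compare(scenario: PatchScenario, infra_costs: tuple[float, ...]) -> dict[float, float]:
    """Payback period in months for each candidate infrastructure cost."""
    return {cost: scenario.payback_months(cost) for cost in infra_costs}


if __name__ == "__main__":
    s = PatchScenario()
    print(f"manual:      {s.manual_hours_per_year():.0f} h/yr = "
          f"${s.manual_cost_per_year():,.0f} ({s.wage_share():.2%} of wage)")
    print(f"centralised: {s.centralised_hours_per_year():.0f} h/yr = "
          f"${s.centralised_cost_per_year():,.0f}")
    for cost, months in compare(s, (17_200.0, 25_600.0)).items():
        print(f"infra ${cost:,.0f}: pays back in {months:.1f} months")
```

Change the dataclass defaults to the real wage, machine count and vendor quote before putting the numbers in front of a manager; the structure, not the defaults, is the point.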
You say one of your jobs is "head of IT", but your boss overrules IT decisions. Ask yourself and your boss in what way you are really "head of IT". He should be giving you an IT budget and letting you decide how to spend it. If he is not doing that amount of delegation, you are not the head of anything.
As it is only one of your roles, consider relinquishing it, handing responsibility for it to your boss. If he insists on you being responsible, but does not give you the budget or tools to do your job, leave and (if you live in a civilised jurisdiction) take him to an employment tribunal for constructive dismissal.
In short, this is not really an IT question, it is a management question.