Jabo

At my place of business, there's a recently acquired "analyst" who is about as unscrupulous as they come. Within the first week, he already had several admin accounts on our servers without the proper clearance, aye without any clearance at all. He spent the first few weeks kissing ass and buttering up and now it seems he can get away with anything he desires.

We've already seen the affects of his time at his previous place of business. He injected himself into nearly every server and over time made it to where he was the only one who could admin anything. I know people see what he's doing, but I'm not so sure they understand how dangerous he is, especially the CIO who backs him up on everything gladhandedly.

I'm thinking one of two things. Either he's got something the CIO is afraid of, or even worse, the CIO is just as devious as he is. If this continues, I believe a lot of people will be out of jobs. This is why I suspect the second outcome above, as less salaries to pay equals more money for the CIO.

I feel obligated to protect my job; is there a way?

grumpy

I doubt it's the CIO being devious - quite the opposite. The analyst is, from what you describe, using the simple strategy of making himself valuable at first, and then set things up so be becomes indispensable so he can't be easily gotten rid of. The thing is, you can't ignore the possibility that this guy is doing things because he believes they're the right things to do for the organisation (eg it is often hard to distinguish between malice and incompetence).

One basic management tenet for any organisation over a certain size (and an organisation that has a CIO is well over that size) is that no employee should be allowed to become indispensable, precisely because they can hold the organisation or a work area to ransom.

Basic security policy in any IT support organisation generally makes a point of ensuring that administrative privileges are held by a group of trusted team members, and never held by an individual.

I would suggest the way to counter this guy is to pull out the IT security policy for your organisation. If it has such provisions, use them as justification to ensure that administrative rights/privileges/responsibilities are not held by a single individual. If there are no such clauses, seek for an independent review of the policy and work with the reviewers to get such clauses inserted. If there is no IT security policy, then lobby to have one created and make sure such clauses are in it.

You haven't said what your role in the organisation is, but generally you will need to find someone with influence in middle or upper management to take an interest and convince them to be a champion of a workable security policy.

Whatever you do, however, try to do things in a manner that emphasises what is good for the organisation. Minimise any personal references to the individual involved (unless there happens to be a significant example of something that is definitely at odds with policy) as that weakens your case: one of the best way to be ignored by a manager is to look like you are attacking the person rather than the issue.

By taking your time (and it can take a while) and tackling the issue from a perspective of making sure a good policy is in place and then complying with it, you will not do the organisation any harm and management will tend to support you. If the guy (despite your concerns) is actually conscientious, he will go along with such an approach. If he doesn't, it will become obvious to managers where the problem really lies; it is better if they decide that for themselves, rather than you trying to tell them.

Jabo

That's sound advice, in a normal situation. The problem from my perspective is this: we have just gone through a major structure change, along with a new entity acquisition which pretty much doubled the size of our oganization (and also acquired said analyst) and a new CIO (not from the acquisition but due to the retirement of previous CIO). The new CIO seems all to happy to circumvent established practice and policy in order to "git r dun", so trying to enforce a policy or establish a new one I believe would be largely ignored or derailed.

I do a bit of system administration but this guy isn't playing by the rules of the game. He is hiding his presence from everyone in the organisation. I guess he figures if no-one knows his footprint, no-one can track him. By the time they get around to acting, he's going to have a choke-hold on the place. Normally I would just ride the storm, but with the economy, I can't afford to hope for the best.

grumpy

Make sure you are seen by the new guy to be a benefit to him: openly give him credit (preferably in front of management) for his contribution when you have both been involved in a task and it goes well. But, selectively, allow some tasks to fail in some circumstances where things aren't quite clear and, in front of management, offer only neutral comment about the facts of what happened and ask for him to comment on the situation. This lets you be seen as a team player (by both him and, more importantly, by management - which he will have trouble countering) and selectively makes his footprint visible by putting him in a position where he will often have to offer comment on problems.

Keep a log or diary of your tasking making the reasoning clear for all your actions (where guidance came from, reasons for decisions, etc). In meetings, refer to that log when explaining things to make sure you stick to the facts.

Keep in mind that a key to strategy when others have control is not deciding what you do: it is deciding when not to do something.

If you think about it, this is actually the same strategy that I discussed in my first post.