Who Said You Can Work in IT?

By Hank Marquis


As the unstoppable commoditization of IT breeds new laws that increasingly target individual executives and workers and hold them accountable for their actions, the sobering truth is that most IT workers are not qualified to work in IT and most IT managers are not qualified to lead their workers.

This is not my opinion; it is a fact. Craftspeople, for example, face a more rigorous vetting program, are subject to more stringent oversight and review, and face more audited personal responsibility than virtually any IT worker employed today.

But that is changing as IT laws and regulations driven by IT commoditization take direct aim at IT practitioners, not just the corporations for which they work.

Some recent examples of individuals targeted by IT laws include:

  • A systems administrator was arrested by the FBI in connection with installing a “logic bomb” on servers at his company Medco, a major prescription benefit manager.
  • The CEO of eBay’s Indian subsidiary was arrested under the Indian “Information Technology Act” for failure to control usage of an IT service.
  • An employee of Seattle Cancer Care Alliance earned the dubious distinction of being the first person sentenced to jail time for “Health Insurance Portability and Accountability Act of 1996” or HIPAA violations.
  • A helpdesk employee in India was arrested for allegedly using U.S. customer credit card data to which he had access at his workplace to make fraudulent purchases.

    These few examples illustrate a growing trend: IT workers and executives are now targets of law enforcement. As IT commoditization continues, society becomes even more dependent upon IT, and this increased dependency means IT has the potential to cause more and more severe harm to individuals.

    This gives rise to several questions critical to the future of virtually every IT manager and worker: What gives IT workers the right to operate the systems under their control and access the data they manipulate? And, perhaps more importantly: What ensures customers and users those IT workers will perform in a trusted manner and safeguard their information?

    Based on recent industry events and increasing punitive legal action against IT executives, individuals and companies, this article describes one probable future for IT and predicts how and why IT worker qualification will be the top priority of IT leaders in the very near future.


    Did you ever take a moment to consider whether you and your team are qualified to work in IT? Consider your own credentials (and I don’t mean a college degree, a vendor certification from Cisco or Microsoft, some quasi-industry certification like ITIL, membership in a group like the Project Management Institute, etc.).

    Qualification is meeting conditions or requirements to become eligible for a position. A qualified person has the documented skills, knowledge, experience and permissions to be acceptable or suitable for a particular position or task.

    Consider what it takes to become a qualified practitioner in the electrical, plumbing or carpentry trades. The average skilled worker in these trades, called a journeyman or journeywoman:

  • Must take specific classroom courses in their trade;
  • Has two to four years of guided and documented apprenticeship under a master practitioner in addition to their formal schoolwork;
  • Is licensed, bonded and industry-certified;
  • Belongs to and is registered with professional industry organizations with stringent membership requirements, prescribed education, defined skills;
  • Has a publicly available history of their work and any infractions;
  • Must take refresher and update classes to maintain their credentials; and
  • Carries out their job tasks in alignment with a nationally recognized code of minimum standards mandated by law.

    Now consider the common IT role of service desk agent or database administrator. They:

  • Are not required to take prescribed or formal classes and have no requirements for minimum hours in class;
  • May or may not have received formal schoolwork in their trade;
  • Probably never participated in a formal internship or apprenticeship and certainly not one that lasted for several years;
  • Are not licensed, bonded, or insured;
  • Might have a product certification, but probably not a nationally recognized certification that is vendor independent;
  • Don’t belong to any formal trade association with stringent membership requirements and codes of ethics/operation;
  • Have no publicly searchable record of qualifications and infractions;
  • Usually are not required to obtain continuing education yearly; and
  • Make decisions based on situation and instinct (so-called “experience”) instead of following nationally recognized minimum standards and best practices.

    Clearly, IT workers in general are not qualified — if qualification means the stringent controls and work standards required of other craftspeople. Forewarned is forearmed. If IT applied the same rules as, say, carpentry, then virtually nobody would be qualified to work in IT. But don’t feel bad; after all, this is IT, not carpentry.

    Future of IT

    Analyzing other skills-based industries shows how increasing IT regulations due to its commoditization will dramatically change how IT workers will be qualified to work in IT in the future.

    As new laws, legislation and regulations increasingly seek to hold individuals accountable, more and more lawsuits will seek damages from the organizations for which these individuals work.

    Referring to the aforementioned FBI arrest of a Medco IT system administrator, Christopher Christie, U.S. attorney for the New Jersey district, said, “The potential damage to Medco and the patients and physicians served by the company cannot be understated.”

    Time will tell if the private legal system takes Medco to task as they did to the Seattle Cancer Care Alliance, which was required to pay over $90,000 in credit reparation activities for affected members.

    However, this is exactly the type of highly visible harm that spurs legislative response. Lawyers are not ignorant of IT law and are, in fact, helping to drive the changes that will take place.

    Benjamin Butler, counsel with the Washington, D.C. law firm Crowell & Moring LLP’s Health Care Group, says he finds the Seattle Cancer Care Alliance case particularly interesting because it shows that prosecutors are eager to remind businesses that HIPAA has teeth.

    “It appears that this person could have been prosecuted under a number of other statutes,” Butler said. But prosecutors chose HIPAA. They wanted “to send a message that this authority is out there and people shouldn’t forget about it.”

    The normal response when businesses lose lawsuits is to avoid or mitigate liabilities. Thus, as other trades were forced into the stringent worker qualification processes by government mandates as society became dependent upon them, so too will IT and those businesses that operate their own IT organizations.

    Licensing, Bonding and Auditing

    The normal pattern of response to risk by business is some form of industry self-regulation, which typically does not have the teeth required by lawmakers. Following the inevitable failure of self-regulation, government legislation will begin mandating worker qualifications.

    Following are my predictions on the likely future controls to be placed upon IT workers, executives and companies.

    Prediction: IT workers and IT system users will require formal licensure to operate or access systems with access to personally identifiable information or personally identifying information (PII).

    PII is any piece of information which can potentially be used to uniquely identify, contact, or locate a single person. Of course, this definition of PII makes today's IT workers and even many users of IT systems responsible for their actions — and liable.

    One aspect of qualification is licensing. If the work has significant public interaction with potentially high standards of accountability, society typically requires a practitioner to obtain a license.

    Obtaining a license is more than paying a fee and passing an exam. Normally controlled by the government, a license makes one responsible for the consequences of their actions and thus liable to any penalties incurred due to incompetent, illegal, or immoral actions.

    Most licensing agencies have a registry where you can look up the practitioner, determine whether their license is valid and possibly see previous infractions.

    Licenses may be taken away for poor performance, as well. Having a license suspended or revoked is foremost to protect the public and then to punish the practitioner.

    While there is no formal licensure for information technologies today, imagine a day in the future when federal, state, or local laws contain civil or penal code entries like this:

    PURPOSE -- LICENSE REQUIRED. In order to safeguard the public health, safety and welfare, it is in the public interest to regulate and control database administration, to promote the safety and quality of IT services, to prohibit unqualified and dishonest persons from practicing system administration and to protect against acts or conduct which may endanger the health, safety and welfare of the public.

    (1) License required. It shall be unlawful for any person to practice system administration or offer to practice system administration unless that person is duly licensed pursuant to this act.

    The preceding is fictitious but based on real, existing legislative language for other trades (nursing, plumbing, etc.).

    Lawmakers have already begun enacting legislation to limit the distribution and accessibility of PII, leading to the question: How far off can IT licensing be and what might such legislation entail? Again, existing crafts predict the future of IT.

    Prediction: Human resource operations in the future will be required to provide personal performance and evaluation information on IT workers and systems to public registries.

    Registration is the listing of a practitioner, their specialty, credentials and performance records. Most often licensing requires registration. Some states already offer license look-up services that search state databases holding information on professionals, for example, plumbers, who hold a professional license in the state. These are easily extended to include IT workers and those who use IT services on a daily basis.

    Prediction: Companies will be required to bond their workers in order to reduce their liabilities, comply with new laws and reduce insurance premiums.

    Many trades require bonding. A bond is an insurance policy that guarantees the practitioner will meet their obligations in a satisfactory manner or the bonding company will pay related fines or fees.

    In responding to these inevitable laws employers will have no choice but to require bonding for workers with access to PII or other sensitive data. Bonding companies will in turn require proof of qualifications of bonded individuals in the form of nationally recognized and accredited certifications and licenses.

    Prediction: All workers will require certification and continuing education in order to access systems that contain any PII.

    Bonding companies will require proof of knowledge and skills competency before they will write a bond that companies can afford. This will drive certification programs and dramatically improve the quality and consistency of those programs.

    Electricians have to take 144 hours of continuing education per year to remain licensed. Medical professionals all must take continuing education to remain licensed. IT is going to have to get used to the idea of investing in education as well.

    We already see this occurring, for example, with the recent announcement by the owners of the IT Infrastructure Library (ITIL) of a major overhaul of its certification schemes in order to promote improved control over instructors, courseware and the companies providing such training.

    The Project Management Institute, the de facto standard for project management training and certification, requires continuing education to remain certified.

    Prediction: Individual workers will face audits and reviews of their work to ensure compliance with laws.

    Audits will expand to include not just basic controls such as those required by Sarbanes-Oxley, but also random audits and inspections of individual workers’ compliance with new laws.

    Consider the electrical trade. When an electrician completes their work, it usually requires review and approval by a state-certified inspector. As the process unfolds for IT and governments require licensure of bonded workers, they will establish auditors and independent inspectors to check the quality of work and conformance to code.

    Prediction: IT will formalize and mandate apprenticeship and internship programs for workers.

    Many trades require individual tutelage under an authorized “master craftsperson” as a prerequisite to being allowed to perform their duties — even when supervised. Don’t think this does not apply to so-called “white-collar” activities; some states allow learning the law via apprenticeship as well.

    Apprenticeship gives trainees a thorough knowledge of all aspects of the trade by formalizing the work they perform and monitoring how well they perform the work. Apprentices are learning by practical experience under skilled workers.

    Thus, an apprentice is an inexperienced practitioner. Another word for apprenticeship is internship. Most apprentice or intern programs operate under the auspices of trade associations, professional organizations or unions. Upon completion of the apprenticeship period, the apprentice becomes a journeyman (or journeywoman).

    Employers consider these practitioners highly skilled. Most people learn the electrical trade by completing a four- or five-year apprenticeship program.

    Getting a job in IT is going to take longer and, given the slowdown in IT graduates, this is going to drive up the costs for skilled “IT craftspeople.”

    IT Commoditization

    None of my predictions about future IT control activities can occur without standards. Such standards often arise from mistakes made in the past. For example, electrical wiring evolved because of harm caused under previous wiring best practices and standards. Through evolution and revision of such standards, codes of conduct arise.

    An example of an existing standard is the National Electrical Code (NEC). The NEC codifies the requirements for safe electrical installations into a single, standardized source. While the NEC is not U.S. law, NEC compliance is mandated by U.S. law.

    We can already see this pattern of standardization occurring in IT. Mistakes are occurring in IT that cause harm to society and individuals on a regular basis. Legislation and auditing exist in growing numbers and the resultant arrests and fines are thereby increasing as well.

    Burgeoning de facto standards such as the IT Infrastructure Library (ITIL), Control Objectives for IT (COBIT) and the Project Management Book of Knowledge (PMBOK) now shape many day-to-day activities within IT.

    None can still deny that IT is on the slippery slope of commoditization and indeed, trades such as the plumbing and electrical industries provide an excellent model of where the IT organization will move.

    These and other commodity trades show us the real future of IT organizations. Perhaps the most visible signs of the coming changes appear in the healthcare industry. This makes sense given that industry’s dependence upon IT, craft-centric licensure, regulation and obvious personal safety issues.

    While healthcare IT may be taking the brunt of the suffering now, new IT laws and increasing regulations brilliantly illuminate how virtually all IT organizations will operate in the future. This future may be a few years ahead of us, but if history and current events are any indication, these predictions will in large part occur.

    Hank Marquis is a partner and CTO at itSM Solutions, LLC, a firm specializing in IT service management, coaching and education. You can contact Hank at hank.marquis@itsmsolutions.com.