Jurassic Park is an excellent sci-fi movie it checks all of the right boxes:
Genetic engineering? Check.
John Williams? Check.
Samuel L Jackson saying "Hold onto your butts" with a cigarette in is mouth? Check.
Possibly evil mega-corporation bringing back dinosaurs and thus monetizing life itself? Check.
A subplot about a bunch of computers going offline to be fixed by some kid who says “it's a Unix system I know this!”? Check.
Humans running for their lives from dinosaurs? Check.
Lawyer caught on the toilet by a T-Rex? Double Check.
Something easy to overlook however is that it's equally filled with warnings about systems automation, a foreboding tale about corporate espionage/sabotage, and how poor business continuity planning brings about disasters that can at least, in this case, can literally eat you alive.
Welcome to Jurassic Park, a post-mortem about workplace culture problems and how they affect IT, workers.
Many people probably think the disasters on Isla Nublar were caused by rogue programmer Dennis Nedry, But truth be told Jurassic Park had much bigger problems. Even if Dennis had never decided to steal dinosaur embryos in a modified Barbasol bottle Jurassic Park still likely would have been doomed. Why? Culture, that's why. In the case of InGen, Jurassic Park, and Dennis Nedry: “He had become very annoyed with InGen; Hammond continually asked for things which hadn't been included in his original contract, and InGen demanded that they are done. When Nedry refused, lawsuits were threatened and letters were written to Nedry's other clients insinuating that he was unreliable. Nedry had no other choice but to return and carry out the extra work, but for no extra money.” -jurassicpark.wikia.com
Dennis clearly had his reasons to hate his employer, who had no problem manipulating him just like they did the DNA of dinosaurs. The problems created in IT departments because of culture mismanagement are huge, in the case of Jurassic Park those problems were:
- Reduced size of IT staff created a dependence on undocumented automated processes.
- Note: When Sysadmins are busy and alone they don’t document anything, in this case, Dennis just didn’t care but worth keeping in mind, if documentation is your priority and your sysadmins can’t seem to do that it's probably not because they don’t care. Sysadmins are typically nerds and nerds love to brag about how cool the thing they just built is, sysadmins do this through documentation, its a personal priority for anyone who takes that role seriously, so if its not getting done odds are its because management hasn’t provided IT with enough “Free Time” to do so. If your a manager check yourself before you wreck yourself.
- Inability to step away pinned the stability of Jurassic Park to Dennis instead of an IT team.
- Lack of properly configured logging and alerting systems, Dennis should never have been able to run code against the security system without it first being checked by teammates. Source control is important.
Problems like these are not isolated however and are often felt across infrastructure engineering as well, engineering issues such as:
- Lack of redundant systems (Ironically those systems that should have been there to prevent a T-Rex from eating the company lawyer, that T-Rex might be a subtle allegory for ransomware or other system calamities)
- Lack of adequate logging/alerting systems for the systems Dennis was responsible for.
- Lack of antivirus systems or properly configured workstations, even though what Dennis wrote was not technically malware if a sysadmin can write code for your systems without it being authorized and signed through a code signing process it mine as well be. Having some form of application/code whitelisting such as app locker is critical in the modern enterprise.
So how do you prevent a Jurassic Park incident? Culture, and IT culture specifically The mark of a good company culture is that it creates the ability to step away for a time with little to no business impact felt, furthermore it should encourage it. The ability to step away is likewise the trademark of a good Sysadmin. If you think the main goal of a sysadmin is to keep all the computers working, servers humming, and network up you would be sorely mistaken even more so if you are a sysadmin and you think you have job security because that's how you define your job. Dennis’s exact problem was that his employer had made it his job and pushed moving targets on top of it. The main goal of a sysadmin (or any employee) should be to achieve the results of the company they work for. A good sysadmin should be a driver of positive change that accelerates businesses to meet and excel past their goals, this is where job security comes from. If I step away from my job (which I have, I’m writing this in a coffee shop in Maui Hawaii) I have full faith that my coworkers will be able to use the systems I've set up to keep everything running.
- Our passwords are in a password manager
- Our primary systems are redundant with backups
- Our network is designed to reasonably handle internet outages and gateway failures
- We have antivirus and reporting squared away
- There are a variety of workstations I have left prepared to be deployed in case of hardware failure or in case my process for provisioning new workstations is not understood quickly enough to meet an immediate need.
- In the event that my plane crashes in the Pacific and I’m eaten by sharks the documentation I’ve left behind should be informative enough for another sysadmin to do my job and meet business needs quickly.