4. Treating "legacy" as a dirty word
Eager young techies may hate the idea that mission-critical processes still run on systems older than they are, but there is often good reason for IT to value age over beauty. Screen-scraping isn't as sexy as SOA, but an older system that runs reliably, with failure modes that are already understood, is less risky than a brand-new unknown.
Modernizing legacy systems can be expensive, too. For example, the State of California expects to spend US$177 million on a revamped payroll system. And according to one IDC study, annual maintenance costs for new software projects typically run into the millions. In these days of tightened IT budgets, don't be in too much of a hurry to make your "dinosaurs" extinct before their time.
5. Ignoring the human element of security
Today's network admins have access to a dizzying array of security tools. But as hacker Kevin Mitnick is fond of saying, the weakest link in any network is its people. The most fortified network is still vulnerable if users can be tricked into undermining its security -- for example, by giving away passwords or other confidential data over the phone.
For this reason, user education should be the cornerstone of your site security policy. Make users aware of potential social engineering attacks, the risks involved, and how to respond. Furthermore, encourage them to report suspected violations immediately. In this era of phishing and identity theft, security is a responsibility that every employee must share.
6. Creating indispensable employees
As comforting as it may be to know that a single employee understands your systems inside and out, it is never in a company's best interests to let IT workers become truly indispensable. Take, for example, former City of San Francisco network administrator Terry Childs, who was eventually jailed for refusing to reveal key network passwords that only he knew. One person holding the only copy of privileged credentials is a single point of failure, whether that person quits, falls ill, or turns hostile.
In addition, employees who are too valuable in specific roles can get passed over for career advancement and miss out on fresh opportunities. Rather than building specialized superstars, encourage collaboration and train your staff to work across a variety of teams and projects. A multitalented, diverse IT workforce will not only be happier, it will be better for business, too.
7. Raising issues instead of offering solutions
Are your warnings of critical vulnerabilities falling on deaf ears? Identifying security risks and potential points of failure is an important part of IT management, but the job doesn't end there. Problems with no apparent solutions will only make senior management defensive and dismissive. Before reporting an issue, formulate a concrete plan of action to address it, then present both at the same time.
To win support for your plan, always explain your concerns in terms of business risk -- and have figures available to support your case. You should be able to say not just what it will cost to fix the problem, but also what it could cost if it doesn't get fixed.