I know how it happens.
You’re the IT director of a fairly large division of a fairly large corporation. You have a few hundred users coming through your backend using email and the web. You have all the basics: email attachment size limits (set at 10mb… a generous but reasonable size), random spot-checks on surfing habits (just to make sure no-one is downloading full-length movies or gigabytes of porn), an adequate and inexpensive enterprise anti-virus system.
Life is good.
Then some idiot in upper management wants to know where your budget is going. Of course, if you tell him how you’ve spent it on a server for porn, movies, games and music, LCD screens and PDAs for the IT support staff, you’d be in trouble.
So you have to justify all that expense by actually doing something. You set in motion an easy 5-Step Plan.
Step 1: Increase resource utilisation (English translation: ‘Make your staff do some work’). Action a task-team to prioritise a network security plan (Translation: ‘Get your overpaid and underworked IT ninjas to spend 6 months coming up with a list of ways of annoying the users by restricting their usage in-between their daily gaming and porn-viewing times.’)
Step 2: Implement network utilisation strategy (Trans: ‘Prevent users from sending email attachments larger than 3MB regardless of file type or user. This rightfully prevents PAs and bored accounts ladies from sending cutesy PowerPoint slideshows, but simultaneously prevents systems engineers from sharing vital documentation like functional specifications and database table-dumps. Then buy 3 new email servers to increase storage space, and simultaneously decrease the allotted mailbox size of all users by 75%.’)
Step 3: Upgrade network security (Trans: ‘Replace inexpensive, unobtrusive and adequate Anti-Virus software with ridiculously overpriced, useless Anti-Virus software that is so resource-intensive it instantly renders every machine on the domain useless. Block any and all ports that don’t have any immediately apparent purpose, and blatantly refuse to re-open them, even if they are needed for operations.’)
Step 4: Upgrade network infrastructure (Trans: ‘Upgrade all WAN connections from ADSL and Diginet to MPLS so that everyone can fail to do their jobs with better bandwidth, and so that the useless Anti-Virus can update itself even more prolifically.’)
Step 5: Implement web restriction policy (Trans: ‘Prevent users from gaining access to the few websites that relieve the tedium of their work-days because those sites look too much like porn, music, violence, free-thinking, entertainment or news which might result in reducing a user’s productivity… thus forcing users to spend their time playing solitaire or producing cutesy PowerPoint slideshows just small enough to email. Also, prevent systems engineers from communicating with their counterparts in remote areas and various international support desks via IM or VoIP networks, forcing them to use the company’s phones instead, at far greater cost’)
So, at the end of this process, you have not only justified the expense, you have also doubled the organisation’s IT budgetary requirements, and created jobs by increasing the amount of personnel (and hardware) required to do the simplest tasks.
Good job! You can go home to your family knowing that you have made a difference... right after calling the AA to rescue you after finding your car tyres slashed, obscenities spraypainted on every body panel and a small pile of what appears to be human feces on the driver's seat.