Over the last couple of months I've been working quite hard on "the big project" at the day job, which involves a large number of people spread across four continents. The project has been an ongoing affair for about a year now and there are core teams working in pockets of productivity that get a lot of things done quickly. Since November my primary tasks have been related to data migration for the Japan region, writing a quick web application for HR, building some customer survey APIs and accompanying websites, and generally answering the same 18 questions over and over to the same group of people who have asked these questions since the spring of 2018. Since this clearly wasn't enough work for one person to do, I was asked to help out with a few other "little tasks" that, on the surface, shouldn't have taken more than a couple of hours to complete.
Six days later, the smallest one is just now coming close to completion, while many of the other priorities and responsibilities have started to slip past their soft deadlines. This small project would have been a quick task had the department in question followed company procedure and used company resources. Instead, they went out of their way to hire a vendor, over-complicate things in the name of "security", and abandon their responsibilities of running a mission-critical part of the business. Essentially, a department wasn't happy with IT back in 2014 so went and got themselves some server space. Since then, they've built out this website to be the primary place where existing and potential customers get in touch with us. Their contact form sends information to a 3rd-party service that is being decommissioned next month, and I was asked to help point the form to Salesforce, the new platform that the executives believe will save the company from itself. It took four days to get access to the server via official channels, and another day to have the privilege of seeing files on that server. After a little bit of poking around, I discovered that the system has not seen a single security update since December 2014. As one would expect, I raised the alarm with several managers, all of who said "Don't worry about it for now. Everything will be on the new system soon."
The new system goes live in Japan in 15 months.
I then poked around and tried to get specific information about what versions of certain software was on the machine, because different versions have different capabilities. I'd hate to invest a bunch of time writing code only to have it not work on a server because I didn't take a moment to see whether a function I'm relying existed in 2014. Every discovery was another disappointment, all the while my Inbox was filling up with messages from members of different teams wondering when I'll complete an important task or provide a required data transfer. For over a week this situation has been a source of frustration. So much so that when I look in the mirror all I can ask myself is: WTF am I doing?
The vast majority of my efforts with the day job have involved doing things in a way that solved a real business problem for the least amount of money while keeping data and systems safe. My software and servers have gone through countless security audits by vendors because I'm generally working on these things alone, and some members of management have a grudge. The expensive pen tests and audits are an excuse to find fault with my work in order to say "I told you so." The managers in question have been doing this for three years and have yet to find anything worth reporting beyond how expensive all the tests cost, which isn't at all my problem.
One would think that if the work that I do for the company is held to such strict standards, other teams - and they're usually teams - would also face regular tests and system checks. Sadly, this isn't the case. Our databases have gone years without patches being applied. Our servers have been running outdated operating systems that can't make full use of the modern hardware, effectively handicapping powerful computers that cost more than a decent Mercedes. Departments host mission-critical systems on a single server running a version of RedHat that was originally released in 2013 with no backup strategy or regular maintenance plan. All of this is perfectly okay, but God help me if I misplace a single semi-colon in any of the work I do for the day job.
So WTF am I doing? At the end of the day, the fundamental problems at the day job are not at all my responsibility. When I find problems, I am expected to report them and carry on. I'm not required to bang the drum or insist on getting things fixed or coordinating efforts to bring tools in line with current corporate policies. That's what "management" is for.
People generally learn to not take on other people's problems unless it's absolutely necessary. If we were to take on too much, we would be in a state of constant stress and anxiety. This is pretty much how I feel when I encounter situations like this. Not only because of the double-standards within the company, but because a lot of the major issues uncovered could be mitigated for almost no money. It's ignorance and/or laziness that needs to be addressed at the same time as the technical problem ... by management.
This is something I really need to force myself to remember, possibly by putting up a big sign over my desk reading:
Being frustrated and angry all the time keeps me thin, but it doesn't do anything to make the days more enjoyable.