Tip No. 3: Turn them into sys admins
A smart way to handle superusers is to give them more IT authority, not less.
For example, 12 years ago, Maureen Vadini was recruited to help bring Parma Community General Hospital's paper records into the digital age. A registered nurse by trade, Vadini is still holding hands and taking temperatures -- but now she's doing it for users of the hospital's Vocera Communications System, which is modeled after the badge communicators from Star Trek: The Next Generation. When hospital personnel need to find each other, they speak into their badges, and Vocera gets the message to the right person.
Now a patient care informatics analyst in the Ohio hospital's IT department, Vadini made the leap from superuser to tech professional about four years ago. But she's hardly the only nontechie fulfilling an IT role.
At PCGCampbell, a marketing and communications company in Dearborn, Mich., some superusers have been dubbed "information administrators" and have been imbued with special powers not available to ordinary mortals -- such as managing access to sensitive data.
"As a marketing company, we often handle personally identifiable information that needs extraordinary protections on it," says Joe Vandervest, vice president of information systems at PCGCampbell. "These guys are sensitized to it. They're right in the trenches, so they know what's going on. We empower them to set up protected folders for the data or to come directly to us."
Some employees feel more comfortable talking with superusers than with IT personnel, Vandervest adds. Likewise, the information admins can report back to IT about issues other users may be encountering. Later this year, PCGCampell plans to empower its information admins to act as content managers on the company intranet and to install software on clients' machines.
"In our organization, people are superbusy, and they travel all over the country," Vandervest says. "They need flexibility in the field, which is what we're trying to get at by having delegated powers."
But there are caveats, Vandervest says. For example, the approach can only work if you have the necessary training and certification procedures already in place.
"I would caution against delegating authorities without compensating controls in terms of certifying their abilities and their understanding of security policies," he says. "Trust, but verify. Most people tend to delegate and empower without checks and balances. If you're allowing superusers to install software, for example, you better make sure you're keeping an eye on license compliance. You want to make sure you're compliant."