Personality types: Your key to better business relationships

by Trish Smith

If there’s one lesson Michael Santarcangelo has taught me, it’s that security (and business) aren’t just “about business”. They’re about people. People who we get along with, people who we (as much as we might not like to admit it) don’t always get along with. But unless we’re Steve Jobs, we don’t have much choice who we need to interact with (and I’ll bet even Steve has to deal with people he doesn’t get along with too well, sometimes).

It’s about the people, stupid.

This article shares information to help you become more flexible, adaptable, and resilient in dealing with others.

Imagine the power of being able to predict, prevent, and resolve conflicts. How about improving communications with co-workers, clients, and peers?

This might sound like a pretty big claim, but when learning about personality and how it determines the ways people interact, this information is invaluable.

What is a “personality type”?

In modern psychology, there are two ways to think about personality: “traits” or “types.” Personality trait theories suggest two people can both be extroverts, but be very different in terms of how strong the trait is in their personality (for example, Bob and Mike might both be extroverts, but the trait is much stronger in Mike than it is in Bob). This view of personality sees it as existing along a continuum, rather than as an “either/or”.

“Personality type” approaches suggest people either have a characteristic or not. An individual is an introvert or an extrovert, assertive or passive, someone who works well in groups or not. This view is the more popular one among those who study personality today, and as such, is the one we’ll explore in more depth.

Defining the Type

The most common instrument to measure personality type is the Myers-Briggs Type Indicator (MBTI). It’s widely used by businesses (and individuals) to better understand personality. It usually consists of about 70 questions that ask you about your likes, dislikes, opinions, and personality characteristics. It then groups people into several “types” based on four personality traits:

  • Extroversion/introversion (need external contact to recharge, or time alone?)
  • Intuition/sensing (trust more in own feelings or in external observations?)
  • Thinking/feeling (the dominant force relied upon to make decisions?)
  • Judgement/perception (the need to organize life or let the chips fall as they may?)

Although it would be useful to be able to administer this test to everyone we deal with day-to-day (as impractical as that might be), it’s not necessary.

Usually, it’s enough to simply understand which of the different personality types someone is, and keep that in mind when dealing with others. For example, recognizing that a team member is closer to the “judgement” end of the judgement/perception scale will help explain why they need to research and plan out every move of the project.

We can understand other people’s personality differences without making value judgements. John isn’t trying to drive you crazy by going with his feelings on a decision; he’s simply on the “feeling” end of the thinking/feeling scale, and that’s how he makes decisions.

This knowledge reduces frustration and improves our approach to others – especially if an action is needed on their part.

Learning how to type others

So how do we figure out which personality type someone is?

We can’t very well hand everyone a Myers-Briggs test (although if the topic is brought up, it’s likely that at least one person in the group will volunteer not only that they have taken the test, but what their result was: That they are an “INTJ”, for example).

Observation is the key to success.

People’s personality comes out in a variety of ways, even when the person isn’t aware. Everything from personal style (how they dress), to their environment (how they set up their office), to social signals (verbal and nonverbal communication), reveals information about what personality type they are.

Want to type someone out?

Listen.

Watch.

Observe the things people are doing.

Recipe for Success

Then it’s simply a matter of being conscious of others’ personality styles and how your own (yes, you have a personality style too!) interacts with theirs, for good or for ill.

If you can do this successfully, it becomes easier to do all those neat things mentioned earlier – become more flexible in dealing with others, resolve conflicts, and improve communication with everyone.

So tell us – do you try to be aware of different personality types in your day-to-day life? Has knowing someone’s personality type ever helped you in your work, or has the converse ever happened – not being able to understand another’s personality style negatively impacted your business? Share with us in the comments!


Strategies and guidelines for developing a motivational strategy

by Trish Smith

Happy New Year! Has the year started with a bang, full of passion and excitement? Or is motivation lagging?

Last month we explored the concept of motivation and why employees’ motivation is important. As the year brims full of potential, the timing is perfect to develop and implement a motivational plan for your employees.

While there is no one-size-fits-all plan for improving employees’ motivation, there are some proven guidelines that simplify the process and lead to success. There are five factors considered essential to a successful program:

  • Flexibility
  • Increase positive behavior
  • Decrease negative behavior
  • Provide constant feedback and a framework for teaching skills
  • Be an overall positive approach

Is the problem really about motivation?

Before developing a motivational system, determine whether the problem is actually motivation. Could it be something else, such as lack of access to the tools needed to do the job, or the working conditions of the job itself?

These aren’t motivational issues and cannot be fixed with a motivational system. These and other environmental challenges need to be addressed beyond motivation.

No Limits?

Improving motivation is an investment. Investments have limits – so what is the organization willing to do to improve employee motivation? While this often boils down to cash, sometimes other investments can be beneficial, too. Regardless of the answer, it is essential to ask.

There is nothing more demotivating than to be promised something, only to find out afterwards that the company can’t or won’t do it.

Steps to create a motivational system

1. Analysis

The analysis is focused on determining what factors are in scope. Will efforts be to:

  • Implement a program based on performance?
  • Develop new ways to satisfy employees’ needs?
  • Change discipline policies?
  • Create new opportunities for employee learning?
  • Make the organization more receptive to employee feedback?

These are starting points – and the program will likely be a blend. The key during the analysis is to focus on where improvements will occur.

Without focus, the program risks turning into just another ineffective “flavor of the month”, making any future, well-intended change programs less likely to succeed.

Including employees in this process is critical to its success. After all, they’re the ones who best explain what would improve their motivation. Making them allies in the effort to create a workplace where they can bring their best will increase the chances of program success.

2. Development

This is the nuts and bolts of the system. Use all the resources at hand to develop the actual motivation strategies and specific methods, such as developing a new feedback system for employees to share ideas, a new continuing education program, or a recognition system for outstanding customer service. Make sure to involve relevant managers, executives, decision makers and influencers in the plan. Buy-in is important: the last thing the company wants is to roll out a new program without approval, only to have it shut down before it even gets a chance to work.

3. Materials

What materials are needed to support the program and engage people? Does it require new forms (electronic forms might be a strong option), a new company wiki, or a new guidebook?

Make sure to enlist the skills and talents of anyone who can help you in this area, including HR, IT, and administrative support. Michael often talks about finding and amplifying the good; when it comes to developing an effective program that truly engages people, this can be accomplished by letting them participate in the development and improvement of the materials.

4. Monitoring

The goal is to get it right the first time. But even if that happens, monitoring is an important, often overlooked, element. Monitoring provides insights and guidance necessary to make changes and help the system evolve.

When considering what and how to monitor, include goals, objectives, and criteria for their success. If possible, set dates by which the goals and objectives must be met.

Develop methods for people to track their progress in the program, or by which others (for example, their supervisor) can track progress.

Remember to focus on effectively tracking behaviors, not attitudes; goals and objectives need to be things that are quantifiable, not vague concepts. “Number of staff attending afternoon meeting” can be more easily tracked than a vague concept like “employee attitude”.

5. Training

Conduct training with management staff. After all, they are the ones primarily responsible for employee motivation, and the ones who can best observe motivation levels. Make sure the team understands the purpose of the program; that it’s not to punish employees, or to create a falsely positive atmosphere, but rather to deliver those things that employees feel are most important to their work, in order to create a workplace that employees can do their best work in.

6. Implementation

Simply put, it’s time to roll out the program. In smaller organizations, it’s possible to do this in a centralized manner, but for larger organizations it requires a phased approach. Regardless of how, it’s vital to initiate the program in a way that shows people it’s fully supported and an integral part of the organization’s processes.

7. Follow-up

Hold regular meetings to evaluate the program’s progress. Incorporate employee feedback in the program, and make changes to it as needed. The program will need adjustment as time goes by, as motivation is a journey, not a destination, and what works for one employee at one point in time may not work for them six months later.

Flexibility – the first of the five criteria – is key to success.

Implemented a motivational program? Starting one? Leave us a comment – we’d love to hear about your own journey.


When your employees don’t want to come to work anymore

What happens when people lose their motivation at work?

  • Less efficient use of resources
  • Less creative solutions (at a time when creativity is even more vital)
  • Less productivity

And worse, the possibility of security breaches and risks. Some companies learned this lesson the hard way: T-Mobile in the UK, Greengrocer.com, and the Office of the Attorney General of Maryland.

When employees lose motivation, they become less of exactly what the company needs: A creative, productive contributor. Worse, they might become angry and disgruntled, causing a loss or theft of essential company information.

Motivation – I know it when I see it

So what is this abstract concept called “motivation”? Is it like love – hard to define, but easy to recognize?

According to Webster’s, to motivate is to “provide with an incentive, move to action, impel”. Motivation is, put simply, giving others a reason to do something: To do their job well, to be creative, and to be an asset to the company.

Now that we’ve defined it, can we describe it? What are some common motivators? Some things that have been found to be effective motivators are:

  • Positive reinforcement
  • Effective discipline
  • Fair treatment
  • Satisfying employee needs
  • Setting work-related goals

Notice something missing from the list?

If you assumed that “more money” would be a lock, it turns out it isn’t. The Minneapolis Gas Company completed a 20-year study of motivation. They asked 44,000 employees what they desired most from a job and found that, surprisingly, wages were not highest on the list. Job security was, followed by advancement, type of work, and pride in the company.

But even without the study, we all know that providing motivation is a good thing. The challenge is “how?”

I’ve listed some basic concepts of motivation to help you devise a system to give employees what they need, so they can contribute their best work:

1. Be the change

Employees won’t be their most creative, energized selves – they won’t be assets to the organization – unless you are, first. As the Minneapolis Gas Company found, intangibles rank higher than wages, and they start with your attitude and energy. Simple actions can start the process. Ask yourself: “If I were one of my own employees, would I see myself as an asset to the organization? Does the work I do reflect my most innovative thinking?” Some ways you can start being the change you want to see are:

  • Welcome challenges. See them as opportunities, not as limitations. After all, without challenges, we don’t get a chance to exercise our skills and talents to their fullest potential.
  • Ask if there are better or different ways something can be done. Good innovators practice creativity; they generate solutions, ideas, and concepts in every aspect of their lives.
  • Be curious, ask questions, and develop problem-solving skills by practicing them.
  • Take action – have confidence in your ideas, and dare to express them. Don’t fear failure; it’s inevitable, and the only way we learn. Above all, be persistent – don’t give up.

Remember, the positive energy and creativity of your team start with you.

2. Size the motivation to the person

Despite what some people might try to tell (and sell) you, there’s no “one-size-fits-all” system of motivating employees. Each person is different, as is each organization. The key to effective motivation is to discover what moves each person to be their best and to be an asset to the company.

How?

Start by asking. Then stop to listen. Watch the quiet moments. Then continue the discussion.

3. Motivation is a journey, not a destination.

People and organizations change; what works for the employee and the company at one point might not be as effective months later. By listening to and observing employees, motivations can be adapted to their needs.

Treating motivation as a one-time event or a destination leads to a situation where it would have been better to do nothing at all. Commit to the journey and reap the rewards (and continue to read Security Catalyst to get ideas and support).

It might be dangerous and harmful to assume employees are motivated by “more money.” The “trick” is to figure out exactly what will move them to become greater assets to the company, then give it to them. In my next article I’ll explore in greater detail how to develop a motivational plan for your employees, and ways to overcome some common challenges in developing such plans.

What challenges have you experienced with motivation? What successes have you had? Share in the comments….

Sources:

  • Merriam-Webster’s Online Dictionary: http://www.websters.com
  • Accel Team Development: http://www.accel-team.com/motivation/
  • The Journal of Extension: http://www.joe.org/joe/1998june/rb3.php
  • The Free Management Library: http://managementhelp.org/guiding/motivate/basics.htm

How Not to Sell

by Trish Smith

Recently, I had an experience in the “non-tech” world that I think has parallels to many people’s experiences with technology, so I thought I’d share it with you.

Several weeks ago, my husband and I decided that we had had enough of our mattress; it was only four years old, but it was a memory foam mattress that developed a distinct body impression on my husband’s side. It was uncomfortable, to say the least. The furniture company that sold it to us is a store located here in town, so we had them come out and take a look at the mattress to see if it was defective. Sure enough, when they inspected it, they determined that it was, and that they would reimburse the purchase price of the mattress (with a store credit, of course). At this point we needed to buy a new mattress, and this is where the story goes south.

We already knew we wanted to purchase a “traditional” mattress, and not another memory foam mattress (we might be slow learners, but we’re not THAT slow). When we entered the furniture store, we were immediately pounced upon by a salesperson, who escorted us to the mattress department and asked us what we were looking for. We explained the situation with the store credit, and told him that we had decided to purchase a non-memory foam mattress because of our recent experience.

At this point, I should explain that we were not entirely against a memory foam mattress. If we could have found one with a good warranty and reliability, we might have purchased it. But instead, the salesman proceeded to try to “hard sell” us a $3,000 mattress (which was $1,300 above the amount of the store credit). When I indicated that we wanted to try to stay close to the amount of the store credit and that we weren’t entirely sold on “newfangled” latex foam, considering our last experience, the salesman made an obnoxious remark about latex actually being an old technology (since it’s been around for thousands of years). At that point, if the store credit situation hadn’t forced us to buy the mattress at that store, I would have gone to a different store and they would have lost my sale (which ultimately turned out to total around $2,000).

So what’s the lesson here? It’s obvious – regardless of whether your job is to sell technology to the public or to provide IT services to your organization, DON’T HARD SELL. Believe me when I tell you that your client will recognize this tactic from a mile away, and will run in the opposite direction.

But what is a “hard sell”? According to Wiktionary.com, it’s “a sales technique of pressuring the potential buyer to agree to a purchase”. It implies that, instead of providing customers with valid reasons for making the purchase, and helping them understand how the product will improve their jobs or their lives, salespeople simply subject customers to high-pressure tactics to get them to agree to the sale.

We’ve all been victims of the hard sell. Our society has even developed a stereotype of the hard seller: The car salesperson. Most of us recognize when we’re being pressured to buy something, and our first instinct is usually to run the other way. It doesn’t matter if the salesperson is an expert in the field; we don’t like being made to feel as though we “have to” do something by another person (even if we really do have to do something). It might be our contrary nature, but it doesn’t matter if the salesperson knows more than us (or just thinks he does); it doesn’t even matter if what we’re being sold is something we really do need. We will walk away from a hard sell.

So how do you avoid making a hard sell? Explain, explain, explain. Even if what you’re dealing with is a highly technical product, and the person you’re selling it to isn’t very technologically savvy, there are always ways to explain something in a way the customer will understand. Follow the therapeutic mantra, and “start from where the customer is”. Remember that when you don’t do this, when you instead attempt to pressure a client into a sale because you “know better”, I can guarantee you one thing:

Apply pressure tactics, and you can kiss that sale goodbye.


We’ve come a long way, baby…Or maybe not

by Trish Smith

Although at times I complain about it, I do truly enjoy my status as the only person in the Catalyst writers’ group without a formal background in IT. I believe that it does, as Michael tells me time and again, give me a unique perspective on the field.

It is from that perspective that I write my articles; none more so than today.

Recently, I had the not-so-pleasant experience of trying out different software for my blog. I run a personal website that I’ve recently expanded from a simple blog to a source for information on cooking and food preservation. Not only did I have some immediate needs for the new information I was putting on the blog, but I also anticipated having needs that my current software (Wordpress) would not be able to fulfill (things such as fillable forms, searchable lists, and more). At least, not in any easy or elegant way.

So the search began. I investigated two other website-building options: Joomla and Drupal. Well, to be perfectly honest, I only truly investigated Drupal; I looked into Joomla briefly and determined that it wouldn’t fit my needs. More precisely, I tried Scribd and found that it was too difficult for me to grasp quickly (of course, this is just my own experience; others may find they absolutely love it).

I spent an entire day exploring Drupal; I downloaded it and installed it on my server, and then began building my website.

Twenty-four hours later, I’m back on Wordpress (much like a misbehaving spouse, grateful to their partner for giving them a second chance after having strayed: “Oh Wordpress, I’m so sorry and it will NEVER HAPPEN AGAIN.”), and appreciating it more than ever.

So what have I learned from this experience that you could learn from (because really, why else would I write about it if not to help all of you out)?

First, I learned that “more complex/difficult/advanced” does not necessarily mean better. I thought that the increased flexibility (and as a result, increased complexity) of Drupal would be an advantage to building my website, but this is not always the case. Think of this phenomenon as occurring on a curve; not enough flexibility will hinder you, but more flexibility is useful only to a certain extent. After that point, more flexibility/complexity will begin to get in your way just as much as not enough of it will.

Second, I learned (firsthand) the adage about test-driving software on a local host (such as your desktop computer) before installing it on your server (and deleting your old software). If things don’t work out, you’ll have a LOT less work to do. Think of this as a safety net, just in case you need to change back. I would have easily saved myself four or five hours of work, even though some of the work was unavoidable because I changed my theme.

Third, I learned that failure is always an option. Specifically, I learned not to be so tied to the success of any new venture that I can’t admit that it’s not working, and that I need to try something else (or even return to my old software). Perhaps a better way to think of it is not as failure, but as a way to explore and determine the best option for you and whatever you’re developing. Would it have been better for me (and my website) to stick with Drupal, becoming increasingly frustrated with my own inability to grasp it (and becoming increasingly vociferous about it on Twitter, which really helps no one)? In this case, giving up the Drupal experiment was the best option (for me and for all 1800+ of my followers on Twitter).

Finally, I learned the best lesson of all: Try it, try it all, because it’s the only way you learn. I may have switched back to Wordpress from Drupal, but I’ve taken the lessons I learned from my Drupal experience and used them to improve my website on Wordpress. And ultimately, isn’t that the lesson we should learn in all our endeavors – on- and offline?


Revisit the basics

by Trish Smith

As our clients and customers naturally become more computer savvy, we often assume that they know (and remember) the basic tenets of security, including good “password hygiene”: Ensure that your password is difficult to guess, that it is never given to an unauthorized party, and that it is changed on a regular basis. But something happened today that reminded me that even the more knowledgeable among us can forget to be cautious when we are online.

I was on Twitter this morning (my username there is @Astrogirl426, if you’d like to add me to your follower list) when I began seeing tweets about a new service called “Twitviewer”. This service offered to let Twitter users find out who had recently viewed their Twitter page. Curious, I clicked the link and was sent to the Twitviewer home page, where I was prompted to enter my Twitter username and password.

Hopefully, this is the point at which anyone with a moderate amount of experience online would stop and think, “Hmm, this might not be a great idea. Let me wait and see if this service turns out to be legit.” Let me state here that there ARE some legitimate Twitter services that require you to enter your username and password to access them (TwitPic is just one of several). However, a brand-new service that requires your login information should always be approached with caution – if for no other reason than to see if any reports of “suspicious activity” surface.

Unfortunately, over the next few hours I saw quite a few of the people I follow on Twitter using the service (I knew this because the service sends out an automatic tweet from the individual when they use it for the first time). Sure enough, later in the afternoon I began reading warnings from Twitter against giving Twitter login information to this service.

So what did I learn from this? What can YOU learn from this? That even as people become more sophisticated about computers in general, and security in specific, we need to revisit the basics with them from time to time to remind them that these lessons are still important, and still relevant. And if you were one of those who used the Twitviewer service – change your password!


Getting to Know….Me

by Trish Smith

As an avid blog reader, I often find myself wanting more information about the writers of the blogs I read. Most of the blogs I read are personal blogs, and so I learn most of what I want to know through the blog content itself. But on a professional blog, such as this one, you rarely read much about the writers. I know that the bios of the Security Catalyst writers do give you some information, but I’m sure you’ve caught yourself wondering, from time to time, just who we are.

In that spirit, I’m devoting this month’s blog posting to a little “Getting to know you (or rather, me)” session. Hopefully by the time you’ve finished reading this, you’ll know a little more about me and about why I became a Security Catalyst writer.

My computer experience began in 1990, when my high school installed a computer lab and began offering various programming courses. I quickly discovered that, although I wasn’t interested in becoming a programmer (a course in C++ confirmed it), computers could be very useful to me. Unfortunately, personal computers were still at a fairly early stage, and didn’t offer much by way of everyday usefulness. My first computer was a Commodore 64; I love to horrify my teenage nephews with stories about how we used to have to use tapes (which looked exactly like audio tapes) to store programs. It wasn’t unusual for it to take an hour for a game we wanted to play to download off the tape, frequently including some corruption of the data that forced us to repeat the entire process. Thus, at this point computers were (for me, anyway) still largely used for playing games and noodling around with Basic programming (I can still write a mean program loop using IF – THEN). But I believe that by beginning my computer education as a kid, I didn’t cripple my quest for information with the fear that I might “break something” (which, in my experience, is the biggest barrier to most people becoming comfortable with computers).

My experience with, and exposure to, personal computing continued through college, where computers finally became fast enough and powerful enough to be more than just a toy. This is where they began to make my life as a student easier.

I continued using computers through graduate school, along the way graduating to a 386, then a 486, and then finally (finally!) moving to a Mac. You’d never know it from my devotion to Apple computers, but when I first began using Macs (spurred by a then-boyfriend’s proficiency in them and easy access to his then-blazing-fast laptop) I resisted them vigorously. It didn’t take me long, however, to discover their appeal, and barring some necessary forays into the world of Windows PCs for work (and to fix my husband’s PC from time to time), I’ve stayed with them ever since. One little-known secret: Apple computers are great for those of us with compulsive tendencies. When I owned a Windows machine, I was forever “cleaning up” my computer by deleting all the weirdly-named little files that were installed on my hard drive with new programs. Inevitably, the files I deleted were ones I needed to run some essential piece of programming. So the fact that Mac programs tend to be fairly self-contained is a definite plus for us OCD-types.

The other significant aspect of my experience on computers has been my “online” experience, or what the kids today call “social media” (and yes, that was said firmly tongue-in-cheek). I began my own social media exposure on Compuserve, in chatrooms and private IM. I remember the beginning of AOL (and oh, how we all loathed it then, too), and IRC, and even farther back, BBS’s. I have that to thank for my own lack of crippling awe over websites such as Twitter, Facebook, and MySpace.

So generally speaking, my comfort level with computers (and, by extension, with computer people/geeks/techies/what-have-you) was developed through years of exposure to computers, and through the realization that they really aren’t very intimidating at all (computers, that is; computer geeks are sometimes an entirely different story).

This is probably the simplest reason that I’m here, the only non-tech person writing in a sea of tech writers. I suspect I should be more intimidated than I am; but as I said, a long education in and exposure to computers have removed most of my sense of awe. Fortunately, they haven’t removed my interest in and fascination with them, which is the other reason I’m here. I see all of this as your benefit: My non-tech perspective on the tech world, my lack of awe, and my continuing fascination with and interest in computers are all characteristics I gladly use in service of you, our devoted readers.


A Multipart Letter to Employers of Security Professionals – Part 2

by Andrew Hay

My name is Andrew Hay and I, like many of my colleagues, work for an organization in an information security function. If you recall from my previous article, I attempted to impress upon you the need for organizations to support the continuous learning of their employed security staff. This article builds on the first article by explaining the need to support your employees’ training and certification goals.

One way to think about the costs of training your employees is to consider how much the United States invests in training individuals in the various branches of the military. The average cost to train a soldier is roughly $40,000 USD (http://wiki.answers.com/Q/What_is_the_cost_of_training_a_soldier_in_the_military). This figure doesn’t include the ongoing costs to learn new equipment, technologies, and to help them advance in their careers. That figure equates to roughly $400,000 USD for a career soldier serving in the most basic capacity. The United States military prides itself on the competence of its personnel, which is fostered by training, training, and more training.

Allowing your employees to attend training does not need to cost $400,000, though. Some organizations, such as the SANS Institute, offer work-study programs that allow you to attend a 6-day course in exchange for assisting the instructor, working at the bookstore, or helping with other miscellaneous conference activities. A nominal fee is charged but it is far less expensive than paying the full fee.

The old adage states, “Those who can’t do, teach.” But one of the best ways to ensure knowledge is kept current is to learn how to teach the concepts to another person. This forces the teacher to become more knowledgeable himself and, in most cases, learn the answers to questions or problems he himself might have had. One way to promote this skill is to support transfer of information sessions. Supporting employee transfer of information helps the business in several ways. It shows employees that their knowledge is valued and that you view them as an expert on particular topics. Interpersonal learning also lowers the overall cost of training for your organization and helps practitioners work on valuable communication and presentation skills – something that most organizations agree is lacking in many security professionals today.

In subsequent articles in this series, I will help you understand the other options for supporting security practitioners within your organization. With this knowledge you can ensure that your employees are being equipped with the tools they need to effectively manage the overall security of your business.


Coming Out of the “Cave”

by Trish Smith

As recently as five years ago, if you worked for the tech department of most organizations, your job responsibilities were pretty clear-cut.  You were expected to fix the hardware when it broke, “fix” the software when someone crashed a program, and install updates and software as necessary. The skills required were cut-and-dry, and the surprises were pretty minimal. As far as information security was concerned, it was usually enough to simply hand down security measures and escape back to the sanctity of the IT “cave”.

We’ve come a long way, baby.

In the past few years, everything about the field has changed. Not only do job descriptions look drastically different, but the environment in which those jobs are taking place has changed. Budgets are smaller, the threats to organizations are greater, and the skills that are required have broadened. People in general are also more tech-savvy, which makes the job both more and less difficult. On one hand, IT is dealing less and less with people who are completely unfamiliar with computers and the internet; on the other, a little bit of knowledge can be a dangerous thing. People sometimes know just enough to create problems, and not enough to be able to fix them on their own.

In addition, we’ve come to the realization that it’s no longer enough to simply possess technical skills; IT workers now need to work with the rest of the organization to make security measures more successful. As I’ll discuss further below, success is much more likely when members of the organization are included in the process, rather than simply having security measures foisted upon them.

However, what this means for infosec employees is that they need a whole new set of skills, including the ability to communicate the value of what they do to fellow employees and to management. Job security is far from guaranteed for any member of the organization. Involving the rest of the organization in the development of security measures ensures buy-in from the organization for the measures and makes the success of these measures far more likely (and by extension, of the IT department as well).

How does involving those affected by security measures in the process make those measures more likely to meet with success? First, simply by going to the employees themselves to get information about how they do their jobs, security measures become more specific to the people they’re actually supposed to help. A system that is designed around the people who are going to be using it is far more likely to be effective than one that isn’t.

Second, as people become more involved in the experience of creating these security processes, their fear of the measures that are introduced is diminished, making them more likely to comply and to be successful with such measures. They become partners in the security effort, and invested in its success.

True, change can be scary. But the opportunities inherent in such change make this an exciting time for the field. It’s not so bad out here after all.


A Multipart Letter to Employers of Security Professionals

by Andrew Hay

My name is Andrew Hay and I, like many of my colleagues, work for an organization in an information security function. What I’d like to impress upon you is the need for organizations to support the continuous learning of their employed security staff. The field of security is a constantly evolving entity and, to that end, requires its practitioners to be able to adapt. Most practitioners take the time to increase their knowledge by reading blogs, books, and papers in their spare time and by joining local security organizations. Some, depending on their geographic location, even pay out of their own pocket to attend local or domestic security conferences.

If your employees are taking the time to enhance their knowledge – knowledge that will inevitably be used to help protect the organization – shouldn’t the organization match that contribution?

That is the point of this, and future, articles. I would like to help you understand how you can contribute to the protection of your organization by assisting with the professional development of your security staff.

The first way to assist your employees is to allow them to attend industry conferences. Conferences are the best way for security practitioners to meet their peers, share war stories, and learn from the best minds in the industry. Many organizations are hesitant to send their staff to conferences due to the cost, but the average entrance cost of a big-ticket conference is roughly $1,500 USD, excluding flights, hotels, and meals. You’ll note how I mentioned the extra costs – flights, hotels, and meals – as a separate line item. Often, the cost of the conference isn’t the pain point; it’s the associated costs incurred by those attending.

Attending a security conference does not need to be expensive, however. Several organizations, such as ISSA, ISACA, OWASP, and many others, offer local low cost one- or multiple-day conferences that cater to practitioners in a particular geographic area. The conference content is excellent, the employee has the opportunity to network with peers, and the employer need not worry about huge travel-related expenses.

Ideally, the business should budget for one major conference, which may or may not be local, and one or two local conferences per budget year. This nominal investment not only helps bring cutting edge knowledge back into the organization, it also boosts the employees’ view of the organization that they work for.

In subsequent articles in this series, I will strive to help you understand the other avenues for supporting security practitioners within your organization. With this knowledge you can ensure that your employees are being equipped with the weapons to effectively manage the overall security of your business. Until next time.
