<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
xmlns:rawvoice="http://www.rawvoice.com/rawvoiceRssModule/"
>

<channel>
	<title>The Security Catalyst&#187; Trish Smith</title>
	<atom:link href="http://www.securitycatalyst.com/author/trishsmith/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securitycatalyst.com</link>
	<description>harnessing the human side of security</description>
	<lastBuildDate>Wed, 25 Jan 2012 15:57:57 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
<!-- podcast_generator="Blubrry PowerPress/2.0.4" -->
	<itunes:summary>harnessing the human side of security</itunes:summary>
	<itunes:author>The Security Catalyst</itunes:author>
	<itunes:explicit>no</itunes:explicit>
	<itunes:image href="http://www.securitycatalyst.com/wp-content/plugins/powerpress/itunes_default.jpg" />
	<itunes:subtitle>harnessing the human side of security</itunes:subtitle>
	<image>
		<title>The Security Catalyst&#187; Trish Smith</title>
		<url>http://www.securitycatalyst.com/wp-content/plugins/powerpress/rss_default.jpg</url>
		<link>http://www.securitycatalyst.com</link>
	</image>
		<item>
		<title>Five common myths about technology and productivity</title>
		<link>http://www.securitycatalyst.com/2010/04/five-common-myths-about-technology-and-productivity/</link>
		<comments>http://www.securitycatalyst.com/2010/04/five-common-myths-about-technology-and-productivity/#comments</comments>
		<pubDate>Fri, 23 Apr 2010 10:00:07 +0000</pubDate>
		<dc:creator>Trish Smith</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2925</guid>
		<description><![CDATA[by Trish Smith Since the Industrial Revolution, people have assumed that more technology = more productivity. If the mimeograph is good, the photocopier must be better! If faxes are good, scanners are better! If email is good, texting is&#8230;well, you get the idea. While these are (or were) useful tools, the belief that anything shinier [...]]]></description>
			<content:encoded><![CDATA[<p><strong>by Trish Smith<a href="http://www.securitycatalyst.com/wp-content/uploads/2010/04/1189220_chinese_dragon.jpg"><img class="alignright size-full wp-image-2927" title="1189220_chinese_dragon" src="http://www.securitycatalyst.com/wp-content/uploads/2010/04/1189220_chinese_dragon.jpg" alt="" width="225" height="300" /></a></strong></p>
<p>Since the Industrial Revolution, people have assumed that more technology = more productivity. If the mimeograph is good, the photocopier must be better! If faxes are good, scanners are better! If email is good, texting is&#8230;well, you get the idea.</p>
<p>While these are (or were) useful tools, the belief that anything shinier and newer is going to automatically make &#8220;the job&#8221; (whatever job that happens to be) easier, quicker or more enjoyable is deceptive.</p>
<p>Here are five common myths about technology and productivity that most of us probably believe, to one extent or another.</p>
<h3>Myth #1: Constant connectivity is a good thing.</h3>
<p>We&#8217;ve all worked in those offices &#8211; where every employee is expected to be reachable at every moment, and several hundred emails a day is par for the course. There are jobs and projects where that level of connectedness is necessary, but those are few and far between.</p>
<p>For everyone else, that level of &#8220;checking in&#8221; stifles, rather than encourages, creative thinking and productivity. After all, when most of the workday is spent emailing other members of the team and checking in with the boss, how is there any time left to actually do the job?</p>
<h3>Myth #2: Email is better. For everything.</h3>
<p>As much as email has changed our lives for the better, the idea that email works for every situation is patently false. Angry customer? Potential client? You might be better off reaching out to them via phone.</p>
<p>Work on curbing that reflexive need we all seem to have, to use email for any and every communication.</p>
<p>There are countless stories about conflicts that were caused &#8211; or aggravated &#8211; by a misunderstood email. If you want to avoid causing these types of situations in the future, remember that there are definite times when email is a bad idea: when you&#8217;re emotional, when you&#8217;ve wronged someone (an emailed apology can sometimes be perceived to be as insulting as the original affront), when you&#8217;re unsure what you want, or when you simply have nothing to add.</p>
<p>Email is nothing more than a tool &#8211; a potentially useful one. But like any other, it can be misused.</p>
<h3>Myth #3: Everyone is as computer-literate as I am.</h3>
<p>This is a myth that&#8217;s become more and more prevalent as the years have passed. After all, computers have been a part of our society for the past twenty years. How could any adult not have become fairly computer literate in that time?</p>
<p>Sure, in the beginning, there were holdouts &#8211; usually older people who had spent most of their adult life without computers. But now, when our own grandparents have computers, it&#8217;s assumed that everyone must be at least somewhat capable of using the basics &#8211; email, word processing, and the web.</p>
<p>Well, it&#8217;s simply not true.</p>
<p>The &#8220;digital divide&#8221; &#8211; the divide between those with access to technology and those without &#8211; is still there, shrinking though it might be. Those who are especially likely to be on the wrong side of this divide include low-income persons, the less educated, and children of single-parent households, particularly those who live in rural areas and central cities.</p>
<p>Business owners, politicians, and anyone who&#8217;s trying to reach the general population need to realize that potential customers and constituents may not be able to access email or a website, or order products online. We&#8217;re not all on the bleeding edge &#8211; or even the cutting edge.</p>
<h3>Myth #4: Computers have replaced the pen.</h3>
<p>This myth is related to myth #2, about email always being better. But it goes beyond that. The belief that &#8220;computers are better&#8221; often creates the belief that there is no place for pen and paper. But there are at least three times when pen and paper are superior to computers:</p>
<ul>
<li><strong>Visual learners.</strong> For those of us who are visual learners, we benefit from using a whiteboard, flip chart, or even a pad and paper to physically map out our ideas.</li>
<li><strong>Speed.</strong> It is sometimes faster &#8211; and more productive &#8211; to scribble away on a piece of paper. Not every idea requires starting up the computer and creating a document. There&#8217;s something to be said for a small notebook for jotting down ideas.</li>
<li><strong>Tactility.</strong> There are at least two sensory processes (touch and sight) involved in the writing-down of ideas on a piece of paper, that we don&#8217;t experience in the same way when we use computers. That experience can be essential to the thought process, and can&#8217;t be replaced by typing on a keyboard.</li>
</ul>
<h3>Myth #5: Newer is always better.</h3>
<p>The rate of technology development is increasing exponentially. The time it takes for new hardware or software to appear on the market has gone from years to months. Last year&#8217;s &#8220;cutting edge&#8221; cell phone has already been surpassed by at least one newer model. Laptops purchased in 2008 have been surpassed at least twice by sleeker, faster versions.</p>
<p>But before running out to replace that &#8220;old&#8221; cell phone or laptop, think carefully.</p>
<p>If the newer version hadn&#8217;t come out, would the current versions still be enough? Are they able to get the job done?</p>
<p>This applies to businesses as well as individuals. Making purchases based simply on the fact that a &#8220;new version&#8221; now exists is a waste of money. Of course, there are times when newer technology is necessary to the business (such as with new versions of operating systems, which have important security updates). And who doesn&#8217;t love unwrapping that box with the brand new computer? But to assume that just because a newer version comes out, we need it, is an incorrect &#8211; and expensive &#8211; fallacy.</p>
<p>Ultimately, it&#8217;s up to us to decide how technology will bring us success in our lives and our careers. Remember that technology is a tool, like any other. How we use it &#8211; or how we let it use us &#8211; will be an important step toward that success.</p>
<p>Are you holding on to any of these myths? Have you overcome any of them, and if so, how? Share with us in the comments &#8211; we&#8217;d love to hear about it!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2010/04/five-common-myths-about-technology-and-productivity/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Managing extroverts and introverts</title>
		<link>http://www.securitycatalyst.com/2010/04/managing-extroverts-and-introverts/</link>
		<comments>http://www.securitycatalyst.com/2010/04/managing-extroverts-and-introverts/#comments</comments>
		<pubDate>Thu, 01 Apr 2010 12:40:04 +0000</pubDate>
		<dc:creator>Trish Smith</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[leadership]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2883</guid>
		<description><![CDATA[by Trish Smith It is important to understand personality types and traits when working with and managing other people (check out my article about that here). There are two traits with the strongest influence on personality style. An understanding of these provides advantages for managing and communicating &#8211; advantages that are essential for success. The [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2010/04/1024035_yin_yang.jpg"><img class="alignright size-full wp-image-2885" title="1024035_yin_yang" src="http://www.securitycatalyst.com/wp-content/uploads/2010/04/1024035_yin_yang.jpg" alt="" width="300" height="193" /></a>by Trish Smith</p>
<p>It is important to understand personality types and traits when working with and managing other people (check out my article about that <a href="http://www.securitycatalyst.com/2010/02/personality-types-your-key-to-better-business-relationships/" target="_self">here</a>). There are two traits with the strongest influence on personality style. An understanding of these provides advantages for managing and communicating &#8211; advantages that are essential for success.</p>
<p>The two types?</p>
<p>You guessed it: extrovert and introvert.</p>
<p>While the words introvert and extrovert are used often &#8211; and often used to justify behavior &#8211; it is useful to take a step back and consider the two types in a different light.</p>
<p><strong>The extrovert</strong><br />
Extroverts are known for their assertive and outgoing nature. But extroverts aren&#8217;t assertive just because they like telling people what to do; they actually thrive on external sources of energy.</p>
<p>They seek out human interaction and lean toward the gregarious. They enjoy activities that give them the opportunity to interact with larger groups, both business and social, such as conferences, parties, community activities, public demonstrations, and highly active membership groups &#8211; all strong sources of energy they can feed on, amplify and contribute to.</p>
<p>In the workplace, extroverts are less likely to find reward in individual projects. They enjoy work that involves large groups and will engage in activities that introverts might consider risky, such as public speaking and assuming leadership positions. They are often comfortable expressing opinions confidently and vocally. This can give others the impression that extroverts have a greater self-image, which is not always the case.</p>
<p><strong>The introvert</strong><br />
Classically, introverts tend to be more reserved in behavior. But consider this: introverts generate their own energy &#8211; and sometimes need to step back in order to do it.</p>
<p>They seek out fewer social interactions; this does not mean they are asocial, but rather that they prefer interacting with smaller groups or individually than with larger groups. They also take more pleasure in solitary activities such as reading and writing than their extroverted counterparts.</p>
<p>At work, introverts enjoy projects that allow them to work on their own or in small groups. They tend to prefer working on one project at a time (or on fewer projects at one time), and will be more likely to observe a situation before jumping right in. They tend to speak only after they can validate what they are about to say. Introverts need time alone to &#8220;recharge&#8221;; it is essential they be provided with opportunities to do this.</p>
<p><strong>Successfully managing the two personality types</strong><br />
It&#8217;s important to leverage extroverts&#8217; innate sociability. Their outgoing nature makes them naturals as salespeople, account managers, or in any other position where they deal with clients, potential clients, and other members of the organization &#8211; where they can thrive on available energy.</p>
<p>Take advantage of their leadership tendencies by providing them with opportunities to take the reins on projects.</p>
<p>Extroverts often make very good team members, so don&#8217;t feel that it&#8217;s necessary to always put them in a leadership position. Often, extroverts in team situations will serve to improve the energy of fellow team members.</p>
<p>Introverts, by contrast, usually prefer to be given projects they can manage individually, or with one or two others. They also tend to be more detail-oriented, and do better with projects that do not require them to perform many tasks simultaneously. Use their high level of focus to the business&#8217;s (and their) advantage. Introverts can often be quite taciturn until they produce desired results, so do not assume that lack of communication means they are not concerned with the outcome of the project; quite the opposite. Much of the processing that introverts do is internal, so they sometimes forget to communicate progress on the project to others.</p>
<p>As a team, these two temperaments can balance each other out well, if each can remember that the other has different work styles. Extroverts might find introverts&#8217; natural analytical style to be too confining, and introverts might consider extroverts&#8217; risk-taking to be too reckless. But if each can remember that the other has something to bring to the project, and that &#8220;different&#8221; can be beneficial, then these kinds of partnerships can be worthwhile &#8211; and even educational &#8211; for everyone involved.</p>
<p>Have you ever been in a position to manage these two temperaments? How have you used their natural strengths to the project&#8217;s advantage? And do you recognize yourself as one or the other &#8211; or do you feel you have elements of both extroversion and introversion in your own personality? Share with us in the comments!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2010/04/managing-extroverts-and-introverts/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Personality types: Your key to better business relationships</title>
		<link>http://www.securitycatalyst.com/2010/02/personality-types-your-key-to-better-business-relationships/</link>
		<comments>http://www.securitycatalyst.com/2010/02/personality-types-your-key-to-better-business-relationships/#comments</comments>
		<pubDate>Wed, 17 Feb 2010 11:00:31 +0000</pubDate>
		<dc:creator>Trish Smith</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2737</guid>
		<description><![CDATA[by Trish Smith If there&#8217;s one lesson Michael Santarcangelo has taught me, it&#8217;s that security (and business) aren&#8217;t just &#8220;about business&#8221;. They&#8217;re about people. People who we get along with, people who we (as much as we might not like to admit it) don&#8217;t always get along with. But unless we&#8217;re Steve Jobs, we don&#8217;t [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2010/02/284743_card_index_box.jpg"><img class="size-full wp-image-2738 alignright" title="284743_card_index_box" src="http://www.securitycatalyst.com/wp-content/uploads/2010/02/284743_card_index_box.jpg" alt="" width="300" height="225" /></a>by Trish Smith</p>
<p>If there&#8217;s one lesson Michael Santarcangelo has taught me, it&#8217;s that security (and business) aren&#8217;t just &#8220;about business&#8221;. They&#8217;re about people. People who we get along with, people who we (as much as we might not like to admit it) don&#8217;t always get along with. But unless we&#8217;re Steve Jobs, we don&#8217;t have much choice who we need to interact with (and I&#8217;ll bet even Steve has to deal with people he doesn&#8217;t get along with too well, sometimes).</p>
<h3>It&#8217;s about the people, stupid.</h3>
<p>This article shares information to become more flexible, adaptable, and resilient in dealing with others.</p>
<p>Imagine the power of being able to predict, prevent, and resolve conflicts.  How about improving communications with co-workers, clients, and peers?</p>
<p>This might sound like a pretty big claim, but when learning about personality and how it determines the ways people interact, this information is invaluable.</p>
<h3>What is a &#8220;personality type&#8221;?</h3>
<p>In modern psychology, there are two ways to think about personality: &#8220;traits&#8221; or &#8220;types.&#8221; Personality trait theories suggest two people can both be extroverts, but be very different in terms of how strong the trait is in their personality (for example, Bob and Mike might both be extroverts, but the trait is much stronger in Mike than it is in Bob). This view of personality sees it as existing along a continuum, rather than as an &#8220;either/or&#8221;.</p>
<p>&#8220;Personality type&#8221; approaches suggest people either have a characteristic or not. An individual is an introvert or an extrovert, assertive or passive, someone who works well in groups or not. This view is the more popular one among those who study personality today, and as such, is the one we&#8217;ll explore in more depth.</p>
<h3>Defining the Type</h3>
<p>The most common instrument to measure personality type is the Myers-Briggs Type Indicator (MBTI). It&#8217;s widely used by businesses (and individuals) to better understand personality. It usually consists of about 70 questions that ask you about your likes, dislikes, opinions, and personality characteristics. It then groups people into several &#8220;types&#8221; based on four personality traits:</p>
<ul>
<li>Extroversion/introversion (need external contact to recharge, or time alone?)</li>
<li>Intuition/sensing (trust more in own feelings or in external observations?)</li>
<li>Thinking/feeling (the dominant force relied upon to make decisions?)</li>
<li>Judgement/perception (the need to organize life or let the chips fall as they may?)</li>
</ul>
<p>Although it would be useful to be able to administer this test to everyone we deal with day-to-day (as impractical as that might be), it&#8217;s not necessary.</p>
<p>Usually, it&#8217;s enough to simply understand which of the different personality types someone is, and keep that in mind when dealing with others. For example, recognizing that a team member is closer to the &#8220;judgement&#8221; end of the judgement/perception scale will help explain why they need to research and plan out every move of the project.</p>
<p>We can understand other people&#8217;s personality differences without making value judgements. John isn&#8217;t trying to drive you crazy by going with his feelings on a decision; he&#8217;s simply on the &#8220;feeling&#8221; end of the thinking/feeling scale, and that&#8217;s how he makes decisions.</p>
<p>This knowledge reduces frustration and improves approach to others &#8211; especially if an action is needed on their part.</p>
<h3>Learning how to type others</h3>
<p>So how do we figure out which personality type someone is?</p>
<p>We can&#8217;t very well hand everyone a Myers-Briggs test (although if the topic is brought up, it&#8217;s likely that at least one person in the group will volunteer not only that they have taken the test, but what their result was: That they are an &#8220;INTJ&#8221;, for example).</p>
<p>Observation is the key to success.</p>
<p>People&#8217;s personality comes out in a variety of ways, even when the person isn&#8217;t aware. Everything from personal style (how they dress), to their environment (how they set up their office), to social signals (verbal and nonverbal communication), reveals information about what personality type they are.</p>
<p>Want to type someone out?</p>
<p>Listen.</p>
<p>Watch.</p>
<p>Observe the things people are doing.</p>
<h3>Recipe for Success</h3>
<p>Then it&#8217;s simply a matter of being conscious of others&#8217; personality styles and how your own (yes, you have a personality style too!) interacts with theirs, for good or for ill.</p>
<p>If you can do this successfully, it becomes easier to do all those neat things mentioned earlier &#8211; become more flexible in dealing with others, resolve conflicts, and improve communication with everyone.</p>
<p>So tell us &#8211; do you try to be aware of different personality types in your day-to-day life? Has knowing someone&#8217;s personality type ever helped you in your work, or has the converse ever happened &#8211; not being able to understand another&#8217;s personality style negatively impacted your business? Share with us in the comments!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2010/02/personality-types-your-key-to-better-business-relationships/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Strategies and guidelines for developing a motivational strategy</title>
		<link>http://www.securitycatalyst.com/2010/01/strategies-and-guidelines-for-developing-a-motivational-strategy/</link>
		<comments>http://www.securitycatalyst.com/2010/01/strategies-and-guidelines-for-developing-a-motivational-strategy/#comments</comments>
		<pubDate>Thu, 21 Jan 2010 11:00:52 +0000</pubDate>
		<dc:creator>Trish Smith</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2698</guid>
		<description><![CDATA[by Trish Smith Happy New Year! Has the year started with a bang, full of passion and excitement? Or is motivation lagging? Last month we explored the concept of motivation and why employees&#8217; motivation is important. As the year brims full of potential, the timing is perfect to develop and implement a motivational plan for your [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2010/01/raised-hands.jpg"><img class="size-full wp-image-2700 alignright" title="raised hands" src="http://www.securitycatalyst.com/wp-content/uploads/2010/01/raised-hands.jpg" alt="" width="300" height="225" /></a>by Trish Smith</p>
<p>Happy New Year! Has the year started with a bang, full of passion and excitement? Or is motivation lagging?</p>
<p>Last month we explored the concept of motivation and why employees&#8217; motivation is important. As the year brims full of potential, the timing is perfect to develop and implement a motivational plan for your employees.</p>
<p>While there is no one-size-fits-all plan for improving employees&#8217; motivation, there are some proven guidelines that simplify the process and lead to success. There are five factors considered essential to a successful program:</p>
<ul>
<li>Flexibility</li>
<li>Increase positive behavior</li>
<li>Decrease negative behavior</li>
<li>Provide constant feedback and a framework for teaching skills</li>
<li>Be an overall positive approach</li>
</ul>
<p><strong>Is the problem really about motivation?</strong></p>
<p>Before developing a motivational system, determine whether the problem is actually motivation. Could it be something else, such as lack of access to the tools needed to do the job, or the working conditions of the job itself?</p>
<p>These aren&#8217;t motivational issues and cannot be fixed with a motivational system. These and other environmental challenges need to be addressed beyond motivation.</p>
<p><strong>No Limits?</strong></p>
<p>Improving motivation is an investment. Investments have limits &#8211; so what is the organization willing to do to improve employee motivation? While this often boils down to cash, sometimes other investments can be beneficial, too. Regardless of the answer, it is essential to ask.</p>
<p>There is nothing more demotivating than to be promised something, only to find out afterwards that the company can&#8217;t or won&#8217;t do it.</p>
<p><em><strong>Steps to create a motivational system</strong></em></p>
<p><span style="font-family: Arial, sans-serif; font-size: small;"><strong>1. Analysis</strong></span></p>
<p>The analysis is focused on determining what factors are in scope. Will efforts be to:</p>
<ul>
<li>Implement a program based on performance?</li>
<li>Develop new ways to satisfy employees&#8217; needs?</li>
<li>Change discipline policies?</li>
<li>Create new opportunities for employee learning?</li>
<li>Make the organization more receptive to employee feedback?</li>
</ul>
<p>These are starting points &#8211; and the program will likely be a blend. The key during the analysis is to focus on where improvements will occur.</p>
<p>Without focus, the risk is of turning the program into just another ineffective &#8220;flavor of the month&#8221;, and making the chances of any future, well-intended change programs less successful.</p>
<p>Including employees in this process is critical to its success. After all, they&#8217;re the ones who best explain what would improve their motivation. Making them allies in the effort to create a workplace where they can bring their best will increase the chances of program success.</p>
<p><span style="font-family: Arial, sans-serif; font-size: small;"><strong>2. Development</strong></span></p>
<p>This is the nuts and bolts of the system. Use all the resources at hand to develop the actual motivation strategies and specific methods, such as developing a new feedback system for employees to share ideas, a new continuing education program, or a recognition system for outstanding customer service. Make sure to involve relevant managers, executives, decision makers and influencers in the plan. Buy-in is important: the last thing the company wants is to roll out a new program without approval, only to have it shut down before it even gets a chance to work.</p>
<p><span style="font-family: Arial, sans-serif; font-size: small;"><strong>3. Materials</strong></span></p>
<p>What materials are needed to support the program and engage people? Does it require new forms (electronic forms might be a strong option), a new company wiki, or a new guidebook?</p>
<p>Make sure to enlist the skills and talents of anyone who can help you in this area, including HR, IT, and administrative support. Michael often talks about finding and amplifying the good; when it comes to developing an effective program that truly engages people, this can be accomplished by letting them participate in the development <strong>and improvement</strong> of the materials.</p>
<p><span style="font-family: Arial, sans-serif; font-size: small;"><strong>4. Monitoring</strong></span></p>
<p>The goal is to get it right the first time. But even if that happens, monitoring is an important, often overlooked, element. Monitoring provides insights and guidance necessary to make changes and help the system evolve.</p>
<p>When considering what and how to monitor, include goals, objectives, and criteria for their success. If possible, set dates by which the goals and objectives must be met.</p>
<p>Develop methods for people to track their progress in the program, or by which others (for example, their supervisor) can track progress.</p>
<p>Remember to focus on effectively tracking behaviors, not attitudes; goals and objectives need to be things that are quantifiable, not vague concepts. &#8220;Number of staff attending afternoon meeting&#8221; can be more easily tracked than a vague concept like &#8220;employee attitude&#8221;.</p>
<p><span style="font-family: Arial, sans-serif; font-size: small;"><strong>5. Training</strong></span></p>
<p>Conduct training with management staff. After all, they are the ones primarily responsible for employee motivation, and the ones who can best observe motivation levels. Make sure the team understands the purpose of the program; that it&#8217;s not to punish employees, or to create a falsely positive atmosphere, but rather to deliver those things that employees feel are most important to their work, in order to create a workplace that employees can do their best work in.</p>
<p><span style="font-family: Arial, sans-serif; font-size: small;"><strong>6. Implementation</strong></span></p>
<p>Simply put, it&#8217;s time to roll out the program. In smaller organizations, it&#8217;s possible to do this in a centralized manner, but for larger organizations it requires a phased approach. Regardless of how, it&#8217;s vital to initiate the program in a way that shows people it&#8217;s fully supported and an integral part of the organization&#8217;s processes.</p>
<p><strong>7. Follow-up</strong></p>
<p>Hold regular meetings to evaluate the program&#8217;s progress. Incorporate employee feedback in the program, and make changes to it as needed. The program will need adjustment as time goes by, as motivation is a journey, not a destination, and what works for one employee at one point in time may not work for them six months later.</p>
<p>Flexibility &#8211; the first of the five criteria &#8211; is key to success.</p>
<p>Implemented a motivational program? Starting one? Leave us a comment &#8211; we&#8217;d love to hear about your own journey.</p>
<p>Sources:</p>
<p>http://docs.google.com/viewer?a=v&#038;q=cache:S4_J9QwXOJYJ:slo.sbcc.edu/wp-content/uploads/motivation.pdf+how+to+develop+motivational+system&#038;hl=en&#038;gl=us&#038;sig=AHIEtbTiEUmbld3vu7u73h2v5wNcLi3N0Q&#038;pli=1</p>
<p>http://docs.google.com/viewer?a=v&#038;q=cache:ltZWfJqyQIQJ:www.mooseheart.org/pdf/PacketOfEffectiveSkills.pdf+how+to+develop+a+motivational+system&#038;hl=en&#038;gl=us&#038;sig=AHIEtbQ-2Sr1PVmIJi7fvM2NstQPZX0ZhA</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2010/01/strategies-and-guidelines-for-developing-a-motivational-strategy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>When your employees don&#8217;t want to come to work anymore</title>
		<link>http://www.securitycatalyst.com/2009/12/when-your-employees-dont-want-to-come-to-work-anymore/</link>
		<comments>http://www.securitycatalyst.com/2009/12/when-your-employees-dont-want-to-come-to-work-anymore/#comments</comments>
		<pubDate>Wed, 16 Dec 2009 13:36:46 +0000</pubDate>
		<dc:creator>Trish Smith</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[leadership]]></category>
		<category><![CDATA[motivation]]></category>
		<category><![CDATA[team]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2622</guid>
		<description><![CDATA[What happens when people lose their motivation at work? Less efficient use of resources Less creative solutions (at a time when creativity is even more vital) Less productivity And worse, the possibility of security breaches and risks. Some companies learned this lesson the hard way: TMobile in the UK, Greengrocer.com, and the Office of [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/12/833690_laddertoheaven.jpg"><img class="alignright size-full wp-image-2604" title="833690_laddertoheaven" src="http://www.securitycatalyst.com/wp-content/uploads/2009/12/833690_laddertoheaven.jpg" alt="833690_laddertoheaven" width="225" height="300" /></a>What happens when people lose their motivation at work?</p>
<ul>
<li>Less efficient use of resources</li>
<li>Less creative solutions (at a time when creativity is even more vital)</li>
<li>Less productivity</li>
</ul>
<p>And worse, the possibility of security breaches and risks. Some companies learned this lesson the hard way: TMobile in the UK, Greengrocer.com, and the Office of the Attorney General of Maryland.</p>
<p>When employees lose motivation, they become less of exactly what the company needs: A creative, productive contributor. Worse, they might become angry and disgruntled, causing a loss or theft of essential company information.</p>
<h3 style="font-size: 1.17em;">Motivation &#8211; I know it when I see it</h3>
<p>So what is this abstract concept called &#8220;motivation&#8221;? Is it like love &#8211; hard to define, but easy to recognize?</p>
<p>According to Webster&#8217;s, to motivate is to &#8220;provide with an incentive, move to action, impel&#8221;. Motivation is, put simply, giving others a reason to do something: To do their job well, to be creative, and to be an asset to the company.</p>
<p>Now that we&#8217;ve defined it, can we describe it? What are some common motivators? Some things that have been found to be effective motivators are:</p>
<ul>
<li>Positive reinforcement</li>
<li>Effective discipline</li>
<li>Fair treatment</li>
<li>Satisfying employee needs</li>
<li>Setting work-related goals</li>
</ul>
<p>Notice something missing from the list?</p>
<p>If you assumed that &#8220;more money&#8221; would be a lock, it turns out it isn&#8217;t. The Minneapolis Gas Company completed a 20-year study of motivation. They asked 44,000 employees what they desired most from a job and found that, surprisingly, wages were not highest on the list. Job security was, followed by advancement, type of work, and pride in the company.</p>
<p>But even without the study, we all know that providing motivation is a good thing. The challenge is &#8220;how?&#8221;</p>
<p>I&#8217;ve listed some basic concepts of motivation to help you devise a system to give employees what they need, so they can contribute their best work:</p>
<h3 style="font-size: 1.17em;">1. Be the change</h3>
<p>Employees won&#8217;t be their most creative, energized selves &#8211; they won&#8217;t be assets to the organization &#8211; unless you are, first. As the Minneapolis Gas Company found, intangibles rank higher than wages, and they start with your attitude and energy. Simple actions can start the process. Ask yourself: &#8220;If I were one of my own employees, would I see myself as an asset to the organization? Does the work I do reflect my most innovative thinking?&#8221; Some ways you can start being the change you want to see are:</p>
<ul>
<li>Welcome challenges. See them as opportunities, not as limitations. After all, without challenges, we don&#8217;t get a chance to exercise our skills and talents to their fullest potential.</li>
<li>Ask if there are better or different ways something can be done. Good innovators practice creativity; they generate solutions, ideas, and concepts in every aspect of their lives.</li>
<li>Be curious, ask questions, and develop problem-solving skills by practicing them.</li>
<li>Take action &#8211; have confidence in your ideas, and dare to express them. Don&#8217;t fear failure; it&#8217;s inevitable, and the only way we learn. Above all, be persistent &#8211; don&#8217;t give up.</li>
</ul>
<p>Remember, the positive energy and creativity of your team start with you.</p>
<h3 style="font-size: 1.17em;">2. Size the motivation to the person</h3>
<p>Despite what some people might try to tell (and sell) you, there&#8217;s no &#8220;one-size-fits-all&#8221; system of motivating employees. Each person is different, as is each organization. The key to effective motivation is to discover what moves each person to be their best and to be an asset to the company.</p>
<p>How?</p>
<p>Start by asking. Then stop to listen. Watch the quiet moments. Then continue the discussion.</p>
<h3 style="font-size: 1.17em;">3. Motivation is a journey, not a destination.</h3>
<p>People and organizations change; what works for the employee and the company at one point might not be as effective months later. By listening to and observing employees, motivations can be adapted to their needs.</p>
<p>Treating motivation as a one-time event or a destination leads to a situation where it would have been better to do nothing at all. Commit to the journey and reap the rewards (and continue to read Security Catalyst to get ideas and support).</p>
<p>It might be dangerous and harmful to assume employees are motivated by &#8220;more money.&#8221; The &#8220;trick&#8221; is to figure out exactly what will move them to become greater assets to the company, then give it to them. In my next article I&#8217;ll explore in greater detail how to develop a motivational plan for your employees, and ways to overcome some common challenges in developing such plans.</p>
<p>What challenges have you experienced with motivation? What successes have you had? Share in the comments&#8230;</p>
<p><em>Sources:</em></p>
<ul>
<li><em>Merriam-Webster&#8217;s Online Dictionary: http://www.websters.com</em></li>
<li><em>Accel Team Development: http://www.accel-team.com/motivation/</em></li>
<li><em>The Journal of Extension: http://www.joe.org/joe/1998june/rb3.php</em></li>
<li><em>The Free Management Library: http://managementhelp.org/guiding/motivate/basics.htm</em></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/12/when-your-employees-dont-want-to-come-to-work-anymore/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How Not to Sell</title>
		<link>http://www.securitycatalyst.com/2009/09/how-not-to-sell/</link>
		<comments>http://www.securitycatalyst.com/2009/09/how-not-to-sell/#comments</comments>
		<pubDate>Tue, 29 Sep 2009 13:05:46 +0000</pubDate>
		<dc:creator>Trish Smith</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[selling]]></category>
		<category><![CDATA[service]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2301</guid>
		<description><![CDATA[by Trish Smith Recently, I had an experience in the &#8220;non-tech&#8221; world that I think has parallels to many people&#8217;s experiences with technology, so I thought I&#8217;d share it with you. Several weeks ago, my husband and I decided that we had had enough of our mattress; it was only four years old, but [...]]]></description>
			<content:encoded><![CDATA[<p>by Trish Smith <a href="http://www.securitycatalyst.com/wp-content/uploads/2009/09/1152597_paid_invoice.jpg"><img class="alignright size-full wp-image-2357" title="1152597_paid_invoice" src="http://www.securitycatalyst.com/wp-content/uploads/2009/09/1152597_paid_invoice.jpg" alt="1152597_paid_invoice" width="300" height="200" /></a></p>
<p>Recently, I had an experience in the &#8220;non-tech&#8221; world that I think has parallels to many people&#8217;s experiences with technology, so I thought I&#8217;d share it with you.</p>
<p>Several weeks ago, my husband and I decided that we had had enough of our mattress; it was only four years old, but it was a memory foam mattress that developed a distinct body impression on my husband&#8217;s side. It was uncomfortable, to say the least. The furniture company that sold it to us is a store located here in town, so we had them come out and take a look at the mattress to see if it was defective. Sure enough, when they inspected it, they determined that it was, and that they would reimburse the purchase price of the mattress (with a store credit, of course). At this point we needed to buy a new mattress, and this is where the story goes south.</p>
<p>We already knew we wanted to purchase a &#8220;traditional&#8221; mattress, and not another memory foam mattress (we might be slow learners, but we&#8217;re not THAT slow). When we entered the furniture store, we were immediately pounced upon by a salesperson, who escorted us to the mattress department and asked us what we were looking for. We explained the situation with the store credit, and told him that we had decided to purchase a non-memory foam mattress because of our recent experience.</p>
<p>At this point, I should explain that we were not entirely against a memory foam mattress. If we could have found one with a good warranty and reliability, we might have purchased it. But instead, the salesman proceeded to try to &#8220;hard sell&#8221; us a $3,000 mattress (which was $1,300 above the amount of the store credit). When I indicated that we wanted to try to stay close to the amount of the store credit and that we weren&#8217;t entirely sold on &#8220;newfangled&#8221; latex foam, considering our last experience, the salesman made an obnoxious remark about latex actually being an old technology (since it&#8217;s been around for thousands of years). At that point, if the store credit situation hadn&#8217;t forced us to buy the mattress at that store, I would have gone to a different store and they would have lost my sale (which ultimately turned out to total around $2,000).</p>
<p>So what&#8217;s the lesson here? It&#8217;s obvious &#8211; regardless of whether your job is to sell technology to the public or to provide IT services to your organization, DON&#8217;T HARD SELL. Believe me when I tell you that your client will recognize this tactic from a mile away, and will run in the opposite direction.</p>
<p>But what is a &#8220;hard sell&#8221;? According to Wiktionary.com, it&#8217;s &#8220;a sales technique of pressuring the potential buyer to agree to a purchase&#8221;. It implies that, instead of providing customers with valid reasons for making the purchase, and helping them understand how the product will improve their jobs or their lives, salespeople simply subject customers to high-pressure tactics to get them to agree to the sale.</p>
<p>We&#8217;ve all been victims of the hard sell. Our society has even developed a stereotype of the hard seller: The car salesperson. Most of us recognize when we&#8217;re being pressured to buy something, and our first instinct is usually to run the other way. It doesn&#8217;t matter if the salesperson is an expert in the field; we don&#8217;t like being made to feel as though we &#8220;have to&#8221; do something by another person (even if we really <em>do</em> have to do something). It might be our contrary nature, but it doesn&#8217;t matter if the salesperson knows more than us (or just thinks he does); it doesn&#8217;t even matter if what we&#8217;re being sold is something we really do need. We will walk away from a hard sell.</p>
<p>So how do you avoid making a hard sell? Explain, explain, explain. Even if what you&#8217;re dealing with is a highly technical product, and the person you&#8217;re selling it to isn&#8217;t very technologically savvy, there are always ways to explain something in a way the customer will understand. Follow the therapeutic mantra, and &#8220;start from where the customer is&#8221;. Remember that when you don&#8217;t do this; when you instead attempt to pressure a client into a sale because you &#8220;know better&#8221;, I can guarantee you one thing:</p>
<p>Apply pressure tactics, and you can kiss that sale goodbye.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/09/how-not-to-sell/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>We&#8217;ve come a long way, baby&#8230;Or maybe not</title>
		<link>http://www.securitycatalyst.com/2009/08/weve-come-a-long-way-baby-or-maybe-not/</link>
		<comments>http://www.securitycatalyst.com/2009/08/weve-come-a-long-way-baby-or-maybe-not/#comments</comments>
		<pubDate>Thu, 27 Aug 2009 13:05:25 +0000</pubDate>
		<dc:creator>Trish Smith</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[change]]></category>
		<category><![CDATA[software]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2262</guid>
		<description><![CDATA[by Trish Smith Although at times I complain about it, I do truly enjoy my status as the only person in the Catalyst writers&#8217; group without a formal background in IT. I believe that it does, as Michael tells me time and again, give me a unique perspective on the field. It is from that [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/08/1141307_desert_road.jpg"><img class="alignright size-full wp-image-2263" title="1141307_desert_road" src="http://www.securitycatalyst.com/wp-content/uploads/2009/08/1141307_desert_road.jpg" alt="1141307_desert_road" width="300" height="224" /></a>by Trish Smith</p>
<p>Although at times I complain about it, I do truly enjoy my status as the only person in the Catalyst writers&#8217; group without a formal background in IT. I believe that it does, as Michael tells me time and again, give me a unique perspective on the field.</p>
<p>It is from that perspective that I write my articles; none more so than today.</p>
<p>Recently, I had the not-so-pleasant experience of trying out different software for my blog. I run a personal website that I&#8217;ve recently expanded from a simple blog to a source for information on cooking and food preservation. Not only did I have some immediate needs for the new information I was putting on the blog, but I also anticipated having needs that my current software (WordPress) would not be able to fulfill (things such as fillable forms, searchable lists, and more). At least, not in any easy or elegant way.</p>
<p>So the search began. I investigated two other website-building options: Joomla and Drupal. Well, to be perfectly honest, I only truly investigated Drupal; I looked into Joomla briefly and determined that it wouldn&#8217;t fit my needs. More precisely, I tried Scribd and found that it was too difficult for me to grasp quickly (of course, this is just my own experience; others may find they absolutely love it).</p>
<p>I spent an entire day exploring Drupal; I downloaded it and installed it on my server, and then began building my website.</p>
<p>Twenty-four hours later, I&#8217;m back on WordPress (much like a misbehaving spouse, grateful to their partner for giving them a second chance after having strayed: &#8220;Oh WordPress, I&#8217;m so sorry and it will NEVER HAPPEN AGAIN.&#8221;), and appreciating it more than ever.</p>
<p>So what have I learned from this experience that you could learn from (because really, why else would I write about it if not to help all of you out)?</p>
<p>First, I learned that &#8220;more complex/difficult/advanced&#8221; does not necessarily mean better. I thought that the increased flexibility (and as a result, increased complexity) of Drupal would be an advantage to building my website, but this is not always the case. Think of this phenomenon as occurring on a curve; not enough flexibility will hinder you, but more flexibility is useful only to a certain extent. After that point, more flexibility/complexity will begin to get in your way just as much as not enough of it will.</p>
<p>Second, I learned (firsthand) the adage about test-driving software on a local host (such as your desktop computer) before installing it on your server (and deleting your old software). If things don&#8217;t work out, you&#8217;ll have a LOT less work to do. Think of this as a safety net, just in case you need to change back. I would have easily saved myself four or five hours of work, even though some of the work was unavoidable because I changed my theme.</p>
<p>Third, I learned that failure is always an option. Specifically, I learned not to be so tied to the success of any new venture that I can&#8217;t admit that it&#8217;s not working, and that I need to try something else (or even return to my old software). Perhaps a better way to think of it is not as failure, but as a way to explore and determine the best option for you and whatever you&#8217;re developing. Would it have been better for me (and my website) to stick with Drupal, becoming increasingly frustrated with my own inability to grasp it (and becoming increasingly vociferous about it on Twitter, which really helps no one)? In this case, giving up the Drupal experiment was the best option (for me and for all 1800+ of my followers on Twitter).</p>
<p>Finally, I learned the best lesson of all: Try it, try it all, because it&#8217;s the only way you learn. I may have switched back to WordPress from Drupal, but I&#8217;ve taken the lessons I learned from my Drupal experience and used them to improve my website on WordPress. And ultimately, isn&#8217;t that the lesson we should learn in all our endeavors &#8211; on- and offline?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/08/weve-come-a-long-way-baby-or-maybe-not/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Revisit the basics</title>
		<link>http://www.securitycatalyst.com/2009/07/revisit-the-basics/</link>
		<comments>http://www.securitycatalyst.com/2009/07/revisit-the-basics/#comments</comments>
		<pubDate>Thu, 30 Jul 2009 11:00:48 +0000</pubDate>
		<dc:creator>Trish Smith</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2179</guid>
		<description><![CDATA[by Trish Smith As our clients and customers naturally become more computer savvy, we often assume that they know (and remember) the basic tenets of security, including good &#8220;password hygiene&#8221;: Ensure that your password is difficult to guess, that it is never given to an unauthorized party, and that it is changed on a regular [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/07/ABC.jpg"><img class="alignright size-medium wp-image-2180" title="ABC" src="http://www.securitycatalyst.com/wp-content/uploads/2009/07/ABC-300x264.jpg" alt="ABC" width="300" height="264" /></a>by Trish Smith</p>
<p>As our clients and customers naturally become more computer savvy, we often assume that they know (and remember) the basic tenets of security, including good &#8220;password hygiene&#8221;: Ensure that your password is difficult to guess, that it is never given to an unauthorized party, and that it is changed on a regular basis. But something happened today that reminded me that even the more knowledgeable among us can forget to be cautious when we are online.</p>
<p>I was on Twitter this morning (my username there is @Astrogirl426, if you&#8217;d like to add me to your follower list) when I began seeing tweets about a new service called &#8220;Twitviewer&#8221;. This service offered to let Twitter users find out who had recently viewed their Twitter page. Curious, I clicked the link and was sent to the Twitviewer home page, where I was prompted to enter my Twitter username and password.</p>
<p>Hopefully, this is the point at which anyone with a moderate amount of experience online would stop and think, &#8220;Hmm, this might not be a great idea. Let me wait and see if this service turns out to be legit.&#8221; Let me state here that there ARE some legitimate Twitter services that require you to enter your username and password to access them (TwitPic is just one of several). However, a brand-new service that requires your login information should always be approached with caution &#8211; if for no other reason than to see if any reports of &#8220;suspicious activity&#8221; surface.</p>
<p>Unfortunately, over the next few hours I saw quite a few of the people I follow on Twitter using the service (I knew this because the service sends out an automatic tweet from the individual when they use it for the first time). Sure enough, later in the afternoon I began reading warnings from Twitter against giving Twitter login information to this service.</p>
<p>So what did I learn from this? What can YOU learn from this? That even as people become more sophisticated about computers in general, and security in specific, we need to revisit the basics with them from time to time to remind them that these lessons are still important, and still relevant. And if you were one of those who used the Twitviewer service &#8211; change your password!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/07/revisit-the-basics/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Getting to Know&#8230;.Me</title>
		<link>http://www.securitycatalyst.com/2009/05/getting-to-knowme/</link>
		<comments>http://www.securitycatalyst.com/2009/05/getting-to-knowme/#comments</comments>
		<pubDate>Wed, 27 May 2009 11:00:53 +0000</pubDate>
		<dc:creator>Trish Smith</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[background]]></category>
		<category><![CDATA[writer]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1871</guid>
		<description><![CDATA[by Trish Smith As an avid blog reader, I often find myself wanting more information about the writers of the blogs I read. Most of the blogs I read are personal blogs, and so I learn most of what I want to know through the blog content itself. But on a professional blog, such as [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/05/question.jpg"><img class="alignright size-medium wp-image-1873" title="question" src="http://www.securitycatalyst.com/wp-content/uploads/2009/05/question-300x300.jpg" alt="question" width="300" height="300" /></a>by Trish Smith</p>
<p>As an avid blog reader, I often find myself wanting more information about the writers of the blogs I read. Most of the blogs I read are personal blogs, and so I learn most of what I want to know through the blog content itself. But on a professional blog, such as this one, you rarely read much about the writers. I know that the bios of the Security Catalyst writers do give you some information, but I&#8217;m sure you&#8217;ve caught yourself wondering, from time to time, just who we are.</p>
<p>In that spirit, I&#8217;m devoting this month&#8217;s blog posting to a little &#8220;Getting to know you (or rather, me)&#8221; session. Hopefully by the time you&#8217;ve finished reading this, you&#8217;ll know a little more about me and about why I became a Security Catalyst writer.</p>
<p>My computer experience began in 1990, when my high school installed a computer lab and began offering various programming courses. I quickly discovered that, although I wasn&#8217;t interested in becoming a programmer (a course in C++ confirmed it), computers could be very useful to me. Unfortunately, personal computers were still at a fairly early stage, and didn&#8217;t offer much by way of everyday usefulness. My first computer was a Commodore 64; I love to horrify my teenage nephews with stories about how we used to have to use tapes (which looked exactly like audio tapes) to store programs. It wasn&#8217;t unusual for it to take an hour for a game we wanted to play to download off the tape, frequently including some corruption of the data that forced us to repeat the entire process. Thus, at this point computers were (for me, anyway) still largely used for playing games and noodling around with Basic programming (I can still write a mean program loop using IF &#8211; THEN). But I believe that by beginning my computer education as a kid, I didn&#8217;t cripple my quest for information with the fear that I might &#8220;break something&#8221; (which, in my experience, is the biggest barrier to most people becoming comfortable with computers).</p>
<p>My experience with, and exposure to, personal computing continued through college, where computers finally became fast enough and powerful enough to be more than just a toy. This is where they began to make my life as a student easier.</p>
<p>I continued using computers through graduate school, along the way graduating to a 386, then a 486, and then finally (finally!) moving to a Mac. You&#8217;d never know it from my devotion to Apple computers, but when I first began using Macs (spurred by a then-boyfriend&#8217;s proficiency in them and easy access to his then-blazing-fast laptop) I resisted them vigorously. It didn&#8217;t take me long, however, to discover their appeal, and barring some necessary forays into the world of Windows PCs for work (and to fix my husband&#8217;s PC from time to time), I&#8217;ve stayed with them ever since. One little-known secret: Apple computers are great for those of us with compulsive tendencies. When I owned a Windows machine, I was forever &#8220;cleaning up&#8221; my computer by deleting all the weirdly-named little files that were installed on my hard drive with new programs. Inevitably, the files I deleted were ones I needed to run some essential piece of programming. So the fact that Mac programs tend to be fairly self-contained is a definite plus for us OCD-types.</p>
<p>The other significant aspect of my experience on computers has been my &#8220;online&#8221; experience, or what the kids today call &#8220;social media&#8221; (and yes, that was said firmly tongue-in-cheek). I began my own social media exposure on Compuserve, in chatrooms and private IM. I remember the beginning of AOL (and oh, how we all loathed it then, too), and IRC, and even farther back, BBS&#8217;s. I have that to thank for my own lack of crippling awe over websites such as Twitter, Facebook, and MySpace.</p>
<p>So generally speaking, my comfort level with computers (and, by extension, with computer people/geeks/techies/what-have-you) was developed through years of exposure to computers, and through the realization that they really aren&#8217;t very intimidating at all (computers, that is; computer geeks are sometimes an entirely different story).</p>
<p>This is probably the simplest reason that I&#8217;m here, the only non-tech person writing in a sea of tech writers. I suspect I should be more intimidated than I am; but as I said, a long education in and exposure to computers have removed most of my sense of awe. Fortunately, they haven&#8217;t removed my interest in and fascination with them, which is the other reason I&#8217;m here. I see all of this as your benefit: My non-tech perspective on the tech world, my lack of awe, and my continuing fascination with and interest in computers are all characteristics I gladly use in service of you, our devoted readers.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/05/getting-to-knowme/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>A Multipart Letter to Employers of Security Professionals &#8211; Part 2</title>
		<link>http://www.securitycatalyst.com/2009/04/a-multipart-letter-to-employers-of-security-professionals-%e2%80%93-part-2/</link>
		<comments>http://www.securitycatalyst.com/2009/04/a-multipart-letter-to-employers-of-security-professionals-%e2%80%93-part-2/#comments</comments>
		<pubDate>Fri, 24 Apr 2009 11:00:33 +0000</pubDate>
		<dc:creator>Trish Smith</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[learning]]></category>
		<category><![CDATA[teaching]]></category>
		<category><![CDATA[training]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1468</guid>
		<description><![CDATA[by Andrew Hay My name is Andrew Hay and I, like many of my colleagues, work for an organization in an information security function. If you recall from my previous article, I attempted to impress upon you the need for organizations to support the continuous learning of their employed security staff. This article builds on [...]]]></description>
			<content:encoded><![CDATA[<p><strong><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/03/22_01_5-u-s-army-helmet_web.jpg"><img class="alignright size-medium wp-image-1469" title="22_01_5-u-s-army-helmet_web" src="http://www.securitycatalyst.com/wp-content/uploads/2009/03/22_01_5-u-s-army-helmet_web-300x200.jpg" alt="22_01_5-u-s-army-helmet_web" width="300" height="200" /></a>by Andrew Hay</strong></p>
<p>My name is Andrew Hay and I, like many of my colleagues, work for an organization in an information security function. If you recall from my previous article, I attempted to impress upon you the need for organizations to support the continuous learning of their employed security staff. This article builds on the first article by explaining the need to support your employees&#8217; training and certification goals.</p>
<p>One way to think about the costs of training your employees is to consider how much the United States invests in training individuals in the various branches of the military. The average cost to train a soldier is roughly $40,000 USD (http://wiki.answers.com/Q/What_is_the_cost_of_training_a_soldier_in_the_military). This figure doesn&#8217;t include the ongoing costs to learn new equipment, technologies, and to help them advance in their careers. That figure equates to roughly $400,000 USD for a career soldier serving in the most basic capacity. The United States military prides itself on the competence of its personnel, which is fostered by training, training, and more training.</p>
<p>Allowing your employees to attend training does not need to cost $400,000, though. Some organizations, such as the SANS Institute, offer work-study programs that allow you to attend a 6-day course in exchange for assisting the instructor, working at the bookstore, or helping with other miscellaneous conference activities. A nominal fee is charged but it is far less expensive than paying the full fee.</p>
<p>The old adage states, &#8220;Those who can&#8217;t do, teach.&#8221; But one of the best ways to ensure knowledge is kept current is to learn how to teach the concepts to another person. This forces the teacher to become more knowledgeable himself and, in most cases, learn the answers to questions or problems he himself might have had. One way to promote this skill is to support transfer of information sessions. Supporting employee transfer of information helps the business in several ways. It shows employees that their knowledge is valued and that you view them as an expert on particular topics. Interpersonal learning also lowers the overall cost of training for your organization and helps practitioners work on valuable communication and presentation skills &#8211; something that most organizations agree is lacking in many security professionals today.</p>
<p>In subsequent articles in this series, I will help you understand the other options for supporting security practitioners within your organization. With this knowledge you can ensure that your employees are being equipped with the tools they need to effectively manage the overall security of your business.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/04/a-multipart-letter-to-employers-of-security-professionals-%e2%80%93-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Coming Out of the &#8220;Cave&#8221;</title>
		<link>http://www.securitycatalyst.com/2009/04/coming-out-of-the-cave/</link>
		<comments>http://www.securitycatalyst.com/2009/04/coming-out-of-the-cave/#comments</comments>
		<pubDate>Mon, 13 Apr 2009 11:00:07 +0000</pubDate>
		<dc:creator>Trish Smith</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1451</guid>
		<description><![CDATA[by Trish Smith As recently as five years ago, if you worked for the tech department of most organizations, your job responsibilities were pretty clear-cut. You were expected to fix the hardware when it broke, &#8220;fix&#8221; the software when someone crashed a program, and install updates and software as necessary. The skills required were cut-and-dry, [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/03/cave.jpg"><img class="alignright size-medium wp-image-1456" title="cave" src="http://www.securitycatalyst.com/wp-content/uploads/2009/03/cave-226x300.jpg" alt="cave" width="226" height="300" /></a><strong>by Trish Smith</strong></p>
<p>As recently as five years ago, if you worked for the tech department of most organizations, your job responsibilities were pretty clear-cut. You were expected to fix the hardware when it broke, &#8220;fix&#8221; the software when someone crashed a program, and install updates and software as necessary. The skills required were cut-and-dry, and the surprises were pretty minimal. As far as information security was concerned, it was usually enough to simply hand down security measures and escape back to the sanctity of the IT &#8220;cave&#8221;.</p>
<p>We&#8217;ve come a long way, baby.</p>
<p>In the past few years, everything about the field has changed. Not only do job descriptions look drastically different, but the environment in which those jobs are taking place has changed. Budgets are smaller, the threats to organizations are greater, and the skills that are required have broadened. People in general are also more tech-savvy, which makes the job both more and less difficult. On one hand, IT is dealing less and less with people who are completely unfamiliar with computers and the internet; on the other, a little bit of knowledge can be a dangerous thing. People sometimes know just enough to create problems, and not enough to be able to fix them on their own.</p>
<p>In addition, we&#8217;ve come to the realization that it&#8217;s no longer enough to simply possess technical skills; IT workers now need to work with the rest of the organization to make security measures more successful. As I&#8217;ll discuss further below, success is much more likely when members of the organization are included in the process, rather than simply having security measures foisted upon them.</p>
<p>However, what this means for infosec employees is that they need a whole new set of skills, including the ability to communicate the value of what they do to fellow employees and to management. Job security is far from guaranteed for any member of the organization. Involving the rest of the organization in the development of security measures ensures buy-in from the organization for the measures and makes the success of these measures far more likely (and by extension, of the IT department as well).</p>
<p>How does involving those affected by security measures in the process make those measures more likely to meet with success? First, simply by going to the employees themselves to get information about how they do their jobs, security measures become more specific to the people they&#8217;re actually supposed to help. A system that is designed around the people who are going to be using it is far more likely to be effective than one that isn&#8217;t.</p>
<p>Second, as people become more involved in the experience of creating these security processes, their fear of the measures that are introduced is diminished, making them more likely to comply and to be successful with such measures. They become partners in the security effort, and invested in its success.</p>
<p>True, change can be scary. But the opportunities inherent in such change make this an exciting time for the field. It&#8217;s not so bad out here after all.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/04/coming-out-of-the-cave/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Multipart Letter to Employers of Security Professionals</title>
		<link>http://www.securitycatalyst.com/2009/03/a-multipart-letter-to-employers-of-security-professionals/</link>
		<comments>http://www.securitycatalyst.com/2009/03/a-multipart-letter-to-employers-of-security-professionals/#comments</comments>
		<pubDate>Fri, 27 Mar 2009 11:00:21 +0000</pubDate>
		<dc:creator>Trish Smith</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1350</guid>
		<description><![CDATA[by Andrew Hay My name is Andrew Hay and I, like many of my colleagues, work for an organization in an information security function. What I&#8217;d like to impress upon you is the need for organizations to support the continuous learning of their employed security staff. The field of security is a constantly evolving entity [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/03/conference.jpg"><img class="alignright size-medium wp-image-1352" title="conference" src="http://www.securitycatalyst.com/wp-content/uploads/2009/03/conference-300x225.jpg" alt="conference" width="300" height="225" /></a></p>
<p><strong>by Andrew Hay</strong></p>
<p>My name is Andrew Hay and I, like many of my colleagues, work for an organization in an information security function. What I&#8217;d like to impress upon you is the need for organizations to support the continuous learning of their employed security staff. The field of security is a constantly evolving entity and, to that end, requires its practitioners to be able to adapt. Most practitioners take the time to increase their knowledge by reading blogs, books, and papers in their spare time and by joining local security organizations. Some, depending on their geographic location, even pay out of their own pocket to attend local or domestic security conferences.</p>
<p>If your employees are taking the time to enhance their knowledge &#8211; knowledge that will inevitably be used to help protect the organization &#8211; shouldn&#8217;t the organization match that contribution?</p>
<p>That is the point of this, and future, articles. I would like to help you understand how you can contribute to the protection of your organization by assisting with the professional development of your security staff.</p>
<p>The first way to assist your employees is to allow them to attend industry conferences. Conferences are the best way for security practitioners to meet their peers, share war stories, and learn from the best minds in the industry. Many organizations are hesitant to send their staff to conferences due to the cost but the average entrance cost of a big ticket conference is roughly $1,500 USD, excluding flights, hotels, and meals. You&#8217;ll note how I mentioned the extra costs &#8211; flights, hotels, and meals &#8211; as a separate line item. Often, the cost of the conference isn&#8217;t the pain point, it&#8217;s the associated costs incurred by those attending.</p>
<p>Attending a security conference does not need to be expensive, however. Several organizations, such as ISSA, ISACA, OWASP, and many others, offer local low cost one- or multiple-day conferences that cater to practitioners in a particular geographic area. The conference content is excellent, the employee has the opportunity to network with peers, and the employer need not worry about huge travel-related expenses.</p>
<p>Ideally, the business should budget for one major conference, which may or may not be local, and one or two local conferences per budget year. This nominal investment not only helps bring cutting edge knowledge back into the organization, it also boosts the employees&#8217; view of the organization that they work for.</p>
<p>In subsequent articles in this series, I will strive to help you understand the other avenues for supporting security practitioners within your organization. With this knowledge you can ensure that your employees are being equipped with the weapons to effectively manage the overall security of your business. Until next time.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/03/a-multipart-letter-to-employers-of-security-professionals/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Gaining and Maintaining Professional Momentum During Difficult Times</title>
		<link>http://www.securitycatalyst.com/2009/03/gaining-and-maintaining-professional-momentum-during-difficult-times/</link>
		<comments>http://www.securitycatalyst.com/2009/03/gaining-and-maintaining-professional-momentum-during-difficult-times/#comments</comments>
		<pubDate>Fri, 13 Mar 2009 11:00:14 +0000</pubDate>
		<dc:creator>Trish Smith</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1357</guid>
		<description><![CDATA[by David McCartney While I&#8217;ve always been blessed with employment, I haven&#8217;t always been given opportunities to advance my career and myself through the employer. During professional dry spells that can result from economic or job limitations, it can be a major challenge to gain or maintain your professional momentum. Knowing how to leverage affordable, [...]]]></description>
			<content:encoded><![CDATA[<p><strong><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/03/opnbook.jpg"><img class="alignright size-medium wp-image-1360" title="opnbook" src="http://www.securitycatalyst.com/wp-content/uploads/2009/03/opnbook-300x200.jpg" alt="opnbook" width="300" height="200" /></a>by David McCartney</strong></p>
<p>While I&#8217;ve always been blessed with employment, I haven&#8217;t always been given opportunities to advance my career and myself through the employer. During professional dry spells that can result from economic or job limitations, it can be a major challenge to gain or maintain your professional momentum. Knowing how to leverage affordable, easily accessible resources has served me well several times and broken the &#8220;professional funk&#8221; I&#8217;m sure most of us have suffered from or seen at some point.</p>
<p>Investing in yourself is a lifelong process that only requires a desire to improve.</p>
<p>In-Person Networking Opportunities<br />
To start, look for local security gatherings in your area. Professional organizations such as the ISSA, ISACA, and InfraGard will typically let you attend as a guest for a minimal cost, giving you a chance to figure out if you can benefit from each other (yes, from each other&#8230; more on this below). I suggest you check out a variety of organizations before determining which, if any, you should join or become associated with.</p>
<p>Besides professional organizations, don&#8217;t discount less commercialized gatherings as well. Do you have a local Hacker Space, 2600, or DefCon chapter? I highly recommend checking out these communities as well. Although they may not always be something you&#8217;d list on your resume, the knowledge and experience gained will likely prove invaluable.</p>
<p>Once you&#8217;ve found an organization that fits your personality and interests, try to find ways that you can contribute. While it is unlikely you&#8217;d be able to quickly join early on in a leadership capacity, look for opportunities where you can contribute. Chances are, someone would enjoy learning what you know, so see if you can invest in others by lecturing, teaching, or mentoring. In addition to firming up your knowledge on a topic, you&#8217;ll increase your visibility amongst your peers, possibly opening up other advancement opportunities as well. Furthermore, by not just focusing on yourself, you won&#8217;t dwell on your situation, which is empowering in itself.</p>
<p>Online Networking Opportunities<br />
Many articles cover social networking in depth, so I won&#8217;t spend too much time here. Know that the boon has created many ways to increase your awareness of events to advance and enhance yourself. Look for ways to increase your professional networking and education through sites like Twitter and LinkedIn by watching for local events like BeanSec in Boston, Cowtown Computer Congress (CCCKC) in Kansas City, or the Security MBA (Masters of Beer Appreciation) in Columbus. These sites may also announce regional conferences and summits that can be affordable educational events.</p>
<p>Additionally, security-minded communities such as the Security Catalyst Community at http://www.securitycatalyst.org provide excellent discussion opportunities where people come together to help and assist each other. From the site:<br />
The Security Catalyst Community is designed to support those responsible for protecting information by:</p>
<p>1. Providing a professional, supportive environment to ask for help<br />
2. Foster a culture that welcomes ideas; share your experiences and insights regardless of your experience<br />
3. Share your passion and blend your energy with others<br />
If you are not already a member, you are missing out!</p>
<p>Training<br />
There are extensive opportunities to increase your security knowledge on the interweb. Depending on your budget and space constraints (as well as significant-other agreeability), gathering some old equipment to experiment on may be practical. If space or budget limitations come into play, don&#8217;t discount using virtualization technology. Remember, very few things are a replacement for hands-on experience.</p>
<p>Need an idea on what to study? Explore online training videos through resources like The Academy Pro/Home (http://www.theacademypro.com/, http://www.theacademyhome.com/). Work through projects like the De-ICE.net PenTest LiveCDs (http://heorot.net/livecds/). Again, these communities are great places to contribute as well! Similarly, remember to explore your local library for books on topics you might be interested in. The materials might not be bleeding-edge, but that doesn&#8217;t mean the information isn&#8217;t valuable.</p>
<p>Lastly, another way to easily continue your ongoing education and training is to subscribe to podcasts and blogs. Many of the people and resources you encounter through In-Person and Online Networking may have involvement in an online presence where your energies could be valuable. Look for opportunities to give feedback and contribute in an area you&#8217;re passionate or curious about.</p>
<p>Hopefully I&#8217;ve given you some new ideas on ways to further yourself without breaking your budget. I&#8217;ve leveraged many of the resources listed above, so I know they can be effective if you want them to be.</p>
<p>Do you have other ideas or approaches on how to gain or increase your professional momentum? If so, I&#8217;d love to hear about them. By sharing our ideas and experiences we can continue to help each other improve, raising the bar on the security community as a whole.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/03/gaining-and-maintaining-professional-momentum-during-difficult-times/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Technophobe, or something more?</title>
		<link>http://www.securitycatalyst.com/2009/03/technophobe-or-something-more/</link>
		<comments>http://www.securitycatalyst.com/2009/03/technophobe-or-something-more/#comments</comments>
		<pubDate>Wed, 11 Mar 2009 11:00:11 +0000</pubDate>
		<dc:creator>Trish Smith</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1133</guid>
		<description><![CDATA[by Trish Smith Why do people fail to address security issues? We use the word &#8220;technophobe&#8221; to describe people who are leery and sometimes fearful of technology, but this is a misleading over-generalization. I believe there is another issue at work. We use highly specialized language, or lingo, in many areas, including information security. To [...]]]></description>
			<content:encoded><![CDATA[<p><strong><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/03/letter.jpg"><img class="alignright size-medium wp-image-1324" title="letter" src="http://www.securitycatalyst.com/wp-content/uploads/2009/03/letter-300x219.jpg" alt="letter" width="300" height="219" /></a>by Trish Smith</strong></p>
<p>Why do people fail to address security issues? We use the word &#8220;technophobe&#8221; to describe people who are leery and sometimes fearful of technology, but this is a misleading over-generalization. I believe there is another issue at work.</p>
<p>We use highly specialized language, or lingo, in many areas, including information security. To anyone not familiar with this area, the language can be alienating. But even the &#8220;plain language&#8221; we use can be unintentionally off-putting.</p>
<p>Language influences the way we think, whether we like (or even realize) it or not. Influencing the way an issue is perceived often becomes an exercise in semantics. Years ago, a study was done that looked at the effect of language on people&#8217;s perceptions. When different words &#8211; &#8220;hit&#8221; versus &#8220;smash&#8221;, for example &#8211; were used to describe the scene, observers changed their evaluation of how fast a car was traveling when it impacted an object. This study showed quite clearly how language affects even such &#8220;objective&#8221; perceptions.</p>
<p>But how does this impact our work as security professionals? How does this knowledge improve (or make worse) the process for our clients, our colleagues, and ourselves? Understanding the impact of language on our perceptions of our world, then, is one key to helping others become more willing participants in the security process. But more specifically, how does language prevent people from fully participating in the process?</p>
<p>One deceptively innocuous way is through the use of the word &#8220;data&#8221; to refer to the information we&#8217;re protecting. Clients are often told that part of their job is to &#8220;protect data&#8221;. The problem with that is with the connotation of data as cold, distant, and impersonal. It probably doesn&#8217;t help that Data is also the name of a character that&#8217;s an artificial life form on the Star Trek television series: Cold, distant, and impersonal. Data are abstract; they&#8217;re meaningless to people&#8217;s everyday lives. After all, outside of the tech world, how often do people use &#8220;data&#8221; to refer to themselves? Data are numbers and letters in a computer, as meaningless as code to the average, non-tech-oriented person.</p>
<p>Reframe it as &#8220;protecting information&#8221;, though, and it becomes meaningful. People now feel a connection to what they&#8217;re being asked to protect. Thus, they assign it a value. Things that are abstract and unknowable have no real value to people; but information is something they feel a connection to. It&#8217;s something they can understand, something they can perceive value in. Given the choice (or even if they&#8217;re not given the choice), people will not spend their time (which also has value) protecting something they perceive as valueless. And therein lies one of the major dilemmas in information security. Ask someone to protect something that they see as valuable, and they will probably do it even if they don&#8217;t receive an immediate reward. Ask the same people to protect something they see as having no value, and their desire to protect it drops dramatically, regardless of the reward you offer them.</p>
<p>Additionally, &#8220;data&#8221; implies it&#8217;s a computer issue, something for the tech department to worry about. It&#8217;s &#8220;not my job&#8221;, but rather part of the mysterious, unknowable (for most) world behind the door marked &#8220;IT&#8221;. People feel they have enough work to do as it is; if they think they need to learn something more (and a highly technical skill set at that), they&#8217;ll resist. So they distance themselves. Information, though, is everyone&#8217;s responsibility, regardless of position or department. Everyone manages some sort of information, no matter who they are in the organization.</p>
<p>Language can connect us; it can make us part of the process in ways nothing else can. We need to be aware when we use language that isolates people from the process. Small changes, such as moving from using the word &#8220;data&#8221; to the word &#8220;information&#8221; to describe what we&#8217;re asking people to protect, might seem a ridiculously insignificant step. But it might be the first step in helping our clients see information security as everyone&#8217;s job, and themselves as valuable participants in the process.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/03/technophobe-or-something-more/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Online Security for Kids: How the New York Times article got it wrong</title>
		<link>http://www.securitycatalyst.com/2009/02/online-security-for-kids-how-the-new-york-times-article-got-it-wrong/</link>
		<comments>http://www.securitycatalyst.com/2009/02/online-security-for-kids-how-the-new-york-times-article-got-it-wrong/#comments</comments>
		<pubDate>Mon, 09 Feb 2009 11:16:30 +0000</pubDate>
		<dc:creator>Trish Smith</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[child safety]]></category>
		<category><![CDATA[cyber safety]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1082</guid>
		<description><![CDATA[By Trish Smith On January 13, 2009, the New York Times ran an article by Brad Stone on their website entitled, &#8220;Report Calls Online Threats to Children Overblown.&#8221; In this article, Mr. Stone discussed a recent report by the Internet Safety Technical Task Force (a task force created by 49 state attorneys general to [...]]]></description>
			<content:encoded><![CDATA[<p><strong>By Trish Smith</strong></p>
<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/02/red_card.jpg"><img class="alignright size-medium wp-image-1083" title="red_card" src="http://www.securitycatalyst.com/wp-content/uploads/2009/02/red_card-201x300.jpg" alt="red_card" width="201" height="300" /></a>On January 13, 2009, the New York Times ran an article by Brad Stone on their website entitled, &#8220;<a href="http://www.nytimes.com/2009/01/14/technology/internet/14cyberweb.html?_r=2" target="_blank">Report Calls Online Threats to Children Overblown</a>.&#8221; In this article, Mr. Stone discussed a recent report by the Internet Safety Technical Task Force (a task force created by 49 state attorneys general to look into the issue of sexual solicitation of children online). This task force examined, among other things, social networking sites such as Facebook and MySpace, to assess the extent of sexual solicitation of children by adults.</p>
<p>The task force (which was led by the Berkman Center for Internet and Society at Harvard University) found that bullying among children is, in fact, a far greater threat to them than sexual predators. It also found that when teenagers do become involved with sexual predators online, they are typically willing participants and already at risk because of their home environments or risky behaviors, such as substance abuse.</p>
<p>Leaving aside the questions raised by that last sentence (is a child not a victim as long as he or she is a willing participant? Is a predator less a predator because his underage victim agreed to participate?), I realized after reading the article that Mr. Stone missed the boat entirely.</p>
<p>How did that happen? Well, first consider the following question. What was the point of this article? Admittedly, Mr. Stone may have simply decided to report what seemed to be an important news story. He probably thought he was writing a factual article, not editorializing. However, his opening sentence communicates the message of his article quite clearly: &#8220;The Internet may not be such a dangerous place for children after all.&#8221;</p>
<h3>So is <em>this</em> the true story?</h3>
<p>The idea that the internet is actually safer for kids than we thought it was? Before you answer that question, first consider this one: How safe SHOULD the internet be? How safe do we want it to be for our kids? As the mother of a five-year-old, I can say from my own experience that there is no such thing as &#8220;too safe&#8221;. There is also no such thing as &#8220;not so dangerous&#8221;.</p>
<p>Articles (and reports) such as these seem predicated on one thing: the idea that we can reduce risk, for ourselves, for our kids, for those we care about. The logical conclusion of that argument is that someday, somehow, with the right technology, we can reduce risk down to nothing. But the truth of the matter is that we cannot. Risk cannot be eliminated; it can only ever be managed. And so the idea that the internet is not &#8220;as dangerous&#8221; as we thought it was, is a non-argument. It implies that there is an acceptable level of risk to our kids on the internet, and that once we reach that level of perceived safety, we can reduce our safety measures. But no responsible parent is likely to say, &#8220;Well thank goodness, the internet isn&#8217;t so dangerous! Now I can let my pre-teen daughter roam the chat rooms unsupervised.&#8221; It does nothing to help parents make decisions about how to protect their children, whether the chance of something happening is 1% or 100%. As far as helping those who most need information, this article fails miserably.</p>
<h3>So what DO parents and other caretakers need?</h3>
<p>We don&#8217;t need to be told that our fears are unfounded, when we know that the level of risk will always be too high, simply by the very nature of the internet. We need, instead, to be given ways &#8211; proven ways &#8211; to protect our children from the dangers that we know are out there. We need tools that will allow the internet to provide an experience that&#8217;s educational, entertaining, and that doesn&#8217;t put our children in harm&#8217;s way. If Mr. Stone had written an article about that, he&#8217;d have captured the real story of child safety on the internet.</p>
<p><em>Note from Michael Santarcangelo: This and other reasons have led to the creation of our &#8220;Building the Family Safety Net&#8221; seminar and our soon-to-be launched &#8220;Family Safety Net Salon.&#8221; Look for more details this Spring (and an invitation to join before the public launch).</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/02/online-security-for-kids-how-the-new-york-times-article-got-it-wrong/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>The key to successful organizational change</title>
		<link>http://www.securitycatalyst.com/2009/01/the-key-to-successful-organizational-change/</link>
		<comments>http://www.securitycatalyst.com/2009/01/the-key-to-successful-organizational-change/#comments</comments>
		<pubDate>Tue, 27 Jan 2009 11:16:15 +0000</pubDate>
		<dc:creator>Trish Smith</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[change]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1022</guid>
		<description><![CDATA[By Trish Smith The recent activity in the economy has brought to the public&#8217;s attention some controversial issues regarding how organizations change (or in this case, how they don&#8217;t). The 700 billion dollar bailout (just for a start) of the financial and automotive industries has focused the spotlight on a very specific issue in the [...]]]></description>
			<content:encoded><![CDATA[<p><strong><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/01/change.jpg"><img class="alignright size-medium wp-image-1025" title="change" src="http://www.securitycatalyst.com/wp-content/uploads/2009/01/change-300x225.jpg" alt="change" width="300" height="225" /></a>By Trish Smith</strong></p>
<p>The recent activity in the economy has brought to the public&#8217;s attention some controversial issues regarding how organizations change (or in this case, how they don&#8217;t). The 700 billion dollar bailout (just for a start) of the financial and automotive industries has focused the spotlight on a very specific issue in the arena of organizational change management: externally directed change vs. internally directed change.</p>
<p>Every day, in industries around the world &#8211; financial, manufacturing, health, education, IT &#8211; change efforts are initiated. One of the most critical factors determining the success or failure of these efforts is whether the change was initiated from outside the organization (government agencies and legislative bodies) or from within (Boards of Directors, departments within an organization, or individuals). Unfortunately, significant change is often initiated from without, despite the fact that experience shows us that change from within is more effective, longer lasting, and more efficiently implemented.</p>
<h3>Why drive change from within?</h3>
<p>Why are internally driven change efforts more successful than externally driven change efforts? There are several reasons for this. The most important is the fact that nearly every organization, even one in need of major change, has the resources, knowledge, creativity, and drive needed to successfully implement a change effort. Failing to tap into those resources is not only wasteful, but communicates to the members of the organization that their abilities and knowledge are not valued.</p>
<p>Additionally, when change is driven from within by those at the upper levels of the organization, employees feel a connection with the change effort at every level of the organization. When they perceive that those at the highest levels have bought into the initiative, they commit to it more fully. Conversely, if employees feel that the &#8220;head honchos&#8221; are not fully committed to the effort, they will not fully commit to it themselves, and the initiative will fail.</p>
<p>Finally, for change to be truly persistent, it must be rooted within the culture of the organization. Organizational culture determines how people within the organization do everything from handling customer complaints to celebrating birthdays. The reality is that whether the culture is positive or negative, healthy or unhealthy, it will drive the manner and methods of everything that is done within the organization. Any change that is not connected to the organization&#8217;s values, beliefs, and behaviors will not succeed. A significant change initiative must, therefore, be solidly connected and in sync with the culture for it to succeed.</p>
<h3>Three reasons to initiate change internally</h3>
<p>1. To profit from employees&#8217; skills, creativity, and resources.</p>
<p>2. To ensure a sense of buy-in at every level of the organization, which leads to employee commitment to the change.</p>
<p>3. To connect change on the deepest level with the culture of the organization, helping to ensure the success of the effort.</p>
<p>Successful change must be directed from within. Other factors also impact the effectiveness of a change effort, but without an internally-driven endeavor, such efforts cannot succeed, and valuable time and resources will be wasted. Perhaps this is a lesson that Citibank and GM could bear to learn.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/01/the-key-to-successful-organizational-change/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

