Security Catalyst (http://www.securitycatalyst.com): effective communication that influences people to action and builds business value

Does practicing progress over perfection require lower standards?
By Michael Santarcangelo, Tue, 14 May 2013
http://www.securitycatalyst.com/does-practicing-progress-over-perfection-require-lower-standards/

Sitting in the back of a dimly lit conference room for a client team meeting, I listened as each team member introduced themselves. I watched the reactions of their colleagues. Standing at the front of the room, the leader smiled and offered encouragement to everyone. As the line snaked to the front corner, he called for attention.

It was time, he explained, to introduce a new face. An industry powerhouse. Brought in to consult. To solve some challenging problems. The leader ran down a list of his impressive history. Then he pointed and asked the slender man to stand and introduce himself.

When he stood, a sly smile appeared on his face. He repeated his name. Thanked the leader for the introduction. Said he planned to work hard. Offered to help anyone in any way he could. No self-aggrandizing. Then politely explained that when he asked the leader about the role, they discussed the desire for perfection. His suggestion, “lower your standards.”

The suggestion caused laughter. It deflected the build-up. He sat down. The next person introduced themselves.

The suggestion captured my attention.

Was he right?

The perils of perfection

Many people pursue perfection. Most to the point where it paralyzes. They produce poor results. Is the answer to lower standards? To accept less?

The answer is no. With caveats.

It is possible to practice progress over perfection — and maintain high standards. The approach defines the difference. Mindset matters.

Meeting with the sculptor

A few years ago, I attended a lecture with a sculptor-in-residence at Brookgreen Gardens. Renowned enough that much of his work is public commission, he works on tight deadlines. Curious how deadlines affected the quality of his work, I asked how he handled it.

He looked me in the eye and replied, “You do the best you can do in the time you have. You give it your all and move on.”

As our discussion continued, he revealed that sometimes he does go back and continue some pieces. Others line the studio, waiting for their turn to be continued. He explained that when the time was right, the work would be there and he could bring it where he wanted. Where it needed to go. If only for him.

Writing is the same way. In fact, any work in which we express ourselves through the work holds the same promise. In return, we endeavor to do the best we can in the time we have. Then move on.

How to practice progress over perfection

This means acceptance of the situation. Instead of lamenting the short timeframe, be grateful for the opportunity. There is no room for excuses. I continue to work on removing barriers and excuses. It takes constant effort. Over time, however, it becomes habit.

The key is presence. And preparation. It takes both. Establishing a routine for focus. A set time. A defined way. Without distraction. Sometimes, brilliant focus for ten minutes is all that is needed.

In my experience, a practice that emphasizes progress over perfection yields consistently better results. With the elusive goal of perfection, it is easy to overwrite. To overtrain. To overdo it.

Watch out for masked progress

A common mistake is accepting movement for progress. Progress is a mindful investment of focus, time, and energy to reach an outcome. To bring measurable change.

The move away from perfection liberates. I choose progress. And I retain high standards.

What do you choose? How does this work for you?

Understanding awareness, training, and development
By Michael Santarcangelo, Tue, 16 Apr 2013
http://www.securitycatalyst.com/understanding-awareness-training-and-development/

The key to learning and teaching new skills lies in a three-step advancement: awareness, training, and development. These steps guide learning new skills, including effective communication, how to build better passwords, and even activities like archery and yoga.

Understanding this advancement allows us to build better communication. To ease the process of change. It’s a construct to build on, to model specific concepts. Each step plays a role in guiding the journey from where we are to where we need to be. By focusing on the needs of individuals, the entire organization advances.

Getting the terms right is the first step in experimenting with and ultimately advancing through each of the phases.

Awareness

Awareness: the individual realization of the consequences of an action, in their own context of intention and impact. Awareness often leads to action, but the action needs to be guided and supported. 

“Once there is seeing, there must be acting. With mindfulness, we know what to do and what not to do to help.” ~Thich Nhat Hanh

Take passwords, for example. What does awareness of passwords mean? What does it look like?

Start by applying the definition of awareness to the concept of passwords. What is the consequence of selecting and using a password? Or of password reuse? The challenge isn’t the answer to the questions (especially from someone already aware). The problem is the lack of broad, individual understanding of the connection between intention and impact — in context. Instead, people know only that passwords are a pain to endure.

The key to awareness is to create an environment for individual realization.

Present familiar information readily embraced and understood by the audience. Focus on what matters to them. Guide a journey from a decision to an outcome. Allow them to work through the elements. Support the realization of the consequences — based on their intention, and with their impact.

I teach people how to build better passwords by providing a functional overview. No jargon. No math. A whiteboard diagram with boxes, arrows, and a discussion (not a lecture). For many, it’s the first time the information has made sense. It’s finally in context. Like light bulbs going off, people become aware of the consequences of poor passwords.

Awareness does not generally mean individuals have the understanding and experience to take the proper actions. Awareness is the realization. Nothing more. Once aware of the consequences, people often develop a desire to learn. They seek training.

Training

Training: a specific, timed situation to acquire and demonstrate new skills. Training is defined, measurable, and the outcomes demonstrable. 

Training can be formal, informal, scheduled or ad-hoc. Training can take minutes, hours, days or longer. The key is that training is the learning of new skills. The result of training is the demonstration of those skills.

Once people are aware of how passwords work, training to build a better password starts with strategies. Participants learn different methods. Armed with information, the key to the training is how they use it. Built using the Information Interaction Model (IIM), people form small teams, plan their strategy and then compete against others.

In a matter of minutes, participants upset about the insanity of 8-character passwords confidently build, share, and explain the methodology to create 32-character passwords. I’ve even had a person come up to me over five years later to recite the password learned on a Tuesday afternoon! They learn, practice, and demonstrate the skills they need to build and use better passwords.

The challenge of training is that the new skills are often shelved in favor of familiar routines when faced with a consistent (read: unchanged) working environment. In other words, just training someone may not lead to lasting change in behavior.

Development

Development: the consistent practice of skills gained in training, exercised for the purpose of improvement. 

Development can be formal or informal (personal, ad-hoc), structured or unstructured, long or short. Development must be adapted to the outcomes. Successful development incorporates a mechanism for measurement, assessment and recording progress.

During development, people gain experience and a deeper understanding of the skills and how to apply them. This often generates new awareness, inspires new (supplemental) training and encourages people to continue to develop their skills.

Effective development provides the right structure to guide individual improvement. Eases the process of change. Keeps development focused on applying the skills. Helps to prevent misunderstanding and bad habits.

The development path for passwords has a lot of options. It often starts as an extended dialogue. Build on newfound knowledge and skills to build better passwords. Talk about password reuse, proper development and operation, handling exceptions, and candid insights about common challenges. Encourage questions. Amplify experiences. Look for experiences to allow people to continue to apply and develop their skills.

Place emphasis on progress over perfection. 

The more the organization supports and promotes development, the more successful the efforts to encourage new behaviors.

Shifting the culture, focusing on individuals

People make up companies. To shift the culture and influence change, use the advancement through awareness, training, and development to target and shift specific, individual behaviors. Address the needs of individuals to advance the organization.

I use these steps for my own learning. I guide clients, audiences, and workshop participants through this advancement. Understanding these three steps creates better outcomes.

Test it out. Let me know how it works. Get stuck, have a breakthrough or want to chat about it? Let’s connect and revive the art of conversation!

When good intentions lead to bad password advice
By Michael Santarcangelo, Wed, 10 Apr 2013
http://www.securitycatalyst.com/when-good-intentions-lead-to-bad-password-advice/

Ever ask someone “How does a password work?” I’m curious what the response is.

I’ve spent the last decade working with companies to successfully change the way people build, use, and maintain passwords. I ask that question all the time. Seldom do I get the right answer. And even then, it takes some work to get the pieces right.

Authentication is complex. Explaining the role of passwords in a meaningful way to influence and measure behavior change has eluded us for over 20 years. Done right, it requires an understanding of identification, authentication, assurance and privileges. Dry topics that need to be brought to life and presented in a way that makes sense.

The principal challenge of passwords is misunderstanding and a failure to communicate personal and business value.

In an effort to make a connection with others, I’ve started to notice recommendations that people go to websites to check the strength of their passwords. This isn’t phishing. It’s not a clever, but simple attack. It’s well-intentioned advice coming from the mouths and keyboards of security practitioners.

When I asked about it, I was told it was a way to help people check the strength of their passwords with a visual result.

The problem is that the best intention often leads to a bad outcome. 

Who owns the website? How is it structured? Does it store the passwords? How is it checking the strength? Does it capture domain information? Is it handling the passwords in plaintext?

I applaud anyone taking an effort to educate and support others. But suggesting someone go to a website they don’t control and typing in their password is bad advice.

If someone gives you this advice, politely decline.

Even if the intentions of the site are good, does it become a target for attackers to compromise?

Worse, does this encourage otherwise promiscuous password habits? How is giving your password to an unknown website any different than giving it out over the telephone?

As we continue to empower and enable people to build better passwords, it is important to consider the unintended consequences of advice.

I’m always available for a quick chat through social media or by telephone to talk through better strategies. I’m even building out a scenario to share how I solve this problem for organizations.

Worried about passwords? Let’s connect and explore.

The Perfect Message Fallacy is a barrier to effective communication
By Michael Santarcangelo, Tue, 09 Apr 2013
http://www.securitycatalyst.com/the-perfect-message-fallacy-is-a-barrier-to-effective-communication/

A barrier to effective communication, the Perfect Message Fallacy is the misguided attempt to create one message that offers something to everyone. Despite the best effort put into the messaging, it results in no value for anyone. A message easily ignored.

The gap between expectation and experience, much like the illusion of communication, leaves people confused, frustrated, and disconnected. It happens as much with internal communication as with external marketing and sales. It afflicts a lot of communicators regardless of their experience or the medium of delivery.

The attempt to craft the perfect message to speed efforts forward has the opposite effect: confusion that prevents people from understanding. Lack of understanding prevents action. For vendors, this means a longer sales cycle and a smaller deal. For internal teams, this results in rejected requests, diminished funding, and delayed projects and programs.

The quest for the perfect message

The daunting task of crafting a message to varied, multiple audiences leads communicators into a trap. Overwhelmed by the idea of creating tailored versions of the same message, they decide to create one message to meet the needs of everyone.

Packing in as much information as possible forces out context and other connective tissue. The focus turns from delivering a distilled message that resonates with the specific audience to spewing forth as much data and detail as possible.

It creates an information buffet and places all responsibility with the audience to choose what suits them. The expectation is that each person will consume precisely what they need out of the stream of information flowing by.

It doesn’t work as expected.

The experience of the perfect message

Panning for gold is a fun experience when exploring Alaska on vacation (truly, it is). For an audience with deadlines, stress, and a mound of work waiting for their attention, sifting through a mountain of irrelevant information to find a nugget of value is a task easily ignored.

While the experience promised value, the deluge of unfocused information caused the audience to tune out. Without the context to connect to something that matters to them, the best use of their time is to focus on other tasks.

Presenters attempting a “perfect message” often remark that the audience showed more interest in their smartphones, tablets, and laptops than the information shared. Chalked up as the challenge of engaging people today, it’s actually a sign of common communication and the perfect message fallacy.

Why the perfect message isn’t

Effective communication is a process, not a product. The process includes creating the right message, delivering it the right way, and navigating to mutual understanding.

The process requires the communicator to take responsibility for making the right decisions based on the audience. Each audience is likely to value different things, or to experience them in different ways. That requires the ability and effort to capture and distill essential information for each audience.

It is possible to have a set of key points for all audiences. However, the ability to deliver the right message and foster mutual understanding depends on using the right context, stories and examples relevant to the audience.

Avoid the Perfect Message Fallacy

Recognition that creating a perfect message is a fallacy is the first step. Taking time to distill key points helps to focus the effort. Capture the right elements, distill them, and present them to the right audience.

Establish a connection — the right connection — to present the information people care about, in the way they naturally absorb the information. Take people out of the buffet and treat them to a tailor-made feast of insight they are sure to enjoy.

Three steps to liberate and share stories
By Michael Santarcangelo, Wed, 03 Apr 2013
http://www.securitycatalyst.com/three-steps-to-liberate-and-share-stories/

This is a continuation into the exploration of business stories. Check out “Why we need better business storytelling,” “How to build better business stories,” and “Why stories need to be liberated” for additional insights. 

As a catalyst, I listen to and learn from the stories of others. Engaging individuals in comfortable and safe situations to allow their story to emerge and take shape yields valuable insight into the individual, and often into the organization.

As explained in “Why stories need to be liberated,” too many people are disconnected from the definition of story and experience of storytelling. As a result, they are unable to realize and articulate their own story, let alone relate the stories of others.

My personal mission is to meet people where they are, and if possible, guide them on a journey to discover and share their stories. This is how I honor my belief that each individual has a story. Their story is worth telling. Every person’s story deserves to be heard.

Three steps to liberate and share stories

With over two decades of working with people and organizations to free the story within, I’ve discovered a pattern. Most people need:

  • Help discovering their story
  • Structure and confidence to give voice to their story
  • A platform to amplify their story

The path through these steps is usually non-linear and involves a lot of discussion, incubation, and exploration. This is one of those situations where the journey is the destination, and it takes time. As a benefit, even a quick pass through generates increased self-awareness.

Liberating individual stories is important. Understanding our own story makes it easier to connect with and understand others. It improves the ability in each of us to tell and learn from better personal and business stories.

Each of the three steps is simple and nuanced. Here are some ideas on each of the steps to guide a personal liberation of story.

Personal story discovery

Consider the dread that comes with crafting a bio, writing a resume, or completing the self-assessment portion of the annual review. Despite our natural affinity for story, when it comes to discovering and celebrating our own, we are woefully uncomfortable. And silent.

“We are all born originals – why is it so many of us die copies?” – Edward Young

Often, the need to belong, to fit in, corrupts the process of discovering the inner story. It feels safer to use common words, phrases, and concepts without clear meaning. Staking a bold claim, sharing personal details of conflict, emotion, and the resulting transformation is scary. We move to avoid feeling vulnerable.

Discovery asks people to step outside their comfort zones to truly examine themselves. The more willing a person is to push the bounds, the deeper the insight, the more powerful the story that emerges.

The challenge — for individuals and organizations — is moving past common answers without meaning to uncover value. The key to discovering the story within is to change the lens by which people see themselves. Shift the perspective to capture details that truly stand out.

This often means asking the same questions multiple times, albeit in different ways. This process requires time and patience. Ideas need space to incubate. Details take time to surface. After multiple rounds, the core elements of the story begin to form.

The work begins when the initial elements are realized. It takes disciplined effort to explore further. To consider details. To add missing elements. To subtract the unnecessary. Too often, people pause their journey after the first round.

We need to provide open ears and open hearts to listen to more stories, encourage people to dig deeper and distill more. We need people to do the same for us.

Structure and confidence to give voice

Successful stories rely on proper structure. As individuals discover the elements of their story — characters, conflict, resolution — structure guides clarity. It helps put the pieces together in a way that makes sense. It increases insight for the individual while preparing the story for sharing. Structure makes the story come to life.

Encouragement is as important as structure. Individuals need confidence to give voice to their story. Presenting to others in any medium is stressful and risky. The risk is amplified when sharing personal details and thoughts. I still pause before publishing a column, taking the stage for a keynote, and still vividly recall the fear of publishing Into the Breach.

The right blend of structure and support helps move people past the natural fear to share their story.

Platform to amplify the story

We have an innate need for our stories to be heard. Sharing allows validation, learning, and human connection. Stories told well create a demand for more. As others share, it turns into a routine of swapping stories. Story-swapping is a great way to learn and reach mutual understanding.

The key is finding the right platform to share and amplify the story. Platform is a wide-ranging concept. Social media, the water cooler, blogs, newsletters, public speaking, radio, television, and others are all platforms. Some stories thrive around the campfire, and others fill the airwaves.

There is no right answer. Individuals and organizations both benefit from a variety of platforms and opportunities to share and swap stories. All stories have value and deserve to be heard.

Let’s start a story liberation movement!

Stories untold are a tragedy. Stories need to be liberated to have value. My quest is clear: continue to engage, empower, and enable people to free the story within.

What is your story? Connect with Michael and share!

Why stories need to be liberated
By Michael Santarcangelo, Tue, 02 Apr 2013
http://www.securitycatalyst.com/why-stories-need-to-be-liberated/

This is a continuation into the exploration of business stories. Check out “Why we need better business storytelling,” and “How to build better business stories” for additional insights. 

Stories are important. Throughout history, stories serve as the primary means to share information. Good stories put information in context. Powerful stories move people to action.

The reality is that while familiar with the term, most lack even a basic definition of a story. Being unable to define a story leads to the inability to tell one. Worse, it means most individual stories remain hidden.

Stories left untold are a tragedy.

Examples are not stories

When working with clients to craft better business stories, the first hurdle is helping individuals realize the difference between stories and examples. Most organizations relay examples — size of company, title of person, business challenge, results of solution — in a perfunctory way.

These are not stories. A basic story has characters, conflict, and resolution (learn three steps to build better stories). A business story leads a journey and shares the right mix of emotion to connect and move people.

The flood of examples leads to a predictable call for more stories. This results in more examples labeled as stories (learn more in Why we need better business storytelling).

Why the call for more stories leads to more examples

The steady call for more stories in business is based on faulty presumptions:

  • People know what constitutes a story
  • Knowing what a story is leads to the proper development
  • Proper development of stories leads to powerful storytelling

Optimistic, but not the experience of most people. As a result, people struggle to figure out the elements. Without much insight or training, the resulting examples are passable and embraced as stories. The cycle continues.

The challenge lies in freeing the stories inside each person.

Why stories need to be liberated

I am driven by a simple belief: each individual has a story. Their story is worth telling. Every person’s story deserves to be heard.

Onsite client engagements often provide the opportunity to dine with my hosts. A glass of wine, a relaxed atmosphere and time to get to know one another usually primes the storytelling process. A few simple questions about career paths or life outside work usually get the ball rolling.

Except the answers are not usually stories. Initially, they tend to be a series of story fragments. Concept without conflict. Challenges downplayed. Resolution left out for fear of bragging. Rather than a compelling story that draws us in, people resort to listing off accomplishments like reading off their resume. Most people politely listen as they mentally prepare their list of accomplishments to share.

This is the moment when the story is crying out to be liberated!

The fragments are clues. When absorbed and processed, they lead to a natural line of questions that allows us to coax the story out of someone. It’s a delicate balance to ask the question in a way that frees the story. Otherwise, it comes across as grilling or judging someone, and that has the impact of shutting them down, driving the story deeper.

The process is a natural discovery that enriches everyone. Better yet, as the story emerges, the pace of the conversation often quickens as participation grows. People relate to the story, and want to share their insights and experiences. The power of stories to unite people on display!

Individual stories are the core of powerful business stories

Organizations are comprised of individuals. In my practice (and nearly two decades of experience), I’ve learned that to advance the organization it is important to address the needs of the individual. Working with people to liberate the stories inside them is a powerful way to give them a voice, to contribute to the fabric of the business.

Powerful business stories are, or start with, strong individual stories. Perhaps they detail how a product was discovered, a solution developed, or how a person (or team) overcame a struggle. Sharing the story validates the person and provides a time-tested way to connect with others.

People want to be heard. We have an innate need for our stories to be told. The challenge to overcome is that simply asking for the story doesn’t normally work. We need to adopt a different approach to liberate the stories of individuals, to build better business stories.

Next, learn “Three steps to liberate and share stories.”

How to build better business stories
By Michael Santarcangelo, Thu, 28 Mar 2013
http://www.securitycatalyst.com/how-to-build-better-business-stories/

This is a follow-up to “Why we need better business storytelling.” 

Lack of clarity over the three basic elements of story — character, conflict, resolution — leads to attempts to tell business stories that are mere listings of events. Words without emotion, as if connecting with people is not part of business.

People are the core of an organization! We are fueled by stories. We thrive on emotion. We make emotional decisions (backed, of course, by sound logic). We need better business storytelling.

We need better business stories.

Current attempts to tell stories in business focus on environment instead of characters, symptoms over challenges, and present a resolution without the journey and transformation (if appropriate). All without emotion, insight, or connection.

Small shifts create big changes.

While training and development in effective communication and storytelling yield undeniable benefit, anyone who follows three basic steps demonstrates dramatic improvement:

  • Capture and share the details of the characters
  • Explain the challenge
  • Guide the journey through the challenge to the resolution, showcase the transformation

Business stories are non-fiction, but that doesn’t mean they have to be dry. Boring stories are boring. Period. Consider the three points and how incorporating these elements improves current and future business stories.

Capture and share the details of the characters

Move beyond the name and title and share the essence of the individual or people of the story. Include details about interests, hobbies, or something colleagues equate with them. This isn’t fiction, no need to focus on internal monologues, deeply held secrets, and the work of novels. Keep it simple. Focus on positive, relevant elements that foster a connection between the audience and the character.

Explain the challenge

This is where it pays to take a risk. Capture the real challenge, share the emotion. While work has moments of thrilling excitement, most people also experience extreme frustration, fear, and disappointment. The challenge, then, is not just the “business problem requiring resolution,” but the emotional ride through the process of asking for help, finding a solution, getting the budget, implementing the project, and then, hopefully, realizing results.

The key is to share relevant emotion. It’s not a Hollywood screenplay. Revealing genuine emotion — including the way people evaluate solutions in terms of risk to themselves — provides a real connection. This is not one-size-fits-all, either. Just incorporate some basic emotion that most folks feel.

Aside: If telling the story in person, this is a great opportunity to confirm or alter the story based on audience feedback. In the event the emotion doesn’t connect fully, ask them what they think and feel. Ask them to share their story. When they’re done, build on the relationship and their insights to explore how to guide the journey. 

Guide the journey

Explain how the character(s) navigate the emotional challenge. Place focus on showing how specific excitement or concerns played out. If someone was worried the system would cause a disruption, first set up the concern, then explain how it played out. As long as the narrative is real, this offers proof that the problem is understood on a personal and business level.

Just like explaining the challenge, it’s okay if the journey of the story isn’t a perfect match. Sharing the emotion experienced on the pathway is a starting point for a more detailed and productive conversation. It sets the stage to explore how the solution would work in the environment of the audience.

What a better business story could look like

Note: this is not based on any specific person, client or situation. Probably as close as I come to writing fiction, it’s a brief attempt to illustrate the difference between the example here and better stories. In client situations, I profile real people (changing appropriate details), capture actual emotion and distill the right elements on the journey to resolution. I love talking about this approach – want to connect? 

Rather than setting the scene of a “generic client” with a “specific business problem”, introduce real people into the situation. Invite the audience into the world of the character, for example, the security administrator.

Harry is the security administrator for a medium-sized financial firm in the Midwest. Last year, a typical morning started at 7a with a trip to the company gym. After a fresh cup of coffee, Harry attended project and status meetings to represent security, handled routine and requested security reviews, connected with others on Twitter (he loves that @catalyst guy) to catch up on the latest threats and ended his day around 5pm.

But now, an endless barrage of attacks and shifting threat landscape means more manual tasks. Now the day starts at 7a – but Harry skips the gym to get right to his desk to find out what emergencies need attention. Skipping lunch and heading home after dark, Harry is putting on weight, stressed out, and most importantly — missing the soccer games of his daughters, and date nights with his wife.  

Consider the scenario above. Is Harry relatable? Does it hit home or seem like someone you know? What details would you add? I quickly created Harry based on personal experience and witnessing the toll on friends. Ideally, we profile real people (but change the names and some details as needed).

Modified as needed, the main character is introduced. By capturing the contrast in the environment in the last year, the stage is set to introduce the challenge. Noting the physical toll and impact to Harry’s personal life is a detail that most who have been there know well.

Faced with the reality that he is unable to keep up with the workload, Harry starts working later and later into the evening and on weekends to find a solution. After narrowing down potential solutions to three, he has to find a way to convince his boss to approve the time and effort for evaluation. Worried that his boss will see the request as a sign of failure, Harry mulls how to get the approval. He won’t even consider the budgeting until he sees if something can actually help without causing an even bigger headache. 

Now the real challenge surfaces: it’s not just the change in the external environment, but the personal realization that the current situation is not working. Harry has to admit he needs help. He has to ask his boss for approval just to evaluate solutions. A lot of people are uncomfortable admitting they need help — and fear the repercussions from a superior who may choose to question their work ethic and abilities.

This is a real, rich canvas upon which to create and explore. It’s also potentially dangerous and takes some time and effort to capture just the right amount of challenge without scaring people. It is important to capture the right amount of real emotion without overdoing it.

Now guide the journey through to resolution. Despite what people might suggest, solutions aren’t magical. Part of the challenge, the struggle, is to assess whether the solution helps or hurts. We’re working with people trying to cram too much into too little space. Even a solution that looks good on paper is a risk: maybe it won’t work, there is no budget, and if it doesn’t work, what personal embarrassment will they face?

Overworked and worried about the potential to disrupt the network, Harry was surprised that the initial setup only took two hours – and didn’t even cause a hiccup. An hour after the install team walked him through the system, Harry was able to see changes in the environment and take action from a central console. Suddenly, what used to take the entire morning was done before his first cup of coffee even got cold.

What really impressed Harry was how easy it was to demonstrate the value to his boss. VENDOR was able to help Harry produce reports and show how the system would pay for itself in the first year. More importantly, it freed Harry up to work on other pressing responsibilities. Initially worried that his boss would penalize him, Harry found a commendation of excellence on his desk and a better relationship with his team. The real prize, though, was getting back to the gym and seeing more of his family.

I may have embellished that part a bit. I also glossed over a lot of details that a real solution must capture and demonstrate. But I made this up to showcase the journey and explain how it allayed fears.

Inherent in the struggle is finding the time and energy to properly assess the solution and come to a decision. As they work through the conflict… what do they do? More importantly, how do they feel? What are their fears? Excitement?

What prompts the decision? Once the solution is decided on, and the system installed and running, what is the resolution? Did they get the time back in their schedule? Did they get back to regular date nights with their spouse? Back in the gym and losing weight?

Too perfect? Well, it has happened. I interviewed some individuals last year on behalf of my clients and found two people that relayed stories just like that. One individual even got a promotion out of the deal. When I asked what they would do differently, both told me they wouldn’t have waited so long!

Liberate and share better business stories

We all have stories waiting to be discovered, liberated, shared. The key to telling better business stories is to build better stories. Start with the basics. Consider the reality of character, conflict and resolution to distill and guide the emotional journey to successful conclusion.

I live to liberate stories. Have a question or want to talk about how to make a difference? Let’s talk!

Why we need better business storytelling
http://www.securitycatalyst.com/why-we-need-better-business-storytelling/
Wed, 27 Mar 2013 13:56:14 +0000, Michael Santarcangelo


Stories are the creative conversion of life itself into a more powerful, clearer, more meaningful experience. They are the currency of human contact. — Robert McKee

Popular throughout history as the primary means of communication, storytelling is getting a lot of attention lately. Seems that everyone is calling for more stories for the business world.

I believe in the power and importance of story. Essential to effective communication, we need stories to connect, to foster understanding, to move people to action. And yet, while everyone is talking about stories, few people are actually engaging in business storytelling.

In the last two years of working with clients to distill and effectively communicate complex topics, the search for stories revealed three findings:

  • Few of the dozens of people I worked with directly were able to define “story”
  • Fewer people were capable of telling a story; this wasn’t limited to the business context
  • Each organization — and most people — were convinced they had stories, and were dismayed to learn they didn’t

Despite a culture rich in professionally crafted stories delivered through books, television, and movies, business “storytelling” is nothing more than a transactional listing of events.

How organizations tell stories today

When asked for stories, the organizations I work with often send me documented examples of the success of their solution.

These documents generally chronicle how CLIENT (ideally a recognizable name), working with TECHNOLOGY (the platform and other relevant details) was not getting promised results. Good news! When CLIENT implemented VENDOR solution, CLIENT was happy. Sometimes it includes quantitative proof of results. 

Under the guise of story, these documents merely provide a series of facts, leaving it to the reader to surmise the details and, if possible, tell their own story. The reality is most readers don’t. They lack the desire, the time, and the experience to craft their own story from the presented facts.

While the example is common with vendor literature, I’ve seen worse when it comes to internal projects at large enterprises. The use of stories to improve adoption and implementation of projects is in short supply. As a result, projects get bogged down, efforts get derailed, and sales take even longer.

Houston, we have a problem.

In order to tell stories, we have to know what a story is. 

What constitutes a story?

Storytelling is a broad discipline with different approaches, models, and types of stories. As a basic guide, a story has three parts:

  • Character(s)
  • Conflict (too aggressive? use challenge)
  • Resolution

The power of story is the limitless ways these three elements can be combined to connect with people emotionally, convey information and even inspire action. In stories, one or more characters work through a challenge to reach resolution. Often, the characters experience a transformation as a result.

Why tell business stories?

As we journey with the characters, we feel something. We understand. Whether we root for, against, or both, we get vested in the outcome. It becomes important to learn how they handle the struggle, and what happens to them as a result.

When the story hits close to home, it becomes an opportunity to learn. Good stories told well are a lens by which we can view ourselves.

When selling a concept, process, solution to someone else, a story helps put it in context. Make no mistake, everyone sells. Every project. Every idea. Every effort requires convincing someone else to take action, show support, or adopt a different approach.

Stories allow us to share information in a way that makes sense. Stories bring ideas to life.

Change is scary. Change is risky. Stories connect with those fears and concerns and demonstrate how they may or may not come true. Used properly, stories reveal a pathway to change.

Update: learn “How to build better business stories,” “Why stories need to be liberated,” and “Three steps to liberate and share stories.”

Why the illusion of communication creates confusion
http://www.securitycatalyst.com/why-the-illusion-of-communication-creates-confusion/
Mon, 25 Mar 2013 14:46:10 +0000, Michael Santarcangelo


“The single greatest problem in communication is the illusion that it has taken place.” – George Bernard Shaw

When I share this quote in keynotes and training, almost the entire audience nods their head and smiles. They signal agreement.

Why the illusion?

Every day, people say things. The person sharing their brilliance remains confident in their ability to communicate. The audience remains equally confused, confident only that nothing was gained.

There is more to this quote than a tacit agreement of a common experience. The reference to an illusion cleverly teases out the difference between definition and expectation.

To understand the impact of the quote requires three elements:

  • literal definition of communication
  • implied expectation of communication
  • common experience of communication

The difference between definition and expectation

Communication is defined simply as the act of imparting or sharing information between parties. When someone says something to another, communication did take place. It just wasn’t very good.

No illusion. Communication only stipulates that information is shared. Cue confusion.

The word communication carries an implied expectation of understanding. When a communicator shares a message, they expect the audience to understand. Generally, they expect an action as a result.

What happens when the audience doesn’t understand?

The common experience of communication

A hotel lobby provides a perfect backdrop to consider the experience of communication. Sit in the middle of the lobby (in a socially acceptable manner). No cell phone, tablet, or laptop. The goal is to be present, but to observe. Try it out.

When I did this a while back in a hotel in Los Angeles, I experienced the flash and glow from ten television screens, each on a different channel. I saw three different newspapers available, two hotel kiosks, an ATM, and three public computer work stations. I counted on one hand the number of people without a cell phone attached to their ear (or headset).

The reality of communication confusion

People are inundated with “messages” and communication seeking attention. Easy to observe in a hotel lobby, airport terminal or other gathering spots, the distractions continue in the workplace and at home.

Overwhelmed and distracted from the beginning, what a presenter considers communication is often ignored, registered as noise, or misunderstood entirely. Expecting the audience to invest the time and effort to discern value and act accordingly is a common fallacy (I call this the Perfect Message Fallacy).

The reality of the experience of communication is that the audience rarely understands a message in the way the communicator expected, if at all.

The downward cycle of communication confusion

The conflict between definition, expectation, and experience results in a perpetual downward cycle. Each communicator remains confident in their ability and clings to the expectation of understanding. Each audience, comprised of communicators, remains confused.

Ultimately, people grow frustrated, disconnect, and focus on what matters to them.

Consequences of communication confusion

As people disengage, they grow more disconnected from the consequences of their actions (see: Human Paradox Gap). Worse, future efforts to influence behavior change are resisted. The struggle to realize and demonstrate business value grows more complicated, and more expensive, too.

Desensitized to the current approaches of communication, everything takes longer, requires more effort and often results in more frustration.

Break the cycle to end communication confusion

Everyone communicates. Everyone is an audience. Caught in the conflict between the illusion and the experience, people recognize and cite the on-going challenges of communication as a barrier to organizational success.

While most people believe communication needs to change, few see it as their role. Confused, frustrated, people feel powerless to change. This is further exacerbated by a constant demand for better — and more — communication without explanation of what, how or why.

To break the cycle, we first have to step back and reconsider communication, define terms and model results. Stay tuned for more.

The question that clarified my purpose to engage people and effectively communicate value
http://www.securitycatalyst.com/my-purpose-help-people-effectively-communicate-value/
Wed, 27 Feb 2013 18:49:37 +0000, Michael Santarcangelo

As the fog lifts, my journey continues with a sense of clarity and purpose. It’s exciting, invigorating, and feels like starting over again. This post shares details from my three-year journey, introduces my focus on effectively communicating value and explains my vision to benefit those struggling to address challenges related to people, value and communication. I realize it’s a bit long for a conventional blog post, but after a year of silence, some things needed to be written… each with sincere gratitude and an open invitation to engage with me. I’m back and ready to rock.

Word Count: 1644 words

Reading time: a little under 8 minutes

In December of 2009, a few weeks before we embarked on our RV Adventure, a friend called, unexpectedly. He quickly explained that I was on his mind, and he felt that he needed to quote Bruce Lee to me: “I do not fear the man who practices 1000 kicks, but I fear the man who practices one kick 1000 times.”

He then asked, rhetorically, which I was, and which I wanted to be. At the time, I was definitely the man who practiced 1000 kicks. Discovering my “one kick” to practice for a lifetime is the question that fueled a personal quest of discovery.

The first stop on our journey was Myrtle Beach. Intending to rest for the night before heading to Florida, we ended up spending three months at a beautiful campground surrounded by nature, great people, hot showers and campfire conversations. I took daily walks around a spring-fed lake, marveling at bald eagles, counting turtles and talking to myself. The now-external monologue recounted my history and experiences and marked the early stages of the search for my purpose.

Looking back, focusing on effectively communicating value is obvious. But isn’t that the beauty of important discoveries? In hindsight, it’s obvious.

As with the best laid of plans, our intention to leave Myrtle Beach was thwarted by a small fire in the inverter. Ultimately, we’ve remained here among the tourists, gardens and the call of the ocean. According to the local chamber of commerce, every day is 85 degrees, sunny, and with a perfect breeze. For me, the ocean is the perfect backdrop upon which to ponder and explore my purpose, to narrow down to one kick.

While this journey was mine to take, I’ve never been alone. Beyond my soul mate, countless friends, colleagues and clients have reached out, shared meals, entertained discussions and helped to guide my focus. Turns out most of the folks on the journey saw in me what I now recognize in myself. To those who participated in this journey, I am forever in your debt.

This January marked 11 years of running Security Catalyst. I took a moment to quietly celebrate and reflect back. In the process, it was clear that my quest had produced an answer, and the time to move forward had come. I feel like I’m starting over – but with more clarity, experience, energy and drive than I had over a decade ago.

My passion, my purpose and my focus is to work with individuals, teams and organizations to capture, distill and effectively communicate value. This allows us to engage people, connect them to the consequences of their actions (by modeling positive behavior) and influence behavior change. 

It turns out the underlying challenge in most organizations is how to engage people, influence behavior change, demonstrate value and effectively communicate that value – internally, with partners and into the marketplace.  It’s more than a noble challenge; it’s an essential component of successful organizations.

Despite persistent myths that suggest communication improvement is out of reach, I’ve found a way to blend the science of human ecology with the principles of effective communication… and a dash of common sense.

The result: a system to effectively communicate value

For over a decade, my practice has centered on the role of people in security. For almost as long, clients have called on me to help craft communication to connect with people and improve the outcomes of security initiatives, projects and programs. Whether speaking, training, writing or directly leading efforts to engage people and influence change, I started to sense common underlying elements.

From the beginning, it was clear to me that the key to working with people was communication; more importantly, we needed to realize and demonstrate value while improving the ability to communicate effectively. As a result, I began to research and develop models, methods, frameworks and simplified approaches that made it easier for my clients to improve in any situation by modeling what to do, showing how to do it – and most importantly, explaining why it worked.

The result of over a decade of effort is a flexible, adaptable and scalable system that I use, teach and improve that allows any person to capture, distill and effectively communicate the value of any topic to any audience. Based on some astute feedback, I named it the Effectively Communicating Value System.

I realize this is a bold claim, but the system works. In the coming weeks and months, I’ll share insights, resources and models to prove it. But there’s no need to wait – schedule a call with me and we’ll talk. I’m happy to share.

The benefit: solve three core challenges every organization faces

People are at the core of each organization, and rightly so, the core of the Effectively Communicating Value System.

By searching for better ways to engage people, I learned better ways to assess the impact of actions on people, but also the influence of people on actions. That understanding leads to more accurate realization and demonstration of value, and ultimately the ability to effectively communicate value.

As a result, the Effectively Communicating Value System is a standardized way to address the challenges of:

  • Working with people: by bridging the gap and unifying people, business and technology, we’re able to connect people to the consequences of their actions by modeling and amplifying good behaviors, inspiring, easing and influencing behavior change. This covers a lot of terms and concepts that deal with people.
  • Realizing, demonstrating and connecting value: an elusive, shifting concept, we work to realize, demonstrate and connect value to audiences, outcomes and in most cases, business benefit (what I call the three pillars and two supports)
  • Capturing, distilling and effectively communicating value: a systematic approach to creating the right message, delivering it in the right way, at the right time and navigating to understanding

I’m fired up, and I need some help

It’s time for me to focus on writing, speaking, training and applying these concepts. To that end, I’m working on a series of resources and opportunities to help anybody in any situation. The plans are still forming, and I easily have a few years’ worth of work, content and opportunity to share.

As I embrace this focus, I seek:

  • Clients: organizations that realize the status quo isn’t working, and the key to success requires influencing people by demonstrating and effectively communicating value
  • Referrals: personal introductions to people struggling to successfully address these challenges with the suggestion to explore how this approach benefits them is a huge help and supports my efforts to benefit everyone
  • Discussions and insights: while I’m not a fit for every organization, most experience these challenges – and I look forward to conversations that allow me to share and explore how to help more people.

I believe in my ability to make a difference in any organization. I also understand that working with me requires an investment, and a lot of folks are still skeptical on solving what appear to be elusive challenges.  The natural fear, then, is that by reaching out to me, the conversation focuses on a hard sell.

Except that’s not how I roll.

Like most, I enjoy buying the right solution, but dislike the process of “being sold.” While I have to sell to build the business, I’m not interested in selling as much as I prefer to share, educate and explore. In my experience, if I’m the right fit to solve a challenge, we’ll find a way to work together. If not, then I’ll do what I can to make a difference in the time and space available to us.

To learn about what I’ve been working on and how it might work in different settings, simply reach out and we’ll speak.

No strings, no sales pitch. Seem too good to be true?

Best way to find out is to call me on it; well, to schedule some time to speak with me. If during the conversation, it seems I might be a fit, then we can either shift the call or schedule a follow-up to explore working together.

My intention is a call worth more than the time invested.

What to expect in the coming weeks and months

Here is some of what I have planned for the immediate future:

  • More consistent content production to include writing, speaking, podcasts, resources and other ways to share and support people addressing these challenges
  • Along the way, I plan to experiment with different ways to create, deliver and navigate understanding
  • More opportunities to engage; besides what I have planned, I’m open to ideas and suggestions
  • A new look and feel to the website, complete with better navigation and more clear explanations of what I do and how to work with me
  • Bringing back some old ideas with a new twist (catalyst community… but different)

The journey has just begun; join me?

As I shift from figuring out my purpose to fulfilling my destiny, my goal is to serve others to make them more successful. My journey, then, is the destination. I gratefully accept where I am and am receptive to where the path leads.

Driven by a belief that everyone has a story, each story is worth telling and deserves to be heard, I am focused on liberating and amplifying the narrative in each of us.

Let’s talk, swap some stories and find a way for a better tomorrow.

Is your definition of security holding you back?
http://www.securitycatalyst.com/is-your-definition-of-security-holding-you-back/
Sat, 24 Mar 2012 10:06:16 +0000, Michael Santarcangelo

A few years ago during a workshop, an exercise turned into a lesson learned for me. This column shares the story, the lesson learned and some tips on how you can improve your definition of security to ensure success.

Related to this challenge is a Google+ thread I started. Before reading it, take a few minutes to read the article, write down your definition of security and then contribute to the Google+ thread post [click here for the post].

Read the column here: http://www.csoonline.com/article/700074/is-your-definition-of-security-holding-you-back-

Is your definition of security holding you back?
Without a clear definition of security that is consistent throughout your team, how can you expect the people in your organization to comply? Michael Santarcangelo explains.

Read more of Michael’s CSO columns

Get a list of CSO columns by Michael Santarcangelo by clicking this link: http://www.csoonline.com/author/691051/Michael+Santarcangelo

3 reasons why asking risky questions reduces risk
http://www.securitycatalyst.com/3-reasons-why-asking-risky-questions-reduces-risk/
Sat, 17 Mar 2012 10:06:04 +0000, Michael Santarcangelo

From an otherwise innocent dinner table conversation, I penned this column examining the value of asking risky questions in the quest to reduce risk… what do you think?

Read the column here: http://www.csoonline.com/article/699119/three-reasons-why-asking-risky-questions-reduces-risk

Three reasons why asking risky questions reduces risk
Business professionals are often afraid to ask uncomfortable questions and will avoid certain topics entirely. But Michael Santarcangelo explains that by evading difficult issues, we actually increase our risk.


How your signature can propel your security career
http://www.securitycatalyst.com/how-your-signature-can-propel-your-security-career/
Sat, 10 Mar 2012 11:06:01 +0000, Michael Santarcangelo

This column explains how an afternoon at a car show revealed the power of literally signing your work. When not building engines and engraving your name for all to see, is your work signature ready?

See what I learned and consider how it might work for you, too.

Read the column here: http://www.csoonline.com/article/693435/how-your-signature-can-propel-your-security-career

How your signature can propel your security career
Skip the cookie-cutter approach to security! Tailor your work and make it worthy of your signature.


Three ways to measure effective communication
http://www.securitycatalyst.com/three-ways-effectively-communicating-value-can-be-measured/
Wed, 07 Mar 2012 17:44:39 +0000, Michael Santarcangelo

“The problem with communication is that it is too ‘squishy’ to be measured. It’s just easier to focus on technical efforts with project plans.”

This is an actual comment from a client about the challenge of security awareness and broader communication supporting technical projects. The irony is that at the time of the comment, the technical project was hitting delays and at risk of failure – due to poor and ineffective communication.

Time to put another myth to bed.

The myth: communication is a “soft skill” that cannot be measured

The Reality: effective communication is a reflective process; carefully selected benchmarks ground all aspects of communication, including: creation, delivery, navigation to mutual understanding, and even (or especially) outcomes

Why the myth?

I once asked a potential client how he measured success of security awareness. After a long pause, he calmly answered that he “didn’t waste his time measuring. He figured it was a waste of time, and preferred to cherry pick some stories to make sure his boss was happy.”

Unsatisfied, I pressed deeper. He revealed his concern that measuring actual results might demonstrate he wasn’t doing a good job. It was easier to manipulate the outcomes (and budget) with carefully timed stories.

This is similar to the often-accepted myth that it is not possible to teach or learn effective communication. Smashing that myth explored some of the ways in which communication is written off as “inborn and untouchable”, fostering perception that improvement is impossible.

With this way of thinking, it’s easy to dismiss the process of measuring and reflecting on communication as not being worth the trouble.

The assumptions are not true.

That something seems challenging doesn’t mean it is impossible; it often just requires a different approach or set of tools.

It is possible to measure communication; in fact, it is essential to effective communication. Here are three important aspects of measuring communication:

  • Baseline: in order to measure the outcome and demonstrate results, it is necessary to have a baseline; further, determining the baseline helps solidify the measurement plan (and sometimes even the essential elements outlined below)
  • Periodic feedback: a key component of effectively communicating value, periodic feedback yields insights that inform the overall process; as a result of these measurements, it is possible to adapt and modify messages in a variety of ways to produce more successful outcomes
  • Reporting: ECV is outcome-oriented, which naturally raises the question of success. The reporting measurement details the final breakdown of the messaging, whether it was successful or not – and why.


Three essential questions to measure value

Measuring communication draws on a variety of fields and skills, as well as tools. The most important aspect is to clearly define three essential concepts:

What does it mean to be successful?

The first step is to clearly define the expected outcome of the communication. Without this definition in place, measurement is elusive and often left to subjective judgment (and the ability to tell a good story using anecdotal evidence).

What is the value?

Value varies based on audience, context, timing and a few other key factors. Effectively communicating value requires exploring, distilling and documenting the significance of the message – in the context of success (defined above) to the audience.

How to measure what matters?

The key is measuring what matters. What matters is defined by the success criteria and the determination of value. From those, it is possible to use a variety of direct and indirect measurements and metrics to determine the baseline, periodic reporting intervals and final reporting process.

The purpose is to use available resources and opportunities to measure outcomes based on success in the context of value. All three work together.

Quick aside: measurement and metrics are related, but not the same. Measurement is action, the art and science of determining what and how to measure, including interpretation. Metrics are the gathered observations and collected elements often used for subsequent analysis.

Advanced Measurement of Communication

With the right structure in place – including a defined process for creating, delivering and managing content (and messaging) – it is possible to discretely measure the cost and value of specific messages, correlated to outcomes. It is possible to measure costs, efficacy and value of elements like:

  • Creation of content
  • Delivery of content
  • Consumption of content
  • Management of content
  • Engagement and outcomes

This means it is possible to develop an accurate understanding of how to best reach different audiences and outcomes for specific budgets and timeframes. Over time, this leads to less waste and a renewed focus on what works.

CSO Column: Finding security’s opportunity to engage http://www.securitycatalyst.com/cso-column-finding-securitys-opportunity-to-engage/ http://www.securitycatalyst.com/cso-column-finding-securitys-opportunity-to-engage/#comments Sat, 03 Mar 2012 11:06:20 +0000 Michael Santarcangelo http://www.securitycatalyst.com/?p=3632

This column shares a true experience from over a decade ago and the insights I’ve learned over the years on more effective ways to engage people in the practice of protecting information. This is an important element in effectively communicating value to engage, empower and enable people to be successful.

Check out the full article here: http://www.csoonline.com/article/690715/finding-security-s-opportunity-to-engage

Finding security’s opportunity to engage
Sometimes security can find surprising places to connect and engage with others in an organization. Michael Santarcangelo offers some tips on how to identify them

Learn effective communication with three key steps http://www.securitycatalyst.com/learn-effective-communication-with-three-key-steps/ http://www.securitycatalyst.com/learn-effective-communication-with-three-key-steps/#comments Tue, 28 Feb 2012 22:14:14 +0000 Michael Santarcangelo http://www.securitycatalyst.com/?p=3660

The practice of effective communication is essential to properly inform the process of decision-making. Without a clear understanding of risk and the consequences of potential actions, people (executives and individual employees) may make decisions based on unrealistic assumptions or a poor understanding of the solution.

It’s time to smash a myth about communication holding back the ability to connect with people, demonstrate business value and influence behavior change.

The myth: communication, let alone effective communication cannot be taught or learned; people either have it or they don’t.

The Reality: despite a commonly held belief that effective communicators are born, anyone willing can learn the art and science of effective communication.

Success requires guidance and practice to develop the skills of an effective communicator — but it is entirely possible for individuals and organizations to learn and embrace the use of these principles.

Why the myth?

Every myth has a life of its own, and it takes different shapes in the culture and in the individual.

For the individual, the myth probably started as a useful defense mechanism when an attempt to communicate didn’t go as expected. The experience was significant enough that an internal story about it was created to manage self-expectations and reduce the pain of failure.

At a cultural level, we reinforce the myth. People with less experience compare themselves to people with more experience. Individuals are told of their errors (spelling, grammar, ums, uhs and the like) without guidance or feedback to help them learn a better way.

Admittedly, the explanation is oversimplified, but that’s not to say we can’t learn from it.

There is no need to accept the notion that good communicators are born and the skill cannot be learned.

It isn’t true. The myth is false.

It is possible to teach and learn the art and science of effective communication.

While the myth is wrong, it does contain a thread of truth: the skills of effective communication cannot be bottled. The learning process is as unique as the life experiences that have shaped each individual and organization.

The good news is that learning about the principles and putting them to practice has a positive impact. But it also means that effective communication takes effort – though it doesn’t always have to be “hard.” The progression of communication is nuanced; consistency and quality of outcome is a function of understanding, practice and proper guidance.

Those who effectively communicate value at the top range of the scale (generally considered professionals) are often students of the craft, routinely engaging in coaching and other guidance and continue to seek out opportunities to improve.

While it may seem ‘hard’ in terms of time, effort and skill invested into the outcome, not everyone is a professional (or needs to be). Anyone can improve his or her ability to communicate and successfully work through the progression.

Putting the myth to rest, with proof

Two simple steps to end this myth:

  1. Stop believing it
  2. Stop repeating it

It’s possible to advance from common communication to effective communication by simply gaining awareness, incorporating purpose and using simple feedback to confirm if the message received matches the message sent.

Try it out today.

Here are three steps to craft a personal experience demonstrating that this myth is busted. The exercise is meant to offer a personal insight into the process of communication – it creates awareness and demonstrates that learning is possible.

Start with a 20-30 minute time constraint (less is fine, too). The key is to do the best possible job within the time and then reflect on the experience.

On a current communication or something new, do the following:

  1. Set an intention: write down, with a pen on paper, the purpose of the communication
  2. Take responsibility: think about the message and the audience – consider the best approach, which might include a good story and the right time/method to deliver the message
  3. Get feedback: deliver the message, pause, and then ask for feedback with a simple question like, “Does that feel right?” Then listen.

If someone understands, they often start by confirming that it “makes sense.” Keep listening. They need that added pause to fully process and evaluate the information against their range of experiences. Most people will offer a story or a ‘counter-story’ to test their depiction.

The same approach applies if they don’t understand. In either case, listen closely.

This point cannot be emphasized enough. The stories that get shared help to clarify the message. They offer clues for refining the communication to make a more accurate connection (now and in the future).

Feedback and reflection improve the practice of effective communication

Want to get better at effective communication?

Reflect on the entire experience – stated intention, preparation, delivery, feedback and resulting navigation to understanding.

Be curious. What worked? Where might a new approach work better? Following the original process, create and deliver a revised message to a different person.

Did you complete the exercise?

Myth busted?

If you didn’t, take a few minutes to share the reasons. I find that these reasons speak volumes about my own relationship to the myth.

CSO Column: Improve your security leadership with one simple lesson from improv http://www.securitycatalyst.com/cso-column-improve-your-security-leadership-with-one-simple-lesson-from-improv/ http://www.securitycatalyst.com/cso-column-improve-your-security-leadership-with-one-simple-lesson-from-improv/#comments Sat, 25 Feb 2012 11:06:04 +0000 Michael Santarcangelo http://www.securitycatalyst.com/?p=3633

Improv is great to watch and even more fun to learn and play (perform). There is a fundamental concept of improv that is essential for success — in improv, in life, and definitely for security leadership.

This article explains how.

Read the column here: http://www.csoonline.com/article/687570/improve-your-security-leadership-with-one-simple-lesson-from-improv-

Improve your security leadership with one simple lesson from improv
Leading from the front is a regular series from Michael Santarcangelo that shares practical tips, insights and solutions focused on security leadership, security awareness and effective communication. In this article, he reveals how theatre improv techniques can be applied to security leadership

3 ways to use the right cloud solution to shift from cost center to business advisor http://www.securitycatalyst.com/3-ways-to-use-the-right-cloud-solution-to-shift-from-cost-center-to-business-advisor/ http://www.securitycatalyst.com/3-ways-to-use-the-right-cloud-solution-to-shift-from-cost-center-to-business-advisor/#comments Thu, 23 Feb 2012 11:56:35 +0000 Michael Santarcangelo http://www.securitycatalyst.com/?p=3647

Among the challenges of wearing the multiple hats necessary to successfully manage information technology and security in a mid-market company is the nagging perception of being a cost-center provider of infrastructure services.

Since business has a natural tendency to reduce costs, it increases the challenge of providing the right services, growth and proper level of security to meet the changing demands of business – while doing “more with less” budget, time and staff.

The rise of cloud solutions provides a unique opportunity to continue to provide necessary infrastructure services – but in a way that shifts the role from “provider of IT” to “trusted business advisor.”

Understanding three key business drivers

In my experience, a business is necessarily focused on three core elements:

  1. Make more money (commonly called top line revenue)
  2. Save more money (often called the bottom line)
  3. Use existing resources better (I call that common sense)

Key to making the transition from cost-center to trusted business advisor is understanding how each of these three elements impacts the business – and how the infrastructure, including security, impacts them.

Cloud computing provides a range of benefits; one of the more attractive draws is the opportunity to take advantage of the enterprise-quality security built into some solutions in a way that provides an advantage to the business.

The opportunity goes deeper: shift perception of role and value by engaging the business and involving them in a solution that successfully solves one (or more) of their challenges resulting in:

  • Increased efficiency (and/or reduced costs): with the right planning and implementation, this means it’s actually possible to do more with less, freeing up time and energy to focus on other issues
  • Improved security: selecting a cloud provider that adheres to industry standards to protect information can bolster overall security efforts for a lower cost, all while improving efficiency and benefitting the business
  • Direct, demonstrable business improvement: solving someone else’s problem while also addressing the challenges of securing the infrastructure is a smart way to demonstrate a broader role in helping advance the business

Three ways to make the switch from cost-center-provider to trusted business advisor:

  • Look for an opportunity to solve a business challenge, with a twist: prove it is possible to be secure and innovate while meeting one of the three core needs (outlined above)
  • Invest in effective communication: effective communication puts the onus on the communicator to ensure the right message was delivered, mutually understood and acted on; it takes a disciplined approach, but the outcome is what drives success (stay tuned to this blog [RSS feed] and weekly newsletter [subscribe here] for continued focus on effectively communicating value)
  • Translate experience and insight into functional outcomes: instead of talking about technology, place emphasis on the functional outcomes and the experience; use this to both gain buy-in (and recognition as an advisor) and to drive selection of the right solution provider [gain some additional tips from this recent webinar]

This transformation starts with a fundamental shift in mindset. By considering key drivers and the current business challenges, it’s possible to find a cloud provider that increases security, improves operations and directly benefits the business – and your career.

The key is to get started – and you are not alone. You have my support, as well as the support of an entire community of people focused on addressing the needs of mid-market challenges.

How can I help you pick the right path, communicate the value effectively and make the switch?

Leave a note in the comments, schedule some time to speak with me (no strings) or engage with me on twitter (@catalyst).

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.

Everyone communicates; the progression to effectively communicating value is what matters | Reconsidering Communication Series http://www.securitycatalyst.com/everyone-communicates-the-progression-to-effectively-communicating-value-is-what-matters-reconsidering-communication-series/ http://www.securitycatalyst.com/everyone-communicates-the-progression-to-effectively-communicating-value-is-what-matters-reconsidering-communication-series/#comments Wed, 22 Feb 2012 04:17:37 +0000 Michael Santarcangelo http://www.securitycatalyst.com/?p=3650


“The single biggest problem in communication is the illusion that it has taken place.” ~ George Bernard Shaw

From ballet to baseball, coding to construction, and even coloring to communication, everyone starts with a blank slate. World-renowned artists, athletes and leaders all started in the same place: learning the fundamentals, including how and when to apply them.

While often noted for the remarkable and extraordinary feats they achieve, those abilities squarely rest on a firm foundation. Success is often attributed to a team of people who teach, coach and skillfully guide a disciplined practice that includes goal setting, measurement, feedback, and the desire to reach for new heights.

Communication is like that, too. At least it can be.

Everyone is a communicator, engaging in thousands of communications daily across a myriad of devices, in a multitude of situations. And yet, communication generally occurs without thought.

For many, communication is a primal ability taken for granted; it “just is,” and minimal, reflexive effort is often considered “good enough.” To the contrary, most surveys of employee engagement and organizational challenges list poor and ineffective communication as a top reason for disengagement and poor performance.

Right now it is important – arguably necessary – to reconsider communication and the role it plays in personal and professional success.

Investing time and energy into learning the principles of effective communication and how to best apply them holds a substantial immediate payoff with lasting and expanding benefits.

This is the beginning: more than a 10-part series to reconsider communication, it is the start of a journey to explore and improve, from basic communication to the ability to effectively communicate value.


This is the first of the 10-part series on the need to reconsider communication and the role it plays in driving security success. This series puts communication myths to rest, lowers barriers to effectiveness and reframes the benefits of effectively communicating value.

Get the entire series (and more) by subscribing to the RSS feed [click here], have each article emailed [click here for blog by email – select the blog by email box], or take advantage of the weekly Curated Catalyst Newsletter [click here to sign up – please select the newsletter box].

What does it mean to communicate?

Seems silly, right? After all, communication is part of the daily routine.

Yet we don’t often make the time to step back and ponder something as basic as communication.

We should.

In the simplest of definitions, communication is the sharing of information between parties; three required elements include the sender, a recipient and a message.

Common communication is instinctive, reflexive, and engaged in without awareness. For example, people tell stories at meetings and share examples with others to learn, to laugh and to persuade action. Lacking awareness, stories are not prepared, jokes are ‘off-the-cuff,’ and the examples shared tend to be spur-of-the-moment.

Sometimes the message connects, while other times it misses; sometimes, it misses BIG and creates a crisis that requires a lot of extra time, money and attention to address.

The demonstration of common communication includes an aptitude of skill; some people are quite effective – and funny – in spontaneous situations. Unfortunately, this skill and ability is often confused with effectiveness, leading to some myths to be dispelled in a post later this series.

Writing and speaking are popular forms of communication; however, music, dance, sculpture, art and others are successful and powerful methods to convey emotion and information.

Due to the unstructured nature of common communication, a premium is placed on real-time, face-to-face or other coordinated exchanges; it has to in order to correct for the high error rate. However, like a sign painted on a wall, a note left in a lunch box, or a message floating downriver in a bottle, communication can be fleeting or persistent, synchronous or asynchronous, and designed for one or many recipients.

Reaching mutual understanding is a challenge of common communication.

Progressing from communication to effective communication

Deliberate in purpose and in process, effective communication incorporates a feedback mechanism to ensure understanding of the message received matches the intent and purpose of the message sent.

Effective communication properly places the onus on the sender to correctly form and deliver the message. The effort invested into preparing, delivering and validating the message increases awareness and creates an opportunity to improve.

The effort invested into effective communication results in less misunderstanding and a more efficient overall use of time and resources.

Typically, effective communication is improved over time as a result of trial and error that leads to the experience necessary to distill key concepts and seek better ways to connect with the audience.

Progressing to effectively communicating value (ECV)

Effectively Communicating Value (ECV) is outcome-oriented; messages are designed and engineered according to models, methods and frameworks that allow measurement mapped to defined outcomes with adaptability in design and delivery.

By blending science with the principles of effective communication, ECV is both more precise (to the specific audience) and more flexible in terms of delivery mechanisms. The focus on measurement improves the feedback mechanism by incorporating a range of variables into a more comprehensive – and accurate – understanding of results.

With an increased focus on the practice and process to distill to value, ECV reduces communications errors and improves mutual understanding. This is an essential component to successfully helping individuals realize the consequences of their actions in the context of intention and impact, vital to bridge the Human Paradox Gap (HPG) [learn more here and in an upcoming series, or schedule time with Michael for a private briefing].

More than a single process, model or construct, ECV is actually an entire platform (or ecosystem) composed of structure, substance and support. Called the ECVx Platform (effectively communicating the value of x – whatever we need), it provides the tools and guides implementation to ensure successful adoption of an improved way to communicate.

Exploring the value and use of a platform to guide ECV is the focus of the next series; it’s an exciting concept that lowers the barriers and solves the challenges the balance of this series explains.

Next, it is important to dispel some myths about effective communication, starting with the notion that effective communication cannot be taught.

Engage and grow

Communication is essential; as this series continues, we can work together to explore the concepts and challenge conventional thinking. Engage directly by leaving comments, asking questions, challenging assertions and sharing information – using the comments below, through Twitter (@catalyst) or Google+, or even by scheduling time to speak with me directly (no strings attached).

CSO Column: The Mic is Always On. Always. http://www.securitycatalyst.com/curated-cso-column-security-careers-the-mic-is-always-on-always/ http://www.securitycatalyst.com/curated-cso-column-security-careers-the-mic-is-always-on-always/#comments Sat, 18 Feb 2012 17:35:28 +0000 Michael Santarcangelo http://www.securitycatalyst.com/?p=3627

A reflection on the challenges of open mics and social media — and how they impact our efforts — was the topic of an early column penned for CSO Online.

Read the column here: http://www.csoonline.com/article/597056/security-careers-the-mic-is-always-on.-always.-

Security Careers: The Mic is Always On. Always.
Like politicians who’ve been embarrassed by public microphone mistakes, security professionals need to remember comments that are made in bad taste can put both a career, and an entire security program, in danger

… emphasis he put on making sure that the audience are able to walk away with actionable insights http://www.securitycatalyst.com/emphasis-he-put-on-making-sure-that-the-audience-are-able-to-walk-away-with-actionable-insights/ http://www.securitycatalyst.com/emphasis-he-put-on-making-sure-that-the-audience-are-able-to-walk-away-with-actionable-insights/#comments Mon, 26 Dec 2011 03:11:06 +0000 Michael Santarcangelo http://www.securitycatalyst.com/?p=3625

“I invited Michael to present as a featured speaker for the BrightTALK™ Cloud Security Summit. I was very impressed by the amount of preparation he put into the presentation, as well as the emphasis he put on making sure that the audience are able to walk away with actionable insights after watching his webinar. Michael was an energetic and engaging presenter, and his webinar was well-structured and well-received. I’m very excited about having him involved again next month!”

Ahyoung An

… unwavering passion for helping individuals harness the human side of security http://www.securitycatalyst.com/unwavering-passion-for-helping-individuals-harness-the-human-side-of-security/ http://www.securitycatalyst.com/unwavering-passion-for-helping-individuals-harness-the-human-side-of-security/#comments Mon, 19 Dec 2011 03:11:12 +0000 Michael Santarcangelo http://www.securitycatalyst.com/?p=3624

“Michael has an unwavering passion for helping individuals harness the human side of security. I approached Michael to create a series of Focus roundtables on security awareness topics. He continually went above and beyond the call of duty, spending hours preparing for the live event to ensure the roundtables would be flawless. In addition, Michael would take time to create additional content for his listeners. He has a gift for effectively communicating the value of security awareness and his passion for the topic is truly contagious. It has been an absolute pleasure working with Michael during my time at Focus. I would work with him again in a heartbeat.”

Brielle Nikaido, Community Manager, Focus

… an expert who wants to get to the root of the problem and resolve it in the most efficient manner possible http://www.securitycatalyst.com/an-expert-who-wants-to-get-to-the-root-of-the-problem-and-resolve-it-in-the-most-efficient-manner-possible/ http://www.securitycatalyst.com/an-expert-who-wants-to-get-to-the-root-of-the-problem-and-resolve-it-in-the-most-efficient-manner-possible/#comments Sat, 10 Dec 2011 21:14:37 +0000 Michael Santarcangelo http://www.securitycatalyst.com/?p=3622

“Michael is one of a kind. His energy and enthusiasm for his work knows no bounds. Michael’s hands on approach to complex problems is priceless in today’s economic climate. I was blown away by Michael’s presentation in Clearwater earlier this year. Finally an expert who wants to get to the root of the problem and resolve it in the most efficient manner possible. His ability to impart knowledge in non-technical terms ensures that everyone can understand how the process can be applied to any situation.”

Sharon M. Shaw, CFE, Director Tampa Bay Chapter, ACFE 

Effective Communication and the Value of Cloud Security (Presentation) http://www.securitycatalyst.com/effective-communication-and-the-value-of-cloud-security-presentation/ http://www.securitycatalyst.com/effective-communication-and-the-value-of-cloud-security-presentation/#comments Fri, 21 Oct 2011 15:23:06 +0000 Michael Santarcangelo http://www.securitycatalyst.com/?p=3590

Perplexed by the challenge of cloud security, let alone how to use effective communication to demonstrate the business value of taking an approach that secures information?

The rapid growth and adoption of cloud computing leads to sometimes confusing situations where security remains an afterthought.

At a time when everyone is expected to do more with less, the difference between success and failure hinges on effective communication. In fact, many people now realize the ability to communicate the value of security, and of their efforts, is the difference between career success and failure.

I recently considered how to cut through the confusion surrounding “cloud security” to use effective communication to demonstrate the business value of our efforts and shared some insights during the BrightTalk cloud security summit. Special thanks to Trend Micro, Symantec, Dave Shackleford and Lori MacVittie for sharing time, research and experience with me.

Blending their insights and experiences with my studies and models of how to effectively communicate value resulted in some interesting findings, including that translating our security experiences into the cloud is as important as (maybe more important than) selecting the right examples. The result is a 45-minute briefing, shared below.

Check out the recording here: [BrightTALK channel embed]

I work to help harness the human side of security; without a doubt, the challenges we face in our journey to the cloud are less technical and more dependent on our ability to successfully communicate with each other, with decision makers and with our colleagues who use the solutions we design, deploy and maintain.

This presentation is only the beginning.

I continue to research, test and help industry, enterprise and individuals to improve how we distill and effectively communicate the value of security.

How can I help you?

Reach out with comments, questions and suggestions or share your communication challenges with me and we can explore how to solve them together.

The launch of the Curated Catalyst newsletter – invitation to subscribe http://www.securitycatalyst.com/the-launch-of-the-curated-catalyst-newsletter-invitation-to-subscribe/ Fri, 14 Oct 2011 13:57:32 +0000 Michael Santarcangelo http://www.securitycatalyst.com/?p=3588

Ever wish someone took the time to curate the best ideas and insights on the human side of security and shared them in a weekly briefing?

It’s something I’ve looked for; the challenge is finding a way to review, distill and curate the best information from a myriad of topics and fantastic conversations. In order to fulfill my passion and purpose to help others harness the human side of security, I devote time each day to consume and process a lot of information.

A few months ago, I started thinking about how to best curate — distill down to the essentials – and share that information with clients, colleagues and friends. More than a simple list of “things I’ve read,” the purpose is to provide some light analysis and ensure the information can be more easily consumed, shared and discussed.

I think I found a format where I can share value and benefit your efforts. I invite you to subscribe to the Curated Catalyst Newsletter and help shape the experience by engaging in the conversation.

Each week, I’ll select and share highlights from articles and resources likely to be of interest to those working to harness the human side of security with a focus on communication, awareness, leadership and the multitude of fields that inform these areas. 

The underlying goal is conversations that count about the insights and ideas that shape our experience. By the way, part of the invitation to engage includes the desire for you to send me ideas, questions and resources of interest, too. I’m the curator of the newsletter, but it’s a larger effort.

While I experiment with the actual format and process (technical and procedural) over the next few weeks, I’m focused on putting forth a weekly summary expected to take 5-10 minutes to scan. Moreover, each should have the analysis/context included to help guide focus and serve as a pre-formatted cut and paste to share with others (individual stories and thoughts).

Sign up for the Curated Catalyst by clicking on this link. Note: your information will not be sold, spammed or treated any differently than I expect my information to be treated.

More information about the format, schedule and audience is included here: http://www.securitycatalyst.com/blog/curated-catalyst-newsletter/

I look forward to working together and learning from each other!

Security Awareness Roundtable: How to Transform Security Awareness Month http://www.securitycatalyst.com/security-awareness-roundtable-how-to-transform-security-awareness-month/ Fri, 16 Sep 2011 15:00:11 +0000 Michael Santarcangelo http://www.securitycatalyst.com/?p=3552

October is declared “security awareness month.” For some, it’s a day, others a week. For many, it’s a concept that provides little benefit.

During the roundtable in July, we defined “security awareness” (recording at link) – an individual’s realization of the consequences of their actions with the ability to assess intention and impact.

So does emphasizing security awareness for a day/week/month make a difference?

Join us on Wednesday, September 21, 2011 at 11am Pacific, 2pm Eastern to find out which members of our panel don’t see the value (and why).

http://www.focus.com/roundtables/security-awareness-roundtable-security-awareness-month-trans/

Then stick around to find out why I now have a different opinion: I see this as an opportunity to turn a lackluster event into a transformed security awareness program.

Join our roundtable and engage with us to find out how to:

  • Get buy-in for an event
  • Structure an event to solve a single problem (and some suggestions on the problems to solve)
  • Set the stage for and define success: why this isn’t a diet, but a lifestyle change
  • Determine what elements to include, what elements to skip
  • Measure the results to build an effective business case

Get engaged with security awareness

Each month I’ll invite select experts with hands-on experience with security awareness to the roundtable for our discussion. Designed to be more interactive than podcasting, here are some ways to get involved:

  • Ask questions in advance
  • Participate during the process on the event page or using twitter
  • Make comments
  • Follow-up with questions and comments after
The Human Paradox Gap – Security Awareness Roundtable [Audio Download] http://www.securitycatalyst.com/the-human-paradox-gap-security-awareness-roundtable-audio-download/ Thu, 11 Aug 2011 14:54:45 +0000 Michael Santarcangelo http://www.securitycatalyst.com/?p=3544

A common concern voiced in the industry is that people simply do not, and sometimes cannot, understand why they are asked to take actions for the sake of security. However, the challenge lies less with the individuals themselves than it does with a paradox introduced in Into the Breach and expanded into an applied model [click here to learn more].

The current accepted approaches to security awareness mask the real challenge.

Without understanding and addressing the Human Paradox Gap (HPG), so-called awareness efforts are more likely to increase risk instead of decreasing it. 

In this security awareness roundtable, Steve Ellis and Chris Carpinello join me to explain and explore the real challenge underlying security and security awareness: the “human paradox gap” (HPG).

Listen to our recording to learn:

  • The human paradox gap (HPG)
  • How the Human Paradox Gap impacts security and security awareness
  • Why the gap has to be bridged in order to gain effectiveness

The audio of the roundtable is now available for download and enjoyment. Don’t forget to explore why the definition of security awareness matters.

This is only the beginning.

Learn more about the Human Paradox Gap and other models and methods of the System to Effectively Communicate Value.

To learn how to connect people to the consequences of their actions with effective communication and positive approaches that inspire behavior change:

Ask questions, share ideas and join in the conversation:

Defining Security Awareness – Security Awareness Roundtable [Audio Download] http://www.securitycatalyst.com/defining-security-awareness-security-awareness-roundtable-audio-download/ Thu, 21 Jul 2011 13:15:39 +0000 Michael Santarcangelo http://www.securitycatalyst.com/?p=3541

The first episode of the Security Awareness Roundtable addressed the importance of defining security awareness the right way.

The audio of the roundtable is now available for download and enjoyment.

Joined by Justin Bovee and Steve Ellis, we presented the definition of security awareness, explored how it sets the stage for success and offered insights into using the definition to build an effective program.

We also talked about how this definition makes it possible to turn what is often considered a cost into an investment — while satisfying compliance issues and a sometimes sour attitude toward “security awareness training.”

We covered a lot of ground in a short period.

Check out the event page to see what others contributed, ask questions and offer your thoughts (I keep tabs on all questions, comments and contributions for future roundtables): http://www.focus.com/roundtables/security-awareness-roundtable-defining-security-awareness/

This is only the beginning.

For more insights on how effectively communicating value connects people to the consequences of their actions, effectively bridging the human paradox gap, check out the Reconsidering Communication Series: why effectively communicating value drives security success.

Ask questions, share ideas and join in the conversation:

  • Engage with me on twitter [@catalyst]
  • Schedule a conversation with me [click here for schedule] - no strings attached!
  • Include me in your Google+ circle(s) [click here]
Security Awareness Roundtable: Defining Security Awareness – Invitation to Participate http://www.securitycatalyst.com/security-awareness-roundtable-defining-security-awareness-%e2%80%93-invitation-to-participate/ Tue, 19 Jul 2011 11:29:00 +0000 Michael Santarcangelo http://www.securitycatalyst.com/?p=3535

Starting Wednesday, July 20, 2011 at 11am Pacific, 2pm Eastern I host a new monthly roundtable series focused on Security Awareness at Focus.com.

The first roundtable addresses a basic challenge: what is security awareness? 

When the concept of security awareness is tossed about without a clear understanding or vision, the results are mixed. The first step to build an effective program is to have the right definition of security awareness.

Join us to explore:

  • The definition of security awareness
  • How defining security awareness sets the stage for a successful program
  • Why the right definition of security awareness moves the program from cost to investment

Check out the details and register here: http://www.focus.com/roundtables/security-awareness-roundtable-defining-security-awareness/

There is no charge to listen in and participate live, and if the time doesn’t work, an on-demand recording will be made available.

Get engaged with security awareness

Each month I’ll invite select experts with hands-on experience with security awareness to the roundtable for our discussion. Designed to be more interactive than podcasting, here are some ways to get involved:

  • Ask questions in advance
  • Participate during the process on the event page or using twitter
  • Make comments
  • Follow-up with questions and comments after
Why dropping the label of “users” improves how we practice security http://www.securitycatalyst.com/why-dropping-the-label-of-users-improves-how-we-practice-security/ Tue, 12 Jul 2011 13:16:52 +0000 Michael Santarcangelo http://www.securitycatalyst.com/?p=3530

Just last week, a friend pointed out to me that only drugs and information technology (IT) have “users.”

A week before that, a colleague was explaining his challenge of creating a security awareness program in a firm that “operated less like a business and more like a law firm.” Specifically, the big-dollar revenue producers in his company took exception to being considered “average users” and refused to participate.

No one wants to be average. No one enjoys being called a user. And given the connotation of users, no one wants to be considered a loser.

Maybe it goes back to the catchy tune belted out by McGruff the crime dog when he sang, “Users are losers, and losers are users…”

The roots of calling people “users” are likely harmless and simple: when computers were new, expensive and in limited supply, only a handful of people actually used the system. As a result, it probably made sense to consider those folks as computer users, eventually shortened to “users.” Maybe.

Today the situation is different.

Somehow this notion of “users are losers” (sometimes written as lusers) transcended drugs and became part of technology. When technology and security practitioners refer to people as users, I feel like singing some McGruff.

And I would sing, except McGruff was wrong: users aren’t losers.

We need to break this bad habit, immediately, to advance our practice of security and influence how people protect information.

Why the label of users creates a distance that makes it harder to practice security

The word “user” is a label that instantly strips a person of their identity and objectifies them in a way that creates distance and ultimately prevents us from serving their needs.

Distancing ourselves through language and labels is an unintended protection mechanism (I wrote about this in a 2007 column claiming “It’s time to reboot the security industry”) that reinforces our knowledge, experience, and power while shielding us from the knowledge, power and experience of the individuals we work with.

When working with people, distance is a problem. It creates friction and generates resistance that sometimes results in an adversarial state where everything becomes more complex — and expensive.

Security technology alone is not enough: we ultimately need individuals to make better decisions. Instead of creating distance, we need to get closer to people and partner with them to guide actions that bridge the Human Paradox Gap.

Introduced in Into the Breach, the human paradox is the unintentional disconnect created between individuals and the consequences of their actions. Because of the gap between actions and consequences, people do not take responsibility and we are powerless to hold them accountable (explore this a bit further in: Why people are not the problem and where to look).

Our success depends on our ability to get closer to people, to work together to bridge the human paradox gap, to partner on how we protect information.

Dropping the label (protection) of user allows us to build the relationships we need to be successful.

If not users, then what?

We work with and serve people.

As a starting point, make a conscious effort to substitute people or individual(s) in place of the term “user.” In some cases, citing employees, contractors, colleagues or the like might be appropriate.

When possible, use direct names or descriptions of real people.

It is important to remember and keep focused on the point that we serve people, not users.

Change the words to change the perspective

By removing the abstraction of “users” and focusing on the people we serve we necessarily change our perspective.

It is a simple, yet powerful shift. Small changes lead to big results.

In turn, it changes our demeanor and approach.

For example, with my clients, our meetings reference real people, actual examples and explore the potential consequences (positive, neutral and negative) of our decisions. We invite non-security people to the meetings. And in some cases, we actually conduct interviews of individuals to better learn how they do their jobs.

McGruff sang a catchy tune. But when we realize our users are people, nobody has to lose. In fact, we can all work together to bridge the human paradox gap and make our jobs just a little bit easier.

How the mobile device security paper from Symantec yields insights on security awareness, leadership and even your security career http://www.securitycatalyst.com/how-the-mobile-device-security-paper-from-symantec-yields-insights-on-security-awareness-leadership-and-even-your-security-career/ Tue, 28 Jun 2011 14:55:49 +0000 Michael Santarcangelo http://www.securitycatalyst.com/?p=3428

This morning, Symantec released a new paper written by Carey Nachenberg addressing Mobile Device Security [link]. Last week, John Harrison from Symantec offered me a preview and a briefing to discuss the findings as they relate to my passion and focus on the human side of security.

When papers like this are released, most of the announcements focus on some quotes, perhaps a general impression and link. After my briefing, I took something else away – and I wanted to share.

Below, I break down my notes in terms of security awareness, security leadership, effectively communicating the value of security and a few thoughts on how a paper like this advances a security career.

The basic concern is clear: smart phones are gaining market share; increased reliance means they are loaded with personal and corporate information. Considering the continued growth of mobile computing, attackers are going to “follow the money” by turning their attention to mobile malware in search of easier, more profitable targets.

The challenge is determining where mobile device security fits into an already crowded and ever-expanding threat landscape.

How big is the risk; how fast do we need to move?

To put it into context, consider the magnitude of the risk: according to the Symantec Internet Security Threat Report there were 163 documented vulnerabilities in mobile device operating systems in 2010, compared to 115 in 2009. The growth demonstrates the rising attention of attackers.

Overall however, Symantec documented 6,253 software vulnerabilities in 2010 (additional context can be found in the most recent ISTR starting on page 15).

The impact of mobile malware on the enterprise is rising; while immediate action may not be warranted, there are some actions to take today to prepare for the future with less friction.

Security Awareness

At this point in the year, the security awareness programming plan should be in operation – and no immediate changes are required at this time. The topic, however, does present itself as a good secondary or opportunistic topic – especially if people are starting to ask about it.

To get started, redefine the concept of mobile telephones: they do more than dial numbers these days. Ask questions about the type of information people store. A simple question gets this dialogue started, “what’s on your device?” Follow up with, “what happens if your phone is lost or stolen?”

Asking, “What happens if a rogue application gets installed on your device?” prompts a more advanced discussion. The challenge at this level of security awareness discussion is preparing to talk about how this happens without accusing the individual/audience of being stupid.

Start the dialogue this year, if it makes sense, as an opportunity to learn the challenges people are facing and the language they use. This becomes valuable input for next year’s programming plan (where it still might not be a prime topic).

Security leadership considerations

Like it or not, mobile devices are connected to the enterprise. The growth of mobile computing coupled with the growth of “the cloud” means personal and corporate information is necessarily stored on the smart phones — approved or not.

Reconsider how devices are treated and then review current security policies, standards and procedures to understand how information is protected. Ask questions and consider how the policies address lost or stolen phones and mobile devices. The user experience matters.

Aside: I’ve tested “remote wipe” with clients before. Despite their assurances it would work perfectly, in each case, I was able to turn off the radio transmitter before the wipe and enjoy full access to the information stored conveniently on the memory card inside the phone. Lesson learned: check the policy, and then test to see if it matches reality.

Making the time now — before this becomes a hurried rush that never leads to good decisions — means the opportunity to consider changing functional and technical requirements.

Given the current average time to change policies and procure new technology solutions, this little bit of a “head start” might make the difference between future success and continued on-going struggle.

In short: do the work now, reap the benefit later.

Effectively communicating the value of mobile device security

As security leadership reviews and makes decisions, consider how to effectively communicate and incorporate the changes to the various audiences in the best possible way (hint: email may not work for everyone).

The key to effective user experience is striking the blend between connecting people to the consequences of their actions — restoring their ability to take responsibility — while providing a technical and procedural backstop that helps make it easier for people to do their jobs.

How this helps advance a security career

We’re in a profession where we need to know something about everything (aside: I believe the path to success, however, requires finding a niche and getting good – in addition to knowing a bit about everything).

Mobile device security and cloud computing are both on the rise. Investing time now to amass and understand facts, figures and the ability to explain the importance of these details to different audiences is important.

Breaking down the salient concepts of mobile device security to be able to teach these basic concepts to others in meaningful and appropriate ways is a way to advance a security career.

Your Turn

What do you think? How are you handling the rise of mobile malware, and the continued integration between mobile and cloud computing?

Share your challenges, and if my perspectives on this paper benefit your efforts (or what you’d like to have seen more of).

How advice from the movie “We Were Soldiers” improved my security career http://www.securitycatalyst.com/movie-advice-improved-my-security-career/ Mon, 27 Jun 2011 13:35:17 +0000 Michael Santarcangelo http://www.securitycatalyst.com/?p=3421

Last week I shared advice in my CSO “Career Catalyst” column [Teach, don't just learn, to build your security career] from the movie We Were Soldiers and how that advice advances a security career.

Can advice from a movie actually benefit a security career?

Short answer: yes, yes it can. In fact, I applied this advice to my own career long before the movie was ever made.

Building on what I shared in the column, here are two examples of how this advice worked for me, with some insights on how it could work for you, too.

Applying it the first time: Bartending for the win

The first time I really applied this advice was while working as a server at a Ground Round restaurant while home from college on summer break. My role was to provide an exceptional dining experience — the better I did, the better my tips (on average).

As a hungry college student, I picked up as many shifts as I could. Somehow, it dawned on me that the more I knew about the restaurant, the better service I could provide, the more money I could make.

I set out to learn as much as I could.

I volunteered to learn how to host (greet and seat), prep cook, line cook and wash dishes. In turn, I taught others how to take orders, present food and the like. The more I contributed to the restaurant, the more opportunity I got.

And I was right: the more I knew about how to seat people (and set the experience), prepare the food, wash the dishes and handle the entire experience, the more I communicated effectively with everyone around me.

The best part came on what felt like a daring offer: I walked into the general manager’s office with what I considered a great deal: I would work shifts “off the clock” in return for being taught and certified as a bartender. In the end, he accepted and my training – which also included training on ordering for the restaurant – began.

For the rest of the summer, I worked pretty much around the clock – waiting tables, pitching in wherever needed and got certified as a bartender before heading back to school.

When I returned to school in August, I happened to meet the owners of Johnny’s – a local bar (and one-time staple in Ithaca; it’s not there anymore). I explained that I had just been certified in bartending — including setup, ordering, pricing, etc. – and asked if they needed a hand. After explaining why they didn’t need help, they asked for my telephone number, “just in case.”

I got a call a week later – they needed help. It turned out they bought the bar without a shred of bartending experience. My efforts to learn all aspects of the restaurant and bar business turned into a job as the head bartender, with the opportunity to teach what I knew as we worked together to set up, open and run a successful bar.

How this helps you: learning the job of others in security careers is important; but sometimes, it’s the other jobs in the organization that hold the most promise. Learning how others do their jobs — and perhaps getting an opportunity to teach them yours — is a powerful way to build bridges, improve communication and set the stage for a successful career in security.

Source code version control launched my career in information security

After graduating college (and one more brief stint in the restaurants), I landed a job working for Andersen Consulting (now Accenture) on a large software development project. My initial role was manual source code version control: developers would email me requests for code and submit code changes to me. Prior to automated tools, this was a bit of an “interesting” position.

After documenting the process – initially so I had a personal checklist to work from – I started to make improvements in speed and quality. I improved the documentation and started to teach the process to others. While I didn’t necessarily enjoy the role, turns out someone I taught LOVED it. At the same time, I lived locally, and offered to come in early, stay late and work weekends to cover others and help out. I was always learning new roles — to the point where I could backup any member of the team.

It didn’t take long before one of the people I trained was in charge of source code version control and I was moved on to bigger and better things. In fact, one of the roles I got moved to was the direct start of my career in information security (a story for another day).

How this helps you: despite an irrational fear of losing your job because you taught it to someone else, one of the best ways to advance your security career is to actively document your current role. Once documented, teach the position to others. I’ve found no better way to backfill your efforts and free up time to focus on other elements, learn from others and create a path to a new role.

More than advice, this is a mantra

My focus is clear: security awareness that works and effectively communicating the value of security. In my role, I work with organizations of all sizes and audiences of all types and experiences from around the world. As a result, I continually seek out people to learn from, and even offer to “intern” with other professionals to learn their jobs. In the process, I gain the insight of their experience, learn the language of their position and come away a more effective communicator.

This advice makes me a better catalyst, allowing me to better serve others. The more I learn, the more I am able to share what I’ve learned with those I come across… and through keynotes, seminars and consulting.

So while it made for a poignant scene in a movie about war, the observation of Lt. Col. Moore is a powerful mantra for building a successful security career. Today is a great day to get started.

It works for me, and it works for you, too.

Let me know how you’re putting this advice to work or if something is holding you back. I’m here to help.

7 Sources of Data Breaches You’ll Never Hear About: Your Network Drives http://www.securitycatalyst.com/7-sources-of-data-breaches-youll-never-hear-about-your-network-drives/ Tue, 08 Mar 2011 06:19:36 +0000 Aaron Titus http://www.securitycatalyst.com/?p=3260

If you think that your tangled Cat5 in the server room is a mess, wait until you look at your network drive file structure. Licensed from Stock Exchange.

This is the seventh post in a series about data breaches you can prevent. We’ve covered Phones and Personal Computing Devices, Your Browser, Your Inbox, Your Thumb and External Drives, Your Old Computer, and Your Cloud Backup. Finally, we’ll discuss Your Network Drives.

Most companies have an internal corporate network with one or more shared network drives. If your company network drive is typical, it’s a layered mess of multiple naming conventions, files from employees who haven’t been around for years, and old documents with unrecognizable file extensions. Frankly, it’s impossible for anyone to know exactly what’s there.

Sometimes breaches happen when the internal network is not properly segregated. Only individuals or departments with a “need to know” should have access to sensitive information. The Human Resource department should never have access to trade secrets, while the R&D department shouldn’t have access to HR data. The Executive team should have access to confidential client information, while that information might be best kept away from the Sales department.

Aside from inappropriate network segregation, network drives, like all computing devices, are eventually replaced. Old hard drives are sometimes donated to schools, sold on eBay, thrown away, recycled through Best Buy or a similar program, or just stored and forgotten.

Several researchers, including Simson Garfinkel, have demonstrated that with a small budget you can recover hundreds of thousands of pieces of personal information from used hard drives. Like other computing devices, old network drives must be scanned and completely wiped of all sensitive personal information before they leave your possession.

Remember the fundamental rules of all data breaches: 1. If you don’t have it, you can’t breach it. 2. Old, forgotten data is dangerous data. Regularly scan these seven types of devices for personal information so that your next breach doesn’t originate from your own computer.
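The "scan before it leaves your possession" step above is easy to state and rarely done, because nobody knows what is on the share. As an added example (not code from the original post or its author), here is a small scanner that walks a directory tree, flags likely US Social Security numbers and payment card numbers, and reports only redacted values so the scan report itself does not become a new copy of the data. A Luhn checksum filters random digit runs out of the card matches. The directory layout, file names and sample contents in `demo()` are constructed for the example; the card number is the widely used "4111..." test value.

```python
"""Scan a directory tree for likely personal information (SSNs, card numbers).

Added example for the 'scan before you retire a drive' advice; it is not
code from the original post. Paths and sample data below are constructed.
"""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass

# US Social Security number AAA-GG-SSSS, excluding area/group/serial values
# that are never issued (000, 666, 9xx areas; 00 group; 0000 serial).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card numbers: 13 to 19 digits, optionally separated by
# spaces or dashes. Candidates are confirmed with the Luhn check below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass
class Finding:
    path: str
    kind: str       # "ssn" or "card"
    redacted: str   # last four digits only; the full value is never stored


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by card issuers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list[tuple[str, str]]:
    """Return (kind, redacted) pairs for every likely SSN or card number."""
    hits = []
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", "***-**-" + m.group(0)[-4:]))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return hits


def scan_tree(root: str, max_bytes: int = 5_000_000) -> list[Finding]:
    """Walk root, read each file as text (binary noise is ignored), collect hits."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue        # skip very large files in this simple version
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue            # unreadable file: move on, do not abort the scan
            for kind, redacted in find_pii(text):
                findings.append(Finding(path, kind, redacted))
    return findings


def demo() -> dict[str, int]:
    """Build a constructed 'network share', scan it, return hit counts by kind."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "HR", "old"))
        # Constructed sample content (hypothetical file names and values).
        with open(os.path.join(root, "HR", "old", "payroll_2004.csv"), "w") as fh:
            fh.write("name,ssn\nJane Doe,123-45-6789\n")
        with open(os.path.join(root, "expenses.txt"), "w") as fh:
            # first line is the standard Visa test number; second fails Luhn
            fh.write("corporate card 4111 1111 1111 1111\ninvoice 1234567890123456\n")
        with open(os.path.join(root, "README.txt"), "w") as fh:
            fh.write("Nothing sensitive here.\n")
        found = scan_tree(root)
    counts: dict[str, int] = {}
    for f in found:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    print(demo())   # {'ssn': 1, 'card': 1}
```

Point `scan_tree()` at a mounted share or a drive image before it is wiped or disposed of; the output tells you which paths need attention without reproducing the values. Real deployments add more patterns (bank account numbers, national IDs for other countries) and handle office and archive formats, but the structure stays the same: enumerate, match, validate, report redacted.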

7 Sources of Data Breaches You’ll Never Hear About: Your Cloud Backup http://www.securitycatalyst.com/7-sources-of-data-breaches-youll-never-hear-about-your-cloud-backup/ Tue, 01 Mar 2011 06:12:30 +0000 Aaron Titus

Cloud backups are like giving your house keys to your neighbor, except that your neighbor then gives them to his neighbors but doesn’t tell you which ones. Licensed from Stock Exchange.

This is the sixth post in a series about data breaches you can prevent. We’ve covered Phones and Personal Computing Devices, Your Browser, Your Inbox, Your Thumb and External Drives, and Your Old Computer. Next we’ll discuss Your Cloud Backup.

Online cloud computing gives individuals and small businesses access to Fortune 500 computing services, for dirt cheap or free. Consumers have the choice of hundreds of cloud backup and file sharing programs.


A cloud backup is much like giving a copy of your house key to your neighbor. By choosing a trusted neighbor, you can be sure that your house key won’t fall into the wrong hands, and you will be able to use it if you ever lock yourself out. You will also be able to change your lock if your neighbor’s house is robbed, or retrieve the key if your neighbor’s house is foreclosed.

If a cloud provider is like your neighbor and your personal information is like your house key, cloud backups go one step further. Each time you give your key to the neighbor (that is, back up a file in the cloud), your neighbor then makes several copies of your key and gives it to several other neighbors he trusts. While this means your key will probably never be lost, you have no way to know who exactly has your key, and retrieving all of the keys may be impossible.

Online cloud computing is still in its infancy, and the legal status of cloud backups can get rather, shall we say… “cloudy.” You must recognize that once the information leaves your computer, you have very little control over where it goes, who owns it, how many copies are made, or in which countries the files are stored. You may even forfeit your right to permanently delete a file once you put it online, in the “cloud.”

This issue recently came into focus after what has been called the first documented Cloud Data Breach. A bug in Microsoft’s cloud systems exposed confidential information and caused PC World to lament, “You’d better get used to this kind of thing because we’ll be seeing a lot more of it in the future. All any of us can do is pray we’re not a victim.”

Be sure to scan any files you back up online for sensitive information. If you choose to use a cloud backup service, always encrypt personal information, trade secrets, confidential data from third parties, and other sensitive information before backing it up online. Encrypting this information ensures that should a breach occur, the information will be unusable to an adversary.

I use a cloud backup service called Dropbox. I love it. I use the program to share non-sensitive pictures with my family who lives 2,000 miles away, and share corporate documents with co-workers.

However, if I really need to back up truly sensitive information, I always encrypt the files before I put them online. Before you do a wholesale backup of your entire “My Documents” folder, make absolutely sure that you either encrypt sensitive data or exclude it from the online backup. That way, if a cloud breach happens, you can rest assured that you won’t be at increased risk.

7 Sources of Data Breaches You’ll Never Hear About: Your Old Windows 95 Computer http://www.securitycatalyst.com/7-sources-of-data-breaches-you%e2%80%99ll-never-hear-about-your-old-windows-95-computer/ Tue, 22 Feb 2011 06:59:59 +0000 Aaron Titus

Digital pack rat: You probably have a backed-up copy of your old 256 MB hard drive, don't you? Licensed from Stock Exchange.

This is the fifth post in a series about data breaches you can prevent. We’ve covered Phones and Personal Computing Devices, Your Browser, Your Inbox, and Your Thumb and External Drives. Next we’ll discuss Your Old Windows 95 Computer.

Technology has made it easier than ever to be a digital pack rat. Cheap and plentiful storage probably means that you have backed up a copy of your old 256 MB hard drive, which you also have stashed somewhere in your basement. Before blindly making backup copies of old hard drives, make sure that you first delete any information you don’t want to save.


I see this problem haunt people across the country. Once a week, a university professor somewhere in the United States copies an archive of an old hard drive to a web server, without realizing that the hard drive contained social security numbers of students who graduated a decade earlier. Within weeks, those social security numbers can be available to the world via Google.

If you’re a digital pack rat, make sure you scan those old hard drives for sensitive personal information before making backups. Your old hard drive is one of the biggest sources of preventable data breaches you’ll never hear about.
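The scan that this post and the network-drive post both call for, as an added example (not the Identity Finder product and not the series’ own code): a small Python scanner that walks a directory tree looking for SSN and payment-card patterns, with a Luhn check to weed out digit runs that merely look like card numbers. The sample files it walks are constructed in a temporary directory; the regexes and file-size limit are this example’s own assumptions.

```python
"""Scan a directory tree for the kinds of personal information the series
warns about: social security numbers and payment card numbers.

Added example, not the Identity Finder tool or any code from the series.
The sample files are constructed below so the scan runs offline.
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# US SSN: AAA-GG-SSSS. Areas 000, 666 and 900-999 are never issued, and the
# group and serial may not be all zeros; excluding them trims obvious junk.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)(\d{3})-(?!00)(\d{2})-(?!0000)(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: most random digit runs fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> Dict[str, List[str]]:
    """Return the SSN-like and Luhn-valid card-like strings found in text."""
    hits: Dict[str, List[str]] = {"ssn": [], "card": []}
    for m in SSN_RE.finditer(text):
        hits["ssn"].append(m.group(0))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits["card"].append(m.group(0))
    return hits


def scan_tree(root: str, max_bytes: int = 10_000_000) -> List[Tuple[str, str, int]]:
    """Walk root and return (path, kind, count) for every file with hits."""
    results: List[Tuple[str, str, int]] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:   # skip huge binaries
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            for kind, found in find_pii(text).items():
                if found:
                    results.append((path, kind, len(found)))
    return sorted(results)


def build_sample_tree() -> str:
    """Create a throwaway directory of constructed sample files (not real data)."""
    root = tempfile.mkdtemp(prefix="pii_scan_")
    os.makedirs(os.path.join(root, "old_hr"))
    samples = {
        # Constructed SSN-shaped values in an "archived" export.
        "old_hr/students_2001.csv": "name,ssn\nA. Student,123-45-6789\nB. Student,321-54-9876\n",
        # The first number is the well-known Luhn-valid test card; the second fails Luhn.
        "notes.txt": "Test card 4111 1111 1111 1111 is Luhn-valid; 4111 1111 1111 1112 is not.\n",
        # A phone number is neither SSN- nor card-shaped.
        "readme.txt": "Nothing sensitive here. Call 555-123-4567.\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, kind, count in scan_tree(build_sample_tree()):
        print(f"{path}: {count} {kind} hit(s)")
```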

7 Sources of Data Breaches You’ll Never Hear About: Your Thumb Drive http://www.securitycatalyst.com/7-sources-of-data-breaches-you%e2%80%99ll-never-hear-about-your-thumb-drive/ Tue, 15 Feb 2011 06:54:25 +0000 Aaron Titus

The Law of Portable Device Breaches says that the risk of losing a device, and the information thereon, is directly proportional to its portability. Licensed from Stock Exchange.

This post is the fourth in a series about data breaches you can prevent. We’ve covered Phones and Personal Computing Devices, Your Browser, and Your Inbox. Here we’ll explore Your Thumb and External Drives.

Just about anything that can store information can be used to store sensitive personal information, whether you use an external drive to back up sensitive data or a thumb drive to transfer large files from one computer to another. The Law of Portable Device Breaches (which I just made up) says that the risk of losing a device, and the information thereon, is directly proportional to its portability. In real terms, this extremely scientific law means that you’re more likely to leave your cell phone at the bar than your desktop computer.

Readers of this blog no doubt assiduously delete sensitive information from portable devices on a regular basis. But simply deleting files doesn’t actually erase the data. Just like cranberry juice on white linen, personal information stains hard drives.

Simply throwing a stained tablecloth in the washing machine won’t remove cranberry juice stains. Likewise, simply hitting the “delete” key and emptying the recycle bin won’t completely remove personal information from your thumb or external hard drive. The hard drive usually remains stained with the sensitive information, which may be recovered until you proverbially “scrub” the drive. This scrubbing is called “shredding” the file, and typically requires at least a three-step deletion process whereby each byte is individually overwritten.

You should always think twice before copying sensitive files, such as tax documents, pictures, passwords, or confidential documents, to removable media. Regularly scan removable media for forgotten personal information so that when you leave your thumb drive in the taxicab, you don’t accidentally cause your own data breach.
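The three-pass overwrite the post describes, as an added Python example (not code from the series): every byte of the file is overwritten with zeros, then ones, then random data, each pass flushed to disk, and the file is renamed to a random name before it is unlinked so the original filename is not left in the directory either. The pass patterns and the sample file are this example’s own choices.

```python
"""Overwrite a file in place, pass by pass, before removing it.

Added example, not code from the series. Works as described for files on
magnetic disks; see the note below the block for flash media.
"""
import os
import secrets
import tempfile

# Pass patterns: zeros, ones, then random bytes (None means random).
PATTERNS = [b"\x00", b"\xff", None]


def overwrite_file(path: str, passes: int = 3, chunk: int = 1 << 16) -> int:
    """Overwrite every byte of path `passes` times; returns the file size."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for p in range(passes):
            pattern = PATTERNS[p % len(PATTERNS)]
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())      # force each pass onto the medium
    return size


def shred_file(path: str, passes: int = 3) -> int:
    """Overwrite, rename to a random name, then unlink; returns bytes shredded."""
    size = overwrite_file(path, passes)
    anon = os.path.join(os.path.dirname(path), secrets.token_hex(8))
    os.replace(path, anon)            # hide the original filename too
    os.remove(anon)
    return size


def make_sample_file() -> str:
    """Write a constructed file (fake SSN-shaped content) and return its path."""
    tmp = tempfile.NamedTemporaryFile(prefix="shred_", delete=False)
    tmp.write(b"SSN 123-45-6789\n" * 1000)
    tmp.close()
    return tmp.name


if __name__ == "__main__":
    sample = make_sample_file()
    print(f"shredded {shred_file(sample)} bytes from {sample}")
```

Caveat for thumb drives and SSDs: flash controllers use wear levelling, so an overwrite may land on a different physical block and leave the old bytes recoverable; for flash media, encrypting the device before use or using its built-in secure-erase command is the reliable approach.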

7 Sources of Data Breaches You’ll Never Hear About: Your Inbox http://www.securitycatalyst.com/7-sources-of-data-breaches-you%e2%80%99ll-never-hear-about-your-inbox/ Tue, 08 Feb 2011 06:50:10 +0000 Aaron Titus

Do you really know where that 2007 list of emailed SSNs is? Licensed from Stock Exchange.

This post is the third in a series about data breaches you can prevent. We’ve already covered Phones and Personal Computing Devices and Your Browser. The next source we’ll explore is Your Inbox.

Many people use web email as an extra online hard drive, saving important files and attachments in an easy-to-access location. Yet because other people send you information via email, ironically you have less control over what’s in your inbox than on your hard drive. And the fact that each email is stored in multiple places makes your inbox an important and often overlooked source of breaches.

Every email can be copied and stored on more than a dozen devices, many of which are not secure. Every time Outlook or Thunderbird checks for new email, a copy of that email or webmail is stored on your local computer. Smart phones also create local copies of your email so that you can open an attachment or read notes from your boss even if you don’t have access to the internet. A copy of every email you write is often stored on your local device (such as your phone), local servers (such as a work server), remote servers (like gmail.com), your desktop, your laptop, as well as all of the devices belonging to the recipient. The “Send” button should be more appropriately labeled “Make more than a dozen copies of this email and send them to insecure devices across the world.”

Keeping track of everything in your inbox and sent folder is a super-human task. Though most of your hundreds of daily emails are mundane, occasionally an unenlightened coworker might send you an Excel file entitled “Client Social Security Numbers” or “Customer Usernames and Passwords.” Once your coworker hits send, the rogue file is copied to hard drives, cell phones, and servers across the world. Without your knowledge, the sensitive information quietly copies itself to your computers and cell phones.

With every copy of the email or personal information, the risk of a breach increases. And because you receive hundreds of new emails each day, it is easy to lose track of old emails you were meaning to delete but that are now buried and forgotten. Old, forgotten data is dangerous because it is easily lost or misplaced. Lost email may create a significant breach of personal information, so make sure you are aware of what’s in your inbox, because you shouldn’t expect to get a notification if your sensitive email ever falls into the wrong hands.

7 Sources of Data Breaches You’ll Never Hear About: Your Browser http://www.securitycatalyst.com/7-sources-of-data-breaches-youll-never-hear-about-your-browser/ Tue, 01 Feb 2011 06:32:53 +0000 Aaron Titus

Your Stored Passwords: Not exactly secured. Licensed from Stock Exchange.

This post is the second in a series about data breaches you can prevent. We’ve already covered Phones and Personal Computing Devices. The next source we’ll explore is Your Browser.

Laptops, desktop computers and smartphones all have built-in internet browsers. A typical browser can store hundreds of passwords and usernames, credit card numbers, contact information, and browsing history. Even though we use our smart phone browsers to do a significant number of online transactions, typical smart phone browsers do not allow users the same degree of privacy control as desktop browsers.

Aside from browser hacks and viruses, it’s important to remember that your browser caches remain intact and accessible even after the machine is lost, stolen, or sold. That’s one reason why it’s important to scan your browsers for personal information, delete unnecessary information, and use a master password whenever possible.

I fancy myself a fairly savvy and privacy-aware individual. I use Firefox and have installed several plugins to help me manage my privacy, including Better Privacy, GoogleSharing, a few PrivacyChoice plugins, and Abine’s TACO. But when I ran an Identity Finder search, even I was shocked to see the depth of information that my browser stored. It was very sobering to see that my usernames, passwords, and credit card numbers were accessible in plain text. Fortunately, Identity Finder allowed me to delete or secure all of that information.

If your browser caches are ever lost, it may represent a significant breach of personal information. So make sure you are aware of what information your browser is storing, because you shouldn’t expect to get a letter in the mail if it ever falls into the wrong hands.

7 Sources of Data Breaches You’ll Never Hear About: Your Phone http://www.securitycatalyst.com/7-sources-of-data-breaches-youll-never-hear-about-your-phone/ Tue, 25 Jan 2011 06:59:33 +0000 Aaron Titus

Smart phones are now portable computers which just happen to make calls. Licensed from Stock Exchange.

This post is the first in a series about preventable data breaches. Most Americans have received a letter, telling them that their personal information has been breached. But there are many breaches you’ll never hear about, and many of them are right under your nose. The first source we’ll explore is Your Phone and Personal Computing Device.

Remember when cell phones were telephones? Those days are long gone. The current generation of smart phones is made up of powerful computing devices which just happen to also make phone calls.

Your personal computing devices perform almost all of the functions of a laptop computer. Smart phones, iPads, Kindles, and other devices are notoriously easy to lose, and store gigabytes of files, passwords, credit card numbers, social security numbers, digital photos, address books, and email attachments. Because of the wealth of personal information on a cell phone, most people would rather lose their wallets, and nearly all respondents to a 2009 survey said they would be “devastated” if they lost their phone.

Upgrading your phone can be as risky as losing it. Some people donate their old phones to charity or sell them on eBay, and experts warn that personal information on the phone could easily be mined and re-sold. Periodically search your cell phone for personal information, and make sure that you digitally shred the entire contents of your mobile device before you get rid of it.

Identity Management Series – Termination and Transfer Gotchas Part 3: Terminating Employment vs. Terminating Access http://www.securitycatalyst.com/identity-management-series-termination-and-transfer-gotchas-part-3-terminating-employment-vs-terminating-access/ Wed, 22 Dec 2010 20:13:29 +0000 Ioana Bazavan Justus

In the previous segments, we focused on special-case transfers that may be hard to recognize. At the macro level, when a user transfers between HR systems, a legitimate transfer can be mistaken for a termination, leading to poor customer service (and the trouble that ensues).

At the micro level, when a user transfers within a department, the transfer may be missed altogether if the affected job codes are not flagged in some way as needing additional information.

In this segment, we focus on two special-case terminations:

  • The terminated user takes a leave of absence (LOA) prior to termination
  • The terminated user is laid off as part of a reduction in force (RIF)

In each case, the user no longer needs access, but remains active in the HR system because they continue to be paid by the company.

This can pose a security threat, especially in the case of the laid-off employee.

The solution lies with HR…

In these cases, the simplest solution lies with HR: ensuring that the system has – and that HR representatives and hiring managers actively use – a “last day worked” field.

This field is ideal for access management because when it comes down to it, if the employee is no longer working, they no longer need access – irrespective of whether they’re still getting paid.

I strongly recommend working with the HR team to implement or clean up the last day worked field as needed to make it usable with identity management – it simplifies terminations tremendously. If it’s not an option, processes should be developed to handle the aforementioned special cases. For example:

  • Design a process that will review the termination reason on the day that the termination is entered into the system. If the reason is RIF, determine when the access should be cut off (since RIF information is so highly sensitive, it is normally not entered into the HR system until the user is notified, so the date of entry might be usable as the last day for access).
  • Alert on any user that goes into LOA status but that also has a termination date entered into the system, and design a process for verifying if the user is returning from LOA or going straight to termination, and process accordingly. Some manual intervention may be required here – some employees on LOA may still require their access, while others will not. HR should be able to help with this.

…but IAM configuration plays a part

When designing the interface between identity manager and HR, it’s important to consider how terminations will be identified.

If the HR system stores a reliable last worked date, the configuration of identity manager will be simple. If not, careful thought needs to be put into the design of the interface.

Simply going by the effective date of termination without any additional validation will preclude automation of the special cases mentioned above, and although they are relatively rare, these special cases can pose significant security risk if not properly addressed.

In summary

When properly configured, de/provisioning workflows help realize a significant portion of IAM’s value by reducing the time and effort of managing access, while tremendously increasing the accuracy.

However, in the case of transfers and terminations, there are some special cases that need to be thought through to ensure that the de/provisioning workflows are truly complete.

The activity this month was primarily to think about these special cases, and document how they will be handled. It’s possible that a “do nothing” or manual processing approach will suffice, but some organizations will want to spend some time designing automated solutions so that these special users don’t slip through the cracks.

Populating the requirements list

This month, most of the requirements (with the exception of the SoD requirements mentioned in Part 2) are not for the product, but rather for the design team.

Be sure to specify the needs when it comes to special cases for terminations and transfers. Engage HR and management to come to an agreement about how much effort will be put into handling these cases in an automated fashion versus simply implementing manual processes. As usual, there is no right answer here – as long as the right people are involved in the decision and they get a good understanding of the risks and rewards, the right answer for your organization will be reached.

How can I help?

Do you need some clarification or additional assistance? Do you have an experience to share with others? Leave a comment below so we can all improve together.

Identity Management Series – Termination and Transfer Gotchas Part 2: Transfers Within a Department http://www.securitycatalyst.com/identity-management-series-termination-and-transfer-gotchas-part-2-transfers-within-a-department/ Thu, 28 Oct 2010 11:19:15 +0000 Ioana Bazavan Justus

In the first segment, we looked at one extreme of transfers – a job change entailing a move between HR systems. In this segment, we’ll look at the other extreme of transfers – a job change that may fall under the HR radar.

When we talked about the implications of HR as a source of record for identity management, we discussed that HR’s purpose is to pay people, not determine their access. The example given was that of a finance analyst – in HR terms, there’s no distinction between an accounts receivable analyst and an accounts payable analyst – they’re both finance analysts and they get paid the same way, so they have the same job code. In access terms, there’s a very big and important difference between accounts receivable and accounts payable.

When granularity is needed beyond what HR can provide through a job code, additional analysis is needed to ensure that these types of transfers are caught and handled.

Augmenting job codes

There are a number of ways to augment a job code to distinguish between roles when it is access-relevant but not HR-relevant.

The additional information *should* still be available from HR, as well. For example, consider the location of the individuals, or the manager’s job code or title. Manager name could be used as a last resort, but only if vacancy management is already in place.

The IAM team will need help from the HR team to determine what additional information can be used to accurately identify intra-departmental roles for transfer purposes. This can be quite challenging, and it may be a foreign concept to the HR team at first. This is again where prior relationship building will really come in handy.

As a last resort, identity manager can be configured with additional flags that can be set manually by an HR representative or manager if appropriate information is not readily available in the HR system. This, of course, will require the creation of one or more workflows.

Don’t forget the cleanup!

Once the job code augmentation parameters are identified, it’s good to run some reports and double-check current members of intra-departmental roles of interest. You may be unpleasantly surprised by what you find, but that’s always better than being unpleasantly surprised by what the auditors find.

Populating the requirements list

Many IAM systems have built-in functionality to handle segregation of duties (SoD), but as with everything else, not all systems are created equal. If SoD is of particular concern in your organization, be sure to add the specific requirements to the master list so that they are addressed in the product evaluation.

In the next segment, we’ll take a look at special-case terminations and how they can affect access, and wrap up the month’s activity.

Identity Management Series – Termination and Transfer Gotchas Part 1: Transfers and Multiple HR Systems http://www.securitycatalyst.com/identity-management-series-termination-and-transfer-gotchas-part-1-transfers-and-multiple-hr-systems/ Thu, 21 Oct 2010 09:01:34 +0000 Ioana Bazavan Justus

In the previous series, we started prepping for the key workflows that make an IAM implementation worth the cost and effort. Implementing workflows effectively is critical to achieving the desired value in terms of time savings and effort/cost reductions. It also gets the organization excited about IAM and makes them willing to keep maturing the implementation and expanding its use.

To have truly effective de/provisioning workflows, however, we need to take a closer look at terminations and transfers. There are some “gotchas” that – while rare – can cause angst and give the IAM program a significant black eye. Namely:

  • Handling cross-HR system transfers
  • Transfers within a department
  • Termination of employment vs. termination of access

This series focuses on these gotchas and shares strategies to avoid them.

The reality of multiple HR systems

It’s not uncommon for large organizations to have multiple HR systems – especially when there has been merger & acquisition activity. It takes time to convert new parts of the company to the standard tools, and in some cases it never happens. Worse, having multiple HR systems doesn’t necessarily mean separate instances of the same system, but possibly different versions of the same system, or even different brands of HR system.

Clearly, dealing with multiple HR systems – whether they are the same version, different versions, or different brands – adds a level of complexity to the IAM implementation because HR is such a critical interface. This situation can be handled in a variety of ways – some more feasible than others.

Options for handling multiple HR systems

The best solution (but also the least feasible in many cases) is to consolidate the HR systems in preparation for the IAM implementation. This may be a situation where IAM can help HR – if this is a desired HR project — but they might need help convincing management to go for it. The cost savings that will be achieved in the IAM implementation by having a single HR system may give the consolidation project just the push it needed (aside: this is an opportunity to increase “security” with a focus on operational efficiency).

If consolidation is either not possible, or likely too distant to be useful, consider keeping the systems that will be consolidated (and their employees) out of scope of integration with IAM, and focus only on the system that everyone else is consolidating to.

In this case, the non-employee management workflows described previously can help manage the out-of-scope employees until they are brought into the master system. Some modifications might be needed, but they tend to be straightforward.

For example, ensure that the user input form has one or more appropriate user types to accommodate out-of-scope employees. It’s best to have one entry for each out-of-scope HR system to be able to easily identify which employees come from which system.

Another option is to manually enter and manage out-of-scope employees in IAM until the HR automation comes into play. This is the least desirable alternative, but it’s better than nothing, especially if the non-employee management workflows haven’t yet been implemented.

Dealing with cross-HR system transfers

Ultimately, the problem with multiple HR systems is properly recognizing and handling inter-system personnel transfers.

Typically, when an employee transfers from one HR system to another (and the systems don’t communicate), they show up as a termination in the first system, and a new hire in the second system. From a customer service perspective, there’s nothing worse than terminating someone’s access when they’re still with the company – especially if it happens to be a senior executive.

The best way to handle this is actually to request a modification in the HR systems.

HR systems typically contain reasons for termination – add one called “transfer to another HR system,” or even add one for each additional HR system (e.g., “transfer to HR system x,” “transfer to HR system y,” etc.). We’ve discussed that HR teams may be reticent to change their system – this is where the past relationship building with the HR team can really come in handy.

Having a flag to indicate that a terminated user is actually a transfer can really help – identity manager can be configured to read and understand that flag, and trigger a transfer process/notification instead of a termination. Even if handled manually by the access services team based on HR reports, this flag will alert them that special processing is required.

If changing the HR systems to add a flag is not an option, then a clear process must be established with the HR representatives that process terminations. Access teams must be notified when an inter-system transfer is about to take place. The access services team will also need to document a process for receiving and handling those requests, especially if it entails overriding or pre-empting automated processes. Care in coordinating these two teams pays large dividends.

A special case of a special case

Transferring from employee to non-employee is one more special case to consider. This can happen if an employee retires or is laid off but is retained as a contractor, or when a portion of the business is outsourced so the employee becomes a non-employee. In most cases, the user’s job function – and access – stays the same. The problem is that they are terminated in the HR system.

The solution to this is similar to the solution for handling inter-HR transfers. Ideally, the HR system can be modified to include a termination reason of “converted to non-employee.” The other alternatives described above can also be applied.

Looking ahead – unique employee numbers

Another key challenge of multiple HR systems is unique employee numbers.

Separate systems may use the same numbering scheme, which could result in different employees in different parts of the organization having the same employee number. When consolidation occurs, this is a problem – both in the HR conversion, and the linking with identity manager.

If the IAM implementation begins before the HR consolidations are complete, it is critical for the IAM team to work with the HR consolidation project to obtain the mapping of employee numbers from old system to new in advance. Once the employees are converted in HR, their employee numbers can be bulk-updated in IAM, which will allow for smooth automated linking.

If out-of-scope employees are manually maintained in identity manager for any length of time before the HR feed takes effect, some cleanup will be needed – undoubtedly employees will have terminated or transferred without notice – that’s the nature of manual processing.

It’s important to fully clean up the users before attempting to update the employee numbers and linking them to HR to ensure a clean linking.

In the next segment, we’ll take a look at transfers that occur within a department.
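The termination-handling rules from this segment (transfer and converted-to-non-employee reason codes) and from Part 3 (last day worked, RIF, LOA with a termination date) expressed as one decision routine, as an added Python example that is not code from the series or from any identity manager product. The field names, the reason-code strings and the sample feed are assumptions standing in for whatever the real HR export uses.

```python
"""Decide what identity manager should do with one HR feed record.

Added example, not the series' or any IAM product's code. Decision order
follows the posts: a transfer-type reason wins over a termination, a
populated last-day-worked field wins over pay status, and RIF or LOA with
a termination date on file are the fallbacks when that field is missing.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Termination reasons the posts suggest adding to the HR system so that a
# "termination" that is really a move is routed to a transfer workflow.
# Compared case-insensitively, so they are stored in lower case here.
TRANSFER_REASONS = {"transfer to another hr system", "converted to non-employee"}
RIF_REASON = "reduction in force"

# Constructed reference date for the sample feed (assumption).
TODAY = date(2010, 12, 22)


@dataclass
class HRRecord:
    employee_id: str
    status: str                        # "active", "loa" or "terminated"
    term_reason: Optional[str] = None  # free text from HR, normalised below
    term_date: Optional[date] = None   # effective date of termination
    last_day_worked: Optional[date] = None


def access_action(rec: HRRecord, today: date) -> str:
    """Return TRANSFER, DISABLE, REVIEW or KEEP for one record."""
    reason = (rec.term_reason or "").strip().lower()
    # 1. Transfers masquerading as terminations: never cut access.
    if reason in TRANSFER_REASONS:
        return "TRANSFER"
    # 2. Reliable last-day-worked field: no work means no access, whether or
    #    not the person is still paid. Covers LOA-before-termination and RIF.
    if rec.last_day_worked is not None and rec.last_day_worked < today:
        return "DISABLE"
    # 3. Fallback without that field: a RIF reason is only entered once the
    #    user has been notified, so the entry date is the cut-off for access.
    if reason == RIF_REASON:
        return "DISABLE"
    # 4. LOA with a termination date already on file: HR must confirm whether
    #    the user is returning or going straight to termination.
    if rec.status == "loa" and rec.term_date is not None:
        return "REVIEW"
    # 5. Ordinary termination, by effective date.
    if rec.status == "terminated" and rec.term_date is not None and rec.term_date <= today:
        return "DISABLE"
    return "KEEP"


def reconcile(feed: List[HRRecord], today: date) -> List[Tuple[str, str]]:
    """Classify a whole feed; callers route each (employee_id, action) pair."""
    return [(r.employee_id, access_action(r, today)) for r in feed]


def sample_feed() -> List[HRRecord]:
    """Constructed records covering each special case in the posts."""
    return [
        HRRecord("e1", "terminated", term_reason="Transfer to another HR system", term_date=TODAY),
        HRRecord("e2", "loa", last_day_worked=date(2010, 12, 1)),      # LOA, stopped working
        HRRecord("e3", "active", term_reason="reduction in force"),    # still paid, RIF entered
        HRRecord("e4", "loa", term_date=date(2011, 1, 15)),            # LOA with future term date
        HRRecord("e5", "terminated", term_date=date(2011, 1, 15)),     # termination not yet effective
        HRRecord("e6", "terminated", term_date=date(2010, 12, 20)),    # ordinary termination
        HRRecord("e7", "active"),                                      # nothing to do
    ]


if __name__ == "__main__":
    for emp, action in reconcile(sample_feed(), TODAY):
        print(emp, action)
```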

Identity Management Series – Workflows Part 5: Wrapping Up http://www.securitycatalyst.com/identity-management-series-workflows-part-5-wrapping-up/ Thu, 14 Oct 2010 13:41:43 +0000 Ioana Bazavan Justus

This month, we focused on one of the key functionalities of identity management – workflows. Specifically,

  • Provisioning and deprovisioning (which I abbreviate as de/provisioning)
  • Non-employee management
  • User and access recertification

These workflows build on each other – it’s necessary to identify how access is de/provisioned before any recertification can be set up, because ultimately once the reviewer completes their recertification, the de/provisioning workflows are kicked off in some capacity to make the indicated updates to users’ access.

It’s possible to go after recertification first, but it’s a lot less powerful without closing the loop with de/provisioning.

Recertification is further broken down into non-employee management and everything else. Non-employee management is a fairly small and relatively simple sub-set of the larger recertification workflow set. By addressing it first, valuable experience can be gained and this is a high-visibility quick-win that’s desirable not only to the access services or security team(s), but likely also to finance, and possibly HR.

There is a lot of work involved in preparing for the implementation of these workflows. By spending some time up-front, it will not only speed the eventual implementation when a system is selected, but it will also generate invaluable requirements that will be critical to the selection of the right system.

The approach this month was as follows:

  1. Identify ways in which the workflow set could be developed, ensuring that the right scope is identified for your organization’s specific circumstances
  2. Populate the requirements list accordingly. This is critical – miss these requirements and the product selection could be flawed. Select the wrong product and at best ROI will be reduced – possibly significantly; at worst, a rip-and-replace may be needed.
  3. Execute the prep-work that can be done in advance of obtaining a system.

Yes, this month “prep-work” can be considered a euphemism for “cleanup” but not entirely. And no matter what you call it, it’s gotta be done.

For de/provisioning, this means reviewing any current de/provisioning processes, streamlining them, and understanding the technical details in the access. The more work that’s already been done with role- and rule-basing (as discussed in June), the easier this will be. Now is also the time to start preparing target systems as needed – such as by cleaning up UNIX UIDs.

For non-employee management, the key prep-work is ensuring that the user entry forms in identity manager have the needed fields designed into them, and that timelines have been considered for handling renewing fixed-duration non-employees. It’s also important to begin working with the appropriate internal groups (e.g., security, audit, affected business groups) to determine an appropriate frequency for recertifying ongoing non-employees.

User/access recertification may have the most time-consuming and difficult prep-work: defining the mappings between the technical permissions and the business access that they provide. This will likely require significant collaboration with business “power users” and can be very time-consuming in database and mainframe systems where permissions are highly granular. It’s also important to think about frequency of recertification, and whether the line manager or data/access owner will be the reviewer for any given application/permission set.

Next month, we’ll take a closer look at some special cases related to terminations and transfers, and how those circumstances can affect the de/provisioning workflows.

How can I help?

Do you need some clarification or additional assistance? Do you have an experience to share with others? Leave a comment below so we can all improve together.

Identity Management Series – Workflows Part 4: User/access recertification http://www.securitycatalyst.com/identity-management-series-workflows-part-4-useraccess-recertification/ Fri, 08 Oct 2010 13:25:15 +0000 Ioana Bazavan Justus

In the previous segment, we worked through the non-employee management workflows. These are a special case of user recertification and relatively less complex, making them a good place to start.

Having built some experience and achieved a quick-win, we’ll now move on to discuss the full user and access recertification workflows. This has become a key control for many audits, and it’s probably the most time-consuming of the controls to execute. Automating user/access recertification using an IAM product can save a lot of time and effort on the part of the access services team(s), and it will also make things easier for the reviewers.

Objective 1: Determine the appropriate scope

There are three decisions that influence scope. The first decision to be made is whether or not user recertification is needed. Sometimes it is sufficient to simply recertify access.

The ability to recertify access is based on the accuracy of the HR data being fed into identity manager. If HR is clean enough (possibly with the help of vacancy management), then it can be assumed that the right people will show up in the right job functions, and the reviewers don’t need to check for this.

The second scope decision pertains to access: the scope for access recertification may be smaller or otherwise different from the scope for de/provisioning. For example, security auditors don’t look at devices de/provisioned to a user, but internal financial auditors who are concerned about how money is being spent might. If automation of recertification were used purely for external audit purposes (e.g., SOX), then equipment would likely be out of scope.

The third scope decision is identifying the appropriate reviewer for the items in scope. For those roles that are well defined with role- or rule-basing, the reviewer might be the individual(s) that helped to design the roles/rules (e.g., the data owners). In the absence of role- and rule-basing, the reviewer should be the line manager.

This determination is important because the data owners tend to be more technically familiar with the system, so they can be presented with a list of permissions and they will understand what that means. Line managers will have no idea what the permissions mean, so they need to be translated into business functionality.

Objective 2: Populate the requirements list

When it comes to recertification, be clear in the requirements about what is important. Consider the following:

  • Ability of the system to pull line management information from HR
  • User-friendliness of the reviewer interface, including ability to display technical permissions or business translation
  • Ability of the system to generate reports (and how customizable those reports are)
  • Ability of the system to trigger manual or automated tasks to action the changes requested by the reviewer
  • Ability of the system to handle escalations without human intervention

Objective 3: Identify prep-work

The most important prep-work that can be done in preparation for automating recertification is to generate the permission-to-business-function mapping.

Line managers don’t know what MECGRP60 is, nor should they have to learn. A key advantage of a good recertification tool is the ability to translate the techno-babble into meaningful information for a line manager: MECGRP60 grants write permissions to screen X in application Y.

In some systems, this mapping is easy – if there are just a few permissions. But in most database and mainframe systems, the numbers of permissions and groups are enormous. Worse, it’s likely that no one on the business or the IT side knows which permissions go with what access.

It could take a series of working sessions with business and IT working side-by-side to figure it all out. This could take months, but will pay big dividends when it’s done. And just as with the other cleanups we’ve discussed, once it’s done, it’s fairly easy to maintain going forward.

Other prep-work that can be done in this space includes identifying how frequently the recertifications need to be executed, and which data owners will be reviewers for what roles/rules.
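The two prep-work decisions above (who reviews what, and how a technical permission such as MECGRP60 is shown to a line manager versus a data owner) applied to a constructed access extract, as an added example that is not code from the original post; the system names, the permission names other than MECGRP60, the users and the managers are assumptions:

```python
"""Build a recertification campaign from the permission-to-business mapping.

Added example, not code from the original post. The systems, permission
names (other than MECGRP60, which the post uses), users and managers are
constructed.
"""
from collections import defaultdict

# Constructed output of the business/IT working sessions: technical
# permission -> what it means in business terms.
PERMISSION_MAP = {
    ("GL-MAINFRAME", "MECGRP60"): "Write access to the journal entry screen in General Ledger",
    ("GL-MAINFRAME", "MECGRP61"): "Read-only access to the journal entry screen in General Ledger",
    ("CRM-DB", "role_sales_rw"): "Create and edit customer records in CRM",
}

# Systems that are role- or rule-based: the data owner who designed the
# roles reviews them and understands the raw permissions.
ROLE_OWNERS = {"GL-MAINFRAME": "gl-data-owner"}

# Constructed access extract: (user, system, permission, line manager)
ACCESS = [
    ("jsmith", "GL-MAINFRAME", "MECGRP60", "mgr-finance"),
    ("jsmith", "CRM-DB", "role_sales_rw", "mgr-finance"),
    ("mchen", "CRM-DB", "role_sales_rw", "mgr-sales"),
    ("mchen", "CRM-DB", "role_legacy_x", "mgr-sales"),
]


def choose_reviewer(system, line_manager):
    """Data owner for role/rule-based systems, otherwise the line manager."""
    if system in ROLE_OWNERS:
        return "data_owner", ROLE_OWNERS[system]
    return "line_manager", line_manager


def build_campaign(access, permission_map=PERMISSION_MAP):
    """Group review items by reviewer; set aside items the reviewer cannot read.

    Data owners get the technical permission as-is. Line managers get the
    business translation; a permission with no translation is not sent to
    them (it would only generate questions) and lands in the prep-work backlog.
    """
    reviews = defaultdict(list)
    unmapped = []
    for user, system, permission, line_manager in access:
        kind, reviewer = choose_reviewer(system, line_manager)
        if kind == "data_owner":
            display = permission
        else:
            display = permission_map.get((system, permission))
            if display is None:
                unmapped.append((user, system, permission))
                continue
        reviews[reviewer].append(
            {"user": user, "system": system, "permission": permission, "display": display}
        )
    return {"reviews": dict(reviews), "unmapped": unmapped}


if __name__ == "__main__":
    campaign = build_campaign(ACCESS)
    for reviewer, items in campaign["reviews"].items():
        print(f"== review packet for {reviewer}")
        for item in items:
            print(f"  {item['user']}: {item['display']}")
    print("needs mapping before it can be reviewed:", campaign["unmapped"])
```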

In the next segment, we’ll summarize this month’s activity and wrap up.

Identity Management Series – Workflows Part 3: Non-Employee Management http://www.securitycatalyst.com/identity-management-series-workflows-part-3-non-employee-management/ Thu, 30 Sep 2010 02:10:24 +0000 Ioana Bazavan Justus

In the previous segment, we worked through the de/provisioning workflows. These are foundational to the non-employee management workflows in that a key objective of the non-employee management workflows is to terminate access when the non-employee departs. Without the de/provisioning workflows to trigger manual or automated tasks for access removal, the timely knowledge of a non-employee’s departure loses a lot of its power.

Non-employee management is a problem that many companies have because non-employee data is typically not centrally stored in an HR-like system as employee data is. Implementing this set of workflows creates a closed loop that allows identity manager to be the source of record for non-employees and to closely track their comings and goings in a timely fashion.

Objective 1: Determine the appropriate scope

The scope discussion for non-employees is pretty cut-and-dry: the scope is non-employees. But there are a few nuances.

For example, if there are employees whose HR system will not be integrated with identity manager, they may be managed like non-employees and be considered in scope.

There’s also the distinction between fixed duration and ongoing non-employees as described in this month’s Introduction. Fixed duration non-employees are those that are around for a specified timeframe to do a specific piece of work – such as a project resource or temp. These individuals should be tracked according to their projected end-date.

Ongoing non-employees are those that provide a continuous or intermittent service – such as a supplier, an outsourcing provider, or the Cisco guy that the network team calls at 3am when something bad happens and the fix is beyond their expertise. In this case, the company has an ongoing relationship with the employer of the individuals in question, but the specific individuals may change.

For example, the Cisco guy may get a job elsewhere and be replaced by a new Cisco guy – the company still gets support from Cisco, but it’s important to know if this year’s guy is the same person as last year’s guy. In this scenario, individuals are recertified periodically on a schedule.

Objective 2: Populate the requirements list

The requirements for non-employee management are more internal. The associated workflows are straightforward and possible with any of the better products. But, there will be some configuration requirements. For example, the identity manager form that’s used to enter non-employees into the system should ask what type of non-employee it is (fixed duration vs. ongoing), and prompt for an end-date for fixed duration individuals. The end-date will be needed to trigger workflow tasks, asking the line manager if the person is leaving on time or if they are being extended.

The individual’s company should also be a required element on the entry form – it’s helpful to recertify all individuals from a single company on the same schedule.

Objective 3: Identify prep-work

Hopefully, the non-employee cleanup occurred as part of the activities outlined in February and March. If not, it’s time to get cracking on those – it’s important to know who all of the non-employees are, who they work for (their company’s name and your company’s line manager), what type of non-employee they are, what they do, and what their expected end-date is (if applicable).

This may be especially challenging for IDs of vendor support personnel like the Cisco guy, since they typically aren’t around very often, and are rarely if ever on-site. With this type of non-employee you typically have to go find the one manager who recognizes their name, and even the manager who should recognize the name might not. But having a good, clean list of non-employees and their associated data will make implementing the workflows a breeze.

It’s also good to start thinking about the timings of the workflows:

  • How long before an end-date does the line manager first get notified?
  • How many times does the line manager get notified before there’s an escalation?
  • What if no action is taken by the due date – does the user get submitted for full termination, or are they just disabled?
  • What is the cut-off for re-starting the workflow for an extended individual? (E.g., if the person is extended a week, it’s probably safe to trigger termination on the new end-date. But what about if they’re extended a month or more? In that case, it’s probably best to re-start the workflow and ask if there will be an additional extension.)
  • How often should ongoing non-employees be recertified – quarterly? semi-annually? annually? This is a policy question that may take some discussion and vetting.
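One way to turn the timing questions above into a daily workflow decision, as an added example that is not code from the original post; the notification lead time, reminder interval, escalation threshold, extension cut-off and recertification frequency are assumed policy values, and the non-employee records are constructed:

```python
"""Timing decisions for the non-employee management workflow.

Added example, not code from the original post. The policy numbers below
are assumptions standing in for the answers to the timing questions; the
non-employee records are constructed. Intended to run once per day from a
scheduler, with next_action() deciding what the workflow does for each person.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

NOTIFY_DAYS_BEFORE_END = 14    # first ask the line manager two weeks out
REMINDER_INTERVAL_DAYS = 3     # then every three days
MAX_REMINDERS = 3              # after three unanswered reminders, escalate
SHORT_EXTENSION_MAX_DAYS = 14  # extensions up to this long just move the end-date
ONGOING_RECERT_DAYS = 180      # ongoing non-employees recertified semi-annually


@dataclass
class NonEmployee:
    uid: str
    kind: str                                # "fixed" or "ongoing"
    manager: str
    end_date: Optional[date] = None          # fixed duration only
    last_recertified: Optional[date] = None  # ongoing only
    reminders_sent: int = 0
    last_notified: Optional[date] = None
    manager_decision: Optional[str] = None   # None or "leaving"


def next_action(p: NonEmployee, today: date) -> str:
    """Return today's workflow action: wait, notify_manager, escalate,
    disable, terminate or recertify."""
    if p.kind == "ongoing":
        due = p.last_recertified + timedelta(days=ONGOING_RECERT_DAYS)
        return "recertify" if today >= due else "wait"
    if p.manager_decision == "leaving":
        return "terminate" if today >= p.end_date else "wait"
    if today < p.end_date - timedelta(days=NOTIFY_DAYS_BEFORE_END):
        return "wait"
    if today >= p.end_date:
        # No decision by the due date: disable rather than fully terminate,
        # so a late "they were extended" can be recovered (assumed policy).
        return "disable"
    if p.reminders_sent >= MAX_REMINDERS:
        return "escalate"  # repeats each run until someone acts
    if p.last_notified is None or (today - p.last_notified).days >= REMINDER_INTERVAL_DAYS:
        return "notify_manager"
    return "wait"


def record_notification(p: NonEmployee, today: date) -> None:
    """Bookkeeping after a reminder is sent."""
    p.reminders_sent += 1
    p.last_notified = today


def confirm_leaving(p: NonEmployee) -> None:
    """Line manager confirmed the person leaves on the end-date."""
    p.manager_decision = "leaving"


def extend(p: NonEmployee, new_end_date: date) -> str:
    """Apply an extension. A short one just moves the termination date; a
    long one restarts the workflow so the manager is asked again before the
    new end-date (the cut-off is an assumed policy value)."""
    delta_days = (new_end_date - p.end_date).days
    p.end_date = new_end_date
    if delta_days > SHORT_EXTENSION_MAX_DAYS:
        p.reminders_sent = 0
        p.last_notified = None
        p.manager_decision = None
        return "restarted"
    p.manager_decision = "leaving"  # terminate on the new end-date
    return "rescheduled"


if __name__ == "__main__":
    temp = NonEmployee("temp01", "fixed", "mgr-finance", end_date=date(2010, 10, 29))
    for day in range(1, 32):  # simulate a daily scheduler run through October
        today = date(2010, 10, day)
        action = next_action(temp, today)
        if action == "notify_manager":
            record_notification(temp, today)
        if action != "wait":
            print(today, action)
```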

In the next segment, we’ll discuss the full set of user and access recertification workflows.

Identity Management Series – Workflows Part 2: Provisioning and Deprovisioning http://www.securitycatalyst.com/identity-management-series-workflows-part-2-provisioning-and-deprovisioning/ Thu, 23 Sep 2010 13:47:24 +0000 Ioana Bazavan Justus

In this month’s Introduction, three workflow sets were introduced:

  • Provisioning and deprovisioning (which I abbreviate as de/provisioning)
  • Non-employee management
  • User or access recertification

This segment explores the first of these: de/provisioning.

De/provisioning is the most common of IAM workflows. Done right, this workflow delivers tremendous ROI, improved audit results and improved customer satisfaction by significantly speeding up the de/provisioning process. It is also the most complex, as a workflow has to be identified for each access or equipment type. Furthermore, for those access items that will be automated, instructions may have to be provided to the IAM system on how it needs to grant or remove access.

Let’s now run through the objectives outlined in this month’s Introduction segment for this set of workflows.

Objective 1: Determine the appropriate scope

A workflow can be created for just about anything, but does it make sense to create one?

To begin answering this question, refer back to the previous lists of systems (created about seven months ago). Begin with the primary systems and move on to the secondary systems. Chances are, some degree of workflow will be needed for each one of these systems.

Also consider what manual workflows might be appropriate – for example, for computers, mobile devices, application licenses, etc.

Another important input here is the company’s service catalog. If one exists and it has built-in workflow, a good portion of the work is already done. Not all of it, since the service catalog triggers tasks for manual de/provisioning only. But at least the workflows in the service catalog should give some sense of order of operations (i.e., which tasks can be performed concurrently and which must occur sequentially), and it should contain the names of the teams involved in each workflow.

For equipment workflows that will stay manual, the services in the service catalog may be replaced by or augmented with similar workflows in identity manager. For access workflows that will be automated, those teams will need to be engaged to better understand the technical details.

A note of caution – be careful when approaching teams with an offer of automation. Those teams that are overwhelmed with work will very likely welcome the offer, but those that are less busy, or that perceive that their entire job will be automated, will be understandably reticent to participate. They will perceive that you’re coming in to eliminate their jobs. And yes, it will be that personal – anyone on the IAM team will become persona non grata, bringer of pink slips.

It is worth spending time understanding how the IAM team’s efforts will be received, and engaging management appropriately. This may also impact the scope of work, as items that should normally be included in scope or fully automated may have their scope reduced or be eliminated from scope if the political situation gets too volatile.

The questions that need to be answered for this objective are:

  1. Is a workflow going to be created for this item?
  2. If yes, will there be automation, or manual task assignments?
  3. What are the teams involved?
  4. How will the teams receive our efforts?
  5. Is there an existing workflow that can be leveraged?

Objective 2: Populate the requirements list

The requirements list must be clear based on the determined scope. If full integrations are expected with any systems, the technical expectations should be documented (if they haven’t been already). Remember, not all IAM products are created equal, so selecting the one that best meets the requirements is vitally important.

Objective 3: Identify prep-work

There is quite a bit of prep-work that can be done to speed up implementation once a tool is selected. For example:

  • Working with the people familiar with the de/provisioning processes to understand and streamline those processes – are the processes usable as-is, or are they a mess or outdated?
    • In particular, it’s important to understand the deprovisioning process: can an account simply be deleted, or does it first need to be disabled for a time (e.g., to allow for data backups)? If there is a disabled status, what will be the duration for that: one week? two weeks? a month?
    • Similarly, can a piece of equipment be taken away directly, or are there data backup needs there too?
  • Cleaning up existing service catalog workflows so they can be more easily transitioned (if applicable)
  • Preparing target systems – this is especially important on UNIX. Integrating UNIX systems will be much easier if the UIDs are already synchronized across the enterprise. If not, this is a good time to begin the cleanup effort. If this already got done as part of the March activity, great job!
    • Also consider if directly integrating each UNIX box with IAM is optimal, or if an intermediary tool will be used to manage UNIX access via LDAP, Active Directory, or the mainframe.

In the next segment, we’ll explore the user/access recertification workflow set.

Identity Management Series – Workflows Part 1: Introduction http://www.securitycatalyst.com/identity-management-series-workflows-part-1-introduction/ Thu, 16 Sep 2010 09:12:41 +0000 Ioana Bazavan Justus

We started developing workflows in last month’s activity to manage vacancies. Relatively speaking, vacancy management workflows are comparatively simple and provide business-relevant quick-wins, which give credence to the IAM program. Since a full IAM implementation is typically a multi-year process, being able to point to tangible benefits along the way (other than, “hey – check out all the infrastructure we’ve installed!”) will keep management interested and budgets flowing.

This month, we continue down the workflow path by considering the more traditional workflows:

  • Provisioning and de-provisioning (I like to abbreviate this as “de/provisioning”)
  • Non-employee management
  • User or access recertification

These workflows can be significantly more complex than the vacancy management workflows described last month. But as with vacancy management, decisions need to be made as to the level of automation that will be implemented as this may impact product selection. For example, if the organization relies heavily on mainframe applications and a high degree of automation is desired for mainframe de/provisioning, then this should be front and center on the requirements list, as not all products handle mainframe integration equally.

Workflows, if designed and implemented correctly, can also provide significant ROI in terms of de/provisioning speed, reduced effort for audits, elimination of future user cleanups, and decreased costs for things like licenses and equipment.

Let’s look at the benefits of each workflow type in a little more detail.

De/provisioning

As discussed before, there are two categories of “things” when it comes to de/provisioning: those things that can be automated (e.g., access – it just depends how much money and effort you’re willing to spend on the automation), and those things that can’t be automated (e.g., equipment – a new laptop will never float down the hall to the waiting hands of a new employee, someone has to deliver it or at least call the employee to come pick it up).

Clearly, any de/provisionable items that are automated save time and effort if the system can automatically do something in a few seconds that might take a human being minutes to do. The trade-off is the complexity of the integration as compared with the expected usage. An application with ten users will likely never have de/provisioning automated – it’s probably too expensive. Then again, if it’s a critical application and likely to get overlooked since the access changes rarely, maybe it’s a prime candidate.

Items that can’t be automated are still great candidates for inclusion into a workflow, because it builds accountability and helps with tracking. The workflow would simply trigger manual tasks in this case, but by requiring the person completing the task to mark the item done in the system and tracking that, it helps with the following:

  • Identification of what equipment was provided (or collected back)
  • Monitoring of Service Level Agreements (SLAs)
  • Accountability – the individual is less likely to mark the task complete if it isn’t, since they know it could come back to haunt them.

Although out of scope of this series, consideration should be given to integrating IAM with the asset management system to help with tracking of equipment and licenses over time.

Non-employee management

There are two types of non-employees at most companies: those that are there for a limited time (such as temps, consultants, etc.) to provide specific expertise on a project or act in a staff augmentation capacity, and those that are there indefinitely, because they are some sort of business partner (supplier, outsourcer, vendor technical support, etc). As such, workflows must be designed to support both conditions.

Ultimately, non-employee management is a special case of user recertification, which is discussed below. It’s helpful to begin with non-employee management for two reasons:

  • It’s a relatively small and simple sub-set of user recertification, so it’s a good place to start and get some experience
  • It’s a valuable quick-win, since non-employees tend to be a significant blind spot because non-employees are typically not centrally managed in an HR-like system as employees are.

In fact, managing non-employees will be of value not only to the access services or security group because it provides better control over a group of users that is generally less trusted, but it will also be of value to other groups – like HR if they’re trying to rein in management of non-employees from a presence perspective, and finance if they’re having trouble determining when non-employees come and go (to ensure they’re being paid – or not – appropriately).

User/Access Recertification

Many companies still do user or access recertification by hand – generating and emailing unintelligible spreadsheets to business managers asking them if the people on the list still report to them and if the access on the list is still appropriate. Not only is the initial data collection and distribution arduous, but the effort increases dramatically when the managers come back with countless questions in their attempt to understand the access listed, or when their frustration with the process leads them to become unresponsive, requiring repeated follow-up.

Many IAM products offer automation for recertification, but not all solutions are equally elegant. The top systems offer a variety of benefits:

  • Web-based view of individuals and their access
  • Individuals have already been compared against HR to ensure that they’re current (and if vacancy management is already in place, then the HR records can be trusted and “user” recertification is no longer necessary)
  • Access is presented in business terms, not as technical permissions, so that reviewers understand what they’re certifying
  • Whatever changes are indicated by the reviewer automatically trigger automated or manual implementation tasks which are tracked to completion and logged for easy reporting
  • Non-responsive reviewers are reminded automatically, and the line management hierarchy is used for automated escalations
  • Reports for the auditors are easy to generate

Sounds great, doesn’t it? At a large company, this workflow set can easily save several FTEs worth of work for several months each year.

Approach

This month, we’ll discuss each workflow set in part, with three objectives in mind:

  1. Identifying ways in which the workflow set could be developed. There aren’t any right answers here. The goal is to ensure that some thought has been put into what the right answer is for your specific situation
  2. Populating the requirements list accordingly – this is where a lot of ROI can be found, if the right product is selected that can support the requirements. It’s critical to make sure that the requirements list is well-updated this month
  3. Considering some prep-work that could be done in advance of obtaining a system.

We’ll begin in the next segment by working on the de/provisioning workflows.

What a shopping carts reveals about security awareness http://www.securitycatalyst.com/what-a-shopping-carts-reveals-about-security-awareness/ Wed, 15 Sep 2010 13:11:47 +0000 Michael Santarcangelo

Tokens, Shopping Carts and Security Awareness

What can grocery-shopping carts teach us about building security awareness that works to influence behavior change?

Turns out perhaps more than imagined.

During a recent hotel stay, I took a trip to a local grocery store to buy some snacks. I pulled into the lot, parked and headed to the store. Since I only needed a few items, I walked past the carts toward the entrance.

At the entrance a rather LARGE sign explained, “change machine for the carts inside store.”

Something about the sign encouraged me to stop; I needed to understand the need for change for a cart.

Turns out that the carts had a strapping mechanism that essentially tethered them together when stacked properly. Unlocking the cart required a quarter. When the cart was properly returned, the quarter was released and returned.

But a quarter is only $0.25

At first, this struck me as silly. Even in this economy, a quarter isn’t much and I thought it lacked the value to influence cart behavior. And it seemed like an inconvenience.

In the thick humid dusk of the evening, I took a few moments to look out and scan the parking lot. Not a loose cart in sight. So I looked harder and longer for a loose cart to prove someone bucked the trend and “just didn’t care.” Yet all of the carts were either in use or put away.

The token is engagement

Then it hit me: the quarter was only a token, a gesture. The money, in all reality, meant nothing. People put a quarter in, but they got it back. They weren’t renting the cart. At play was the physical act – the token – to connect individuals to the cart.

The token (the quarter) engaged people, connected them to the use of the cart and essentially redefined normal.

The use of a quarter to unlock and use the cart connected people to the process. Awareness of the condition to use the cart ensured people carried a quarter, sought change from the machine (inside the store) and served as subtle reminder to return the cart – if only to get their quarter back.

So how does this apply to security awareness and influencing behaviors?

With a different perspective, these carts taught me a lot about the value of engagement and commitment. By asking for a small value – which will be promptly returned, in full – the interaction changes.

The key here is the token.

It was more than symbolic – and it required some thought or action, but it was not onerous. I suspect shoppers at the store routinely had a quarter or two in their pockets, purses or cars… without complaint.

The low economic value of the token is important to the function. Engaging people in this way does require a shift in behavior (and the first shift is sometimes the hardest), but make it too complex or otherwise costly, and it will be summarily ignored or revolted against.

In the coming weeks and months, we will continue to explore parallels, amplify the good and advance our ability to address the human paradox, shift thinking and inspire behavior change through security awareness that works.

How are you using “tokens” in your efforts? More importantly – how did you figure it out, how is it working and how is it evolving?

Share your experiences in the comments, engage me on twitter, send me an email or pick up the phone and call. I’d love to learn about the token in your efforts.

Vacancy Management and Hierarchies Part 5: Wrapping Up http://www.securitycatalyst.com/vacancy-management-and-hierarchies-part-5-wrapping-up/ Fri, 10 Sep 2010 13:36:59 +0000 Ioana Bazavan Justus

This month we focused on vacancy management, shifting from the functions of identity manager to role manager. Vacancy management is difficult to control manually – in many cases an approval or ownership function is a minor part of someone’s job, so the task of finding a replacement when there is a transfer or termination often goes overlooked. It’s easy for the role data to get out of date, resulting in big cleanups when the data is absolutely needed (such as during the annual performance process for line management), and a scramble to save face when a customer is waiting for a request to be approved.

Ultimately, managing the vacancies is dependent on building three key hierarchies…

  • Line management
  • Data/access ownership
  • Cost center ownership

…and building the hierarchies is best done using a five-step process:

  1. Determine the needed granularity
  2. Collect what data is already available
  3. Obtain the data that is not available
  4. Develop the workflows for filling a vacancy when it arises
  5. Establish the notification processes/integration with other groups/systems that have a need to know

Clearly, this can be another round of fairly arduous cleanups, but once the hierarchies are established, the identity management team will truly demonstrate value to the business by helping key teams like HR and Finance solve a problem that has plagued them for years and that is not directly about access, although it has clear access implications.

As we continue in the series, we will focus on workflows as they pertain to provisioning and de-provisioning, user-recertification, and managing non-employees.

Populating the requirements list

In the course of designing workflows or notifications, some desired integration points may have been identified, for example, where identity manager should directly interface with certain target systems to carry out the notification function(s). If this is the case, be sure to note this on the requirements list, including relevant technical information about the target system (e.g., which protocols it can use).

How can I help?

Do you need some clarification or additional assistance? Do you have an experience to share with others? Leave a comment below so we can all improve together.

Vacancy Management and Hierarchies Part 4: Cost Center Ownership http://www.securitycatalyst.com/vacancy-management-and-hierarchies-part-4-cost-center-ownership/ Wed, 01 Sep 2010 14:21:48 +0000 Ioana Bazavan Justus

I once talked to a finance manager and asked her why her group couldn’t produce an accurate list of cost center owners. Her response was simple, “I would love to have an updated list, but no one ever tells me when there’s a change, so I have no way of maintaining a list.”

As with data and access ownership, cost center ownership is typically a minor component of someone’s job, so when they leave it’s not the first thing that comes to anyone’s mind.

Worse, although there could be more cost center owners than data/access owners (especially in large organizations), there are significantly fewer cost center users – many people in a company have systems access, but only a few people knowingly hit a cost center by buying things. So whereas a data/access owner vacancy is likely to be noticed fairly quickly, it could be months or more before a cost center owner vacancy is noticed – making it that much harder to figure out who the replacement should be.

This segment is about managing vacancies in the cost center ownership arena, to ensure that these vacancies are proactively managed, rather than reactively. We’ll again work through this hierarchy using the five steps I outlined in the Approach section of this month’s Introduction segment.

Step 1: Determine the needed granularity

As with our previous hierarchies, granularity speaks to ongoing management. A one-to-one mapping of cost center to role could result in thousands of roles at a large company, which is not sustainable in the long term. So, as with data/access owners, a middle ground needs to be struck. A single “cost center owner” role is unlikely to suffice; some sub-division will be needed, perhaps on a functional or geographic level.

The finance team definitely needs to be involved in these discussions – they are the right ones to advise on the appropriate level of granularity.

I use the term “finance team” generically – it may be that there’s a different finance team for each functional or geographic unit.

Step 2: Collect available data

The finance team is also the group that will be able to provide any existing cost center ownership data.

Step 3: Obtain missing data

In some ways, determining missing cost center owners may be more challenging than obtaining the line management hierarchy. With the line management hierarchy, the difficulty comes from the sheer number of people involved. With cost center owners, the difficulty is figuring out where to look. How do you equate a number with a person?

You first have to understand what that number means before you can even begin determining the person.

Just as it should be HR’s responsibility to fill out the line management hierarchy, it should be the finance team’s responsibility to fill out the cost center hierarchy.

However, unlike HR, the finance team will be much less familiar with the employee population, so they will need a lot more help getting from number to person. In fact, the HR team may be needed to help bridge the gap, although if the line management hierarchy is already complete, it’ll be a lot easier.

Step 4: Design the workflow

The cost center ownership workflow design principles are the same as those for the data/access ownership workflow:

  • Determine if the person authorized to fill a vacancy is a line manager or a finance manager
  • If the authorized person is a finance manager, determine the course of action for upward vacancies
  • Specify the default action if an approval is pending and a vacancy hasn’t been filled

Step 5: Notification

The group most likely to require notification on cost center ownership is finance, although as mentioned previously there could be many finance groups across a large company. HR may also have a need for this information.

As with the other hierarchies, email notification is a cheap and simple solution for notification, but you get what you pay for – there’s no guarantee that the updates will be made. A better solution is again a closed-loop task at the end of the workflow, although finance people are typically so far removed from IT and identity management that receiving and completing tasks from an identity management system may not be well-received.

Updating the finance system automatically may be possible if an integration is already planned between the finance system and identity management. Otherwise, automation could be costly. If HR needs to be updated, that should be possible since HR and identity management must be integrated anyway. If HR and the finance system are integrated, it may be possible to auto-update the finance system indirectly via the HR system.
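To make the Step 4 workflow principles and the Step 5 closed-loop task concrete, here is an added example in Python. It is not code from this series or from any identity management product; the employees, cost centers, finance units and pending requests are constructed sample data, and the function names (`find_vacancies`, `authorized_filler`, `route_pending`, `vacancy_tasks`) are my own. It walks the line management hierarchy upward past an inactive manager (an upward vacancy), falls back to the finance unit's manager when the authority is finance, applies a configurable default to approvals pending on a vacant cost center, and emits one task per vacancy with the groups to notify.

```python
"""Vacancy handling for a cost-center ownership hierarchy.

Added example, not code from the Security Catalyst series. All data below is
constructed and hypothetical.
"""

# Line management hierarchy: employee -> manager (None = top of the tree)
LINE_MANAGER = {
    "alice": "carol", "bob": "carol", "carol": "erin", "erin": None,
    "frank": "erin", "grace": "frank",
}
# Employees HR has marked as terminated or transferred out
INACTIVE = {"bob", "carol"}

# Cost-center hierarchy: cost center -> (owner, finance unit, parent cost center)
COST_CENTERS = {
    "CC-1000": ("erin", "EMEA", None),
    "CC-1100": ("bob", "EMEA", "CC-1000"),
    "CC-1110": ("alice", "EMEA", "CC-1100"),
    "CC-2000": ("frank", "APAC", None),
}
# Finance manager per finance unit, plus the unit to escalate to
FINANCE_UNIT = {
    "EMEA": ("grace", "GLOBAL"),
    "APAC": ("bob", "GLOBAL"),      # bob is inactive: an upward finance vacancy
    "GLOBAL": ("erin", None),
}
# Approval requests waiting on a cost-center owner: (request id, cost center)
PENDING = [("REQ-1", "CC-1100"), ("REQ-2", "CC-1110"), ("REQ-3", "CC-2000")]


def active(person):
    return person is not None and person not in INACTIVE


def next_line_manager(person):
    """Walk the line hierarchy upward until an active manager is found."""
    mgr = LINE_MANAGER.get(person)
    while mgr is not None and not active(mgr):
        mgr = LINE_MANAGER.get(mgr)
    return mgr


def finance_manager_for(unit):
    """Walk finance units upward until an active finance manager is found."""
    while unit is not None:
        mgr, parent = FINANCE_UNIT[unit]
        if active(mgr):
            return mgr
        unit = parent
    return None


def find_vacancies():
    """Cost centers whose recorded owner is inactive (detected from HR data)."""
    return sorted(cc for cc, (owner, _, _) in COST_CENTERS.items() if not active(owner))


def authorized_filler(cc, authority="line"):
    """Who may fill the vacancy: the owner's line manager or the unit's finance manager."""
    owner, unit, _ = COST_CENTERS[cc]
    return next_line_manager(owner) if authority == "line" else finance_manager_for(unit)


def route_pending(default="escalate"):
    """Default action for approvals pending on a cost center whose seat is vacant."""
    vacant = set(find_vacancies())
    decisions = {}
    for req, cc in PENDING:
        owner, unit, parent = COST_CENTERS[cc]
        if cc not in vacant:
            decisions[req] = ("approver", owner)
        elif default == "hold":
            decisions[req] = ("hold", None)
        else:
            # Escalate to the parent cost center's owner if active, else to finance.
            parent_owner = COST_CENTERS[parent][0] if parent else None
            target = parent_owner if active(parent_owner) else finance_manager_for(unit)
            decisions[req] = ("escalated", target)
    return decisions


def vacancy_tasks(authority="line"):
    """Closed-loop tasks: one per vacancy, assigned to the authorized filler,
    naming the finance unit and HR as the groups to notify."""
    tasks = []
    for cc in find_vacancies():
        unit = COST_CENTERS[cc][1]
        tasks.append({"cost_center": cc, "assignee": authorized_filler(cc, authority),
                      "notify": ["finance-" + unit, "hr"], "status": "open"})
    return tasks


if __name__ == "__main__":
    print("vacancies:", find_vacancies())
    print("line filler for CC-1100:", authorized_filler("CC-1100", "line"))
    print("finance filler for CC-1100:", authorized_filler("CC-1100", "finance"))
    print("pending (escalate):", route_pending("escalate"))
    print("pending (hold):", route_pending("hold"))
    print("tasks:", vacancy_tasks())
```

In the sample data bob owns CC-1100 and has left, and his manager carol has left too, so the line authority resolves to erin rather than stalling on the empty seat; with finance authority the EMEA finance manager grace is chosen instead. The two `route_pending` defaults are the alternatives the third principle asks you to decide up front: escalate the waiting request or hold it until the seat is filled.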

In the next segment, we’ll summarize the month’s activities and wrap up.
