For me, this means a lifelong study of communication – verbal and written – blended with human ecology and the fundamentals of security. It’s an odd mix, but with my focus on Awareness that Works™, it serves my clients well.

A few months ago, I started a column for CSO Online dubbed the “Career Catalyst.” It allows me to build on my background as a catalyst and role as an advocate for individuals to share ideas, insights and strategies to help shape and develop powerful, effective careers. It turns out to be a perfect compliment to my approach to advancing individuals and organizations at the same time.

My passion in serving others is the driving force for this column.

I routinely listen to the challenges, observe the trends and think about the skills, aptitudes and attitudes for career success. But I also view this as an effort to serve as the catalyst for multiple ideas, experiences and challenges of the entire community.

Looking to improve your career and advance the profession?

• Share your successes or ideas you’d like my take on
• Ask the questions on your mind
• Share your challenges

Connect with me by email, telephone, twitter or through this handy contact form.

You can find my column here: http://www.csoonline.com/topic/41515/security-career-staffing

Here are the last three columns:

Security Careers: The Mic is Always On. Always.

Like politicians who’ve been embarrassed by public microphone mistakes, security professionals need to remember comments that are made in bad taste can put both a career, and an entire security program, in danger

http://www.csoonline.com/article/597056/security-careers-the-mic-is-always-on.-always.-

Cultivating a healthy addiction for career success

Going beyond the typical interview answers and resume claims will help you demonstrate why you stand apart from the pack. Michael Santarcangelo shows the way.

http://www.csoonline.com/article/594229/cultivating-a-healthy-addiction-for-career-success

Are You Making a Security Career or Working a Job?

In his first column as CSO’s Career Catalyst, Michael Santarcangelo outlines three essentials everyone needs to consider to make security work more than just a job

http://www.csoonline.com/article/590096/are-you-making-a-security-career-or-working-a-job-

By Jill Van Zelfden

“Investing in Yourself”… I’m sure we’ve all heard this term at some point in our lives.  But what does it really mean and why should someone care?  And of all things: Why does my employer care?!

First, let’s start with a definition:

“Investing in Yourself” means that you are the driving force behind improving yourself in some aspect in your life in order to move ahead.

Examples:

1. Taking a college course to improve your job skills.
2. Reading a book to solve some problem at work or in life.
3. Listening to an audio podcast via iTunes to improve some aspect of your life.
4. Hiring a trainer to teach you something new.  (And no, although it could be a gym trainer to help get you into shape, I really mean hiring someone to teach you something new like Excel, or underwater basket weaving.)

Non-Examples:

1. Company sponsored training.
2. Company paid college course work.
3. Parent paid college course work.

Note: While it’s always great for these to happen and these all lead to something invested in you, these are examples of someone else investing in you.

Ok, so now that we’re clear on the definition, why is this important, how do I invest in myself, and why the heck does my employer care?!

So, why is this important?  Isn’t it enough that I am a parent, work full-time, do house work, make repairs on my house, eat, and sleep?  In short, the answer is “No.”

As human beings, we all want to achieve the next big thing.  Keep in mind that the next big thing is different for everyone.  What may be my next big thing could very well be different than your next big thing.  But human nature dictates that everyone has a next big thing.  None of us want to remain the same day in and day out.  We all want something more.

What’s your next big thing?

A month long trip to the Bahamas?

A new house?

A job promotion?

So, how to you go from the here and now to your next big thing?  You need to invest in yourself!  Take the time to sit down and figure out what is keeping you from that next big thing.  If you’re unsure, talk to someone who’s there and ask them how they got there or what they would have done differently.  Then take the steps you’ve identified.

For instance, if you’re after a job promotion, figure out why you haven’t been promoted.  Is it because your technology skills aren’t quite up to snuff?  Then take a look into community colleges in your area and find a class that will teach you the needed skills.  Is it because you don’t have experience with a particular skill?  Volunteer with a non-profit group that needs someone with that skill.  Then brag on the great job you’re doing for the local non-profit to your boss!

If I’m investing in myself, how could that possibly affect my employer?

Why is my employer wanting me to invest in myself?

Why does this topic come up in my annual reviews?

All great questions.

Here’s the secret that very few managers want to admit:

An employee who has an idea for their next big thing is more than likely an employee who is motivated in improving something.  This means that they want something from life, are happier, and are less likely to be here for just the next paycheck.

And if an employee’s next big thing is improving their job, then that’s an added bonus for the company.  After all, the more advanced work they can give you, the less they have to spend on hiring, benefits, training, etc on a new employee.  So, in the end, it usually proves to be a cost benefit to promote you instead of hiring someone else.  And if you’re in the right company, that cost savings flows down to you, the employee, in some form or another.  It might be a promotion, it might be a raise, or it might be both!  How awesome is that?!

But the key here is to let your new skills show!

And sometimes, that means identifying a hole in the company, learning the skill needed to plug the hole, and then spending an extra hour or two off the clock proving to management that you can handle more responsibilities.

Investing a few hours in yourself is very evident to those around you.  Because what you’re concentrating on and doing off hours will come up in conversation.  Think about a parent you know and the last time you asked them how their child was.  What was their answer?  Was it a one or two word sentence?  Or was it a story about how great they were at their last play/recital/soccer game/etc?

The same thing happens when you invest in yourself.  Your world all of a sudden becomes bigger and more exciting.  You start trying to relate your current knowledge to your new knowledge.  You start to say things like “See that rainbow?  Isn’t it amazing how light refracts like that?” instead of “Oh isn’t that rainbow pretty.”  And statements that show off your knowledge like that, is hard for your employer to miss.

So, I challenge you to:

1. Identify your next big thing.
2. Invest in yourself.
3. See how long before your family/friends/coworkers/boss notice or reward you in some way for working towards your next big thing.

About Jill Van Zelfden

After more than a decade in technology, Jill Van Zelfden found her passion for Information Security in 2008. Working to advance herself and the profession, she currently holds the Security+ and MCSE: Security certifications and is a member of ISSA.  She resides in the Dallas area and works for NetBoundary as a Security Operations Manager.  She’s available at twitter.com/JillVann.

Think back to the best leader you’ve ever followed.

For me, it was my Professor of Military Science when I was in ROTC during my college stint.

Look at him and at first you’d see him as an “average” Army officer. He’d had a bunch of good assignments, some not so good assignments, and was finishing up his career teaching young men and women the finer art of leadership. If you only knew him casually you’d be wondering why all of these young men and women were so dedicated to the program, the Army, and (in a lot of ways) to him.

The reason I did was simple: the Major was able to describe a vision to me of what the Army could be, what I could be, what all of us – together – could accomplish. He told the stories of what he felt we could do in such clear and compelling language that we were enthusiastic to do some pretty (in retrospect) amazing things. Things that, outside of the context of the vision, made absolutely no sense…like jumping out of perfectly good airplanes while still in flight…like marching through mud, dust, and pollen for kilometer after kilometer…like lying in cold rain for hours waiting for the ‘bad guys’ to show up…and so on and so on.

Casting Vision: It’s Not Just A Sales Job

Without a compelling vision a leader is hamstrung.

They can push and pull the levers of the team, they can make adjustments to the machine that is the team – but they cannot get the team to reach it’s full capability. Without a compelling vision the leader is simply reacting to events instead of shaping the events and circumstances. The leader, without a vision, is not really leading at all.

Just to be clear – we’re not talking about the simple “performance management” task of assigning goals and objectives to individuals and ensuring that there is a cohesive flow to them. We’re not talking about “mission statements” or “purpose statements” (although they may enter the conversation later). We’re not even talking about how to justify the capital expenditure needed to get the “new system” online.

When we talk about casting vision we’re talking about being able to tell a story that accomplishes some very specific goals.

Acknowledge What Is

Any vision must start at the beginning.

You must be able to acknowledge the good, the bad, and the ugly about the current situation. You have to be completely honest about where you are coming from. To do otherwise begins with a foundation that cannot support even the most compelling vision.

Vision, built on false assumptions or denial of the past, collapses in on its own weight. That being said, don’t flagellate yourself (or the team) unnecessarily either.

As Sergeant Joe Friday says “Just the facts”.

Describe What Is To Come

Vision, at it’s simplest, is a story describing how things should (or can) be.

The story needs enough detail without going to deep. It needs to be lofty and idealistic without sacrificing a real sense of reality. The story needs to reach out to your team and show them that they can be much more than what they are today.

But a simple vision is, many times, not enough.

Vision needs to take into account what you want your team to accomplish and also show how that plays into the goals and aspirations of the larger team. Vision, especially for larger teams, needs to be large and sweeping and dramatic and dynamic.

Most importantly, the vision must be Yours.

Demonstrate Your Belief

Only you can effectively get your vision off the ground.

If you do not share it convincingly, if you cannot show that you believe it in the deepest fiber of your being, if you cannot demonstrate you are willing to sacrifice personally to make the vision appear then: You. Will. Fail.

Think back to when you knew the boss was simply mouthing words that the boss thought you wanted to hear. Recall when you could tell exactly which motivational book the boss was parroting. Remind yourself of all those times that you knew (and I mean, YOU KNEW) the boss wasn’t believing what they were saying.

Do you want to be that?

Make The Mental Shift Yourself First

Once you’ve communicated the vision to your team you must make the mental shift in all your communications, thoughts, and presentations and ensure that the tenets of your vision are constantly and consistently communicated.

You need to make your vision, no matter what it is, the focal point of all your activities. You must be “living the vision” every day in every way.

Once your team sees that you believe, once they know that you are not just “saying words”, once they realize that the vision is for real – then you can move on to the next (and, to me, most fun) step.

Help The Team See And Act On The Vision

Once the team sees that you believe and that you are willing to act on the vision they will be prepared to begin really looking at the vision the way you do and will start to act on it in ways that they think will help bring it about.

Your job is easy – you get to be a cheerleader, mentor, and disciplinarian all in one. You get the chance to reinforce the vision with team members and experience what I think is one of the coolest parts of leadership: you get to see your team members grow as people and you get to see your team grow in it’s capabilities.

But that growth doesn’t “just happen”… In our next episode we’ll talk about how to take your vision and use it to build a stronger team.

by Martin Fisher

Those who know me have come to expect me to “correct” them whenever they say “manage people”.

“Objects are managed, people are led,” is my usual retort. Sometimes I am met with a blank look, sometimes with a exasperated grimace, and sometimes (and not nearly often enough) by a questioning stare.

“What?” the quizzical friend often asks. “There’s not a difference worth mentioning.”

Nothing could be further from the truth and nothing, in my opinion, has done more to impede the progress of the information security profession.

The abject failure of leadership, from senior ranks, through middle management, to front-line supervisors has led to a culture that glorifies “meeting expectations”, extols the virtue of “accomplishing goals”, and is satisfied with “getting the job done”. Don’t get me wrong – these things are important – but they miss the vital difference: That a dynamic leader can take a group of people and almost always “exceed expectations”, “surpass goals”, and “get the job done better” and still have a happier team and more satisfied customers.

“How does that happen?” asks the still-quizzical friend, “Isn’t meeting expectations what we’re here for? Isn’t that enough?”

Sadly, it isn’t enough.

All people appreciate leadership. Everyone inherently wants to belong to a team that accomplishes exceptional results. Nobody wants to be in an organization that doesn’t excel.

The key to this is the Leader.

Leaders determine, by applying their leadership talents, just how far the team will go. Setting a goal and managing to that goal ensures that any additional capability is forever lost. Managing to a goal guarantees that the exceptional capability that is native to any team will be lost in a desire to just do “enough”. When we manage people, instead of lead them, we are condemning ourselves to forever experience sub-optimal results, never knowing what could have been accomplished.

“But my team is happy and my customer is satisfied. Doesn’t that mean I’m succeeding?” asks the friend as their frustration with the conversations grows. “You’re making more out of this leadership thing than it really is, aren’t you?”

This is the point where the friend has reached an almost Matrix-esque moment…

“Take the blue pill and this conversation ends. Everything goes back to the way it was and you can believe anything you want to believe. But take the red pill, and I’ll show you how you can take the leadership skills and talents you have and use them to transform yourself and your team. I’ll teach you how to truly get more done with more satisfaction.”

Which pill, my friend, will you take?

Whether you call it lay-offs, downsizing, rightsizing, redundancies, a reduction in force, or whatever, a reduction in staff stinks.  Downturns in the economy often translate to a reduced volume of business, resulting in a correlated reduction in staff.  One of the hardest jobs in Security is ensuring that those who are asked to leave no longer have access to the organization’s resources.  This is especially hard when you know those affected.  However it’s critical that this tough job be done.

The last thing you want or need is for an ex-employee to perform a malicious act as part of their departure.  The recent case with the Fannie Mae consultant is a great example of how a malcontent could potentially cause your organization grave damage.  Luckily, the Fannie Mae sys admin found the malicious script.

You shouldn’t depend on luck to protect your organization’s critical infrastructure during lay-offs. This article contains concrete steps for you to consider before, during, and after the dreaded layoffs.  [Note: the critical nature of these steps is, in actuality, job security for those who need to perform them. Maybe you can use them to justify your job and keep it off of the “chopping block.”]

Before the announcement

Just as in any project (and this is a project), planning and coordination are key.  Those managing or initiating the lay-offs (e.g., Human Resources) must have Security on-board early in the process.  Delays increase risk to the organization.  While secrecy is necessary to protect the process, trusted relationships must be established between all involved, including HR, Security, Legal, and Management.  Security needs to know who is affected in order to know what needs to be protected.  Security can also help properly protect the “list” prior to the official announcement.

Security personnel (both physical and information) need to ensure the protection of personnel and assets during the lay-offs.  On the physical side, you need to make sure that those announcing the lay-offs are protected should the employee(s) get upset or abusive.  Security officers should be trained and ready to handle potential conflicts and workplace violence.

Information security personnel should identify single points of (security) failure and high risk areas.  This includes administrators with expanded ability, authority or access.  Security should also determine if there are any single points of failure in the operations that would be affected by the lay-offs.  Management should address these critical points well before the announcement to prevent any unexpected denials of service.

Security personnel also need to develop processes to remove both physical and logical access as soon as the notification takes place.  This cannot occur too soon before the associate is notified, or else it might alert the associate, resulting in unexpected consequences.  (No one likes to find out that their position is eliminated by having their network or badge access disabled.)  Also, this cannot occur too long afterward, for obvious security reasons.  Ensuring the correct timing requires pre-planning.

As soon as the announcement is made that your organization is considering lay-offs, extend your monitoring efforts.  This could be before the actual lay-offs.  Rumors can spread, and associates might take these rumors as reason to start their preparation should their name be on “the list.”  Your efforts should include Data Leakage Protection (DLP) to ensure associates aren’t shipping critical company information (e.g., customer lists, intellectual property, or company employee data) to themselves or others.  This could occur on the network or off.  It’s very easy for an associate to sneak a USB drive filled with an encyclopedia of company data out the door. You also need to be cognizant of physical theft.

During the announcement

With your planning complete, it is now time to enact and follow those processes.  As soon as the associate is told that he or she is no longer employed by the organization, you need to disable the physical badge, logical network, and phone access.  The accounts should not be deleted, only disabled in case you need them in the future (e.g., rehires). It’s important that all access is also disabled for networks or assets that are externally accessible (e.g., VPN).  The time required for this activity will multiply if IT hasn’t kept complete documentation of each worker’s individual access rights, passwords, user names, and security cards.

Occasionally, the manager will request that the separated associate’s email, phone, or voicemail remain available.  This is to maintain contact with clients or customers.  Security needs to have an exception process in place to handle these requests while making sure the separated employee no longer has access.  It needs to be reassigned to the responsible manager or his/her delegate.  Allowing permanent access is not a good idea.  There should be a set timeframe for this access to remain active before it is disabled.

Also, consider any shared accounts used by the separating employees.  Do they know the UNIX root or Windows administrator password?  Whether it’s that or any other password for a service account, make sure the password is changed ASAP.

Physical security personnel need to be watching and ready in case the affected people become upset.  Normally, you don’t need a physical security presence to escort them.  That can be accomplished by the manager and/or HR representative.  However, Security should be ready in case things turn ugly.  Additionally, they should be watching what property is leaving.

Part of your process should include the retrieval of any assets used by or assigned to the separating employee.  This includes: Computers (laptops), USB drives, two-factor authentication tokens, cell phones / PDAs / pagers, and paper documents.  When the employee is notified, the manager and HR representative should retrieve these items along with any other property of the organization.  Of course, the employee should be allowed to pack up personal belongings, but corporate assets should remain.

Lastly, while the separations occur, continue to monitor online access and activities.  You never know the mindset or attitude of those who depart.  The potential for malicious acts is increased, especially against any resources that can be seen from the outside (external web sites).  Your IDS/IPS should be watching those external network assets and you should be ready to take action.

After the separations

While the major threat may have passed when the laid-off employees have left, it is not completely gone.  There are specific post-separation activities that need to occur to ensure risks stay low.

One of the most critical activities is the inspection of online and paper files left behind by the employee.  Each manager is responsible for making sure this occurs, because he or she is in the best position to know what is and is not needed.  This can be time consuming and tedious, but it can’t be ignored.  The benefit is the freeing of storage space.

The manager or their delegate needs to inspect each piece to determine its disposition and whether or not it is still needed for the business.  This person also needs to determine the retention period for any material that needs to be kept.  This may require collaboration with the legal or compliance department as this material can be recalled for legal proceedings.

Another post-separation activity is inspecting online files for potentially malicious content.  This is especially important for any systems administrators who were let go.  There have been many stories of sysadmins leaving backdoors, Trojan horses, and time or logic bombs behind.  Remaining sysadmins need to inspect any scripts created by the associates along with any scheduled jobs.  Failure to take this step could be devastating for the firm.

Lastly, use this time to document what went right during the process and where you have room for improvement.  Take time to learn from the experience and enhance the process.

Conclusion

Staff reductions are a part of corporate life.  As painful as they are, they are often critical to keep the organization functioning at full capacity.  Security needs to be an active participant in the lay-off process to ensure the risks are kept low.   The removal of access is only one of the many areas requiring the attention of Security.  They also need to be actively monitoring both the physical and on-line activities of the separating associates.  This isn’t to be intrusive, but to ensure the continual protection of the organization.

Having a positive security model with validation and enforcement provides a deterrent to malicious behavior as well as the tools to quickly indentify and contain threats when needed. A positive security model includes: policies, procedures, detective and preventative technology, and proactive monitoring.  The tips in this article will aid you in the development of your security model so you are ready when the time comes.

Checklist of Security Items to Consider with Lay-Offs

Before
Planning / Establish processes
Disabling access
Communications
Establish trusted contacts
HR
Legal
Security
Management
Identify single points of (security) failure
Employees who pose a danger (to themselves or others)
Administrators
Associates with access to sensitive or confidential data
Identify risks
Intellectual property
Confidential data
Property

During
Disable regular individual access
Logical
Physical
Phone
Email
Remove access to shared accounts
Administrator accounts
Service accounts
Other shared passwords
Asset retrieval
Computers (laptops)
USB drives
2 Factor authentication
Cell phones / PDAs / pagers
Paper documents
Enhance monitoring
IDS/IPS
Logs
Physical surveillance

After
Continued vigilance
Review of assets “left behind”
Online documents, files, and shared storage
eMail
Papers
Check for backdoors, Trojan horses, logic bombs
Unix
Windows
Databases
Network devices
Lesson’s learned
What went right?
What could be done better?
Process improvements

by Jeff Kirsch

Recently, my son told me a story about how he played chess with a friend at school. In his story, he said his friend executed a certain move; my son then asked me if I had ever tried that move. I was a bit confused; I’ve played chess on and off for at least 20 years, but I’ve never heard of this play. My son asked if we could play, and more importantly, if I could teach him. Looking at the clock, I thought about how I needed to get his siblings into bed, and that he needed to read a book for school.

He promised to read his book while I put his siblings to bed. After the other kids were in bed, I got him from his room (where he had read a chapter of his book), and we headed downstairs for his lesson.

I explained the chess pieces and how they moved; he remembered this from the last time we played. We began the game and I watched him bring his plan to fruition. I didn’t start with very much instruction, because I kne

w that the best instruction comes when you are “deep in the weeds”, so to speak. I took a few of his pieces, and the teaching began.

For each of his moves I helped him see what my next moves could be and how that would affect what he should do. With each move, he needed less and less instruction, but his questions became more complex. Of course, like most novice chess players, he still needed help remembering how the pieces moved (especially the knight). Looking at the clock, I realized it was just a few minutes till his bedtime, so I finally made an exchange of pieces I had put off for most of the ga

me. A few moves later he was in checkmate. He looked at me with a huge smile on his face and gave me a big hug. “That was fun, Daddy,” he said as I squeezed him tight. “I can’t wait to play again.” That is when two thoughts struck me, which I shared with him, and which I’ll share with you now.

In losing, you win

We hear all the time that most successful people failed, sometimes more than once, before

being successful. Even after those people “made it”, they still face bumps in the road. What came out of my mouth first to my son was, “In losing, you win.” I went on to explain that you have to lose a lot of games of chess in order to learn how to play the game. This came out almost automatically, but then I started to reflect on what I had said. I realized that I wasn’t just talking about the game, I was talking about life and all the challenges we face.

In information security it is easy to become overwhelmed. We always feel like we are three steps behind. We put together teams, we focus on security and secure practices, and try to funnel everything down to a few points where we can protect our vulnerabilities, only to find that someone left the back door open. To add insult to injury, we get raked over the coals because the one thing we forgot compromised everything we were trying to protect. However, until the day you forget to lock one door, you have no real concept of the consequences that await when you do fail. In that moment of failure we have the ability to learn the most.

A plan is good, but plan flexibly

My son went into the game thinking there was a defense he could set up in the beginning that would win the game. What my son didn’t take into account was that I would have a turn, and that I could attack his defense – thus also keeping him from the offense he had planned. He immediately understood his mistake and explained to me why he should have paid attention to what I was doing. I was again hit with the realization that the lessons from this game were more than just lessons about a game. If we only plan to defend our systems from attack, we fail to see the most critical vulnerability and fail to account for a possible offense.

Flexibility is critical not just in information security, but in all aspects of our personal and professional lives. People who plan ahead certainly can start out of the gate faster, but when they get a few miles down the road and their tire goes flat, how do they sustain momentum? If you can adjust your strategy not only to account for defense, but also to incorporate an offense, you double your chances for success. In the end, you even the playing field by using your strengths and understanding your opponents’ weaknesses.

In a moment of just playing a game with my son, I re-awakened the magic of chess and learned some valuable lessons. There are plenty of people who make fun of the game and those who play it, but there are just as many (if not more) who play it and get it. When you realize that it is not simply a game, but that it also has many lessons to impart, you find that “losing” really isn’t losing. But just as in chess, you’ll encounter people who don’t get what you do or why it is important. Instead of discounting them, find a away to convey what it is and why they should care. You aren’t going to convince everyone and it won’t be easy, but giving up before you start says a lot about your character and reflects the quality of your work.

A friend of mine recently had a very Dilbertesque experience at work.  The company my friend works for has been acquired twice in the last three years and all of the dust seemed to be settling.  Sort of…

Locally there were four offices under the corporate umbrella, each a legacy of the acquisitions that had occurred over the last several years.  The parent company decided to consolidate three of the offices and scale down the most remote office by moving some of the staff from that office to the new centralized office.  This was reasonable, and most of the staff saw this as a good business move.  Most of those who did not see it as a good move were from the remote office and would have to drive farther to get to work.

Planning for the move had gone on for a couple of months and was finalized about two weeks before the actual move date.  The new seating chart was printed, offices were assigned, and additional requests were made.  Here is where we take a turn for the weird:

Treating your people like they are worthless: Elimination of a position announced through the new seating chart.

One of my friend’s coworkers found out by looking at the seating chart that he was not going to have a job in two weeks.  Rather than approach this individual before the release of the seating chart, the office manager chose to let things work themselves out a la “Office Space”.  Fortunately, the Milton in this case chose not to resolve the issue with fire but by talking with HR, but this left a bad taste in a lot of people’s  mouths.

Generate a menial or pointless task.

Actually, this one is a little worse than pointless, it is counterproductive.  Time tracking is a part of a lot of people’s workdays. I did it every day when I worked as a consultant, so that we could bill customers for my activities.  This is not a diatribe against time tracking; however, my friend was asked not just to start tracking time, but to go back to the beginning of the year and track all of the time since January 1.  The company wanted real data for that entire time.  Do you remember how you spent your day in fifteen minute increments 6 months ago? 6 weeks ago?  6 days ago?  As a group, the team that was asked to do this questioned the logic behind generating data that would contain a lot of errors and inaccuracy that would then be the basis of the next three years of projections.  They were told, effectively, not to worry about it and that the data analysis team would take care of it.  To me, dear reader, that is like saying, “Create firewall logs for the last 9 months that we can then use as the basis for the upgrade of the existing firewall and Internet connection, even though you only put in the logging system this week.”  Yes, you will have a smaller set of data to work off of but it will be more accurate, and your people will feel better about their work.

So what can you do to avoid putting yourself or your coworkers in such a situation – aside from not working where my friend works?  Treat your coworkers with respect and dignity. If you know of something that is going to have a direct impact on their lives, they need to be made aware of the upcoming change in as timely a manner as possible.  If you are implementing a new system that employees are going to be using, get their feedback and review what they have to say.  Don’t make decisions in a vaccum. If it impacts people, get their input.  Running a business depends on the people that work there; if they don’t feel valued, then the business won’t be valued.

by Bill Pennington

Maybe you didn’t see my last post in time to save your job, and you are now out on the street looking for one. I have been hiring people for close to 10 years now, and hiring today is a lot different than it was 10 years ago. These tips are based on what I see coming in these days in terms of resumes, and what I do when I see a resume that is at least passable.

1. Customize your email. Every resume I see these days comes in via email, either directly to me or from one of our current employees. Make sure that email is customized to the company and position you are looking for.  Nothing gets your resume ignored faster than an intro like, “I am really looking forward to expanding my role as a Snort IDS engineer,” when you are applying for a job as a web application tester. If you don’t care enough to change an email before you send it to me, then why the heck would I hire you?

2. Google your name and ALL your email address. That is what I am going to do.  What does that show? Can I find your Facebook profile, your LinkedIn profile, and your personal blog about raising 400 cats in your one-bedroom apartment? Step back and think about what all the data says about you. Are you raging about your current employer? Detailing how you just hacked your neighbors’ network? Talking about how much you really don’t want to work in security? All of those things are going to impact my decisions to even bring you in for an interview. Understand that and think about what you are displaying online. It is fine to be you and share, that is great, but understand that a stodgy insurance company might not hire a 30-something skateboarder (me) to be their CISO.

3. Use that network. There’s no faster way for you to get in the door than through a referral from someone I know or someone that currently works here.

4. Contact me via something other than email, such as Twitter, Facebook, or even the phone. I get about 400 emails per job posting, and nothing is going to make you stand out more than showing the effort to reach out to me in another way. In this market you have to show initiative and drive; simply reaching out to me on Twitter will put you in that top 1% real quick.

5. Read our freaking website!! This is question #2 after, “Did you have any trouble finding the office?”And don’t lie because question #3 is, “Tell me what we do.” If you can’t be bothered to find out a little about the company you want to work for before the interview, what does that say about your work ethic? Nothing good, I can assure you. I am not expecting you to be able to give me a perfect elevator pitch, but I do expect you to have made the effort.

If you are currently out of work please follow the tips above and let me know if they speed up the process at all. Every job opening is getting flooded with resumes; you have to make an effort to rise above the fray to get seen, even if you are a rockstar.

I was recently contacted by a group of grad students from Johns Hopkins studying virtual teams. They wanted to pick my brain on the topic of what kills virtual teams, talk a bit of security, and then buttered me up to ask if I would produce a podcast of their results by interviewing an expert. I agreed.

Part of their approach is to conduct a brief six-question survey (this literally takes 5 minutes): http://www.surveymonkey.com/s.aspx?sm=Z23UF52G_2bIvUD_2bSzPICoqA_3d_3d

By participating, you’ll be helping some grad students – and we’ll all get the results with a podcast! We only need 100 people to help – please take a few minutes and share your experiences.

Since I’m conducting the interview of their expert, if you have comments, questions or suggestions, please send them to me before Thursday at securitycatalyst@gmail.com.

Here is some additional background.

The school: Johns Hopkins University Carey Business School
• A business school situated within one of the greatest research universities in the world.
• Innovative business school curricula taught by expert faculty and prominent business leaders, based on the Hopkins model of combining theory and practice.

The class: Building Teams and Developing Teamwork
This course is designed to teach students to benchmark the qualities, characteristics, and structures that lead to high performance teams. They examine the similarities and differences among interdisciplinary work teams, multidisciplinary work teams, cross-functional work teams, and virtual teams. Models of team development and organizational culture are applied to diagnosing, consulting, and facilitating team success.

The project: Bring new knowledge to the field of work team behavior
A group of five Hopkins graduate students were charged with bringing new knowledge to the field of teaming. This group elected to research the world of virtual teaming and in doing so there is a great body of literature on what makes virtual teams successful, but little written about what causes them to fail or at least be sub-optimized. This brief, six question survey addresses potential problems related to virtual teaming and will be used in conjunction with data gather by conducting a series of structured interviews with subject matter experts to examine “virtual team killers.” The final product of this research will be a podcast sharing the research finding and further exploring the topic.

Please take a few minutes and share your experiences and insights: http://www.surveymonkey.com/s.aspx?sm=Z23UF52G_2bIvUD_2bSzPICoqA_3d_3d