Why is communication so difficult? It should be easy. We start learning to communicate as soon as we’re born. We cry when we want food, warmth, cleaning, security, sleep. Then we begin to learn words and body language. How is it then, that when we are fully grown and educated we still can’t communicate very effectively?

Here’s a story to illustrate:

An engineer (Bob) wants to take on tasks that he has not been checked-out on. Bob’s boss, Fred, wants to make sure Bob understands the tasks before he allows him to do them unsupervised. Fred needs to put together a skills checklist for Bob so Bob knows what is expected, but before Fred can get that done, Bob asks Fred for permission to do these tasks. Fred’s busy fighting a fire so he says to Bob something like, “Not right now. You have to demonstrate that you can do these tasks before you can have access.”

Bob: “What do I need to know? What do I need to do?”

Fred: “I don’t know right now.”
Bob is a bit confused and frustrated, and walks away in an unmotivated state of mind. Bob complains to the next five people he sees and spreads his frustration, causing them to be unmotivated too.

Fred was completely honest with Bob; at that moment he didn’t know what Bob needed to do. Fred didn’t intend to cause any frustration for Bob or the other people Bob spoke to, but that’s exactly what happened. Now the whole department is distracted. What could Fred have done differently?

Good Communication Requires Preparation and Concentration

Fred could let Bob know that he’s happy that Bob is motivated, but that he (Fred) is busy at the moment and request that they talk when Fred has more time. Fred should use the chance to layout the process before he speaks to Bob. Fred should do this in a timely manner out of respect for Bob, and promptly get back with him.

If Fred did this, the result for Bob, Fred and the department would be completely different from the original outcome. Bob and Fred would have an agreement about the expectations. Bob would walk away from that interaction knowing what he needs to do to take on more responsibility, and he probably wouldn’t be complaining to his coworkers.

What You Can Do to Communicate Better

This story is not unusual, nor are the results. This was a seemingly innocuous interaction between Bob and Fred, but the result was frustration, bitterness, and disillusionment. As a leader, you have to understand that these simple interactions with your people can go very badly. It’s your ability to communicate that makes the difference.

• Look at every situation from their point of view.
• Take the time to give them your undivided attention. Shut off the monitor, blackberry, etc.
• Postpone the conversation if you do not have time to give it the attention that it deserves
• Ask clarifying questions. Did they understand you? Did you understand them?

It is not easy to communicate. It takes awareness, practice and energy. The ability to communicate is the most important tool the leader has in their tool belt, so remember to pack it and learn how to use it.

Do you have any stories like this to share? What did you learn from your experience? What advice would you give Fred or Bob? Leave a comment or talk with me on Twitter @true62.

An undervalued truth is that the urgent is the enemy of the important. Think about that for a minute.

• Urgent chokes out the important
• Urgent is firefighting, important is building and improving
• Urgent is a cost center, important reduces costs or increases revenues
• Urgent is reactive, important is proactive
• Urgent is stressful, important is managed

How to Win the Battle Against Urgent

1. Recognize that there is a battle.
2. Always be vigilant. Urgent is like the Terminator, it never stops, it never sleeps, it feels no mercy, and it can look like important – don’t be fooled.
3. Invest your time, don’t spend it. Invest your time on the important, don’t spend it on the urgent or frivolous.
4. Use good time management techniques such as GTD and tools like Outlook.
5. Have a game plan for each day. There is the occasional happy accident, but usually nothing important happens without thought and preparation.
6. Create your game plan the night before. Review your to-do list and your calendar. Identify what is most important, what you can delegate, and what can wait or be eliminated. Identify the 2-3 most important things that you must accomplish each day.
7. Timeshift what you can so you can focus on the important.
8. Eliminate the need to constantly fight fires. Firefighting is a tax on an organization and proportionally reduces the amount of time that can be spent on the important.

The wonderful thing about this battle is that you can use this is information  whether you are an organizational leader or not. Each one of us can make the choice to spend time on the urgent or on the important. We can choose to be a victim or to take responsibility for our day-to-day lives and our own future.

I hope this helps spur some thought on what is an often overlooked aspect of our lives. I’d love to hear how you wage your own personal battle, and I would especially love to hear what techniques and tools you use. Please leave me a comment, or chat with me @true62 on Twitter .

Why You Want to Create a Career Path

Everyone should have at least a rough outline for their career path. The last thing you want is to decide that you want to get into a field or specialty only to find that you haven’t prepared. For example, you don’t want to interview for a leadership position without having at least thought about why you want to transition into management.

From time to time, each of us needs take some time out to assess what it is that we enjoy and are willing to exchange our time for money. After all, our interests, desires and needs change over time. Once you decide what it is what you want to do, you need to decide how to get there. There are lots of ways to reach a destination, it’s just that some are more efficient than others. You can take the Jeffy route (I have) or take a more direct route – the choice is yours.

Certifications for Technical Leaders

Technical leaders are different from other leaders because we are responsible for using technology to deliver business results. That means we need to be adept at both technology and business (in addition to leading people – easy huh?). Since we need to be at least functional in those areas, it makes sense to me that we need to be trained and stay up to date in each area.

I like to alternate between technical and business or leadership training / certifications. I recognize that I still need to be at least somewhat creditable with my engineers, so I feel that it is important to get technical certifications or attend technical training. Consequently, since I just finished a Masters degree primarily business focused, I’m looking at technical training and certifications from SANS; specifically their Cyber Guardian program.

Please do not get me wrong, this isn’t some random technical certification that earns me a certain level of creditability with my engineers. Rather, this is a technical certification that helps me further down my current career path of becoming an information (cyber) security people leader.

SANS Cyber-Guardian Program

The SANS cyber-guardian program is a technically focused program that attempts to build a cyber special forces cadre, ready to protect and defend our information networks and assets. The SANS cyber-guardian program consists of baseline training in:

• Intrusion Detection
• Forensics
• Network Penetration

A candidate must pass each of the corresponding certification tests, and then they must pass the tests for their area of specialty:

• Blue team: perimeter protections, securing Windows, securing Linux
• Red team: Web application penetration testing, wireless ethical hacking, and developing exploits for ethical hackers.

Finally, to obtain the Security Expert certification, the candidate must pass the GSE exam.

What Do You Think

I’d love to hear what you think. Do you have a career plan? How often do you think about it? How do you make sure you keep up with technology and business or leadership skills? If you’re in the security field, what do you think about the SANS Cyber-Guardian program?

One of the things my fellow Norwich MSIA grads discussed during residency week was that we wished that we could review each other’s final papers. We all thought it would be very valuable because we learned so much from our classmates (cohort in Norwich terms) weekly postings, and thought we would learn even more from the final papers. The problem with doing so is that we signed an agreement to keep our company’s information anonymous, and the final papers were geared to be a consultant paper for our employers.

I changed employers part way through my coursework so I switched to a more generic approach to the topics. Therefore, I can post my final three papers here for anyone to review. I do claim copyright protection for them, but do allow anyone to use portions of the papers as long as you properly attribute the source.

I put links to the papers on my Resources page. The papers are:

• The Future of Information Assurance
  A discussion about the value of trust in business and how IA ensures trust.
• Computer Forensics: Steps to Ensure a Successful Outcome in the U.S. Legal System
• Creating an Information Security Plan for Small & Medium Sized Businesses I plan to build off this to write a how-to book for small businesses.

I hope posting these papers helps anyone considering a Norwich MSIA and hopefully adds to the general knowledge of IA.  I also welcome any comments or suggestions.

I’ve been thinking about workplace heroics and Star Trek again. As any regular reader knows, I tend to find inspiration in Star Trek. If you’ve ever seen any episode of Star Trek or its spin-offs, you’ve seen one of the main characters doing everything on the ship. There’s a problem with the transporters and Riker leaves the bridge to solve it. The ship is in imminent danger and the bridge crew solves the problem. There’s a need to discretely observe an unfamiliar culture so one of the bridge crew has their physical appearance altered and they beam down to the planet. No one else on the ship is capable of doing anything serious.

As much as I enjoy watching the Star Trek shows, I always wondered why there were more than 1000 people on the Enterprise when only 8 did any heavy lifting. It makes for good TV, but would be lousy if it were true. Those 8 people would be exhausted and the other 992+ people would be deeply demoralized.

Is this how it is where you work? Do the members of the bridge crew (heroes) do all the important work? If the bridge crew does everything important, why employ the rest of the staff? Are the rest of the staff akin to the Star Trek red-shirts – in other words, are they expendable?

Avoid Heroics

Although it can be tempting to rely on your bridge crew, resist the temptation. Heroes don’t scale well so this is a short-term strategy at best. Get your red-shirts up to speed as quickly as possible. Get them trained. Get your processes and systems documented. Hire the right people. Give them clear direction so they work on the right things. Build a team capable of performing their jobs and there is little need for heroes.

If I still haven’t convinced you to avoid a hero culture, remember this: you don’t have heroes in the absence of crisis.

Yesterday (June 11, 2010), I walked across the dais at the Norwich Field House and received my diploma for Master of Science in Information Assurance (MSIA), and I thought I would share my review of the degree program for anyone who is interested.

Feel free to comment or email me if you have questions about the Norwich MSIA.

The Norwich University MSIA Program Explained

Note: much of the information in this section is taken from this paper by Dr. Kabay.

Norwich University

Before discussing the specifics of the MSIA program, it is important to understand the Norwich University values. Norwich University has a long tradition of developing leaders dedicated to the service of our country and they take that tradition very seriously. Norwich was founded in 1819 by a former superintendent of West Point Military Academy, Captain Alden Partridge. Capt. Partridge believed in a strong militia and opposed a professional officer class. Consequently, he developed a system of learning that was experiential and focused on liberal arts, sciences, and military training. He created a system of learning that developed leaders who were able to think and apply what they learned in the classroom, as well as to act ethically and with courage. Norwich expects the same of its current graduates whether they are in the Corps of Cadets or not.

Norwich MSIA

The Norwich University MSIA program, now eight years old, is considered to be one of the best MSIA programs in the country, and is accredited as a National Center of Academic Excellence by the NSA and DHS. “The goal of these programs is to reduce vulnerability in our national information infrastructure by promoting higher education and research in IA and producing a growing number of professionals with IA expertise in various disciplines.[1]“

Who Should Consider the Norwich MSIA

The Norwich MSIA is a management focused degree. This program is targeted at the decision makers, or those who want to become decision makers such as CISOs, CIOs, and CTOs.

Do not consider this degree if you are looking to learn about configuring firewalls, IDS/IPS, or network devices. Do consider this degree if you are interested in learning about management topics such as how and where to use technical and administrative controls, privacy laws, governance, compliance, hiring, risk assessments, business continuity and disaster recovery, audits, and project management.

Personally, I think the most important thing that I learned is how to do a better job of translating between the technical and the business sides of the house. This is a supremely important skill that is sorely lacking in IT and information security, and I think that having this skill gives us a competitive advantage over those who do not have it. Those of us who can speak the business language are far more likely to be able to be effective and get what we need to improve our organization’s security and reduce its risk. Obviously, this skill is critically important for anyone working at or with the C-suite.

MSIA Case Study

The program is experiential with the student acting as a consultant writing a case study for their employer, or if that is not possible, they conduct an industry study. For example, one of the members of my cohort was employed as a contractor, so he wrote an industry case study as a guide to a manager in his chosen industry. He is planning to turn his work into a book (which I am anxious to read by the way).

This aspect of the program was terrific. I learned a lot about my business and was able to turn in professional papers that allowed my management to see my ability to perform a critical analysis of the specific topics that we studied. I actually found it fun to be a consultant.

Norwich MSIA Faculty

One of the main reasons that I chose Norwich for my MSIA is the quality of its faculty. The faculty are some of the top people in the information assurance industry, and they continue to work and contribute to the information security fields. Here is a brief list of the faculty:

• Dr. Mich Kaby – author, consultant
• Paul Brusil, PhD – medical informatics security
• Stephen Cobb, CISSP – prolific writer & consultant
• Rebecca Herold, CISSP, CISM, CISA, FLMI
• Don Holden, CISSP-ISSMP – standards organizations
• Jim Maloney, CISSP, CISM, GCIH – former CISO, Amazon
• Tom Peltier, CISM, CISSP – noted author &consultant
• Sanford Sherizen, PhD, CISSP – author, ISSA Hall of Fame
• Peter Stephenson, PhD, CISSP, CISM, FICAF –author and lecturer
• Michael Miora, CISSP, ISSMP, FBCI – expert in incident management and response, and disaster recovery

Residency Week

The Norwich MSIA is an online program, but they do require you to attend a one week residency session on campus. No one that I spoke to was looking forward to going to campus for a week “just to get my diploma“, but almost everyone I spoke to during the week was grateful for the requirement. We all enjoyed visiting the campus and learning about the history and tradition of Norwich University and its distinguished graduates. We also took time out to respect those graduates from the Corps of Cadets that lost their lives in the service of our country. Most of all, we enjoyed meeting our classmates face-to-face and spending one last week focusing on information security topics and debating specifics with our classmates and faculty. I found that I miss that aspect of school more than I realized.

Suggested Improvements

Here are some areas for improvement:

• More specific feedback from instructors that focuses more on the student’s analysis.
• Provide all course material on a USB drive in a format readable by an e-reader so students can more easily take their reading with them.
• Provide an opportunity for synchronous, web-enabled conversations among the cohort. Residency was so valuable because we could discuss topics face-to-face in a free-form format. The technology exists to do the same during the course, but requiring it on a weekly basis would remove some of the advantage of an online program. Perhaps require attendance of one such meeting per seminar.
• Provide a platform for the students to share their papers so they can learn from each other.

Conclusion

I am very happy with my decision to get a MSIA degree from Norwich University. I feel that I am prepared to contribute to my organization’s information assurance program, and to the industry itself. There is much work to do to improve our information systems’ security, and the industry needs trained, knowledgeable, ethical, and effective leaders. Our information security leaders have to be able to keep up with technology and laws. They have to be able to quickly research and assimilate information and then be able to critically think about and apply what they learn. These are skills that must be learned just as we learn anything technical such as configuring routers. I think the Norwich MSIA program provides the skills necessary to be an effective information assurance leader.

Finally, I am also proud to be part of the Norwich family and will always remember Norwich president Dr. Richard W. Schneider’s gift to our class – a quote from Thomas Jefferson, “One man with courage is a majority”.

I’d love to hear from other Norwich grads on what you think about the program, so leave a comment. I’d love to hear from people who think the MSIA might not be relevant or otherwise disagree with the Norwich approach.

I’m no expert on loss or how to deal with it. All I know is that I am experiencing loss and watching others close to me experience it. My former co-workers and I talk about losing the sense of fun, teamwork, family, and success that we often experienced while working together. We all know that time is gone forever and we miss it.

I lost a friend and co-worker to a stupid, senseless death; killed by a drunk driver who was back out partying days after killing my friend. He had just started working with us at my new job, but he made a great impression on his co-workers. He is gone forever and we miss him.

I lost my mother to cancer and several of my people have lost close family members recently. Our family members are gone and we miss them.

Many people in this country (and others) have lost their jobs, lost their homes, lost their retirement funds, had their salaries and benefits cut, and have suffered a general loss of self-identity and self-worth. Suicides and murder-suicides are now common in my city. People have lost hope.

Hope

It seems the rate of change is increasing and we are all having trouble keeping up. We are being squeezed both at home and at work. It is easy to lose hope. We Americans have been at war for almost 10 years, we are being polluted by oil, coal and chemicals, our schools stink, too many abuse our animals, children and elderly, our health care is outrageously cover-your-ass expensive and our food supply is disgraceful and abusive to both animals and people.

Nevertheless, I say that we need to have hope. Pain is the fulcrum for change. We need to say enough is enough, and stop believing that we have to keep doing what we’ve been doing. Enough of us have to believe that there is a better way. Believe that we can have a better home life and a better work life. Believe that we can have clean energy, clean, efficient public transportation, affordable, quality health care and quality schools. Believe that we can raise and eat healthy food, that we can have time with our families, that we can take care of our young and our old. Believe that we can work in a fun, respectful workplace where we each know what is expected, know how we support our company’s success and know what we need to learn so that we can do our jobs better.

You might think that this is kooky talk, but I’ll remind you that doing the same thing and expecting a different result is the definition of kooky.

Do you believe that we can do better? If so, what are you doing or going to do differently to change one thing to improve your home or work life?

One of the most overlooked leadership skills is hiring. Hiring is one of, if not the most important decisions we make as managers. Yet, very little time is spent teaching us how to hire successfully so we are left to do the best we can. Most of us take a canned job description, post it, and hire who we think the best person is based on a 30 – 60 minute interview. Is this really the best way to make such an important decision given that this person can make our work life easier or make it miserable?

Prepare to Succeed

Successful hiring, like most leadership skills, depends on preparation. You know the saying, “if you don’t prepare to succeed, be prepared to fail”. You prepare to hire by following these steps:

1. Know what you are looking for. What need are you trying to fill? Is this a new position or are you back-filling a vacated one? Are there any nice-to-haves that will round out your team?
2. Identify the skills needed for this person to be successful. The technical skills required should be obvious, but review them anyway. Less obvious skills are the softer skills. Does this person need to be good at time / project management? How about the ability to move between tasks several times a day? What type of leadership style do you have and does that match the way the candidate likes to be led? For example, assume you like to provide a framework for your people and let them make decisions within that framework; can the candidate work in that environment or do they need constant direction?
3. Refine step 2. Talk to your high performers and get their perspective on what makes them successful and happy. Review what made those less successful hires a bad match.
4. Update the job description. Now that you know what it is you are looking for, update the job description to include the skills you identified. Ideally, you would be able to describe your environment so you can attract the most qualified people, but this will be a decision for your HR department and recruiter.
5. Develop your interview questions. Take the information you gathered in steps 2 & 3 and develop your interview questions. Don’t forget to include questions that identify traits that won’t be a good fit in your environment. This is the time to find out that the person is not a good fit.
6. Include technical skills questions or logic questions in your interviews. Again, this depends on your HR policies, but lobby to include these questions. Can the person do the basic skills required? Can they find information for something they don’t know? Can they solve basic troubleshooting questions?
7. Conduct a panel interview. Include front line and management on the panel, and I strongly suggest that you include management from your partner / internal customer organizations too. Get as much perspective as you can, and then make your decision. You should have a good, strong feeling that the candidate you select is the right person. If not, keep looking until you find the right person.

Next Steps

Hiring is the beginning of a relationship, not the final step. From now until you or they leave, you need to keep working on developing that person and your relationship. These are subjects for future posts.

How many of these steps do you take? Are you actively participating in the hiring process? Does your HR department support you or do they dictate the process and questions that you can ask? Leave a comment and let me know how you prepare to hire.

Helpful Links

• Behavioral interview questions
• Sample behavioral interview questions
• Interview questions
• Tech interview questions
• Technical interview tips, techniques, and questions

In my last post I suggested that anyone considering the leap to management first consider at least three things:

1. Why do you want this job?
2. Money won’t fill the void
3. Know yourself and what you enjoy

If you do this job for money or prestige (ha!), then you are most likely very unhappy. So why should someone consider taking on the leadership role? Here are the main reasons I took the leap:

• To have a home life. I knew that there were processes and procedures that would help us stop reacting to the latest thing that broke so we could go home at night. My measure of success here was getting out of the office before 6 PM and to make it through the evening without being called by work. Previously, I was on the phone from 6 AM to 10 / 10:30 PM every week day handling trouble calls.
• To make a positive difference in my work place. I knew that if our support groups knew more about our systems and how to install and troubleshoot them, then all of us would be happier. We went from frustration and finger pointing to working together to identify, track, and fix systemic problems. My measure of success here was both subjective and objective: other groups brought problems to our attention so we could fix them, and all of our reliability metrics improved by 50% – 80%.

While these were the main reasons I took the job, the main reason that I continue to be in leadership is that I can help people. This has been my biggest surprise and source of enjoyment. I’ve hired many, many people and have helped develop most of them into good engineers. These engineers:

• have a deserved sense of confidence
• they understand their business
• they understand their roles
• they know which skills they need to succeed in their job, and the skills needed to be promoted
• they know communication is one of their most important jobs
• they understand that good change management prevents service interruptions (and being called into the office in the middle of the night)

Don’t go into management if you don’t want to spend time developing your people. They are your force multiplier. They police themselves and each other when you are not around. They are the ones who decide whether to do the right thing or to take short cuts, and you can’t achieve 5 9′s reliability, 95% change success and 5% time spent on unplanned work without having your people on board.

Still think you want to tackle this job? Keep reading as we talk more about making the difficult transition of going from subject matter expert to leader. It’s a wild, humbling and often rewarding ride.

I think one of the toughest professional transitions is going from a technical subject matter expert to management. This is a tough transition for many reasons, not the least of which is that the two jobs require completely different skill sets. The same thing can be said of an accountant or a marketing specialist, but I think it is more difficult for highly technical people because so much of our self identity is wrapped up in our technical ability. For example, we have a combination of degrees, certifications, project experience, and organizational knowledge. Each of these requires significant time and effort to acquire, describes a bit about who we are and why people might respect us and our work.

When a management job becomes available it is completely natural that a high performer considers applying for the position. After all, you probably are an unofficial leader of the group anyway. Here are three things to consider before you submit your resume:

1. Why do you want this job? Leading people is not the same task as planning, organizing and ushering a project to a successful completion. Leading people presents a whole new set of challenges and requires skills not naturally found in most technical people. Machines do exactly what we tell them, people do not. Are you prepared to spend a significant, and sometimes inordinate amount of your time on dealing with people and their needs? If not, you should reconsider whether management is the right job for you.
2. Money won’t fill in the void. I’ve sat on more than a few interviews for first time supervisors and the number one answer to the question of “why do you want this job?” is money. Money will not make you happy. This is a tough job under the best of circumstances and if you do not derive at least some satisfaction from developing others and all that goes with it, you will quickly discover that the money does not outweigh the headaches that come with the job.
3. Know yourself and what you enjoy. Most people do not take the time to sit down and think about what they enjoy and what they do not. Create a list of things you like and don’t like to help you decide. Do this over the course of a few weeks so you can get a decent perspective. Do you like solving problems? Good, do you like solving them as part of a group or do you prefer to work them out on your own? Do you enjoy sitting at the keyboard more than planning? Can you let go of the wheel long enough to let more junior people handle the situation? Here’s a hint: if you are a hero, you probably are not ready to lead people.

These are just a few things to consider before applying for the next management position. They are also import considerations for your career development. If you do choose the management track, you need to start developing the necessary skills now. Read books, blogs, ask a leader that you admire to mentor you; there are plenty of resources available.

Do you have any advice or stories that you would like to share with others considering this move? Please leave a comment so we can learn from each other.