Security IS Part of the Business

Something I’ve written about a lot lately is how companies don’t have a real “culture of security.” That applies not just to IT; in most companies you see it everywhere: printouts (containing important information) lying around on printers, no widely-available shredders, cabinets not locked, that kind of thing.

We tend to treat security as something we “have to do,” and especially when it comes to IT that attitude derives in part from most companies’ regard of IT in general as “overhead.” Security gets lumped in with sexual harassment training, diversity training, and other stuff we know we have to do, but that we don’t really consider to be a part of the core business. In fact, in most companies, security is something users try to work around, rather than work within, leading to them (for example) using Dropbox to transfer files with outside contacts, instead of using a company-provided, more-secure mechanism.

That’s a shame, because security is, and should be, very much a part of the business. Unless everyone is on board with security, all the time, security doesn’t happen – and that’s when things like Target, Marshall’s, or any of the other recent debacles happen.

So how do you make security a part of the company’s culture? It’s really hard. Maintaining a general sense of security essentially means being on “orange alert” all the time, and humans just aren’t designed to stay that alert all the time. In other words, you probably can’t make your users constantly aware of security. Instead, security has to become an ingrained habit – and building habits often means breaking old ones, and that’s what’s hard about it.

Take a construction site: any worker with any experience just pops on a hardhat, steel-toed shoes, and other personal protective equipment as a matter of habit. New workers have to be trained, usually through outright and continual nagging by their boss and coworkers. But eventually habit kicks in, and they stop thinking about safety and “just do it.”

Or consider folks who know it isn’t safe to drive a car and talk on a cell phone, and who instead develop a habit of walking around with a headset sticking out of their ear. Yeah, they might look like a dropout from Uhuru school, but it’s a worthwhile habit that prevents them from doing something stupid or unsafe.

Security has to be built up as a set of habits. Habit-forming can’t happen through company memos, once-a-year classes, or ubiquitous signage. Habits form through personal experience, and only through personal experience. They’re especially tough to form in areas where users work independently, like sending e-mail. One way to start developing good habits is, not surprisingly, through game-playing. For example, if you’re trying to break users of the habit of opening janky email attachments, start sending a few yourself. Make a harmless little “virus” that does nothing but log the fact that the user opened it… and keep track of users who do, and who do not, open it. Publicly acknowledge those users who do not open the email, and award them points or something; deduct points from users who don’t follow the rules. Get HR involved, and let users redeem points for an extra day off or some other perk.
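The scoreboard side of that game, as an added example (not code from the original post): each recipient’s copy of the test attachment is assumed to carry a beacon URL of the form /beacon?c=&lt;campaign&gt;&amp;t=&lt;token&gt;, where the token is an HMAC over (campaign, user) under a campaign secret, so a user can neither guess a colleague’s token nor forge a hit. The script scores who opened and who resisted from constructed web-server log lines; the log format, campaign names and secret are all assumptions for the sake of the example.

```python
"""Phishing-simulation scoreboard: who opened the test attachment,
and who earns or loses points for it.

Added example, not code from the original post. Assumptions:
- each simulated attachment carries a per-recipient beacon URL that,
  when opened, fetches /beacon?c=<campaign>&t=<token>;
- <token> is an HMAC over (campaign, user) under a campaign secret, so
  a user cannot forge a hit for a colleague or guess another's token;
- the web-server log is available as plain lines (format constructed).
"""
import hashlib
import hmac
import re
from collections import defaultdict

# Assumption: in practice this comes from a secrets store, not source code.
CAMPAIGN_SECRET = b"rotate-me-per-campaign"
TOKEN_LEN = 16
BEACON_RE = re.compile(r"GET /beacon\?c=(?P<campaign>[\w-]+)&t=(?P<token>[0-9a-f]{16})\b")


def make_token(campaign: str, user: str) -> str:
    """Per-recipient token embedded in that user's copy of the attachment."""
    msg = f"{campaign}:{user}".encode()
    return hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).hexdigest()[:TOKEN_LEN]


def parse_beacon_hits(log_lines):
    """Yield (campaign, token) for every beacon request found in the log."""
    for line in log_lines:
        m = BEACON_RE.search(line)
        if m:
            yield m.group("campaign"), m.group("token")


def score_campaigns(campaigns, log_lines, open_penalty=-5, resist_award=2):
    """campaigns: {campaign_id: [recipients]}.
    Returns (points_by_user, opened_by_user, unknown_hits).
    A recipient whose token never hit the beacon is credited resist_award;
    one whose token did is charged open_penalty once per campaign, however
    many times the attachment was re-opened. Hits whose token matches no
    recipient are counted as unknown (forged or mistyped), not credited."""
    expected = {}  # (campaign, token) -> user
    for campaign, users in campaigns.items():
        for user in users:
            expected[(campaign, make_token(campaign, user))] = user

    opened_keys = set()
    unknown_hits = 0
    for campaign, token in parse_beacon_hits(log_lines):
        user = expected.get((campaign, token))
        if user is None:
            unknown_hits += 1
        else:
            opened_keys.add((campaign, user))

    points = defaultdict(int)
    opened = defaultdict(list)
    for campaign, users in campaigns.items():
        for user in users:
            if (campaign, user) in opened_keys:
                points[user] += open_penalty
                opened[user].append(campaign)
            else:
                points[user] += resist_award
    return dict(points), dict(opened), unknown_hits


# Constructed sample data: two campaigns and a handful of log lines.
CAMPAIGNS = {
    "q3-invoice": ["alice", "bob", "carol"],
    "hr-benefits": ["alice", "bob"],
}
SAMPLE_LOG = [
    f"2014-09-05T09:12:01Z 10.0.0.12 GET /beacon?c=q3-invoice&t={make_token('q3-invoice', 'alice')} 200",
    f"2014-09-05T09:13:40Z 10.0.0.12 GET /beacon?c=q3-invoice&t={make_token('q3-invoice', 'alice')} 200",  # re-open
    f"2014-09-05T09:40:17Z 10.0.0.31 GET /beacon?c=q3-invoice&t={make_token('q3-invoice', 'carol')} 200",
    "2014-09-05T10:02:55Z 10.0.0.77 GET /beacon?c=q3-invoice&t=deadbeefdeadbeef 200",  # guessed token
    "2014-09-05T10:03:01Z 10.0.0.77 GET /index.html 200",  # unrelated request
]


def leaderboard(campaigns=CAMPAIGNS, log_lines=SAMPLE_LOG):
    """Sorted (user, points) list, plus who opened what and the forged-hit count."""
    points, opened, unknown = score_campaigns(campaigns, log_lines)
    return sorted(points.items(), key=lambda kv: (-kv[1], kv[0])), opened, unknown


if __name__ == "__main__":
    board, opened, unknown = leaderboard()
    for user, pts in board:
        print(f"{user:8} {pts:+d}  opened: {', '.join(opened.get(user, [])) or '-'}")
    print(f"unrecognised beacon hits: {unknown}")
```

Two design points worth keeping if you build this for real: identify the opener by the per-recipient token rather than by anything the user’s machine reports about itself, and count an opened attachment once per campaign so repeat clicks don’t distort the scoreboard. Hits with unrecognised tokens are reported separately; a non-zero count is itself something to look into.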

Toys ‘R’ Us used a similar program to help deter shoplifting: cashiers are supposed to open and inspect any container that a customer purchases, like a small box or a lunchbox. The idea is to catch customers who are trying to sneak other merchandise into the container without paying. To enforce the policy, the company would insert a voucher into random containers. Cashiers who found the vouchers would receive a small cash award – enough incentive that everyone wanted to inspect containers. That want quickly became habit for most cashiers. The carrot came with a stick, too: if a customer found the voucher and brought it to the store with their receipt (meaning the cashier hadn’t checked the container), the customer got a prize, and the cashier (identified on the receipt) got disciplined.

Regardless of the political or financial realities at your company (in other words, think “blue sky” here), what might you do to entice users to develop better security habits? It doesn’t matter if you think your organization would use your ideas or not – share in a comment, in case someone else might benefit!

Are You a Vendor or a Partner?

I have a friend who runs the purchasing department for one of Las Vegas’ larger casinos. His job, obviously, is to save the company money by negotiating volume contracts and the like.

He was telling me about a contract that was coming up for renewal, and about the discussion he’d been having with the vendor. It was something along the lines of, “look, we’ve been paying you our contract rate for the past however many years. In the meantime, you’ve been completely absent. You’ve never come in here and offered to help me save money elsewhere, never notified me of any new deals or offers, nothing. In fact, I’ve been purchasing far more than our contract required, and you’ve never dropped by to see if we could settle on a new price for our higher-than-expected volume. I give you more and more business, and you give me nothing. And now you want to renew at a higher price, even though I know you’re offering better pricing to others in town.” Vegas is a small town – you can’t be dishonest with someone for long, here.

Anyway, the whole conversation got me to thinking that there really is a difference between a vendor and a partner. In the case of my friend, a partner would try to make a good profit for his company, sure, but he’d also recognize the value of a long-term relationship and try to help optimize that relationship so that both sides benefited. He’d regularly check in to see if there was room for improvement, and proactively look for opportunities to strengthen and deepen the relationship. But he didn’t – he played the role of vendor and, if I remember the story correctly, lost the deal to another company.

I had a similar experience with my auto insurance several years back. I was talking to a financial advisor who used to work in the auto insurance industry, and he offered to look at my policy. “Your limits are way too low,” he said, “and you don’t need some of these other coverages.” Rental car coverage, for example, was costing me about $27/month. That’s actually what it would cost to just rent a cheap car per day, meaning I was paying for 12 days of rentals per year, and never using them.

And my insurance agent never said a thing. Never offered to review my policy, never suggested why I might need to raise my limits (which makes him more money), never suggested considering those other coverages. He wasn’t a partner, in other words – he was just a vendor. And, since he brought nothing of value to the table, he was easily replaced.

It’s something I think everyone needs to consider in their career. Imagine, for a moment, that our legal system allowed everyone to be an independent contractor, rather than being an employee. Would you be a partner to your current employer, or a vendor? That is, would you be providing a simple commodity service that could be replaced, or do you provide a unique value-add that makes you worth keeping around, and possibly paying a premium?

For example, do you look for ways to save your employer money? Do you automate and optimize? Do you invest in yourself to gain the skills needed to automate and optimize? Yes, those skills benefit your employer, but they also benefit you, and it’s worth investing that time.

Do you look for problem situations and try to solve them? For example, when I helped a former employer migrate from Lotus cc:mail to Exchange+Outlook, I came up with a little brochure that we distributed to company employees, helping them quickly find the most common functions in the new software. That saved a lot of help desk calls, so even though it wasn’t strictly my job, everyone benefited from it.

Your suggestions don’t always have to be implemented – and don’t get discouraged if they aren’t. Continue to suggest, to optimize, and to improve. Make yourself an indispensable partner, and never let yourself become an easily replaced vendor.


You Probably Shouldn’t Read This

UPDATE: The Air Force backed down, and allowed the airman to re-enlist by omitting the “so help me God” portion of the oath. Bravo, but it’s a shame it had to go down the way it did.

Seriously. This is about religion, so you should probably go back to whatever you were just doing. This is an opinion piece, and I’m entitled to mine. So.

I was aghast at today’s USA Today article explaining how an Air Force airman was denied re-enlistment for refusing to finish his enlistment oath. As an atheist, he objected to the “so help me God” portion of the oath, which the Air Force says is mandated by statute.

It’s such a crock, I can’t help but wonder who in the military is using this to make some kind of spiteful jab at Congress or the administration. Everyone knows that both the First Amendment and Article VI of the Constitution make such a requirement patently illegal. I’m sure there are plenty of devout service members in religions other than Christianity who would also object to the oath, and I know there are plenty of Christian sects that object to any kind of oathmaking to God. Surely we’re not trying to exclude all of them from the military, right? And it seems a little disingenuous anyway. I mean, a truly devout Christian, who perhaps would have no objections to making an oath unto God, would also feel a bit nervous about the whole “thou shalt not kill” thing, right? Killing being a sort of implied requirement of joining the military?

According to our basic precepts of government, as outlined in the Constitution, our government cannot prescribe or dictate someone’s religion to them, and this USAF fiasco-in-the-making certainly seems like an attempt to do just that.


This is the kind of news story that gets people up in arms about completely different religious-related things, and does so incorrectly. While our government is barred from dictating or establishing a religion, it is not barred from recognizing religions (plural), nor is it barred from incorporating religious precepts into government – provided it does so in a way that doesn’t force someone to join said religion. That “thou shalt not kill” bit, for example, is a pretty important underlying thing in our laws, which are not a big fan of citizens killing each other. In fact, Christianity’s Ten Commandments pretty much outline the core concepts that underpin the majority of our oldest and most significant laws. So it’s not like religion is unimportant, from a governance perspective.

But this whole “the government and religion can’t co-exist” gets taken too far, as (I feel) in this other USA Today article from a few days ago. Putting a cross or other religiously-significant monument in a public place isn’t necessarily violating the separation of church and state. Such a monument could easily be a simple cultural acknowledgement of the role religion has played in our country – which was, keep in mind, founded in part by folks seeking religious freedom. The cross in this Indiana state park doesn’t in any way detract from anyone’s use of the park, and it doesn’t “promote Christianity” any more than having “in God we Trust” printed on our money promotes Christianity. Atheists manage to be atheists while also spending money, so it’s difficult to see how a cross, on a war memorial, could be negatively impacting anyone.

And putting a cross on a veterans’ memorial doesn’t make the entire park into a religious shrine. That’s a ridiculous overstatement. It’s like saying a county council meeting has become a church, simply because it opens with the Pledge of Allegiance (which also includes the word “God,” something that’s caused no end of bickering in the past couple of decades).

The problem with this “remove religion at all costs” is that it’s just as wrong as trying to shove religion down someone’s throat. The idea that, in a country based on religious freedom (it was the first thing we added to the Constitution, remember), you can’t display your religion, is just ridiculous to me. Religious freedom doesn’t mean you don’t have to look at anything you disagree with. It means the government can’t tell you what to believe in. Your fellow citizens are welcome to try and convert you to their viewpoint – that’s in the First Amendment, too. You also have the non-enumerated freedom to walk away and not listen. 

You have a right to live in this country and practice whatever legitimate religion, or lack thereof, you wish. You do not have a right to force other people to join you – and that includes forcing them to join you in atheism. You do have the right, in a public venue, to stand up and proselytize – that’s a basic First Amendment protected speech thing – and that proselytizing could well include promoting atheism.

One of the biggest problems we have in our American culture today is a lack of respect, and a lack of tolerance, for other people’s perspectives. While I don’t want the government forcing any religion down my throat, I must not have a problem with other people practicing, displaying, and promoting their religions. I cannot find it in me to get upset about displays like the one in the Indiana state park, simply because Christianity – and other religions – are a part of our culture, whether I follow that religion or not. I’m not out to revise history by removing God from every possible public venue, because it wouldn’t be true.

And there’s a downside to these arguments. Christians increasingly feel attacked from every side simply for practicing their religion. It’s suddenly becoming unfashionable to be religious. As a result, they quite understandably push back – often in significant ways. You take my cross out of the park, I fight against civil liberties that contradict my religion. The rhetoric and intolerance simply escalates to ridiculousness. It’s unproductive. For the life of me, I just can’t get upset about a carving of a cross in a state park. If you get upset about it, maybe stand next to it and preach atheism or whatever you’re into. Equal time.

While the government has no business forcing an airman to say, “so help me God” in order to keep his government job, we as citizens don’t have (I feel) any right to force each other’s personal beliefs underground. If it isn’t detracting from your personal liberties, and if it isn’t demonstrably harming anyone, then let it go. Accept that we’re all different, and that we don’t all need to live according to some standardized script.

Our increasingly constant bickering, simply because those people over there don’t live like I do, and I don’t like that, is becoming annoying, distracting, divisive, and incredibly counterproductive. I almost think we should outlaw national news organizations simply so we’re not all so damn aware of all the differences going on around us!

Just because I don’t eat soft shell crab doesn’t mean I object to seeing it on the menu, and if we’d all spend less time worrying about small-time arguments like this, we’d all be a lot happier. And we could focus on the important stuff.

Anyway, there you are. Have a good weekend ;). Comments welcome, but keep ’em polite.


Changing the Conversation on Classroom Training

One of my personal interests is how we educate our kids and prepare them for the workforce. In general, I think we do a poor job. There’s an enormous emphasis on getting a college degree, driven both by the high-margin world of academia and by businesses who make a 4-year degree a “minimum entry level” for almost every job. It’s insane – we’re taking kids at the most vulnerable point in their lives, as they make the transition to full adulthood, and throwing them into massive debt. We’re forcing them through a program that simply wasn’t ever meant for every kid or every job.

As someone without a college degree, but who completed a four-year formal apprenticeship, I’m keenly aware of how many great-paying jobs there are that don’t really need a college education. The problem is that apprenticeships, especially in “white collar” jobs, are pretty much dead, and primary education simply doesn’t focus on preparing kids for those jobs.

When I think of what you need to know, for example, to be an entry-level IT help desk worker… it isn’t an insurmountable list of knowledge. Yet those jobs average $36k per year in the US, which is a great entry-level position. They also tend to offer growth opportunities, and almost by definition they support on-the-job learning. But kids simply can’t get the needed pre-req skills in K-12, almost forcing them to go to college. Where, by the way, they won’t learn what businesses need them to know, either. Instead, they’ll come out of college with newly acquired student debt, at which point a $36k job ain’t much.

That’s why I’d like you to consider voting for Aaron Skonnard’s SXSWedu presentation. Aaron’s the CEO of my company, and a bunch of us at Pluralsight would love to change the conversation on IT education. We truly believe that quality IT education is something that should be available everywhere, to everyone, for an affordable price. I personally believe that a motivated high school student could, with the right supplementary training (probably done on their own), move right from Senior year into an entry-level IT job and excel. I’m personally agitating to produce more of the entry-level training those kids would need, because I think it solves a number of huge problems: the difficulty finding entry-level IT workers, the need to keep kids from going neck-deep in debt before they’ve even had a chance to live, and so on.

You’ll have to create an account to vote, but votes count for 30% of the selection process, so if you have a moment to do so, it’d be a big vote of confidence. And, expect to hear more from me on this topic in the coming year – it’s definitely something I feel strongly about. I’d love to see more kids going straight into IT after school, and I’d love to see more businesses feel confident in hiring them for those entry-level positions. There’s no reason IT can’t become more of an apprenticeship-style career path, with an emphasis on continuous on-the-job learning supplemented by timely, up-to-date formal training. 

(I’ll acknowledge, to my non-US readers, that many countries have different systems for higher education, many of which lack the disadvantages of the US system; I live in the US, and so my perspective is driven by what I see around me.)