Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Reefer(ral) Madness.



I just want to give a shout-out to my biggest referrer EVAR—those awesome Perl hackers at http://pentester.jogger.pl.




... Wait, what?  That’s not Perl?  They’re Polish?  ...



EVEN MORE AWESOME.



Posted by shrdlu on Sunday, April 26, 2009
(2) Comments

Once more into the breach report.

So Verizon Business released its annual Data Breach Investigations Report, one of the hottest breach reports in the industry—and by hot, I don’t mean just that it’s in that cool black and red and has bubble charts galore.  No, I mean that their executives can travel to conferences on it for the whole YEAR and if they play their cards right, nobody will get tired of hearing about it.  I’m looking forward to seeing what the pundits say about the conclusions.

There are some awesome data points here, ones that puncture the conventional wisdom:

- A big majority of the breaches resulted from outsider attacks.

- You can prevent most of these breaches by doing really simple and cheap things, like CHANGING DEFAULT PASSWORDS (more on that later).

- 81% of the victims were not PCI compliant (ouch!).

- Nearly half their caseload comprised interrelated incidents (different parts of the same organization, committed by the same individual, etc.).

Now, let’s look at the visualization, which is really half the appeal of the report.  There was a gratuitous use of bubble charts; most of these could easily have been depicted by bar charts, but I guess they wanted some variety in their geometric shapes (this led to my frequent impression that the data breaches were all coming from Jupiter).  The only really stellar (heh) use of the bubble chart was figure 31, showing the different time spans for breaches, in which you could get an overall feel for the proportions of a complex data set at a glance.  That one and the line chart showing threat categories were worth spending a lot of color on.

They mostly did a good job slicing and dicing the numbers, but they went a bridge too far when they trotted out their “pseudo risk calculation.”  First of all, I’ve never liked the variations on “frequency x impact = risk” because I always ended up with a number in the “risk” category that sat in my hand like a Japanese vending machine snack:  I had no idea what it was, didn’t want to consume it, and certainly didn’t want to foist it off on anyone else because I couldn’t vouch for it.  In this case, the mystery gelatinous mass is still the “risk” column in their chart, which is simply a blending of their historical data—NOT likelihood—and the number of records breached, which gives you 28,000 Somethings.  Now, I’m always suspicious when two columns of a chart have units specified and the grand finale column doesn’t.  Is that supposed to be the average number of records someone can expect to lose next year with a probability of 1.00?  They don’t SAY it’s the number of records, but that’s the most likely candidate, given the scale.  Is this supposed to be a substitute for annualized loss measured in dollars? 

Guys, if you have to call it “pseudo,” you’re already backing away from it yourselves.  If you can’t vouch for it and tell me exactly what’s in it, I ain’t eating it.

On the upside, I was glad to see some other things confirmed, such as my belief that database encryption really doesn’t buy you a whole lot in terms of protection, because the attack pathways are the same ones that belong to legitimate users.  (Encryption at rest is for protecting data that is TRULY at rest, i.e., the server is turned off and someone walks off with the disks or the backup tapes; it does nothing against an attacker who comes in through the application with a legitimate user’s credentials.)  It is depressing, but utterly believable, to see that the vast majority of breaches are aided by “errors and omissions,” also known as system administration FAIL. 

Looking at the commonalities, we see the very elementary errors and misconfigurations, the lack of PCI compliance, and the fact that most of the breaches were detected by a third party.  If you roll this all together, you could plausibly assume that the victims were all generally lackadaisical about managing their systems.  This could be attributed to a lack of skilled resources—and by that, I mean that either they didn’t have sufficiently knowledgeable resources, or they had skilled ones but way too few of them to get the work done.  You might be able to infer that these folks didn’t want IT management cramping their style; that would also explain why very basic security measures weren’t properly implemented.  And finally, we see that third parties and their interconnectedness play a significant role, in that mergers and acquisitions make an IT environment more complex than it already was, and trusted third parties really shouldn’t be trusted when their own security house isn’t in order either.

All in all, there were enough interesting data sets in here to keep it from being another standard industry FUD piece.  I actually learned some things from it, so color this one a winner.

 

Posted by shrdlu on Tuesday, April 14, 2009
(9) Comments

It’s an hono(u)r just to be NOMmed.

I have to thank the kind and dapper Kai Roer for nominating me for the RSA Social Security Awards.  Of course, I have no chance of beating any of the other blogs in the Most Entertaining category, but I already feel like a winner (wiener?) because at least one of the judges will have to look at this scrivening, where they ordinarily would never know it existed.  That alone is just so freakin cool.

(Insert Photoshop mashup of Sally Field, dressed in an Oscar Meyer costume, being consumed by a LOLcat)

Posted by shrdlu on Friday, April 10, 2009
(0) Comments

Trust never sleeps.

Sometimes I get pushback from my users when I’m doing a risk assessment and want to examine the risk associated with a particular partner.  They frown and say, “They’re secure,” as if it were offensive that I should even ask.  Of course, an executive who says this has never performed an audit of that party’s networks, or asked to see the results of a pentest, or indeed made any effort to collect information to bolster this assessment.  He’s running purely on trust.

Lots of folks have explored the reasons why we choose to trust something in general; it’s part of our subconscious risk assessment engine.  So I won’t go too deeply into it, except as it affects me and my own responsibilities.

We tend to trust something that we have known for a long time.  An employee who has worked for us for 20 years; a vendor that has worked for us before; a barista we see every morning.  Because of our history of experiences with them in which nothing bad has happened, we rely on that prior knowledge to estimate a lower risk.

We also trust something that is well-known.  Big Three-Letter Vendor tends to get higher automatic trust than Bob’s PCI Shoppe. 

We trust something that we see everyone else trusting.  Fortune 100 companies can’t be wrong, right?

We trust something with which we feel an affiliation.  If those folks over there are Just Like Us, they must be okay. 

And finally, we trust something when we feel the anticipated benefits will outweigh the risk (that we haven’t examined all too closely, and won’t, because if we found something bad it would conflict with our need to get these great benefits).

All of these factors come into play when you’re trying to make a case for auditing a third party, or monitoring a user, or restricting access.  And it’s very hard to come out and confront this, because if you have a CEO who has friends over at this vendor shop, he’s not going to be too introspective about it.  People will look at you strangely when you ask for security testing of a product that people have been happily using for five years.  Especially if you’re the only one who has ever thought about security, you’re going to be battling a lot of human nature in the name of objectivity and verification.

Quoting Ronald Reagan (“Trust, but verify”) helps sometimes.  That’s about all I can give you.

Posted by shrdlu on Monday, April 06, 2009
(5) Comments

Does this ASS make my cert look big?

Well, despite my earlier misgivings about the utility of security certifications, I decided that the price was right, so I went and got my very first cert:


Certified Application Security Specialist


Won’t my momma be so proud of me?

Those are three letters I’ll be proud to list after my name in every signature line, blog posting, business card and CV.

Posted by shrdlu on Wednesday, April 01, 2009
(1) Comments

In defense of Twitter.

Okay, so now that the “in order to feel cool I have to make fun of something”* crowd has finished piling on about Twitter, let me just step forward and say that I really like it.

Those who think it’s all about ego have completely missed the boat.  Srsly, ppl, if it were expected to be profound it would be called Thunder, not Twitter.  It is not a “micro-blog” since it does not fulfill any of the other functions of a blog, even in 140 characters or under.  (I can hardly wait for Nanoblogging, in which updates consist of one word—followed closely by Picoblogging, with one-letter posts.)

It’s a chat client for people who actually have a life—who step away from the keyboard on a regular basis and just like to catch up and comment when they can.  It’s an open-ended conversation in both senses of the word, in which you jump in and out of the neverending stream of chatter; and half the fun is hearing only one side of an exchange and figuring out that the other person must be pretty entertaining, too.  It’s punctuated announcements, brief banter, and a way to pass on links without having to write a whole article around them.  Short, people.  Think short and pithy, like me. 

I enjoy the public timeline too:  it’s like sitting at a table in a sidewalk café and hearing one sentence as a conversing couple walks by.  It’s out of context, and all you see is the person’s avatar and what passes for a full name.  You make up a story in your mind to fill in the blanks.  This people-watching is enhanced to great effect by Twittervision in 3D.

Twitter is the final vindication for all the people who used to be annoying on Usenet by posting one-sentence responses to something.  It’s the CB radio of the information superhighway.  Can it be used for serious purposes?  Maybe, but I tend to think that the more seriously you try to take it, the sillier you end up looking, especially if you’re trying to keep follower scores.

It’s just fun, people.  Remember “fun”? 





*These were the same people who claimed for decades to hate disco.  Come on, folks, I know I wasn’t the only one out on the dance floor back then.  Get over yourselves, or I’ll have to dig up that picture of you with the tiny coke spoon on your hairless chest and the sock in your pants.

Posted by shrdlu on Sunday, March 29, 2009
(3) Comments

Of maturity and mediocrity.

Just read Cory Doctorow’s “The High Priests of IT — And the Heretics”, and while I concede a little bit of truth in there, I also smell an awful lot of dairy air (as we used to call it during crop-fertilizing time in Europe).

Two things that Cory really misses the boat on when he roots for the “heretics” who bypass policies to bring in disruptive technology:

1.  Whose policies does he think they are, anyway?  If they’re done right, policies reflect the most senior management’s risk tolerance.  Senior managers (of which he claims to have been one) not only want innovation; they also want stability, lower IT operational costs, and to keep their names out of the papers.  It’s their job to balance these needs, and they do it by their strategic use of both policy and budget allocation.

2.  There is no “sandbox” for new technology.  Sooner rather than later, the users want to use it on real data, which means you’re putting corporate data at risk pretty much the minute you let something get hooked up.  In fact, it’s been my experience that the senior executives (the ones who have access to the most sensitive data) are the first ones to want to bring in their toys.  The riskiest part of your enterprise is the CEO’s iPhone.

Now, here in the US, we tend to go to extremes on just about everything.  If something is new, it’s great.  If it’s great, then we need as much of it as possible.  And freedom?  You’ll get my USB stick when you pry it out of my cold, dead hands (or steal it from my desk drawer, which is the more common scenario—thanks a lot).  Innovation = good; stability = bad.  Chandler Howell quoted Barry Schwartz’s TED Talk, “Rules prevent disaster, but what they guarantee is mediocrity.”

Come on, guys, this is bullshit.  This is an extreme overreaction to the controls that every enterprise has and uses, and it doesn’t guarantee mediocrity except in the mind of someone who is incapable of innovation without running down the street buck nekkid. 

In fact, this dovetails very nicely into Mike Rowe’s TED Talk, in which he points out that there can be no innovation without imitation:  without steady workers replicating what one person created.  Someone has to do the “responsible and sober” work, and in fact it’s utterly necessary to build the solid base from which “innovators” can safely launch themselves.

The two sides of the same coin have to work in partnership, and I’ll thank the “innovators” not to make my job harder by portraying my side as the uncool mainframe priesthood while pretending to be the cool, oppressed heretics.  You want to bring these “innovators” into the church?  Make them clean up their own messes (and everyone else’s) for a while; then they’ll appreciate maturity without mistaking it for mediocrity.

Posted by shrdlu on Tuesday, March 17, 2009
(1) Comments

Fubared.

It hit home to me today, in a terrible way, how broken our security really is.

My mother has never been a technical person, never been a logical thinker.  She started reading email about ten years ago, more or less—started with CompuServe, and dealt with that pretty well.  But over the years, as her mental faculties have declined due to age and chronic illness, she has lost nearly all ability to navigate a system. 

What do you do with a user who no longer grasps the concept of a folder?  Who doesn’t know how to switch between two windows on a taskbar?  Who forgets how to use the scrollbar, and who treats a computer as unusable if the sound is muted?  Every little aspect of her environment stymies her now, whether it’s figuring out whether her newest messages are on the top or the bottom of the screen, or whether something needs a single click or a double click to function.

She’s the sort of user that most badly needs things like working antivirus, a working firewall, NoScript plug-ins, and all other kinds of features to protect her from herself.  But given that she stops completely dead in the water if she sees an alert message, I can’t possibly set these things up.  It would make the computer unusable for her.

So what do I do?  Resign myself to the fact that I’ll probably have to clean up her computer every so often?  I can’t tell her to stop using it; I can’t educate her; I can’t sit with her every day and guide her every move.  I could try switching her to a Mac, but the change in GUI would discombobulate her.

This is an extreme example of what we as security professionals deal with every day:  our security is too complicated for the people who need it the most.  Just as our American health care system is too complicated for the people who need it the most and are least able to navigate it.  It’s a full-time job, in both cases, to act as an interface between an average person and a system that is almost irreparably broken.  Something’s gotta give.

Posted by shrdlu on Sunday, March 15, 2009
(7) Comments

When worlds collide.

In retrospect, maybe I shouldn’t have joined Facebook.

Someone said “Facebook is for the people you used to know; Twitter is for the people you will know,” and I find that to be very true.  The two of them have very different uses due to their different functionality. 

Because of the combination of persistent material, real names and global spread, Facebook makes it much easier to get in contact with people from your past (assuming they ever knew your real name, of course).  It’s like a living yearbook.  I’ve heard from people I literally haven’t seen, talked to or heard of since high school, which was *mumble* years ago.  I’ve seen myself tagged in photos that I never knew existed (no, not that kind of photo—the advantage to you and your friends getting older is that everyone has common sense and a professional life).  It feels kind of weird to have all these layers of friends from today, 10 years ago, 20 years ago, and 30 years ago all mashed up into one place.

Twitter, on the other hand, is a lot more like IRC in slow motion.  The significant differences are that not everyone treats it like chatting (some people use it exclusively for passing on news links; why, I have no idea), and you can’t see all sides of a conversation because there isn’t any one channel or chat room to join.  You’re always seeing parts of overlapping conversations.  Half of the fun I have on Twitter is people-watching—catching just a snippet of one side of a discussion and trying to fill in the rest in my mind. 

A:  It works a lot better if you trim it.
F:  Didn’t @B look great in that dress?
C:  I thought the fishnet was a bit overdone.
M:  Prithee, sir, abide a while; the darkness is not yet upon us.
A:  @M Did you eat ALL the brownies??

It used to be that when we were not yet bound up in this intarweb, we were geographically discrete in our lives.  It was easy to remember that J was your friend in kindergarten and probably knew K, L and M from your hometown; X was the person you met at that meeting in Chicago and never saw again; Q and R were your co-workers at that one job who then went to work for the other company you joined five years later.  These were the friends from your first live-in relationship; these are the colleagues; these are your relatives.  (There’s also the group that knows how to sing the title of this blog post, and the lines that come after it.)  Everyone knew you by the same name, and if they didn’t know all the sides of you, well, that was only to be expected due to the context in which you associated with them.

Now that we are all connected, though, these neat little boxes collapse.  Your kindergarten teacher sees what your boss wrote about you; the friends from your BBS days who knew you as “GonadsGalore” can post on your wall right along with your mom.  The people you know from Singapore can gossip about you with the people from Sacramento.  It’s possible to have known someone for years that you’ve never actually met in real life. 

Even the net.life has had a chance to stretch over decades and accrete its own layers.  I’ve had several noms de net over the years, and as the neighborhood grew bigger, I had to abandon them because they were no longer unique.*  I can’t remember any more whether I met someone on Usenet, or while hanging out with those scallywags and libertines from a notorious mailing list (mwah), or from commenting on a particular blog.  Sometimes I knew someone online and then worked with him later in bricks-and-mortar; sometimes he ended up meeting other people from other eras of my life completely independently of me.  Sometimes someone friends me and I have no idea why, except that maybe our kids go to school together, or something.  Even more worrisome is when someone who knows me under a pseudonym also connects to me on LinkedIn and I honestly don’t know whether he realizes it’s the same person.  And I don’t know whether I want him to know!

We all leave tracks on the Internet, and mine are various and sundry, with really long tails.  How was I to know that someone would scan in and post a college photo of me that was taken back in the days of 4.1 BSD?  I’ve made a career of working for, shall we say, very conservative institutions, and I don’t know what will happen if my boss Googles me and discovers my Slippery Nipple Award just a few hits below my latest security magazine interview. 

Someday, someone with too much time on his hands is going to sit down and write my unauthorized biography, based just on Google hits and archives.  And it will probably be more entertaining than my actual life ever was.


*UPDATE:  Just found out about this example of how it’s pretty much impossible to have a unique nickname these days.  Boy, she sounds pissed, even though I’ve honestly never heard of her. 

Posted by shrdlu on Saturday, March 14, 2009
(9) Comments

See, or see not.  There is no “squint.”

Now, I’m no cloud expert, but it seems to me that asking for “visibility into the cloud” is kinda defeating the purpose of having one in the first place.  Isn’t the whole point NOT to have to care about where your service is coming from, or how it’s being managed?  If you’re looking to micromanage your cloud provider, it’s probably a good sign that you shouldn’t be using a cloud in the first place.

I’m going to go out on a limb and guess that as “cloudifornication” gets more widespread, people are going to pull back when they discover that there really isn’t as much that they’re willing to give up control over as they thought.

Posted by shrdlu on Wednesday, March 11, 2009
(1) Comments

Tony the (Paper) Tiger.

Okay, I just can’t take it any more.

If I hear anyone else billed (or worse, billing himself) as “one of the top security professionals in the country,” I’m going to do something drastic.  I don’t know what it is yet, but you have been warned.

I know several of the “top security professionals in the country,” or at least read them on a regular basis, and almost without exception, none of them bills him/herself as a “top” anything.  They describe what they’re really interested in, what areas they focus on.  Their net.presence shows a lot of passion for what they do.  But they don’t lay claim to any titles, unlike the poor schlub who thinks virtualization security is all about the hypervisor, and only speaks at conferences where his company pays for the slot.

Here are some signs that you’re dealing with a “paper tiger”:

- His CISSP is up front and center on everything that lists his name.  I’m sorry, but a CISSP is like a bachelor’s degree:  if you have to brag about having one, you probably have nothing else going for you.

- His LinkedIn profile describes him as an “expert.” 

- None of the real deals has ever heard of him.

- He talks about everything in terms of compliance.  (Ouch!)

- He can’t get passionate about any given security topic because he doesn’t know it well enough. 

- If he’s published at all, he focuses on writing Security 101 articles for “management.”

- If there’s anything remotely technical to be discussed, he lets his staff or other managers do the talking.

- He’s billed as being great in security because he once worked for a “financial institution.”  Really, as if that were the defining gold standard in security or something.  Besides, do you know how many hundreds of thousands of security professionals work for some kind of bank?

- The definition of “worked for a financial institution” turns out to be “was put on a team that consulted to a financial institution.”

- He treats his name as if it were a personal brand and puts it on everything, as if it were more important than the actual topic.

(Oh, and he doesn’t have to abuse the word “cyber,” but it helps.)

What other telltale signs have you seen of bogosity?

Posted by shrdlu on Friday, March 06, 2009
(7) Comments

Carrot-sticks and security.

When you’re in an enforcement position in security, you have to spend a lot of time balancing the carrot against the stick. 

Do you ask someone nicely to stop doing something?  Are you afraid of falling into the trap of saying, “Stop!  ... Or I’ll say ‘STOP’ again!”  Or are you a BSOFH, gleefully fondling your handcuffs and sending flame after flame to every poor sod who clicks on the wrong link?

My personal preference is to use the “carrot-stick”—heavy on the carrot, but with the stick just barely visible, or at the very least understood to be there.

Enforcement in security can backfire if you do it wrong:  if you spank people whenever they make a mistake, they will just stop telling you about the mistakes—or, worse yet, stop looking for them altogether.  (I suspect we will see at least some of this as the forced-disclosure laws reach a critical mass.  You don’t have to disclose what you don’t know about.)  On the other hand, you don’t want people mistaking a security policy for a suggestion.  A lot of this is in the eye of the beholder:  if a user comes from a background where security was up-front and mandatory (say, in the DoD), you’re probably not going to have a problem with him.  On the other hand, someone who just made a $2 million bonus is less likely to care what ANYONE thinks, much less someone from the IT side of the building.

So you need to tailor your security reactions to your audience.  What is your perceived ranking in the organization compared to theirs?  Are they reasonable people, or self-centered twits?  Is this the first encounter you’ve had with them, or the twentieth?  Here are some different approaches to the same user who has been going to naughty sites and saving certain files locally:

All carrot, no stick:  You go to his cube (or office) and explain nicely that you happened to notice that there was some unusual traffic coming from his computer and you’re worried that it might have gotten infected with a virus or spyware.  You mention casually that this might happen if one goes to a non-business-related site, and ask if you can arrange a time to have tech support come and examine his computer.  Then you go away.  By the time you come back, the browser cache and history are magically clear, and the user has stopped whatever it was he was doing.

All carrot, no stick, but mild confrontation: You happen to meet up with the user alone in the elevator, and say, “We were doing an inventory scan of all the computers last week, and I was just wondering:  what does ‘anal violation’ mean?”  You drop the line of inquiry right there, and by the end of the day, the user’s desktop is, once again, sparkling clean.

Carrot plus visible stick:  You ask the user to come see you in YOUR office.  This is a mild power play that, if it works, is very effective.  (“Oooo, you got called to the Security office!” the co-workers will tease.)  Then you put the stick away, get out the carrot, and have Conversation #1 with him.  If you’re feeling a little more stick-like, you might add at the end of the talk, “Please feel free to call if you have any questions.  I’m sure this won’t happen again.”

Carrot plus more stick:  You ask for a meeting in the user’s supervisor’s office. 

Carrot plus even more stick:  You meet with the supervisor first, without talking to the user.  Then, depending on what the supervisor wants to do, you call in the user.  When you have clearly already been talking to the supervisor first, it carries more weight.

There are plenty of permutations to this line of work, and they all depend on whether there is an ongoing problem that has momentum, and therefore needs a bigger action to nip it in the bud, or whether you are simply introducing a new policy that you need the right people to agree to.  Whether you send out an announcement yourself, or have it sent out by the CEO, also speaks volumes.  Putting something in writing is always using more stick than simply having a verbal conversation, especially if you start using language that sounds legal in nature and refers to particular policies or document sections by name.  The user will suspect that you are formally documenting something to build up to an official HR action, so only use this if this is a plausible scenario.

Sometimes using peer pressure is more useful than supervisor pressure.  If you are working with a certain level of management, it helps to call a meeting of their peers and make sure several of them are already on board with what you want to propose.  You get to look like you’re asking for their input, where in reality you’ve decided on something and are simply nudging everyone to march in the same direction.

Finally, if you have actual control of system access, you have a large stick, but you have to be careful how you deploy it.  It helps to make it clear with your boss ahead of time that you will only cut off a user’s access if you believe there is an imminent threat to the system itself, and you should notify the boss as soon as you do it.  Even threatening to cut off access (say, if you get no response to a user recertification request) is powerful stuff, so make sure it’s a last resort, and make it clear to the audience that it’s a last resort:  “If we cannot validate this account, we will have to disable it to maintain our compliance with audit requirements.”  “We could not determine the nature of this traffic, so we had to block the source IP at the firewall.” 

An ISO (information security officer) without enforcement abilities is like a Beanie Baby without a pencil sharpener up its butt:  cute, but useless.  Make sure you have a sharp edge somewhere, and when you finally have to show it to someone, it’ll be impressively shocking.

Posted by shrdlu on Tuesday, February 24, 2009
(3) Comments

Neil Gaiman’s shopping list.

Apropos of very little, this was inspired by a comment on Wil Wheaton’s blog:

Neil Gaiman’s shopping list
(as copied furtively from a page torn from a mysterious bound notebook left in a taxi somewhere)

fuligin ink
Hanes black t-shirt 3-pack (qty 18)
Phoenix bbq sauce
spider web biscuits
Persian daēva (try that Middle Eastern Market on 5th)
elephant garlic
tomato paste
Greek style yoghurt
exotic spices from the cellar of a long-dead rajah whose only daughter wandered the steaming earth at night and, it is said, consorted with a hawk, bearing their children and setting them free as harvesters of monsoon-drenched souls before herself dying of consumption, forgotten and alone, in the rotting doorway of a hut in Lapland
daguerreotypes (assorted)
Halls mentholyptus lozenges
Psychoid archetypes (2-3 pallets’ worth from Carl’s Club)
PG Tips
half gallon milk

Posted by shrdlu on Saturday, February 07, 2009
(0) Comments

Professor of the Bad-Ass War and Peace College.

Okay, I just made up that title, but I can’t think of any other way to describe Thomas P.M. Barnett.  I first discovered him through his TED talk on the Pentagon’s new map for war and peace and was enthralled.  I’ve been working on his book of the same name, which is both intimidatingly sharp and makes obvious sense on a deep level.  But I haven’t been working on it quickly enough, because he’s about to come out with his newest effort, Great Powers: America and the World After Bush next month.

His work resonates with me because I see parallels between his arguments for après-déluge system administration (building and managing new rulesets for our interactions with the rest of the world) and my focus on layer 8 (building and managing new rulesets for security based on our understanding of how humans use it, not based on how the technology is configured).  Of course, I can’t pretend to his level of knowledge and strategic planning, but I try to adapt what I understand of his work.

Security isn’t always about war; it isn’t always about fighting off hackers.  It’s also about “everything else,” the grand strategy for how we want to order and use our data that affords both utility and protection.

Anyway, if you want to have your perspective yanked 360 degrees at Mach 1, read his books.  Or hell, just start with his blog.

Posted by shrdlu on Wednesday, January 21, 2009
(1) Comments

From the other side of the hiring desk ...

Ax0n posted an open letter from geeks to IT recruiters and hiring managers that I found myself highly conflicted about.  As a geek AND a hiring manager, I’ll put my own spin on what he wrote:

Try to measure productivity in output, not in hours.

Geeks automate. Geeks script. Geeks compile. They summon computing power to get things done quickly on their behalf. If your geek seemingly spends all day on Twitter and Fark but somehow manages to still complete tasks ahead of schedule, your geek is multi-tasking. This is normal.

Yes, this is true, but appearances still do count.  If other members of the team who don’t understand this think that I’m just giving a geek a pass on goofing off because every time they walk by, they see them watching something on YouTube, I have to do something about it.  Even more, if my BOSS or HIS BOSS walk by and think the same thing, I have to do something about it.  I’m responsible for morale in the team as well as the output.

Assign tasks to the geeks who are most interested in them, not the ones with the most experience.

I’m sorry, but my job is to make sure the tasks get done as well as possible.  If that means giving it to the most experienced geek because I think she’ll be the best executer of the task, then so be it.  I care about your geeky interests, but not enough to override quality.  Sometimes you get boring tasks handed to you.  Deal with them.  I know I do, every day.

Segregate the corporate, compensatory hierarchy from the leadership hierarchy.

  With a team of geeks under you, one or more will eventually become the go-to guy (or girl) for certain things. You don’t usually need to assign a “team lead” - through meritocracy, the Alpha Geek will emerge. That Alpha Geek may lack seniority, but will have the most influence. It’s best to let this occur naturally. It’s awkward when the one who best fits the role has to answer to someone else just because they’ve been around longer. Furthermore, the members of your team will still go to the Alpha Geek because the wrong person has the “Team Lead” label. As Paul Glen puts it: Geeks don’t hate hierarchy. They hate your hierarchy.

This really depends on what the “leadership” is for.  I have geeks who are the “go-to” people for technical issues, but I would never trust them with a schedule, resolving interpersonal conflicts, talking to the business, or with managing other people.  Got news for you:  you’re part of the corporation whether you like it or not.  You don’t have to like the hierarchy, but in most cases it’s there for a reason.  Deal with it.  If I find a natural-born leader in all aspects, I am more than happy to recognize that with an official appointment, but there are many dynamics going on in a team and department, and I have to manage them all, not just the geek tribal ones.

Have all screening and profile “paperwork” in one comprehensive online wizard or form.

  Geeks do not like pens, pencils, or clip boards. We also despise giving you the same piece of information more than once on fifteen different sheets of paper. We’d rather not be sitting on an uncomfortable chair in a room that’s far too brightly lit just so that we can give you the information that you want. It’s easy to get the information to you electronically.

Get over yourselves.  Sometimes the forms aren’t under our control (hello?  government?).  You want the job?  Don’t get all prima donna over a form.  I will drop your name from the hiring list sooooo fast, because it means you’ll get prima donna over the work I give you, too.  There are plenty of other geeks out there who have a better sense of perspective AND the same talent and skillz that you have.

Only ask for information you need to make a hiring decision.

  W2’s, Direct deposit information, full fingerprints, home address and all that crap can be handled during orientation. The only personally identifiable information you need before hiring is a name.

Again, that’s not always true.  Home address, SSN etc. are often required before you can send out an offer letter.  Fingerprints are needed if you’re requiring a background check. 

Don’t grill us on our resume and work history.

  You don’t hire a geek for what he or she did two years ago. You hire them for what they will be able to do for you now and in the future.

Excuse me, but this is bullshit.  I’ll grill you on ANY part of your work history and qualifications that will help me decide whether you can do the job I need you to do NOW.  In fact, I’ll often take a chance on someone BECAUSE of things they did ten years ago, not what they’re doing in their current position.

Instead of asking about skills that qualify them for the position, ask about their interest in the kind of work they think they’ll be doing.

Again, I care about your interest, but not as much as I care about whether you can do the JOB.  I ask all sorts of questions, and often throw in things that will make you talk about something that interests you (and I’ll be able to tell), but I’m still going to ask about skills too.

In short, if you’ve ever actually BEEN a successful hiring or recruiting manager, I’ll be happy to listen to what you have to say, but advice from someone who’s never done it is probably as irritating to you as it is to me.

Posted by shrdlu on Wednesday, January 07, 2009
(10) Comments