The single most important decider in your success at any job is your attitude…

I find this quote very naive:  “The single most important decider of your success at any job or company is how much your boss likes you or wants to succeed.”

This quote is more realistic:  “The single most important decider in your success at any job is your attitude.  This includes willingness to work, to improve, and learn from failures or adversities.” — Frank Walton, Saxon Global

Pro Tips On How To Do Tactical Meetings…

From the mailbag: here is an old email given to team members, old and new, with pro tips for how to approach the Tactical meeting every Monday.

Why?

If you’re curious where this comes from, check out the book Death By Meeting, by Patrick Lencioni.  His suggested meeting structure mentally optimizes for and focuses on the tactical subjects of the week.  It’s far too easy to stray into the strategic or get into the weeds, which traditional meetings suffer from.

How?

Here are my tips for team members:

1.    Lightning Round – Round table allowing 2 minutes per speaker to give what was accomplished last week and what is on your task list for this week.

The lightning round asks two questions:  What did you get accomplished last week, and what do you have on your plate for this week?

  • Come prepared before the meeting. Don’t muddle through.  It’s obvious when it happens and doesn’t reflect well.
  • Talk about the top 5 or most significant things you accomplished during this round.  Think about your audience and what you would like the team members to know. Especially if it’s project work, client-related work, or tasks of high importance.
  • Don’t waste the team’s time by telling the team the obvious things, like “Did my security training”, “Cleaned up my tickets”, or “Went to Team Meeting”. This is what is expected of you.
  • It’s ok to say “Tickets” and/or “BAU” (Business as Usual).  This indicates you were head down focusing on what’s in your queue and don’t have anything of significance to share.

2.    Metrics/KPI Review – 10 minutes to review last week’s SLAs and KPI performance.

The team leaders are responsible for asking team members what is important to measure.  If you’ve been asked to create a slide for KPI review, consider these points:

  • What is your KPI trying to communicate? What is “good” performance?  What is our current performance?  State the “good” on your slide.
  • Avoid busy or cluttered slides. Jamming a bunch of charts and graphs on your slide does not communicate or relay the message well.
  • Don’t “Wing It”.  KPIs are designed to get everyone on the teams aligned, goal in hand, and hitting targets.  If the KPI isn’t relevant to those ends, then skip it.
  • Use KPIs to communicate problems. Got a particular problem you need to communicate but no one is taking notice?  Use KPIs to measure the “bad”.

3.   Ad-hoc Agenda – Group comes up with an agenda on the spot based on time remaining.  Keep topics tactically focused.  No strategic discussions during this meeting.

Ad-hoc is where questions, answers, or announcements that pertain to the coming week are raised.  Key goals are ensuring alignment and communication between our two teams!

  • This is not the venue to vent or rail against “something”.  Again, show professionalism by using time wisely and refraining from bloviation and overly wordy statements.  Be straight, to the point, and informative/questioning.
  • This is not the venue to challenge or have academic debate.  Take those topics offline, if needed.
  • Keep ad-hoc discussion focused on items needing to be discussed tactically this week.  Shift “strategic” items somewhere else and talk to your manager about when/where.

Always forward, team!

\\ JMM

Compliance is not Security

From: https://www.armor.com/blog/achieving-security-compliance-healthcare-world/

A few compliance and security factors to consider in your environment:

Compliance:

  • Do you know your scope?
  • Do you know your data within that scope?
  • Is compliance your baseline or objective?
  • Do you understand the compliance requirements?
  • Have you mapped to external requirements?
  • Are you following audit best practices?
  • Do you have the right security partner?

Security:

  • Do you know your adversaries?
  • Do you have the visibility you need?
  • Are your operations appropriately configured and staffed?
  • Have you built a culture of security across your business?
  • Have you combined people + processes + technology?
  • Do you have appropriate measures in place?
  • Do you have trusted partners?

The guys at Armor are solid, btw. Enjoyed meeting them a few times in 2018 at their CTF events. And very recently at the Dallas Cyber Security conference.

\\ JMM

Begin Your Culture With a Mindset that you Cannot Force Culture…

“Begin your culture with the mindset that you cannot force a culture into existence.  Think of culture as needing a set of boundaries, but allow the culture to build itself using those brains that you have brought into the company to share and mold it into something that is a living breathing thing.  If you expect to build a culture of a PowerPoint presentation – you will be sorely mistaken that anyone will take you seriously.”
– Chris Hatley, Product Manager for AT&T at Austin CSI.

I talk a lot about the importance of culture, and more importantly about how leaders influence culture. But never enough time is spent talking about how to put the desired culture in place. It’s not easy. Armchair quarterbacking culture produces a lot of hot air…

Here are my top 5 observations on planting effective culture roots:

5. Vision, Mission, and Values.

It all starts here. What is the vision and mission of the organization? Of the department? What are the organization’s values that drive our actions? Where is it in writing? Ink signatures for acceptance. The absence of articulation and promise leads to gray areas.

4. Hire Leaders Who Are All In.

Leadership needs to not just talk the talk, but be all in on vision, mission, and values. Do you have their commitment? Are they driving not just results, but growing their people? Are you watching your leaders? Are they effective?

3. Eliminate “Toxic” and “Donkeys”.

Somehow, they seep in. Whether by best intentions, accidents, or inheritance, culture is most deeply affected by toxicity and donkeys. Kill toxicity where it grows, quickly. Let the donkeys go. Replace them with thoroughbreds who can connect to vision, mission, and values.

2. Live and be Accountable to the Values.

People watch their leaders carefully. The best leaders attract disciples and model the desired behavior. The worst, drive people away. How do you model the culture? Are you accountable to yourself? To your team? Time to be real about culture: Are you a part of the problem? Fix it.

1. Reinforce Culture At Every Turn. Teach, Rinse, Repeat.

We joke on my current team about talking/forgetting about things said and “must say it ten times” for it to sink in. There is truth to this. To make change, you must drive it, and drive it, and drive it. Monthly, quarterly, annually. If culture is truly important to you, then make it a priority to teach it, display it, reinforce it, and award it.

\\ JMM

Understanding the Why Behind Blocking Social Media

Below is an article I republished to our internal employees via our monthly newsletter, which I felt is very applicable these days. The why is an interesting topic. Among companies operating today, opinion on social media in the workplace is truly a mixed bag. Ultimately, it depends on culture. Internet access and social media coupled with private data equal a degree of risk. This article highlights the legitimate reasons, where privacy and risk collide.


Data loss (i.e. data exfiltration, data extrusion, data leakage) is the unauthorized transmission of sensitive information from inside a privileged access point. Because it can closely resemble the normal flow of data traffic, it is difficult in practice to detect and therefore right the sinking ship. Traditionally viewed in the context of the network, endpoint or email, data exfiltration can enact huge financial and reputational losses upon victimized organizations and individuals.

Social media is a formidable and porous attack surface due to its sheer size. With ever-increasing volumes of data being poured across different networks on a daily basis, detecting data exfiltration posts can be like finding a needle at the bottom of the ocean. The tides have shifted even for the largest and most talented security teams, as it’s become humanly impossible to navigate through this information to identify harmful threats. Social media poses additional risks that are not typically encountered on traditional points of access like email. From hashtags to mentions to lists, it provides a flood of different ways for users to instantly broadcast data to large global audiences. Social media also lacks any industry security precedent as a platform like email, which has weathered wave after wave of high-profile attack.

It comes as no surprise then that organizations both large and small are woefully unequipped to address data loss prevention when it comes to social media. The security industry readily admits these shortcomings too, with 43% of fraud prevention managers and IT directors recently reporting that employee access to social media websites and services is their biggest obstacle when it comes to data loss prevention.

Fig 1 outlines three different ways that data loss can occur through social media. At a high level from left to right, we identify 1) Inadvertent data loss involving sensitive information posted directly to the social network, 2) The Insider Threat involving a disgruntled employee divulging company secrets through encoded social channel data, and 3) Intentional data exfiltration by bad actors looking to hack into the corporate network and establish Command and Control (C&C) to maintain their data siphon.

Such accidental social media data loss is an all-too-common occurrence for employees who take selfies at the workplace, which may display personally identifiable information (PII) or sensitive organizational information like product roadmaps, architecture diagrams, software stacks or customer information. The cost of social media data loss can multiply when culprits unknowingly violate industry-wide compliance mandates, potentially resulting in hefty financial penalties for the organization in question. Embarrassing moments have affected one of Instagram’s most followed users and the Twitter CFO. Indeed, if one of social media’s own executives isn’t even immune to this risk, this demonstrates the realistic situation every organization faces.

** This article was republished.

\\ JMM

Making the Case for Draw.IO

Is It Time To Say Goodbye to Microsoft Visio?

Diagramming is a very large part of how we communicate.  Flow charts, process diagrams, UML diagrams, network drawings, on and on.  Pictures are truly worth a thousand words.  And the go-to software standard for most organizations needing to diagram is Microsoft Visio.  However, working with different teams, I’ve encountered feedback where Visio wasn’t the preference.  Digging in, there are many pros and cons presented, so let’s lay them out here:

Visio Pros:

1. Market Leader in diagramming.
2. Wide variety of shapes.
3. Many IT Pros already familiar with Visio.
4. Been around for a very long time.

Visio Cons:

1. $533 per year licensing.
2. High learning curve.  Arguably, un-intuitive.
3. No Linux or Mac support.  No mobile support.
4. Office365 bolt on, versus integrated product.

Enter Draw.IO…

Application Development introduced us to Draw.IO in 2018.  After spending some time with the product, I find it very comparable.

Draw.IO Pros:

1. Open Platform for diagramming.
2. Diagram anything.  Practical.
3. Linux, Mac, and Windows.
4. Free.

Draw.IO Cons:

1. Open source. Slow to fix bugs.
2. High learning curve, but training helps.
3. No OLE or Windows Integration.
4. Heavy Java dependency.

Is the shift from a paid product to a no-cost product that meets or exceeds the existing standard a good idea? Granted, learning the tool is a must to become a competent diagrammer.  Are you willing to let Visio go?  Care to take on Draw.IO?

Get Draw.IO here:  https://www.draw.io/

Support/Training Videos are here:  https://about.draw.io/support/

What happens if we don’t invest in developing our people…

CFO asks CEO: “What happens if we invest in developing our people and then they leave us?”

CEO: “What happens if we don’t, and they stay?”

The Lesson: Train people well enough so they won’t leave. Treat them well enough so they won’t want to leave.

Numerous LinkedIn Postings

We see this advice over and over. As leaders, are we walking the walk? Or is it just more of the same? I talk to colleagues and training is still a problem. Fear of making the investment and watching that investment walk out the door is cited as the primary reason.

In today’s economy, junior people are far more skilled than 10 years ago. I see the resumes. We live in times where candidates are highly competitive, highly motivated, and have goals. Financial goals.

Leaders: You are either a part of the solution. Or part of the problem. Invest in your people. Technical and professional. Hard skills and soft. Teach people how to win. Otherwise, your people will move on. And waiting till your top talent leaves you… is on you.

C-Levels: Culture starts at the top. Invest in your leaders. Values and culture matter. They establish the tone: what is and is not acceptable. Mentor the gaps, but hold the line on the winning culture that you built. Otherwise, your leaders will move on. Waiting till one of your top leaders leaves the organization is on you. Money doesn’t solve the aggravation or the feeling of having no support.

Invest in your people. Constantly.

\\ JMM

NSX Is Not For Beginners…

“If I would have known how difficult it is to get NSX up and running, I never would have recommended this solution.”
– Sonny Mendoza, System Engineer – Architect, Lanvera

One of Lanvera’s major achievements in 2018 was crossing the finish line with the deployment of VXLAN and VMWare’s NSX.  However, NSX was not simple to deploy, easy to troubleshoot, or kind on your patience.

In fact, in 2018, I attended a Palo Alto event where I sat at a table and talked about NSX.  Others overheard and came to our table to talk about it.  One gentleman claimed he was on his third attempt to deploy it.  Another said it broke several parts of the network and IT deemed it a risk.  The other said it’s deployed but not in production, for fear of it breaking.

None of these concerns are unfounded.  Here are a few of the takeaways from what marred or aided our deployment.

5.  Hiring A Consultant Does Not Guarantee Success.  After the consultant left, our NSX solution was technically up, but moving VMs between datacenters didn’t work as expected.  Routing didn’t work as expected.  And many phone calls to VMWARE ensued to work on the small whoops that the consultant didn’t catch.  Consultants often expect their clients to know what to look for and with something like NSX, we didn’t know what we didn’t know.

4.  NSX Training Does Not Guarantee Success.  Our sales engineer highly suggested we attend VMWARE’s NSX training, which we spent credits on.  My team reported that the training was problematic, from labs crashing or freezing to being unable to run the content.  Many phone calls to support dragged it out by weeks, if not a month or two.  After the technical leads were trained, they found the training really didn’t prepare them for the challenges of the deployment.  “Thank goodness we had the consultant”.

3.  Attending VMUG Did Not Guarantee Success.  Although my team would say it helped.  In fact, Sonny took over a session at the DFW VMUG to talk through our NSX deployment with their subject matter experts, explaining our behavioral problems.  Lots of stumpers went unsolved.  All that said, I am an advocate of VMUG.  I feel user groups are important to attend for these kinds of reasons.

2.  Reading VMWARE’s Books and White Papers on NSX Did Not Guarantee Success.  Forums and communities would highlight these reads, so we absorbed as much as we could.  However, the books contradicted what sales engineers and our consultants told us.  When we shared our sources for the material, “Well, that is technically true, but I don’t recommend it” is what we got back.  Conversations got really suspicious.  What is the agenda here?  Sell more VMWARE licensing, or actually get NSX running in a workable state?

1.  Having a VMWARE Lab is the Biggest Recommendation We Can Make To Improve Success.  We didn’t have a lab, but the entire time, either we, the consultants, or people at VMUG made comments about it.  Testing these technologies in a lab is far better than going straight to the production network.  VMUG is an excellent resource on lab licenses for the VMWARE IT pro.  Competency in the product is paramount, especially when encountering anomalous behaviors.

Resources

VMWARE’s User Group

NSX Communities

Beginner or Advance NSX Hands-On-Lab (HOL)

VMware product page, customer stories, and technical resources

VMware NSX YouTube Channel

\\ JMM

Technology solutions shouldn’t replace people management responsibility…

Let me give you an example:  In my healthcare days, hospital nurses often had downtime in the overnight shifts.  Nurses often loaded games and streamed videos on their workstations, which was against company policy.  When we approached hospital leaders, they asked for a technology solution:  Block the nurses from loading games and streaming videos.  I argued overnight managers should keep an eye on nurses and keep them busy.  Technology solutions shouldn’t replace people management responsibility.  In the end, the technology solution won. And in the long run, this technology hurt that hospital’s culture and relationships with IT as an enabler.

Our SOP for these detections should be to report these incidents to their leader and HR.  Let people processes work and govern themselves.

Jonathan Merrill, 2018

Technology solutions shouldn’t replace people management responsibility, but they do. And often. And not much has changed in 10 years, other than information security awareness now being a mandatory thing. Which should have changed the conversation. But it hasn’t.

Culture will trump policy every time.

\\ JMM

How to Let People Go…

My advice on firing is simple: Treat that person the same way you’d want to be treated if you were in that situation. They’re still a good person, just not the right fit. So how do you help them move on in a productive way that allows them to maintain their dignity?
– Mary Barra, CEO, GE

Letting people go is uncomfortable, creates anxiety, and is often a dreaded part of people management. It’s not surprising that it’s often done poorly. Here is my advice for leaders who face this difficult task.

  • Don’t do it on Friday at 5pm.
  • Have a plan. Assemble a team.
  • Keep it short.  And respectful.

Unsurprisingly, EntreLeadership has the best advice for this subject:

How to Fire Someone the Right Way (Highly Recommended)

Why You Need to Hurt Someone’s Feelings

Should They Stay or Should They Go?

\\ JMM