Understanding the Why Behind Blocking Social Media

Below is an article I republished to our internal employees via our monthly newsletter, which I felt is very applicable these days. The why is an interesting topic. Among companies operating today, opinion on social media in the workplace is truly a mixed bag. Ultimately, it depends on culture. Internet access and social media coupled with privacy data equal a degree of risk. This article highlights the legitimate reasons, where privacy and risk collide.


Data loss (i.e. data exfiltration, data extrusion, data leakage) is the unauthorized transmission of sensitive information from inside a privileged access point. Because it can closely resemble the normal flow of data traffic, it is difficult in practice to detect and therefore right the sinking ship. Traditionally viewed in the context of the network, endpoint or email, data exfiltration can enact huge financial and reputational losses upon victimized organizations and individuals.

Social media is a formidable and porous attack surface due to its sheer size. With ever-increasing volumes of data being poured across different networks on a daily basis, detecting data exfiltration posts can be like finding a needle at the bottom of the ocean. The tides have shifted even for the largest and most talented security teams, as it’s become humanly impossible to navigate through this information to identify harmful threats. Social media poses additional risks that are not typically encountered on traditional points of access like email. From hashtags to mentions to lists, it provides a flood of different ways for users to instantly broadcast data to large global audiences. Social media also lacks any industry security precedent as a platform like email, which has weathered wave after wave of high-profile attack.

It comes as no surprise then that organizations both large and small are woefully unequipped to address data loss prevention when it comes to social media. The security industry readily admits these shortcomings too, with 43% of fraud prevention managers and IT directors recently reporting that employee access to social media websites and services is their biggest obstacle when it comes to data loss prevention.

Fig 1 outlines three different ways that data loss can occur through social media. At a high level from left to right, we identify 1) Inadvertent data loss involving sensitive information posted directly to the social network, 2) The Insider Threat involving a disgruntled employee divulging company secrets through encoded social channel data, and 3) Intentional data exfiltration by bad actors looking to hack into the corporate network and establish Command and Control (C&C) to maintain their data siphon.

Such accidental social media data loss is an all-too-common occurrence for employees who take selfies at the workplace, which may display personally identifiable information (PII) or sensitive organizational information like product roadmaps, architecture diagrams, software stacks or customer information. The cost of social media data loss can multiply when culprits unknowingly violate industry-wide compliance mandates, potentially resulting in hefty financial penalties for the organization in question. Embarrassing moments have affected one of Instagram’s most followed users and the Twitter CFO. Indeed, if one of social media’s own executives isn’t even immune to this risk, this demonstrates the realistic situation every organization faces.

** This article was republished.

\\ JMM

What happens if we don’t invest in developing our people…

CFO asks CEO: “What happens if we invest in developing our people and then they leave us?”

CEO: “What happens if we don’t, and they stay?”

The Lesson: Train people well enough so they won’t leave. Treat them well enough so they won’t want to leave.

Numerous LinkedIn Postings

We see this advice over and over. As leaders, are we walking the walk? Or just more of the same? I talk to colleagues and training is still a problem. Fear of making the investment and watching that investment walk out the door is cited as the primary reason.

In today’s economy, junior people are far more skilled than 10 years ago. I see the resumes. We live in times where candidates are highly competitive, highly motivated, and have goals. Financial goals.

Leaders: You are either a part of the solution. Or part of the problem. Invest in your people. Technical and professional. Hard skills and soft. Teach people how to win. Otherwise, your people will move on. And waiting till your top talent leaves you… is on you.

C-Levels: Culture starts at the top. Invest in your leaders. Values and culture matter. Establishes tone. What is and is not acceptable. Mentor the gaps, but hold the line on the winning culture: That you built. Otherwise, your leaders will move on. Waiting till one of your top leaders leaves the organization is on you. Money doesn’t solve the aggravation or feelings of having no support.

Invest in your people. Constantly.

\\ JMM

Technology solutions shouldn’t replace people management responsibility…

Let me give you an example: In my healthcare days, hospital nurses often had downtime in the overnight shifts. Nurses often loaded games and streamed videos on their workstation, which was against company policy. When we approached hospital leaders, they asked for a technology solution: Block the nurses from loading games and streaming videos. I argued overnight managers should keep an eye on nurses and keep them busy. Technology solutions shouldn’t replace people management responsibility. In the end, the technology solution won. And in the long run, this technology hurt that hospital’s culture and relationships with IT as an enabler.

Our SOP for these detections should be to report these incidents to their leader and HR. Let people processes work and govern themselves.

Jonathan Merrill, 2018

Technology solutions shouldn’t replace people management responsibility, but it does. And often. And not much has changed in 10 years, other than information security awareness is now a mandatory thing. Which should have changed the conversation. But it hasn’t.

Culture will trump policy every time.

\\ JMM

How to Let People Go…

My advice on firing is simple: Treat that person the same way you’d want to be treated if you were in that situation. They’re still a good person, just not the right fit. So how do you help them move on in a productive way that allows them to maintain their dignity?
– Mary Barra, CEO, GE

Letting people go is uncomfortable, creates anxiety, and is often a dreaded part of people management. It’s not surprising that it’s often done poorly. Here is my advice for leaders who face this difficult task.

  • Don’t do it on Friday at 5pm.
  • Have a plan. Assemble a team.
  • Keep it short.  And respectful.

Unsurprisingly, EntreLeadership has the best advice for this subject:

How to Fire Someone the Right Way (Highly Recommended)

Why You Need to Hurt Someone’s Feelings

Should They Stay or Should They Go?

\\ JMM

Enter Predictive Index For New Hires and Retention…

Ask any military leader: the difference between winning and losing on the battlefront is effective battlefield intelligence. Hiring for culture is no different. This is why EntreLeadership lessons focus on extending the recruiting process, creative interviews, and not making decisions purely on skill.

For years, I’ve advocated either DiSC or Style of Influence (SOI) in lieu of the Myers-Briggs.  I’ve taken all three in business settings and I would say each has strengths, but all three focus on approaching communication and collaboration.  I found something different.

On September 21, I attended Security Advisor Alliance’s conference. Arguably, one of the best conferences for information technology leaders in 2018. One particular breakout session caught my eye: Using personality analytics not just for culture, but learning capability.

Here is the front page of my report:

Nevertheless, I was and still am thoroughly impressed by this tool. Not only did it eerily get me as a possible candidate, it perfectly got my strengths and weaknesses as an employee. These are things managers need to know as they assign roles and responsibilities, including things to look for to ensure performance.

Check out these links:

// JMM

Why You Are Being Asked To Be in CAB

Today’s blog is from the mailbag of notables. The context of this email is when I was “leading by walking around” and overhearing a few employees not wanting to go to CAB. Not wanting is putting it nicely. CAB is “Change Approval Board”, which is mostly a call to talk about the changes happening to the production environment.

From: Jonathan Merrill
Sent: From My Desk
Subject: Why You Are Being Asked To Be in CAB
Importance: High

Just overheard “Why do I need to be at CAB. I don’t have changes”. Not the first time this has been said. And it’s not unnoticed those team members who don’t show up. Before you say, “busy”, I know everyone is busy. We are all busy. Nevertheless, here is why I encourage you to be at CAB every time:

1. If you do have a change, you need to explain to CAB what the change is, what it will impact, and allow architects and SMEs to chime in. We’ve had one over-ride since we started CAB, which saved us from an embarrassing situation.

2. You listen in on what’s changing in our environment. Operations teams must have the pulse on what’s going on. If you don’t know, how can you react? Putting things together is a skill, just like listening and comprehending. All three should be applied in CAB.

3. Opportunities to sharpen your saw putting in changes. Once we get some consistent muscle memory on non-standard changes, let’s talk about standard changes. Until then, let’s learn from each other and ensure we understand the why about change management. I’ll need your help to train other teams once they get incorporated into our change system.

If you’re working on a critical ticket, production outage in flight, or anything affecting a client’s ability to process, then you’re at least armed with what changed.

If you’re actively engaged in a production issue, clear it with your manager and let him or another team member represent your change in CAB.

Any other reason… eh, no. Knowledge culture, folks. Root word is “Know”. We need you to know. I need you to know. This is the culture we are building. Please participate. Everyone…

\\ JMM

When A Leader Told Me To Stop Reading Books…

“Jonathan, you need to stop reading books.  They are hurting your career.  Read the email I just sent you.” – Name Withheld (Obviously)

I would bet in any career field, you run across people who say things that are incredibly damaging in multiple ways. It gives pause as to how toxic or caustic people get into leadership positions. Nevertheless, the most outrageous comment I’ve ever been told is to stop reading books.

If you know my leadership style, then you know I perpetuate the knowledge culture, which is heavily based on DevOps’ CAMS (Culture, Automation, Measuring, and Sharing).  Working with other teams who don’t embrace that philosophy can and does create friction.  Which is where education is applied.  Culture is critical, we all agree.

So, if you’re wondering what the email said, I’ve kept it in my personal journal. I’m sharing it in its entirety, with the business bits edited out:

From: Director, Information Technology
Sent: Long Long Time Ago…
To: Jonathan Merrill
Subject: Communication

I wanted to tell you something I learned a long time ago.  What you did yesterday or last week or last year is almost worthless.  I too have won [people] awards.  They mean nothing.  The business world is focused on what have you done for me now.   The growth of teams is far more important than most anything else.

One of the main things that I desire is that I would rather make progress than simply prove that I am right.   As long as the progress is in the best general direction then it will likely make things better.  In time possibly it will convince people (that aren’t under me) that it was a good idea.  Maybe it shows how it wasn’t.  But I don’t try to emulate anyone.

The people you list (Leonici, Maxwell, Wooten) are mostly wrong in any approach they suggest.  Each approach has to be custom tailored for the situation.  I find that most of the books people write all say basically the same thing.  Many of them are worthless and if they are good I take only a few points from each of them that I have found worked.

For example I remember when everyone said emulate Jack Welch and his leadership style.  I started reading about him and it sounded impressive.  Then I started learning that it wasn’t uncommon for the company to lay off people all the time just to improve stock price.  I found that his words lacked practice.  So he said the right things but practiced a form of management that basically resulted in turn over at all levels (forced or not forced).  In time I figured out that in my opinion he was just another useless manager who had some good ideas but his ideas likely only worked one time in one situation and me saying I would use them was highly suspect.

So really I hate to say it (good or bad) but I don’t study anyone.  I keep a list of things I have learned and try to put who taught it to me.  Outside of that I don’t worry about it.  Graduate school taught me that for the most part.  Good management is 50% how you treat people and how they perceive you and 50% of your ability to define what you want.  Combine those and you likely get progress.

Sounds seat of the pants I know but how I work.

Let’s dig into a few of these statements, as parts of his email are peppered with logic, and see where it goes off road.

#1.  What you did yesterday or last week or last year is almost worthless

Leaders are always judged positively by their achievements. Finding the achievement pattern leads to good hires. Not tracking your achievements nor having a track record of your achievements is a professional miss in self-development. I argue all people, from help desk to VP, IT should actively track achievements. Marry them up with your personal and professional goals. Minimally, present them annually during the evaluation process so the organization understands what you’re about and the value you bring.

#2.  As for selling on approaches or styles I rarely if ever do that.  Nor will I start.

Managing a team on democracy and goals is good, but if the culture isn’t set to create the operating context of expectations, then that team is no different than a mob.  People want great cultures.  People desire to know the boundaries so they can freely do their job.  I would argue effective leaders have a style and actively sell/mentor approaches to their people.  Ineffective leaders do not try.

#3.  The people you list (Leonici, Maxwell, Wooten) are mostly wrong in any approach they suggest.  Each approach has to be custom tailored for the situation.

How can you argue with the results of those leaders who study and embrace good leadership principles versus those that do not? We take what is learned and apply it to any situation. Most situations require customization as no one thing fits. I argue studying principles of success does far better to educate versus only depending on your last leadership experience.

#4.  I remember when everyone said emulate Jack Welch and his leadership style… I found that his words lacked practice.

I too have read Jack Welch and found many things that didn’t align with my leadership philosophy or brand.  I don’t advertise leading this way, but learning how he led isn’t less important.  We should not read any book and apply it to our life prima facie.  Books should educate us, challenge our thinking, and give us opportunity to change us, make us better, or just entertain us.  I argue practicality alone shouldn’t be a reason to not read books about leadership.

#5.  I don’t study anyone.  I keep a list of things I have learned and try to put [into practice] who taught it to me.  Outside of that I don’t worry about it.  Graduate school taught me that for the most part.

I would argue that going to college should just be the beginning of your lifelong learning journey. Not the end.

#6.  Good management is 50% how you treat people and how they perceive you and 50% of your ability to define what you want.  Combine those and you likely get progress. 

Of everything said here, this statement rings most true.  And worthy of underscoring as working with this leader for over a year, I can say he wasn’t intentionally “toxic”.  He was a grounded guy, with a family, bills, car, and problems just like us all.

However, looking back on what he got accomplished during his time, he achieved very little.  Not many strategic things got done.  He touched no one.  Influenced little.  And was quickly forgotten as he left.  Does anyone enter a leadership gig with the desire to leave no legacy?  I would argue no.

I ran across this comic today and it reminded me of that leader and his email.

Source: Jake Likes Onions

If anyone knows the author of this book, please let me know.

\\ JMM

Who Is To Blame For The Culture of No?

“If there’s a big problem in corporate America, it’s that we say ‘Yes’ too much at times. There’s a whole lot of yes going around. The problem? Only about 1/2 of the “yes” responses are followed up with action that is representative of all of us living up to the commitment we made. That’s why you need to say ‘no’ more.”  – HR Capitalist

You haven’t experienced all the fulfillment of service delivery management until you’re told something that is so foreign, so alien, that your first reaction is bewilderment. With a dash of astonishment. What the heck did this guy just tell me?

What could anyone say that would create such a reaction? When someone says someone represents the culture of no. Traditional help desk, engineering, and information security have thrived in a culture of “no”. To be accused of perpetuating the culture of no. Seriously? Let’s break it down…

What is the Culture of No?

“Rather than encountering a world that encourages you to dream big, you may find yourself mired in a ‘culture of no’ — one where fear of failure means that great ideas don’t even get a try” – Wafaa El-Sadr, director of the International Center for AIDS Care and Treatment Program

“We have all met that wall. And when those walls exist, people find ways around them. The workarounds make their lives easier. They implement what they think is best. Their efforts are not intentionally destructive but can lead to unintentional vulnerabilities and, potentially, harm.” – Article from DZone

Let’s unpack the why…

First, is to acknowledge no one in management wakes up in the morning and says, “I’m going to tell 10 people no today”. Talk about a crazy goal. No is often considered an emotionally negative word, so delivering it is avoided. Sometimes, at all costs.

Second, is often ‘no’ is grounded in policy and standard. Especially if it’s a politically sensitive subject. In my early career, I’ve been directed, a couple of times, to refresh my memory on a policy as the no was delivered.

Third, Leaders are often asked to get creative to say no without saying no. Wordsmithing ‘no’ is a career maker for many leaders, especially in the public relations functions. I’ve been told this falls into the “interpersonal savvy” characteristic, which is a sought after leadership trait.

So mix all that up in an information security or systems engineering context, and you have an explosive mixture pitting IT against business units and developers alike. It’s not surprising there are movements like DevOps to correct the culture’s behavior.

Again, all that said, the why of the problem is commitment delivery and lack of clarity that is so succinctly described by the HR Capitalist’s quote above. It’s far easier to just slide into corporate ambiguity versus a clear response.  Yet clear responses are sometimes not appreciated by types of leaders.

So, Who Is To Blame?

Many employees  who are described as being a part of the culture of no are often swimming to stay alive in a toxic company culture. DevOps won’t solve that problem, nor any other service management framework. If CAMS represents DevOps’s core values, start with the first letter: C = Culture.

If your organization is mired in the culture of ‘no’, look hard at your company’s culture and how you are affecting it.  This article isn’t about saying ‘no’.  It’s about having the right culture so ‘no’ is not political, but academic.

\\ JMM

Constraints, Asking for Money, and Kristin Cox…

“Everyone runs to technology for the answer” – Kristin Cox, Executive Director of the Governor’s Office of Management and Budget

I don’t think she meant that in a good way… Maybe if we used our brain versus technology to solve our problems.  Wow!  That’s crazy talk!

Nevertheless, I stumbled across her articles and posts in my LinkedIn thread. An “Expert at Constraints”, here are the highlights of her video, which I would recommend you go watch: Kristin Cox’s “How to Ask for Money”.

Four questions:

1. What do you do? What services do I produce?
2. How well do you do that? (Quality – Couple of things: Faster, Outcomes better, etc.)
3. What is your operating expense? (What does it cost to make it)
4. What is my ambitious target? (What % quality do I want? Better Outcomes)
– Get clear on what we are really focused on.

Government is lucky to have her.

\\ JMM

Spinning plates as hard as I can…

Routinely, it’s easy to get into deep water with tickets and projects. Here is an email exchange between one of my team members, JC Foster, and me.


Jon Foster

Where does this fall on my priority list?

  • Tickets
  • AD Project
  • PBX Project
  • Office 365 Project
  • Visual Studio Project
  • Teams rollout

I am spinning plates as hard as I can here.


Jonathan Merrill

Thank you for asking. My own list is overwhelming. The organization is hustling. Projects are piling up and plates are falling as only so much can be done to keep those spun. Let me turn you onto a recent EntreLeadership podcast, #263 – Thriving in the Age of Overload. Skip to Daniel Tardy’s talk about “The Tyranny of the Urgent”.

Questions Needing Answered When Looking At Your Workload

  1. Does it have to be done?  Can we eliminate it?
  2. If I can’t eliminate, can I automate it?  ← This is where I feel the most work needs to be done.
  3. If I can’t automate it, can I delegate it?  Let someone else do it.
  4. If I can’t delegate it, is it urgent?  Is it a fire?
  5. If it is urgent, how do we approach, getting the right people in the room?   Most often, someone’s fire is not a fire to the organization.

Our temptation is that everything on the list is a fire. We need to prioritize on impact and urgency based on the most impact to the most people.

If you’ve listened to the podcast, tasks (or WIP) should be limited to 3. So, looking at this list, here is my recommendation where your head should be at:

  1. Tickets – I agree.  Although take care against this taking up 100% of your day.  Handle Critical and Highs only.  Sometimes, that means contacting customers, negotiating and adjusting the criticality.
  2. Visual Studio Project – Most impact.  Most urgent.  Key to our business.
  3. Office 365 Project  – Most impact.  Most urgent.

This is an exercise everyone can do.  And should be aligned to what is on our team Kanban.

\\ JMM