Blog

Managing involves measurement, doesn’t it…?

“We wouldn’t even know how to measure what healthy looks like. When we have a problem, we just know it’s resources.”

A Developer, collaborating on a slow application issue.

I immediately perked up at the man’s comment. It’s one any seasoned IT pro with a server and storage background can identify with. And it annoys me today no differently than when I heard it years ago.

The relationship between development and infrastructure teams has historically been… professionally difficult. Nevertheless, in the age of DevOps, agile, and automation, this problem of developers vs. infrastructure still exists at some levels. And, in my experience, the root cause is typically the same: a lack of understanding of how and what to measure.

Let’s take a common sample: An in-house developed business application begins to get slow after load. The application works well under artificial testing workload. Passes quality and security testing. It’s released into production, but as the business grew, the application’s workload grew exponentially despite no changes to the application.

Through the lens of the five stages of grief:

| Level | The Business Says… | Developers Say… | IT Says… |
| --- | --- | --- | --- |
| 1. Denial | The business is growing. Keep the application healthy as we grow. | Nothing wrong with the application. Application just needs more resources. | Something is wrong. Resources are finite and can’t infinitely scale. As demand goes up, soft argue requests. |
| 2. Anger | Clients impacted randomly, jeopardizes revenue. “This is unacceptable!” Sales and Executive team anger palpable. | “Just give it more resources!” demands development. IT is at fault because they are slow to react, although recognize application’s limits and technical debt growth. Will fix one day… | “Iceberg ahead!” Technical debt grows. Business and development are at fault because they don’t understand workload vs. timing of resource vs. limits vs. financial realities. |
| 3. Bargaining | If only the technical teams worked better together. Blame development and IT leadership for failures. Deny technical debt reality, prioritize features over scale. | If only the business recognized earlier the technical debt so developers could improve the application to scale. If only IT would be more supportive so development didn’t have to perform support. | If only leaders would recognize the effort IT is trying to keep the application working, which is turning into a support nightmare. Morale low. People leaving. |
| 4. Depression | Impacts on top of slow sales cycle lead to short tempers and broad opinions based on perception / feelings. Not data. | Developers take a beating as primary causes for failure. Morale low. Talented developers begin to leave. Technical debt begins to be worked, slowly. | Culture isn’t sustainable as we grow. People and process ignored as blame and fingerpointing ensue. Nothing based on data. |
| 5. Acceptance | Option 1. Things Stay The Same. Culture, processes, and people remain unrecognizable or admitted problem areas. Status quo. | Option 2. Things must change. Recognition to change, but how to change? Confusion and lack of alignment ensues. | Option 3. Things do change. Leaders commit to mission and vision, collectively. Measuring and alignment replace confused culture. |

I stole this table from a college class, in which the professor underscored not just the business dysfunction, but the importance of data in making business decisions.

The point here is managing things, including developed applications, based on perception and/or reaction is not managing. It’s guessing. And when it works out where the thing is not a problem — the guess paid off — everyone enjoys feeling good. The “avoided bullet”.

But what about when it doesn’t work out? Take the quote at the top: “We wouldn’t even know how to measure what healthy looks like.” That is a serious flag on the field. If you don’t measure health, you can’t manage the patients’ health care. As we all know, unmanaged health care means shorter lifespans. Despite ownership.

Calls to action are:

#3. Every single piece of technology deployed must be (1) measurable, (2) being measured, and (3) react “able”. What do healthy and unhealthy look like?

#2. Every development project must have requirements outlining measurements of health, particularly what success and failure look like. Evaluate periodically to adjust to business climate and workload change.

#1. Leaders must commit to the culture of quantification by measuring business performance. Start with key performance indicators (KPIs) tied to business mission, goals, and initiatives. Departments that don’t (won’t) measure will be instantly assumed to be failing.

\\ JMM

Real Reason Companies Don’t Want You To Work From Home?

From this article: https://www.linkedin.com/feed/news/working-from-home-is-the-future-5097042/

“Managers who set clear goals for what employees should accomplish in a given time period (whether it’s a week, month, quarter, or year) and regularly check in on progress against those goals “

Is the real reason you can’t work from home because some companies can’t set clear goals or check in on progress? Are those companies measuring performance? Or just winging it?

Culture trumps process, every time.  Go along or lead.  Good to great starts with one leader.  Call To Action.  Managers.  We need to do better.


PS. This post was actually drafted on February 21, 2020. Now, with COVID-19 and shelter at home, this topic has taken a new meaning.

I spoke to a few colleagues today on different fronts who had an interesting take on “working from home”. Let’s explore a few notables:

3. VPN Technology is “flying off the shelves”. Many SMB companies were not prepared for large percentages of workforce to work from home. Interesting. VPN has been around for a while, true. But I bet companies weren’t buying licenses to cover 90% of their workforce. Unlike toilet paper, plenty of VPN licenses available to be purchased…

2. Old school leaders are coming to grips with work from home. Begrudgingly admitting it is working, but still prefer the office. I suspect there is truth in that statement. It’s less about “better collaboration” and maybe more about senior leaders liking being in the office. So, everyone else should too! Hmmm…

1. Home networks may not be ready for work from home. It started innocently with headsets. But the ask has expanded to dual monitors, docking stations, and … subsidize my Internet! Working from home on my slow as hell 50MB isn’t cutting it. Should companies allow the equipment to go home? Pay for a percent of Internet usage? Consensus is no. No budget to equip home users this way.

All that said… as of April 1, any progress being made by managers setting clear goals? Measuring for employee performance? Status quo or WFH improving culture?

Last note: In March, I worked from home for two weeks and lost 5 pounds. Went back to work for one day, gained 2 pounds. Came back home, worked two more days at home, lost 2. Scientific evidence WFH is healthier for me?

\\ JMM

Blowing the Whistle…

“Great leaders encourage dissent, welcome whistleblowing and encourage contrasting points of view. Weak leaders demand blind obedience and threaten those who would dare point out any shortcomings or question their decisions.” – Robert Glazer, CEO, Acceleration Partners

This statement resonated on two fronts:

First, the importance of leaders pushing team engagement. Academic debate is key to my teams’ success. Not just explaining the why. Getting the team to buy in on the why and carry the message.

Second, I would bet most seasoned leaders have encountered this scenario and faced a similar decision: Speak up and possibly lose your job OR stay quiet, stay safe, and protect the bad decision. Risking being seen as a political pariah or worse, loss of financial safety. Especially as we get older.

Read the whole article here: https://www.robertglazer.com/friday-forward/value-of-whistleblowers/

\\ JMM

Top Valued Skills for 2030

Lately, I’ve been speaking to my boys, colleagues, and peers about the difficulties of finding people.  Specifically, what are the valuable skills that we need to instill in our people.

Shortly afterwards, ironically, I caught this slide during a recent technical conference:

Technology literacy can be taught. Judgement learned by wisdom and mentoring. Tougher to find is the emotional intelligence, logic, and creative drive.

\\ JMM

The single most important decider in your success at any job is your attitude…

I find this quote very naive:  “The single most important decider of your success at any job or company is how much your boss likes you or wants to succeed.”

This quote is more realistic:  “The single most important decider in your success at any job is your attitude.  This includes willingness to work, to improve, and learn from failures or adversities.” — Frank Walton, Saxon Global

Pro Tips On How To Do Tactical Meetings…

From the mailbag, here is an old email given to team members, old and new, with pro tips for how to approach the Tactical meeting every Monday.

Why?

If you’re curious where this comes from, check out the book Death By Meeting, by Patrick Lencioni. His suggested meeting structure mentally optimizes and focuses on the tactical subjects of the week. It’s far too easy to stray into the strategic or get into the weeds, which traditional meetings suffer from.

How?

Here are my tips for team members

1.    Lightning Round – Round table allowing 2 minutes per speaker to give what was accomplished last week and what is on your task list for this week.

The lightning round asks two questions: What you got accomplished last week and what you have on your plate for this week.

  • Come prepared before the meeting. Don’t muddle through.  It’s obvious when it happens and doesn’t reflect well.
  • Talk about the top 5 or most significant things you accomplished during this round.  Think about your audience and what you would like the team members to know. Especially if it’s project work, client-related work, or tasks of high importance.
  • Don’t waste the teams’ time by telling the teams the obvious things, like “Did my security training” or “Cleaned up my tickets”, or “Went to Team Meeting”. This is what is expected of you.
  • It’s ok to say “Tickets” and/or “BAU” (Business as Usual).  This indicates you were head down focusing on what’s in your queue and don’t have anything of significance to share.

2.    Metrics/KPI Review – 10 minutes to review last week’s SLAs and KPI performance.

The team leaders are responsible for asking team members what is important to measure. If you’ve been asked to create a slide for KPI review, consider these points:

  • What is your KPI trying to communicate? What is “good” performance?  What is our current performance?  State the “good” on your slide.
  • Avoid busy or cluttered slides. Jamming a bunch of charts and graphs on your slide does not communicate or relay the message well.
  • Don’t “Wing It”.  KPIs are designed to get everyone on the teams aligned, goal in hand, and hitting targets.  If the KPI isn’t relevant to those ends, then skip it.
  • Use KPIs to communicate problems. Got a particular problem you need to communicate but no one is taking notice? Use KPIs to measure the “bad”.

3.   Adhoc-Agenda – Group comes up with an agenda on the spot based on time remaining.  Keep topics tactically focused.  No strategic discussions during this meeting.

Adhoc is where questions, answers, or announcements that pertain to the coming week are had.  Key goals are ensuring alignment and communication between our two teams!

  • This is not the venue to vent or rail against “something”. Again, show professionalism by using time wisely, refraining from bloviation, and not being overly wordy. Straight, to the point, and informative/questioning.
  • This is not the venue to challenge or have academic debate.  Take those topics offline, if needed.
  • Keep Adhoc discussion focused on items needing to be discussed tactically this week.  Shift “strategic” items somewhere else and talk to your manager about when/where.

Always forward, team!

\\ JMM

Compliance is not Security

From: https://www.armor.com/blog/achieving-security-compliance-healthcare-world/

A few compliance and security factors to consider in your environment:

Compliance:

  • Do you know your scope?
  • Do you know your data within that scope?
  • Is compliance your baseline or objective?
  • Do you understand the compliance requirements?
  • Have you mapped to external requirements?
  • Are you following audit best practices?
  • Do you have the right security partner?

Security:

  • Do you know your adversaries?
  • Do you have the visibility you need?
  • Is your Operations appropriately configured and staffed?
  • Have you built a culture of security across your business?
  • Have you combined people + processes + technology?
  • Do you have appropriate measures in place?
  • Do you have trusted partners?

The guys at Armor are solid, btw. Enjoyed meeting them a few times in 2018 at their CTF events. And very recently at the Dallas Cyber Security conference.

\\ JMM

Begin Your Culture With a Mindset that you Cannot Force Culture…

“Begin your culture with the mindset that you cannot force a culture into existence.  Think of culture as needing a set of boundaries, but allow the culture to build itself using those brains that you have brought into the company to share and mold it into something that is a living breathing thing.  If you expect to build a culture of a PowerPoint presentation – you will be sorely mistaken that anyone will take you seriously.”
– Chris Hatley, Product Manager for AT&T at Austin CSI.

I talk a lot about the importance of culture. More importantly about how leaders influence culture. But, never enough time talking about how to put the desired culture in place. It’s not easy. Armchair quarterbacking culture produces a lot of hot air…

Here are my top 5 observations on planting effective culture roots:

5. Vision, Mission, and Values.

It all starts here. What is the vision and mission of the organization? Department? What are the organization’s values that drive our actions? Where is it in writing? Ink signatures for acceptance. The absence of articulation and promise leads to gray areas.

4. Hire Leaders Who Are All In.

Leadership needs to not just talk the talk, but be all in on vision, mission, and values. Do you have their commitment? Are they driving not just results, but growing their people? Are you watching your leaders? Are they effective?

3. Eliminate “Toxic” and “Donkeys”.

Somehow, they seep in. Whether by best intentions, accidents, or inheritance, culture is most deeply affected by toxicity and donkeys. Kill toxicity where it grows, quickly. Let go the donkeys. Replace with thoroughbreds who can connect to vision, mission, and values.

2. Live and be Accountable to the Values.

People watch their leaders carefully. The best leaders attract disciples and model the desired behavior. The worst drive people away. How do you model the culture? Are you accountable to yourself? To your team? Time to be real about culture: Are you a part of the problem? Fix it.

1. Reinforce Culture At Every Turn. Teach, Rinse, Repeat.

We joke on my current team about talking/forgetting about things said and “must say it ten times” for it to sink in. There is truth to this. To make change, you must drive it, and drive it, and drive it. Monthly, quarterly, annually. If culture is truly important to you, then make it a priority to teach it, display it, reinforce it, and award it.

\\ JMM

Understanding the Why Behind Blocking Social Media

Below is an article I republished to our internal employees via our monthly newsletter, which I felt is very applicable these days. The why is an interesting topic. The varying opinions of companies operating today on social media in the workplace are truly a mixed bag. Ultimately, it depends on culture. Internet access and social media coupled with privacy data equal a degree of risk. This article highlights the legitimate reasons, where privacy and risk collide.


Data loss (i.e. data exfiltration, data extrusion, data leakage) is the unauthorized transmission of sensitive information from inside a privileged access point. Because it can closely resemble the normal flow of data traffic, it is difficult in practice to detect and therefore right the sinking ship. Traditionally viewed in the context of the network, endpoint or email, data exfiltration can enact huge financial and reputational losses upon victimized organizations and individuals.

Social media is a formidable and porous attack surface due to its sheer size. With ever-increasing volumes of data being poured across different networks on a daily basis, detecting data exfiltration posts can be like finding a needle at the bottom of the ocean. The tides have shifted even for the largest and most talented security teams, as it’s become humanly impossible to navigate through this information to identify harmful threats. Social media poses additional risks that are not typically encountered on traditional points of access like email. From hashtags to mentions to lists, it provides a flood of different ways for users to instantly broadcast data to large global audiences. Social media also lacks any industry security precedent as a platform like email, which has weathered wave after wave of high-profile attack.

It comes as no surprise then that organizations both large and small are woefully unequipped to address data loss prevention when it comes to social media. The security industry readily admits these shortcomings too, with 43% of fraud prevention managers and IT directors recently reporting that employee access to social media websites and services is their biggest obstacle when it comes to data loss prevention.

Fig 1 outlines three different ways that data loss can occur through social media. At a high level from left to right, we identify 1) Inadvertent data loss involving sensitive information posted directly to the social network, 2) The Insider Threat involving a disgruntled employee divulging company secrets through encoded social channel data, and 3) Intentional data exfiltration by bad actors looking to hack into the corporate network and establish Command and Control (C&C) to maintain their data siphon.

Such accidental social media data loss is an all-too-common occurrence for employees who take selfies at the workplace, which may display personally identifiable information (PII) or sensitive organizational information like product roadmaps, architecture diagrams, software stacks or customer information. The cost of social media data loss can multiply when culprits unknowingly violate industry-wide compliance mandates, potentially resulting in hefty financial penalties for the organization in question. Embarrassing moments have affected one of Instagram’s most followed users and the Twitter CFO. Indeed, if one of social media’s own executives isn’t even immune to this risk, this demonstrates the realistic situation every organization faces.

** This article was republished.

\\ JMM