This post is as much as a reminder to myself of where I should focus on the multiple jobs I have and also share with the community are large what I consider important and key in this trying times.
Last year a dinner I had a very nice conversation with my friend Ed Skoudis on security consultancies and how many operated. This conversation covered many aspects from markets, politics, engagement best practices, retention of employees, and knowledge collection. Later at the end of the year, I had a good brainstorming session with Andrew Thompson via DMs on how recessions and the cyclical up and down of markets may change security consultancies where those that can adapt the faster, have worked to provide the greatest diverse value and have planned ahead for the changes will be the ones to dominate when the market is down. The initial seed for these conversations came from multiple videos from Gary Vee. I think with what is currently happening with COVID19 pandemic I would like to share my options on this.
Half of my career in infosec has been as a lead or a manager leading groups from 2 all the way to 24 in multiple projects. I had the luck to be in organizations that during some time periods I had some of the best upper managers, in my opinion, I could ever wish for. Under them, I saw companies grow exponentially and produce some of the best resources I have ever worked with. I now from time to time advise startups as part of my work for an incubator and I would like to share some of the advice I give based on the experience I have so far.
Let’s be clear no matter the job, no matter the company there has to be something that defines where you are aiming and serves as the foundation of your decisions. Having a clear overall objective for the company and objectives for each group that supports the main objective. This should be clear and concise. As you try new things diversify the mission has to be updated, refined, and communicated.
Teams get de-moralized, rumor mill gets spun up and mixed interpretations of tasks and projects start to happen when a clear goal is not provided.
I don’t know how many have not read the Phoneix Project novel, but if you are one of those I highly recommend you do. In the novel Brent is the subject matter expert for most of the IT operation, every project had him working in it and he kept the knowledge in his head. When he was not available or present to help out in moments of crisis stuff broke down. This was because of leadership, they allowed this to happen. Here is where we come to once of the main sources of pain in human nature, instant vs delayed gratification, signs of this can be seen in most businesses, examples of this “Consultants can not document, train ..etc, they need to be billable”, “Time, not coding is time wasted”, “sales cant do that, they need to keep selling” ..etc their way too many examples where the dissemination of gained knowledge thru experience is lost. A great blog post on this is http://allengeer.com/how-to-handle-brent-in-the-phoenix-project/
Signs of this are when you do not see as part of the metrics in an organization the creation of “Development Plans” and the use of “Administrative Time” for resources. If you hear from management the argument that if you train people they will leave, this is not an organization you should consider for growing professionally. A manager should look at the goals of the team and those of the organization and with the employee if needed develop a plan for them to gain the required knowledge in a proper manner to achieve the goals to succeed in the mission. OJT (on the Job Training) is not a good resource. Also providing planned and structured administrative time for the collection of knowledge is key, this is writing the information in an internal shared repository, developing internal training, doing internal webcasts, or planned mentoring is key for success.
If an organization is not setting the time as part of their structure to do this they will have scaling problems as the organization grows and the volume of work increases because people will become bottlenecks in the operation. Also, flexibility will be hampered, this is a clear sign of an organization that is way to focus on the immediate gratification of the quarter per quarter win and can not also set the ground for the delayed benefit to be ready to adapt and grow at a later date. Been in organizations where everything was Q by Q and the Year over Year goals and plans, then I was on others where the plans where across yearly quarters and some times multi-year general goals and still using quarterly and yearly results as a metric to see if they are on the right path to their overall goal or if they need to go down another path or adjust for market variables.
In my last job every trimester leads and managers got soft skill training, project management, and people management 1 day, lunch hours for a week or even multi-day workshops, I saw the results of this, and they were very positive. Popper management is learned it is not an instinct, being good at a craft does not mean the person will make a good manager, there are a lot more that goes into it. This is why I believe managers should be opened to be evaluated by the resources they manage and be mature enough to truly have an open door policy. One manager taught me a long time ago “You listen and respect the opinion of the guy in the ground, it is not law or always correct but it is the best source for situational awareness”.
Knowledge acquisition and spread are key to success in the long run.
This may sound cliche but we should plan to win. I see many organizations that jump into projects without proper planning and testing, be it a procedure or a piece of code to even presenting to a customer. I follow very simple rules when it comes to planning and executing, they are:
Everyone should now the main goal of project, engagement, strategy ..etc.
Everyone in the team has a voice in the planning process, they are the guy on the ground and they have the experience.
A plan is as detailed as easier the task is, the more complex the situation the looser the plan phases are so as to be able to adapt fast.
No plan is written in stone, a plan can be scrapped and a new one made if the situation dictates it.
A hotwash is done after any big engagement.
A key part of planning an endeavor is to have an owner and that dates be set and followed on. Many times we may see people reluctant to set an owner so as to keep all happy, this, in turn, creates a lot of debates on how to get each of the individual tasks of the project done, it also means more time is lost. This is what many colloquially refer to as “Too many cooks in the kitchen”.
It is important that one meeting to have an agenda set beforehand and that notes be kept centrally, also a task list of action items should be kept. The list of action items sets the tone for the next meeting since it gives an initial set of discussion points to build the next agenda and motivates members to get those done. The importance of notes is that in a high tempo environment or one where members come in and out it serves as a journal of actions that can be later referenced.
One Item I found prepared well some of the teams I managed or where a part of, was the use of a Hotwash or ENDEX (End of Exercise) session. Normally these are done after long engagements or projects, the purpose is to collect the lessons learned in the exercises, find what was done wrong and what can be improved. This is where good team dynamic and relation is important because for this to truly be effective people must leave their ego at the door and be open to showing where they failed and take maturely the criticism of others. Now, this exercise can not be done for every engagement, especially in consultancies running large numbers per week, this is why weekly or by weekly team meetings are important, as areas of improvement are identified “administrative time” should be scheduled to have the person document and if possible do a “Lunch and Learn” presentation to help expand the overall team knowledge.
In the dynamic times, we are in where attention spans are so short it is important to constantly be putting out content, this ensures that your organization is present in the minds of potential customers and to also build the company brand.
It is important that there are a strategy and clear objective for the content plan, it must ensure that all services and/or products are covered in it. Let us take for example a consultancy, each of the consulting verticals (IR, Pentest, Research ..) should be part of a schedule to deliver not only blog posts, white papers, podcasts, webinars, and videos. This means that each group, be it consulting or product groups have as part of their task the generation or assistance in the generation of this content, this should not be left to chance since it may be dominated by one single vertical or group causing that the image/branding of the company is skewed to that one area. Since the attention span of most is small now a day short-form video content or text like Twits should be pushed out daily, longer-form webinars, podcasts, and longer videos should come out weekly. Content can support each other across verticals or groups or could be unique to the groups. Having a schedule where equal opportunity is given to ensure the company image is in line with the goals. This can be changed if revenue from a group or groups needs to be grown. Content needs to be in line with the company mission and engagement with the people that consume and react to the content is critical.
This are only my opinions, a small subset of thoughts I keep reminding myself and sometimes advice to others. Hope you find something useful in them.
Click to Open Code Editor