Your security maturity is low? Are you using your people the best way you can?

One famous saying attributed to Steve Jobs is: « It doesn’t make sense to hire smart people and tell them what to do; we hire smart people so they can tell us what to do. »

It makes sense, and security is no exception. How often do I see companies struggling to improve their level of security by hiring external consultants while they have very talented and smart people capable of solving most of the issues… if you let them do it.

It might seem exaggerated, but it is not so far from reality. Your people may not have all the answers, but they likely have solutions to a vast majority of your issues.

During a lot of audits (or due diligence or gap assessments), I interviewed managers and employees in order to get an idea of what works and what doesn’t in a company. Obviously, we check the incidents, the KPIs, the financial losses and all the possible indicators, but it’s the discussion with the people performing the jobs that gives you the best insights. Rapidly, we can get a sense of where there is a bottleneck, a gap or an issue to fix. That’s normal; it is what we expect from external consultants. But what is often more surprising is that the same people are aware of the issues and, most of the time, have a lot of ideas to fix them. It makes sense, as they are sometimes the people suffering the most from these issues.

So, why are the issues still present? There are a lot of possibilities. One of the most common is the belief that the boss is always right (you know, rule #1). Hence, he likely knows how to fix the problem, so there is no reason to bother him with our stupid solutions. It creates blind spots. That’s probably why the space shuttle Columbia ended up in ashes (see http://www.space.com/19476-space-shuttle-columbia-disaster-oversight.html).

Another possible reason is the difficulty for people at the low level of the pyramid to talk the highest level’s lingo. Senior executives rarely want to get their hands dirty or to get involved in technical details or business process considerations. A few years ago, I saw a CIO meeting all the people in his IT department (hundreds of people). Each meeting with a team gave him multiple hints on what was blocking or impacting the efficiency of his teams. And when you do, it’s easier to get the big picture and take the right decisions.

Another issue is the belief that top management expects only green lights and positive outcomes. « Failure is not an option » is a culture typically leading to failure. Also, sometimes, teams have opposing objectives; hence, they don’t work together to solve common issues but rather fight each other or continuously pass the hot potato. Not a good way to solve issues either.

Good and efficient security management, like any other corporate governance, requires an appropriate culture, fostering trust, empowerment, responsibility and so on. But these are more than words; they must be applied to be effective. Bringing in external consultants to fix internal issues is not always the best solution to improve your culture: it just sends the message that you don’t trust your team to have the skills to do it.

You might want to try to express your expectations and discuss with everybody (or designate someone to do it) to figure out the best way to improve the situation. And if they need resources (which is likely the case), then maybe hire (external) people to reduce their current workload so they can start working on the changes.

Last tip: check your workforce’s skills… there are sometimes people in your company who are doing work for which they are over-qualified and who could do jobs that would provide you with much more added value. Don’t look too far for your glasses; they might be on your nose.

Think about it.

Why is usability important for security management?

Why is usability important for security management? Is it even important? Obviously for a lot of people, it is not. And that’s a problem. But what is usability anyway?

Usability?

According to Wikipedia, and I find the definition pretty accurate, usability is “the ease of use and learnability of a human-made object such as a tool or device. In software engineering, usability is the degree to which software can be used by specified consumers to achieve quantified objectives with effectiveness, efficiency, and satisfaction in a quantified context of use”.

In other words, usability is the process of designing things so they can be easily used and mastered by their end users. Usability is not just about design; it is a science. It is about making our environment optimized for our brains and our bodies. As an example, usability is when you put handles on a box so it is easier to lift. Google, the most visited website in the world, is an example in terms of usability: straight to the point, one field and you get what you need in one click. It even completes the words for you as you type. There’s a reason they are number one and it’s called user experience (UX).

Nowadays, usability, neuroergonomics and even neuromarketing are at the heart of successful designs. Whatever you are selling, you had better make it easy to use and even sexy. The traditional KISS (Keep it simple and stupid) design requirement has gained an additional “S” for sexy (KISSS, Keep it simple, stupid and sexy). The article I wrote about the ineffectiveness of SPAM awareness sessions was also an advocacy for the use of cognitive science insights in order to design more effective awareness material.

Why do I care?

If you are a product manager for a startup, you are probably already aware of all the usability requirements for your products. That’s where startups win the war against the old dinosaurs: “better engineered products with better usability and even sexiness”. We all learned from the master’s success: Apple. Steve Jobs knew the rule to make something usable: fewer buttons. Sleek design is all about simplicity.

But if you are working in security management, or as a security project manager, or even as a security architect, it seems more likely that you won’t care about usability. You might think that your job is to make your company secure, not sexy. And you’re right about that. Except that, when it comes to humans, you’re probably failing (in large part). You may think: « These stupid end-users still don’t get it. » Of course, they still manage to use weak passwords. If you force strong passwords, they write them down or they use the same one everywhere. They still don’t know the security policies. They watch the very nice slides you showed them during the mandatory security training at their induction, but the next day they are already sharing their passwords with their colleagues. Don’t speak about their inability to spot a phishing attempt! Let’s not speak about your system administrators. These fools who believe they are the kings of the realm and have left so many vulnerabilities open in their systems that the latest vulnerability report you received was so long you couldn’t finish it in one day. Hopefully, you will make a strong point during the next security steering committee to ensure these operations guys’ boss understands he must bring them back to the righteous path.

Ring a bell? Not even a little bit? I think so.

If we believe an old saying, wisdom is being able to differentiate between what you can change and what you can’t. The goal here is to focus your energy and your efforts where it matters. So, think again about your problems. What did you do? You ran awareness sessions? You wrote very thorough policies and standards? You made sure they were obliged to read them, to sign with their blood that they had read your literature and that they will abide by your rules?

Did it work? How well? Be honest, some miscreants continue to refuse to follow the rules of the holy god of security. They are probably psychopaths! Or could they be just humans? What if you could increase the probability that they will read your policies? Even better, what if you could improve the odds of having them change their behaviours and embrace your security culture? You don’t believe in Santa Claus? Me neither, but I do believe in science!

Neuroergonomics & neuromarketing of security!

Neuroergonomics and neuromarketing are the catchwords used to refer to the use of social psychology and neuro-cognitive sciences to improve your desire to use a product and to improve your ability to handle concepts, to remember things or to become addicted to some applications (think about Facebook or Twitter). If people can influence what you eat, what you drink, what you wear, what you watch or what you read, why couldn’t we use this knowledge to change your people’s attitude towards security?

Is it worth it? Well, are you already paying people to communicate, to make videos, to draw cartoons, but you still have too many incidents and non-compliance? Yes? So maybe you should start investing in better designed solutions and put usability as a requirement for all the projects and for all the tools or “products” security wants to sell.

Concretely?

POLICIES

  • If you have an Intranet, your security policies must be one click away from the first page.
  • You must have a clear organization, a hierarchy and a search engine allowing anybody to quickly find the policy or the procedure he needs.
  • Policies should go straight to the point, from the reader’s point of view, from the very first pages.
  • Forget lawyer or technical talk; use common vocabulary.
  • Do’s and Don’ts are likely more efficient than long descriptions.
  • Use words and situations your audience is familiar with.
  • Ensure your rules are translated into actions in their processes and procedures.
  • Ensure these procedures are pragmatic and easy to read.
  • Use pictures, screenshots, beautifully designed templates. Make it look more like a fashion magazine than an old book.
  • Use positive words. Any command that can be better performed by a dead man is a bad command (example: « Don’t use short passwords »… a dead man can do that very well. Rather prefer « use long secure passwords »).
  • Group similar things together.
  • Be consistent. Even better, be congruent (use multiple associations together), like Red + Triangle to signal Don’ts and Green + Checkbox to signal Do’s. Keep the colors consistent (Red negative, Green positive).
  • Consistently use the same word to designate one thing. Even if synonyms can make reading less annoying, always using the same word to designate one object or concept makes it easier to understand (even more so for new concepts).
  • Prefer lists.
  • Keep it as short as possible (more than 10 pages is clearly too much).
  • Use symbols, signals, icons, pictures.
  • Keep the rule of 3 in mind: if you want to explain a concept, break it down into 3 parts/steps/components, then explain the 3 sub-concepts (using 3 other steps/concepts/parts) and so on until people can understand it. You can go up to 5 « objects » but not higher.

PROCESSES

  • Embed security processes into existing processes.
  • If a process works, don’t fix it.
  • If you can streamline it, do it, even if it is not your first job. Making people’s lives easier will facilitate the acceptance of the controls and it might even improve people’s attitude towards security.
  • Create links between all processes so they can benefit from each other, e.g. ensure vulnerability scans feed the CMDB to ensure consistency. (It is supposed to be like that in a perfect world, but that’s just theory.)
  • Forget long swim lane drawings or decision trees spanning 3 pages; keep it short by splitting the process.

AWARENESS

  • Changing behavior is something we do out of emotion, not based on rational thinking. Even if rational thoughts can lead to a change, we initiate this change only if we connect these thoughts with some emotion.
  • Use real, concrete situations (something that happened or could happen).
  • They must be relevant for your audience (use scenarios involving your audience, allowing them to identify themselves with the character).
  • Use as much as possible what they already know well (places, situations, products, applications, organization, but also more personal things: kids, sports, cooking, walking in the street, …).
  • Show them the concrete consequences on people when they don’t comply with the rules or the secure behavior (it’s easier to have feelings toward people than organizations).
  • Foster self-identification with your character by using little positive details to which your audience can relate (« Sam likes to take a coffee with his colleagues, Alice likes
  • Songs, rhymes, jokes, kittens, anything that stands out will help people memorize. So use it when it is important (if you use the same trick too often, its efficiency tends to fade).
  • Associate non-« sexy » items (like security rules) with more attractive ones (a nice place, a smile, a cute cat picture, a beautiful woman – yes, it works for both men and women –, a good song).
  • Repeat, repeat & repeat the message, but change the format so it doesn’t get boring and so you can use various ways to reach people.
  • We are all different; what works for you doesn’t necessarily work for everybody.

PS: Yes, I could make this list more « sexy » and it will likely come, but it will be in the (near) future 🙂

And your security policies: do you prefer them brief or comprehensive? Thoughts on the two options!

As soon as we talk about good corporate governance, we very quickly hear the words « policies », « rules » and « procedures ». When you run a company or a team, most « management » gurus will tell you that you must give precise orders or define SMART objectives (Simple, Measurable, Attainable, Realistic and Time-defined).

On this basis, many large companies produce dozens (not to say hundreds) of pages of assorted regulations that employees are supposed to know and that only the people who wrote them and the lawyer who reviewed them manage to understand (and even then, I sometimes have my doubts…). What company doesn’t have its « Code of conduct », its « Internal work rules », its « code of ethics », its « purchasing procedure », its « Internet acceptable use code », its « risk management policy » or even its « dress code »? And those are only the great classics; many companies have far more rules than that, sometimes split by target audience (end users, IT department, external suppliers, purchasing department, human resources, etc.) and sometimes all mixed together in a monumental, unreadable document that you don’t even dare open, so much does it remind you of that 500-page best-seller you never finished because it is so massive. In short, you have internal regulations (internal policies), but do you know how many people have read and understood them?

The military, who are often thought, and probably not wrongly, to be well organized and more rigorous in their approach to security than most private-sector players, have understood this problem well. A well-known adage among generals is that « no military plan, however well made, survives first contact with the enemy », or as another adage puts it: « In theory, practice and theory are the same thing; in practice, it’s different ». Consequently, however many possible and imaginable scenarios you plan for, it won’t take long before someone runs into a situation that was not foreseen. And in any case, they won’t have read your 2500 pages of rules.

Should we write even more policies?

With even more detail? Even though lawyers love to tell you that « everything that is not forbidden is permitted » or that « it is better to be too precise than not precise enough », the fact remains that this is often perceived as infantilizing. Do you work with chimpanzees to whom everything must be explained in detail, or with responsible adults? Do you think they are too stupid to make the right decisions, or that with a minimum of explanation and context they will make the appropriate choices? The answers to these two questions may well be what should determine your approach. Remember, however, that nobody likes to be taken for a fool, infantilized and stripped of all freedom of action and initiative. It’s bad for troop morale and for creativity. And as for the second question, if you have hired fools, perhaps you should review your hiring policy… or adapt your communication.

How can we make sure that our people will be able to make the right decisions?

Our dear military have of course found the solution to this problem: the CI! The CI is the « Commander’s Intent », a concise and clear definition of the purpose of the operation and of the desired end state. The CI may also contain the commander’s idea of the adversary’s CI as well as the level of risk (of loss) that is acceptable. Thanks to the CI, everyone mobilized in an operation must be able to act in concert, bringing their skills to bear, toward a common goal. And if by chance the conditions for carrying out the magnificent plan you have concocted no longer apply, the people in the field must be able to easily adapt their plans in order to achieve their part of the set objective.

How do we translate this principle into civilian life?

Some companies have already grasped this principle well, and the CI has often become the company’s « motto ». Imagine that you work for a car manufacturer; I suppose you can easily picture the behaviours you would adopt and the decisions you would make if your CEO’s CI is, for example, to « be the manufacturer of the best car in the world » or to « have the best customer satisfaction rate ». These two objectives, which could be seen as a similar drive for excellence, will nevertheless lead to different choices when it comes to decisions about investment in after-sales service, sales and R&D. Nevertheless, everyone in the company will easily be able to answer this question: « will my decision allow my company to move toward or reach its objective? ».

Of course, this implies that everyone knows their job and the consequences of their choices. In a way, one may wonder whether choosing brief or comprehensive internal policies is not a strategic decision closely tied to the values of the company and its management team. Micro-management or macro-management? Total, meticulous control or working on trust? Control and repression or education and encouragement? Chimpanzees or little geniuses? The stick or the carrot? Book or film? (OK, there I’m pushing the parallel a bit far.)

In summary…

Your internal policies, and even more so your security policies, must be aligned with your company’s values. Personally, I prefer educating to reprimanding. Brief policies that explain what is expected and why, and that give context and concrete examples, seem to me more effective than a long list of paragraphs resembling the penal code. And you, which do you prefer?

Even if you are good at what you do, you may get a job…or not!

Another post that might raise comments from « colleagues » saying « you shouldn’t talk about it », although there is nothing new in this post. It is more a philosophical approach, in the sense that we try to deconstruct the way we work. Our goal is not to explain that the market is saturated and that it is difficult to find a job even if you are skilled as, fortunately, that doesn’t seem to be the case, at least from our point of view. The goal of this post is to highlight the facts that make it difficult for most companies to discriminate (and then hire) really skilled people.

In 1970, George Akerlof, who would later, in 2001, receive a Nobel Prize in economics for his work, wrote one of the most quoted economic articles: « The Market for ‘Lemons’: Quality Uncertainty and the Market Mechanism ». This article explains the effect of asymmetry of information on the behaviour of the used car market. In short, as most buyers are not able to tell the difference between a good quality used car and a bad one (called a Lemon), the model supposes they are ready to pay 3/4 of the price of the best quality car for all cars (as they cannot tell the difference) instead of 3/2 of the price of the car according to its quality (see the Wikipedia article on « Market for Lemons » for more details on the economic model).

In June 2013, in a New York Times interview, Laszlo Bock, senior vice president of people operations at Google, revealed that their internal statistical research (you may imagine how good Google people are at statistics) showed that it was very difficult to find a good predictor of an employee’s performance during interviews. According to Bock: « It’s a complete random mess, except for one guy who was highly predictive because he only interviewed people for a very specialized area, where he happened to be the world’s leading expert ». The only person who was good at hiring specialists was the leading expert in the field.

You may already see where we are going. We work with large organizations employing numerous specialists in IT, risk management, security, business law, recruitment, marketing, finance, tax, logistics and so on… While talking to a specialist, you might get to the point where he (or she) will state something you cannot (easily) verify (like: « What you ask is impossible » or « This is the best and only viable solution »). Rings a bell? As he’s your specialist and you have to trust him (otherwise, how can you work with him?), you accept the statement as the truth… until you discover, from another specialist’s mouth or by your own experience, that it isn’t true. You’ve been there before, for sure!

Maybe, at some point, if this experience keeps repeating, you might wonder how reliable your specialists are. If you have other specialists in the same field working for you, you might ask them what they think of their colleague (and maybe start doubting how reliable they are if you don’t receive the correct answers – welcome paranoia). If you don’t have a lot of experts at hand (which is most likely the case as, by definition, experts or specialists are rare and expensive), how can you tell? You might ask an external party to help you but, most of the time, you will not be better equipped to determine how skilled this third party is and, even more, there is a potential conflict of interest, as any other independent specialist might be interested in a mission to replace the presumably unskilled specialist you have and fix the issues.

In their excellent and famous book, Rework, Fried and Heinemeier Hansson highlighted the numerous advantages of hiring someone only when you have performed his job first. At least, you will become a kind of expert yourself and you will have some clue about the potential candidates for the job. At least, you will be more likely to discover if they try to bullshit you.

Is there no other way to assess how good our specialists are? Yes, of course! Asking people what they did in the past (and how) and checking their background with previous employers will probably give you more relevant insight. But it is rarely the path followed.

Often, we, people, call on other people who are renowned experts or who at least look like experts. Unfortunately, we are often victims of numerous cognitive biases. One of the first should be the Halo effect. To make it short, our judgement of one characteristic of a person will be influenced by a global first impression that we might have deduced from a tiny little detail. As an example, if you are not well shaved, I might have the impression that you are a messy person. The halo effect is well known, at least intuitively, by most people. If you go to a job interview, you will likely wear your best suit and ensure it is neat, just to make a good first impression. As multiple experiments like the ones from Young, Beier and Beier (1979) [1] or Bull & Rumsey (1988) [2] showed, we all know how important it is to make a good first impression to get a job.

The halo effect is often based on extrapolation from small details. Nowadays, we could perceive a consultant as more skilled because he has an expensive car (Porsches make a good impression not only on women), a lot of recommendations on LinkedIn (or even just connections), a nice suit, because he’s tall and fit or even just because he has a louder voice and displays more facial expressions of aggressiveness (which is often seen as a sign of authority). Maybe the simple fact that you read this blog could give you a false impression of our notoriety and skills.

All these facts may sound confusing but here comes the link. Let’s take Akerlof’s model and apply it to the expert world; let’s even narrow this to the area of expert (or senior) consultants for the purpose of the exercise. We can easily presume that there is an effective information asymmetry between the buyer (the organization) and the seller (the consultant), as the latter knows much better what he’s capable of than the organization wishing to hire him. Most of the time, organizations are not able to tell the difference between a good and a bad expert consultant. Consequently, organizations are ready, according to Akerlof’s theory, to pay a certain price for a consultant, whatever his quality is. Let’s call this price the market rate. If a skilled consultant (let’s give him a score of 9/10 for his quality) believes his services are worth more than the market rate (matching a consultant with a 7,5/10 quality level) because he provides better quality services (better, faster), he might want to raise his rate. Unfortunately for him, as his potential clients (luckily, it will not be the case for all) cannot assess his quality, they might just find him too expensive and discard his candidacy. Instead, they might select a less skilled consultant (quality=5/10) with a high opinion of himself who will see and sell himself as an 8/10.

The rate we pay for a consultant might create a halo effect and generate the perception (and our tendency to confirm our beliefs) that the consultant is more skilled, of better quality, than he is in reality. Unfortunately, the rate of a consultant is not the direct result of his experience and abilities but more of non-relevant factors (for the hiring organization at least) like the market’s perception, his ability to sell himself and to bargain, his ego, his reputation, his financial needs and his intermediaries (as you know, more intermediaries mean a higher rate, as each middle-man will add his margin, often between 10 and 30%, on top of the others). Also, reputation is sometimes equated with quality by hiring organizations. « Famous » or more visible consultants may ask for higher rates as they are perceived as more qualified (although their reputation is often not based on their intrinsic qualities but more on their visibility and the halo effect).

Some consultants have understood this principle so well that they have managed to build their own reputation not on the quality of their work but more on their presence and their visibility, thanks to their involvement in organizations, meetings or magazines. They also benefit from the halo effect generated by their more skilled peers in the organisation. Consequently, organizations are often victims of personal marketing.

So, what to do? Use your common sense! Ask specific questions and expect practical answers. As Bock mentioned in his NY Times interview, ask your candidates what they did during their previous assignments, practically. What were the challenges (so you will at least know what they consider a challenge)? How did they react? Ask them to explain why they did things and why they believe you should do things the same way or another way. When you know your job, you should be able to explain it to a layman. At least, we should expect that from a skilled specialist. If you don’t understand what he tells you, ask again! Don’t assume you are not skilled enough to understand. Too often, bad consultants impersonate experts by using complex and/or meaningless babbling. As you will likely pay the price for a consultant of 7,5 or 8/10 quality, you should expect at least to understand what he does, or it is likely that you will get screwed.

If we were not good at what we do, we could get a job because we understand these principles. And, unfortunately, even if we are good at what we do, we might not get a job if we don’t want to play the game, out of respect for our customer, or just because we have better things to do than drinking cocktails and playing golf (just for the stereotype) to lobby and build our reputation in another way than just the word of mouth of our customers. But, fortunately, you already knew it, like most of our customers and readers.

You shouldn’t share this with your « coopetitors », as it might help you if they continue to hire the bad consultant for the price of the good one. This way, the really good one will still work for you.

[1] Young, D. M., Beier, E. G. and Beier, S. (1979), Beyond Words: Influence of Nonverbal Behavior of Female Job Applicants in the Employment Interview. The Personnel and Guidance Journal, 57: 346–350. doi: 10.1002/j.2164-4918.1979.tb05408.x

[2] Bull, R. & Rumsey, N. (1988), « The Effects of Facial Appearance in Persuasion, Politics, Employment, and Advertising », in « The Social Psychology of Facial Appearance », Springer Series in Social Psychology, pp. 41-79. http://link.springer.com/chapter/10.1007/978-1-4612-3782-2_3

Is happiness at work a security concern?

A recent Gallup report estimates the cost of absenteeism due to depression at 28 billion US dollars. It is not the first report nor the first time a link is made between depression (and consequently happiness) and absenteeism at work (and its direct and indirect costs). If we extrapolate these numbers for an average company of 1000 employees, we will have, on average, 60 employees (we use the more conservative numbers and consider only people actually diagnosed and in treatment) suffering from depression, each having an average of 4,3 additional days of absenteeism (the more conservative number) with a cost of 250€ per day (conservative currency conversion). If we do the math: 60 x 4,3 x 250€ = 64.400,-€ per year just for absenteeism (likely to be twice the cost and to have an additional cost for loss of productivity, as was estimated by other studies).

In terms of risk management, for most large corporations of 1000 employees (or more), 65.000€ is not a number big enough to be a major concern for risk managers (even if you triple the figure, which could be a more realistic estimate of the cost for large European companies, even more so in Belgium where salary costs are extremely high). However, the financial, operational and human benefits of having happier employees cannot be ignored, as « happy » companies seem to have higher productivity, client satisfaction and revenue than other « less happy » organizations.

Nevertheless, we do believe it is the wrong question to ask. In order to succeed, engaging an organization in a « happiness at work » journey should be a human decision based on true beliefs, on the inner values of senior management. Doing things right should be the main purpose. Return on investment will « only » be the cherry on the cake.

No training is (often) bad training

When we talk about training, it is common to hear that it should be given for a purpose, the purpose being « doing a better job ». Typically, when someone needs a specific skill she/he doesn’t have yet, it is often only when we can demonstrate a return on investment that he/she will be sent to training.

This is quite black or white. To be or not to be skilled! In real life, people may have partial skills, or a minimal level of proficiency in a skill. Sometimes they believe they have the skill and, as you might know, the only thing worse than not having a quality is believing you have it (so you are certain you will never get it).

Nowadays, creating documents is not the sole task of secretaries. They don’t exist as such anymore; they are Personal Assistants. Why? Because most people, including managers, create and type their documents by themselves. Reports, emails, presentations, spreadsheets: who isn’t working with those beautiful office tools? What percentage of users are sufficiently skilled to use these tools efficiently? In 2012, I still saw manually generated tables of contents in large documents, titles underlined using underscores, mistakes in spreadsheets due to lack of knowledge of the tools, and overloaded presentations missing their primary objective: convincing people. OK, they are just losing time and efficiency. As time and efficiency are money, companies are just losing money due to the lack of training. Is it so bad? No, if you can train them now and stop losing money.

Though, as Jack Zenger underlined in his article « We wait too long to train our leaders », no training is bad training, even more so for soft skills. Why? Even if you are not trained, you do practice, and practicing bad behaviors fosters bad habits. With spreadsheets and word processors, it can be corrected easily. But when it comes to soft skills, to human interactions, correcting bad habits is another challenge. Moreover, if a manager is a lousy communicator, improving his listening and communication skills will not be the only challenge. Getting his staff to give him the chance to use his new skills, and to trust him, might take some time. In the meantime, as you must know, your employees are leaving their bad managers, even if you, as a company, are offering attractive salaries or bonuses.

Most managers I know have difficulty managing people. Budgets, programs, projects, objectives, boards seem to be somehow difficult but still manageable. People? No thank you. Conflicts, competition, motivation, expectations, turnover, headhunters recruiting your best elements, stress, emotions management… it is not an easy task to manage humans. In fact, you don’t manage them, you can just love them (or hate them, but it seems less efficient). Nevertheless, as a recent article in Le Monde pointed out, more and more managers don’t want to be managers anymore. Companies are then losing good employees and managers.

Of course, universities and management schools don’t prepare people well for this task. Even with a degree in psychology, you won’t be ready to be a manager. Of course, there are natural-born managers. Some of them even became great leaders and created their own companies. But what will the other 98 percent do?

Yes, we can train them. In fact, you MUST train them. Not tomorrow, when they will come to you nearly burned out. No, today! Now!

But how? What do they need? After more than a couple of decades spent working for companies and organizations of all sizes, I still have the feeling that, before being bad communicators, a lot of managers are bad listeners. Too often, we also find narcissistic managers lacking empathy, which is certainly a good quality to find amongst leaders. Beyond stress management, emotion management is also a good skill to develop (see the Daniel Goleman video below for more insight into emotional intelligence and leadership). Being mindful certainly helps too. A manager able to stop, take time, take some distance, will likely be more available for his collaborators, more creative, and more able to listen. Honesty and integrity are also something you expect from managers, as you certainly already do. Nevertheless, this honesty must encompass his relationship with all the employees. He should not be put by the organization in a position where he cannot be honest with them (I already wrote on corporate values, I will certainly come back to this soon).

So, to summarize, my top 5 soft skills a manager should have:

  • Listening
  • Empathy
  • Mindfulness
  • Emotional intelligence
  • Honesty

As these 5 skills are tightly bound together, you might look for a holistic approach. Of course, the higher in the hierarchy you start, the better.

 

Additional reading (external):

The Value of a Good Manager? People Leave Managers Not Companies!

Forbes.com: Why are your employees leaving?

Daniel Goleman « Social Intelligence and Leadership » from Harvard Business Publishing, on YouTube

What motivates us?

Here is a link to an animated video of Dan Pink, author of the famous book on motivation, « Drive ». If there is just one thing to remember from this talk, it is that you should not consider your employees as horses that need to be motivated but just let them do their job. If you think they don’t do it right, teach them, train them, give them the freedom to improve themselves, to master their work. It will cost you less money in the end, be more efficient and provide more satisfaction to your employees. In return, they will be more engaged, more likely to stay within your company and more productive.

Think in terms of implicit communication: If you have to pay them more to do their job, the implicit reason is that their job is so boring that it requires higher reward. If you don’t pay much, it must be fun. Even if the job is not boring in itself, you imply somehow that it is.

So, don’t try to control their work, just let them improve themselves because they want to. Foster their desire to master, nurture it. Provide the right environment. Be a cultivator. You don’t demand that your plants grow faster or better, you just provide the right food, water and a good spot with light. You control the conditions that allow your plants to grow. Why do we try to do otherwise with people? They are not plants? Of course, but they just want to grow.

Great (Human) Leadership

What can help us be great (human) leaders?

To answer this question, we should start with our personal values. Gandhi, in his great wisdom, said: « Happiness is when what you think, what you say, and what you do are in harmony ». Before asking you to take the human aspect into account, ask yourself if you care about humans (not as a resource but as human beings). If you don’t, it is maybe time to think about moving to another blog; you likely won’t be interested in what follows. If you do really care, ask yourself if you feel in harmony with this value and your other values. If you feel something is wrong, you might have a need for real change. What matters to you? In a perfect world as you see it, as you dream it sometimes, what would be different?

If you can picture what should be different, you can start changing yourself. Be the change you want to see in your company (to paraphrase Gandhi, him again). Changing a company culture starts at the top. Lead by example. You want to have a « human » company… be human! You don’t know how? It is fine, you are human. You can make mistakes. Just communicate, learn to be vulnerable. It will just make you a better person, a better leader. Making mistakes is not the problem. Not learning from them is.

You need to avoid two common pitfalls here. First, unlike a lot of companies claiming their 3, 5 or 10 corporate values, you should adapt your management style to reflect these values. If you talk about entrepreneurship, let people take decisions. When you talk about creativity, accept that employees (including yourself) will make mistakes. Do what you say you do, not the opposite. If you are scared of making mistakes, you can’t be creative. It is paradoxical communication. If you want to have a psychotic kid, try this kind of communication: tell her/him you love her/him and slap her/him in the face.

The second pitfall is the definition of your job as a leader. Are you an expert, a decision maker, a key element in a complex machinery? A lot of managers believe or feel that they must be strong, always right, providing directions, controlling everything. If you do so, it does not leave you much room for maneuver. How many leaders are stuck in meetings all day, taking decisions based on very limited knowledge and without a real understanding of what their subordinates, subject matter experts or not, think of the subject? You must be able to trust your team, you must be available in order to hear their ideas, their fears, their issues, their needs. You must understand what they do. In order to do this well, you cannot be in a complementary higher position. You need to be able to be high, low and symmetric. When you don’t know, you are low, accept it. When you take the decision, you are high (referring to Watzlawick).

The job of a leader is to define a strategy and directions, and to take the necessary decisions to make them happen. In order to do this, you must listen, be empathic, take all inputs into account, accept being challenged, and take sound decisions that you can explain to your kids. Leaders should trust their people, act as humans, take emotions into account, be available, take decisions, good or bad, and stay consistent with their values and their directions. Be a leader, be human.

The right to be wrong

A large number of companies have a culture of perfection or, at least, « right from the start » in their values. As a consequence, failing is not welcome. Who likes to fail? Nobody!

Even if you don’t like it, failure occurs. And the worst thing about failure is to fail to learn from it and to repeat our failures. Unfortunately, with a « right from the start » culture, employees tend to be scared to fail and try to hide their failures as much as possible. If there is no failure, there is no lesson to learn from it, or not the right one if the truth about the root cause is kept secret. Moreover, such a culture prevents creativity from occurring in our offices. To do it right we do it like the others, we follow the normal path, the one without risk. Nowadays, can companies afford to be on the same path as their competitors? Don’t we need fresh ideas, innovation, improvements? But if your employees are scared of proposing a (maybe) good and innovative idea, how will you achieve innovation? If you cannot fail, how will you succeed?

Another consequence is the tendency to postpone decisions. In order to minimize risks, managers sometimes tend to postpone decisions or to transfer the risk, meaning the decision process, to upper management. What is worse? Taking a maybe wrong decision or not deciding? Going forward or staying still? No decision is a bad decision (100% chance). Deciding is likely less risky, but fear of being wrong (or not being right) slows down the process or burdens upper management with additional (sometimes minor) decisions to take.

Experience shows that accepting failure will likely increase the number of failures during the first year. Not because people will do more but rather because they will report more failures. With time, failures will diminish as people will learn and creativity and success will rise.

Are you ready to take the risk to allow people to be wrong?