Your security maturity is low? Are you using your people the best way you can?

One famous saying attributed to Steve Jobs is: « it doesn’t make sense to hire smart people and tell them what to do; we hire smart people so they can tell us what to do. »

It makes sense, and security is no exception. How often do I see companies struggling to improve their level of security by hiring external consultants while they have very talented and smart people capable of solving most of the issues… if they are allowed to do it.

It might seem exaggerated, but it is not so far from reality. Your people may not have all the answers, but they likely have solutions to the vast majority of your issues.

During lots of audits (or due diligences or gap assessments), I interviewed managers and employees in order to get an idea of what works and what doesn’t in a company. Obviously, we check the incidents, the KPIs, the financial losses and all the possible indicators, but it’s the discussions with the people performing the jobs that give you the best insights. We rapidly get a sense of where there is a bottleneck, a gap or an issue to fix. That’s normal; it is what is expected from external consultants. But what is often more surprising is that the same people are aware of the issues and most of the time have lots of ideas to fix them. It makes sense, as they are sometimes the people suffering the most from these issues.

So, why are the issues still present? There are a lot of possibilities. One of the most common is the belief that the boss is always right (you know, rule #1). Hence, he likely knows how to fix the problem; no reason to bother him with our stupid solutions. It creates blind spots. That’s probably why the space shuttle Columbia ended up in ashes (see http://www.space.com/19476-space-shuttle-columbia-disaster-oversight.html).

Another possible reason is the difficulty for people at the lower levels of the pyramid to speak the highest level’s lingo. Senior executives rarely want to get their hands dirty or to get involved in technical details or business process considerations. A few years ago, I saw a CIO meeting all the people in his IT department (hundreds of people). Each meeting with a team gave him multiple hints on what was blocking or impacting the efficiency of his teams. And when you do that, it’s easier to get the big picture and take the right decisions.

Another issue is the belief that top management expects only green lights and positive outcomes. « Failure is not an option » is a culture that typically leads to failure. Also, sometimes, teams have opposing objectives; hence, they don’t work together to solve common issues but rather fight each other or continuously pass the hot potato. Not a good way to solve issues either.

Good and efficient security management, like any other corporate governance, requires an appropriate culture, fostering trust, empowerment, responsibility and so on. But these are more than words; they must be applied to be effective. Bringing in external consultants to fix internal issues is not always the best solution to improve your culture: it just sends the message that you don’t trust your team to have the skills to do it.

You might want to try to express your expectations and discuss with everybody (or designate someone to do it) to figure out the best way to improve the situation. And if they need resources (which is likely the case), then maybe hire (external) people to reduce their current workload so they can start working on the changes.


Last tip: check your workforce’s skills… there are sometimes people in your company who are doing work for which they are over-qualified and who could do jobs that would really provide you more added value. Don’t look too far for your glasses; they might be on your nose.

Think about it.


We need more (security) fixers!

These past few years, interest and budgets for ethical hackers and pentesters have grown rapidly. They gain more and more visibility (see the Belgian Cyber Security Challenge or the European Cyber Security Challenge). More importantly, consulting companies have been recruiting young and talented hackers by the dozen these last years.

During the last decade, lots of (not to say most) TV shows and even novels have included or even starred a hacker:

  • Lisbeth Salander in Millennium,
  • Harold Finch in Person of Interest,
  • Felicity Smoak in Arrow,
  • Elliot Alderson in Mr Robot,
  • Skye in Marvel’s Agents of S.H.I.E.L.D.,
  • Christopher Pelant in Bones,
  • Penelope Garcia in Criminal Minds,
  • Luther Stickell in Mission Impossible,
  • and the list goes on.

Nowadays, being an (ethical) hacker is sexy, trendy and well paid. It’s no surprise that a lot of young graduates want to embrace this career. As such, it is a good thing, as we need more skilled and talented professionals in cyber security.

However, it might be a bit short-sighted, as AI-powered automated hacking systems are on our doorstep (see DARPA’s Cyber Grand Challenge and other AI-powered systems in the links at the bottom of this post).

Nevertheless, that’s not really my point here. With all these young geniuses at work uncovering our weaknesses, we still don’t have enough talented people to fix the issues.

WE NEED MORE FIXERS!

When I talk about fixers, I don’t only mean people skilled enough to fix the vulnerabilities discovered by our code breakers, but also people able to fix governance, processes, organisation and people. We need professionals who can deliver effective security awareness (meaning awareness that makes people change their behaviour), people who can implement flawless IT and security governance. People able to define processes that prevent attacks by design. People able to define new strategies and to implement them (or at least to make people implement them). People who understand in which detail the devil is hidden. Hackers just need to find one vulnerability; we have to fix them all. It is less sexy, even more complicated, and there are not enough people who want to fix the problems… but we clearly need more. So, young geniuses, when you get bored of breaking things, please come to the light side and help us fix this mess.


For further reading:

Will IoT kill us someday?

When you’re working in the security industry, being paranoid is kind of natural (or is it the other way around?). So, when you see how easily people, processes and technologies can be hacked, you rapidly become suspicious of anything. We all know bad things can happen, and most of the time we try to mitigate the risks (without even thinking too much about it). Business as usual, so to speak. However, while I have a good idea of the risks our future brings us (which makes me even less worried about my business’ future), it seems that most people don’t imagine how much danger the Internet will bring them. So here are some clues.

The new buzzword that has had a lot of attention in the media lately is probably IoT: the Internet of Things. According to the media, it’s IoT that allowed hackers to bring websites like Amazon and Netflix to their knees for a few hours on October 21st. But that’s a mistake. Although IoT has led to some specific new technologies like Bluetooth 4.1 or ZigBee, to accommodate the low-consumption and low-cost requirements necessary to embed technology in nearly all objects, it is probably a mistake to see IoT as something new or something different. As Bruce Schneier said recently in front of the US Congress, we should not see these as objects with computers in them (and an Internet connection) but rather as computers that do things. A Tesla is a computer with wheels (and when you see how Tesla manages its updates and its manufacturing process, it is closer to the software industry than to the car industry’s way of working), a smartphone is a computer with a microphone and a 4G connection, a connected fridge is a computer with an extra cooling system, and so on.

Bottom line, these connected objects are all computers and we must treat them as such. So, as for all computers when it comes to managing security, we should think about patch management, access control, hardening, change management, release management, network segregation, encryption, key management, user awareness and training, and all these processes and best practices. Unfortunately, the issue is that most connected-object manufacturers didn’t spend enough time and money designing secure objects, easily upgradable, with strong and secure communication protocols. Consequently, the future is now… and we are not ready for it.

But what is our future? Let’s get a glimpse of it. In the tenth episode of the second season of “Homeland”, Nicholas Brody helps terrorists kill a political figure by giving them his pacemaker’s serial number, allowing them to hack it and induce a heart attack.

In another TV show, “Blacklist”, a computer genius remotely triggers the airbag of a car while it is being driven, causing the car to crash and the death of its driver.

Is this science fiction? Unfortunately, not anymore! Exploits on « smart » cars are becoming more and more frequent. More recently, British and Belgian researchers have devised a wireless wounding attack on pacemakers (1). While the latter exploit needs specific and rather costly hardware (3,000 to 4,000 €), we are just one step away from having a ZigBee or BT 4.2 interface. Do you wanna kill someone with your smartphone? Don’t worry, you won’t have to wait too long.

At the same time, as other devices with less deadly capabilities are spreading over the world, they provide a potential army of insecure devices that can be used for Distributed Denial of Service attacks, as was seen recently, but also, why not, to perform parallel tasks, helping to brute-force passwords, crack cryptographic keys or hide communication sources by bouncing thousands of times off these little soldiers that we provide to these hackers. Nice, isn’t it? We purchase the devices that will be used against us in the near future. To be honest, for most people, including a lot of security specialists, it is not easy to tell the difference between a secure IP camera and an insecure one, simply because we don’t have time to test everything and there is no useful and relevant certification for that. So think about the number of « computers » you have at home: your Internet router, your tablet, your PC or your Mac, your smartphones, your video-surveillance camera, your printer, your TV box, your Blu-ray player, your « smart » TV, your alarm, your new « connected » fridge, your smart thermostat, your kids’ PSP, the IP doorbell and so on… Think about it: in your home alone, you may have more than 10 little future soldiers for the next hacker’s army. Android, iOS or IP cameras, they nearly all have exploitable vulnerabilities.

So, we have an army, and we will soon have legions of potential targets for a new kind of attack: DoL attacks (Denial of Life). Imagine ransomware targeting your pacemaker, large-scale attacks on cars to cause traffic jams or worse, new hitmen (version 3.0) changing the medication of patients in hospitals, overdosing people. Just watch any episode of « Person of Interest »; they were just a few inches away from actual reality… and we are getting there.

It sounds crazy, doesn’t it? As Bruce Schneier said, the Internet is not that fun anymore. It’s not a game anymore. Things are getting serious and we should act accordingly. Not only at government level but also in industry and in the civilian world. We should ask our suppliers and our manufacturers to secure their devices, to make them safe AND easy to control.

To be continued…

For more details…


Should companies create Bitcoin accounts to be ready to pay ransoms?

In the past months, the press has made public different security incidents involving companies that were victims of ransomware (1)(2). Most of the time, a ransom had to be paid in Bitcoins. It’s logical, as Bitcoins make it much easier and cheaper to launder the money and hide the recipient than traditional money-laundering circuits.

You may decide that dealing with cyber criminals is unacceptable (as with terrorists or kidnappers), but if you don’t have such a policy and the amount of the ransom is lower than the overall cost of restoring your services by yourself (including manpower, business losses, public image), you may decide to pay the price. In such a case, time is of the essence. In order to limit the impact and to comply with the criminals’ conditions, you might have no more than 48 or even just 24 hours to pay your “lack-of-sufficient-security fine”.

But how do you pay in Bitcoins and keep it under the radar in such a short amount of time? Considering the time spent debating the question “do we pay or not”, the time left to actually pay will likely be very short. So you’d better have your Bitcoin wallet ready and loaded, or some agreement with a trusted Bitcoin exchange platform to guarantee the required discretion. Bottom line: nowadays, it might become wise to include a Bitcoin wallet in your Disaster Recovery Plan.

Whatever you’ll decide, decide now and be prepared.

Security: It’s all about trust!

In the past few days, I had a few discussions and readings that made me think about the importance of the concept of trust in security and in our life more generally speaking.

Think about it. All we do in security management, in training, in penetration testing, in patching or with monitoring is because we don’t trust our employees, our colleagues, our customers, our suppliers or our competitors. That’s why we often have 3 levels of controls, each level controlling the others, so we assume we will always have at least one person who will do the « right » thing. In our line of work, it makes sense.

But how far should we go? When do we start to trust? When do we make this leap of faith in humanity?

I worked with pretty paranoid people (for a reason, not the pathological kind) using their own operating system (based on reviewed and modified NetBSD source code) on air-gapped networks. They also had RFID chips in the printer’s paper in order to trigger an alarm if you left the facility with printed information. Others electromagnetically wiped and physically destroyed (with presses) any hard disk at end of life. Some require 10 months of thorough investigation and background checks before letting someone work on their systems. I worked with people who had private investigators watching their security guards to ensure they were totally honest (and it wasn’t the case all the time). In the security community, you will easily find people who will not trust any software to handle their very sensitive information, as it might always have a backdoor. And it is the same with hardware. And they are right to be suspicious, as we have found vulnerabilities and backdoors in nearly every system or application: firmware corrupted by the government of the country manufacturing the processors or motherboards, or spyware built in from the start at the request of the manufacturer’s government. Routers, operating systems, firewalls, remote access applications, switches, phone equipment, and so on. There is a very long list of known backdoors, Trojan horses, spyware and so on discovered in widely used systems. You can imagine the length of the list of the ones we don’t know about (yet).

If we talk about people, it’s even worse. The Belgian Secret Services have published a quick card to warn travellers in some specific sensitive industries on how to prevent information leakage while out of the country. The warning is not restricted to the usual suspects (like Korea, Russia, China or the USA) but also covers our European “friends”. Economic espionage is written into the bylaws of many European countries’ intelligence services. According to our State Security services, if you belong to the targeted categories of people, the question is no longer “if” you will be the victim of spies but “when”. Humans can be manipulated, blackmailed, bought, threatened, seduced; just pick one. We are no more reliable than the rest.

I know it sounds crazy, even paranoid! Unfortunately, it’s just the world as it is.

So, how do we function knowing we can trust nothing and no one?

Obviously, we tend to create redundancies, to multiply the controls and the levels of control. In large organisations you may easily have more than 5 levels of control (operational control, security, risk management, internal audit, external auditors, compliance, and so on). Even so, we still manage to have incidents. This still doesn’t answer my first question: when do we start to trust?

For me, trusting is part of the risk management process. It also resembles the intelligence-gathering process of evaluating your information, your sources and how reliable they are. We trust and we verify. We continuously evaluate the level of trust we can grant to our systems and our people. The higher the stakes, the higher our level of paranoia should be. Also, as usual, we must balance the risk of doing it against the cost of not doing it. If I don’t trust my suppliers or my employees, what will be the cost for my company, my business?

What’s also important is to know that we trust. There is a clear difference between believing without knowing and believing while being conscious of the fact that we are making a leap of faith. The difference resides in the decision. I don’t believe just because I do; I believe because I have decided that it is the best choice to make.

Let me take an example: in my car, if I believe that a green light for me means that cars coming from other directions will stop at the red light, without doubting it or even being conscious that it is a belief, I will never pay attention to the other cars. If I understand that it is a belief, I can adjust my behaviour and check (monitor, watch) the other cars to see if they comply with this belief (and obviously hit the brakes if they don’t).

On the other hand, I should also give a little trust to my car manufacturer and have confidence that the brakes will stop my car when I hit them. Otherwise, I won’t dare to drive anymore. As always, we need to find the right balance, and we need to do it consciously in order to function effectively.

So, question everything and take sound decisions, knowing that you don’t know for sure.

Seduction as a hacking tool

What do James Bond and any random hacker have in common?

One can find a few things, but the most obvious is their common objective: collecting information! Because, although we sometimes seem to forget it, a spy’s primary objective is not to seduce every woman and kill every armed alpha male he meets, but to gather intelligence. And while spies increasingly use the services of hackers to reach their goals, hackers increasingly use the oldest techniques of spies: manipulation, social engineering, blackmail.

Kevin Mitnick, a former hacker who « repented » after spending a few years in prison for computer crime, has devoted several books to the greatest weakness of computer systems: the human. He has even made it his stock in trade.

These techniques are used by spies as well as by terrorists (the Al Qaeda manual found in Manchester, a translation of which you can find on the US Department of Justice website, also mentions espionage techniques using human beings: HUMINT, Human Intelligence).

In itself, nothing new under the sun. Although these techniques have been used since the dawn of time, most security managers constantly underestimate the risk. One can imagine this is due to the sometimes more technological profile of some RSSIs (or CISOs), or to the impression that they cannot do much about it apart from sticking up posters, holding short information sessions and compartmentalising information. Too often, IT security is confused with information security. Let’s not forget that information is what we seek to protect, or at least the information that has value. Computer systems, although increasingly present in our lives, do not have a monopoly on information. Whether on paper, in our conversations or in our heads, information is intangible and therefore, de facto, difficult to contain and to protect. Moreover, information is generally intended, in the end, to be used by one or more human beings. The human element is therefore inseparable from information protection.

But I digress from my subject: seduction as a hacking tool. First, why am I bringing up this particular subject? Yesterday I was reading a tweet about SexyCyborg, a young Chinese « hacker » (or at least she claims to be interested in it) who 3D-printed shoes that let her hide her hacking hardware. On her Imgur page, she says this: « So I got to thinking- if I had to do penetration testing on a corporate facility, how would I do it? Social engineering for one- I’m a natural honeypot ».

To give a clear picture, here is a photo of this young person, who does not hesitate to put her physique forward:


She adds this just after: « I think there’s a reasonable chance that a guy might invite me back to their office after a few drinks in the neighborhood? »

Without judging the attractiveness of her physique or her outfits, social psychology tends to prove her right. If you want to manipulate someone, it is preferable to be attractive. And if that someone is a heterosexual man (which is often the case in IT), being a pretty woman helps a great deal (who would have guessed?). Having a generous, well-displayed chest, even more so (really?). A few minutes of discussion in an intimate atmosphere, a little alcohol and a plunging neckline could therefore well defeat your most expensive protection systems.

In addition to the psychological sciences, the history of humanity, and particularly of espionage, reminds us how useful and often very effective a tool seduction is for obtaining information. Mata Hari did not leave her mark on her time for nothing, and more recently, the espionage affair involving Anna Vasil’yevna Chapman showed us that even in our all-digital era, feminine charm remains a weapon of choice. Of course, the same is true for men, who can also use their charms. In hacking as in espionage, there is no more sexism than there is inhibition: anything that works is worth taking. It is all a question of cost and profitability.

And if you think the task cannot be that easy, ask yourself whether it is really complicated to find a photo of one of the people in charge of your IT systems on LinkedIn or any other social network. Once that is done, is it difficult to stand near the exit of your offices and follow that person, identifiable by their photo (and possibly by their badge, which most people forget to remove when they leave the company), to a bar, their train, their gym, their home, or the place where they meet their mistress? Besides, given the statistics revealed in the recent hack of the Ashley Madison site, one can only wonder whether the possible presence of a member of your staff in the list of users (you can check on Trustify, at your own risk) could not also be used as a means of blackmail to obtain favours. Moreover, it is probably no longer even necessary to follow your employees from the company; using social networks is faster and less dangerous as a way to meet and seduce them (and learn more about them).

It is not without reason that people who hold a government security clearance are advised not to mention it (so as not to put a target on their back) and to avoid extramarital affairs, to reduce their exposure to blackmail attempts.

All this of course raises several questions: does employees’ love life potentially become a security problem for the company? And from there, where does the right to privacy end when that same private life becomes a clear threat to the company’s security? The proportionality of the response is never easy to find, and security management will always be much more a human problem than a technological one, don’t you think?

To finish, a few small reading suggestions (if you didn’t already know them):

  • « Psychologie de la manipulation et de la soumission » by Nicolas Guéguen (2014)
  • « 100 petites expériences de psychologie de séduction : Pour mieux comprendre tous nos comportements amoureux » by Nicolas Guéguen (2007)
  • « Influence et manipulation : Comprendre et maîtriser les mécanismes et les techniques de persuasion » by Robert Cialdini (2004)


The lost meaning of our (professional) life

First story

Not so long ago, I met a young and intelligent lady working as a student in a big organisation. One Monday morning, she was tasked with reviewing the translation of some official documents. Around 10:30, she was already nearly lying on her keyboard, her head in her hands, whispering that she wanted it to be Friday. Not because she had a special event planned, just because she wanted this week to end.

If you compare her to other students with a holiday job, she was supposed to be lucky, as she was actually doing the job she was studying for instead of counting hardware parts in a store or delivering mail.

At some point we started a discussion and I took the opportunity to ask her:

– What are you gonna do with your life?

– Translator, she answered.

– You are here, doing the job you are preparing yourself to do the rest of your life and after one week, the only thing you can think about is not doing it. Are you sure it is what you want to do with your life?

– It is all I can do!

– Is it what you think or is it what it is? What evidence do you have?

– None, but I don’t know what else to do!

– Maybe you should figure out that first?

Obviously, it is not the only thing she’s good at, and it is not what she really wants to do in her life. But somewhere, she became convinced that she had to follow this path and that it was the only one possible. At around 20, she was already in autopilot mode, following a path that is not hers but the one her environment offered her.

A few days later she came to me and told me that she would use her time abroad (she was going to study abroad for a few months) to discover what she really wants to do.

Second story

At a rock festival, I discovered a Belgian New Orleans jazz band called Big Noise. The 4 musicians played as if they were possessed or in a trance. The drummer was so into it, playing an “infernal swing”, that he looked like he was drunk or on drugs. But, evidently, his drug was his pleasure in playing. To play music, to play with friends, with the audience, to have fun, a lot of fun. And the public was seduced, sharing the nearly shamanic trance, powered by the music and the magic of this group sharing the same love for music. From where I stood, at that moment, they had the best job in the world, the one making them happy.

Third story

I discovered recently the new Aaron Sorkin TV show called “The Newsroom”. The series is set behind the scenes at the fictional Atlantis Cable News (ACN) and centres around a team of idealistic journalists working for the news, seeking the truth and aiming to educate their audience. As was the case before with “The West Wing”, Sorkin wrote again some of the most intelligent scripts and dialogues ever. I was captivated by the show and found myself excited by each episode. As images of the series were still present in my mind the next day, I wondered what was so appealing to me in the show. Obviously, I was probably projecting myself (in the Freudian sense of the term) onto the show. Something was talking to me. But what? Fortunately, meditation helps a lot to make your mind clear, and it rapidly became evident to me that it was the commitment of the characters and their values that was stimulating my soul. These characters are devoted to their work, or, should I say, to their cause. In fact, they don’t work; they do something they believe in, they live their passion and they stick to their values. They are committed to their life, not someone else’s life.

Last story

More than a decade ago, I was running a company with my associates and, at the same time, I was coaching young children from 5 to 7 years old to teach them how to swim. Surprisingly, although my daily job was very interesting and I was successful at it, I happened to wait all week for this moment, on Fridays, when I was in the water, teaching those kids how to float, dive, breathe or jump into the water. At first, I tried to ignore this and managed to have such busy weeks that I couldn’t even think about it or anything else than my work and my occupations. Fortunately, at some point, my mind or my body (or both, as they are one) found a way to pass the message. And it was clear: something was going wrong in my apparently picture-perfect life. Unfortunately, the root cause of this “unhappiness” was not as evident. As I didn’t understand at the time what was making me unhappy, I started to change nearly all aspects of my life, private and professional. During the process, I was lucky enough, as I often am, to cross the road of wonderful beings who helped me to understand what was missing in my life. At a bit more than 30 years old, I decided to go back to studying and found myself on the way to the University to pursue a master’s in Psychology. It was a very long journey during which I continued to search for the meaning of my life, as a sense of “un-achievement” was still haunting my mind. It took me a while, and a lot of these blessed encounters with wonderful people (sometimes through books, sometimes for a very short time, sometimes for a long-lasting and beautiful journey), to understand that the meaning of my life was not the goal, the end of the road, but the road itself. I found my direction, my path, my identity, as I was able to accept myself as I am, with my paradoxes and my weaknesses as much as with my strengths and my values.
I finally understood the true meaning of Steve Jobs’ words in his 2005 Stanford commencement address: “for the past 33 years, I have looked in the mirror every morning and asked myself: « If today were the last day of my life, would I want to do what I am about to do today? » And whenever the answer has been « No » for too many days in a row, I know I need to change something.” or the “Carpe Diem” from Dead Poets Society. I discovered my values and found my balance to integrate all aspects of my life. Writing this, even if only a few hundred of you read it, should it even be only one person, is a part of it. I

Epilogue

Our society is very good at picturing a way of life and making us believe that we must fit into this scheme. Unfortunately, in some aspects, our society has lost its values, or, to be more accurate, I cannot recognise myself in some of these values and, maybe, you don’t either. As Jiddu Krishnamurti once said: “It is no measure of health to be well adjusted to a profoundly sick society.” And unfortunately, our society and most corporations are so complex that it becomes difficult to understand what the goal is, the meaning and the role we have to play. And the pace imposed by our “modern” way of life does not often leave time to think about our values, our dreams, our expectations. We must be artists, philosophers or even fools to dare to think about our purpose, the meaning of our lives or, more simply, what really matters to us, deep inside. “Stay hungry, stay foolish” was the closing sentence of Jobs’ 2005 speech. Tomorrow is the first day of the rest of our lives. We can be foolish too for this commencement. We can demand the meaningful life we deserve. It is often not so far from where we stand. A few centimetres away, even. It is not necessary to change everything; we can just change what is not in line with our values, with the direction we want to take.

According to recent studies, people with a purpose in their life, with a meaning, are happier and are also in better physical condition (less stressed). Corporations and society should think about the meaning of what they do and the meaning of what their people do. If everyone could find a true meaning (money is obviously not one, as such) in what they do for a living, nobody would have to work anymore, or at least we would not have to call it labour because it wouldn’t be laborious anymore.


Stay foolish!


http://news.stanford.edu/news/2005/june15/jobs-061505.html

Even if you are good at what you do, you may get a job…or not!

Another post that might raise comments from « colleagues » saying « you shouldn’t talk about it », although there is nothing new in this post. It is more a philosophical approach in the sense that we try to deconstruct the way we work. Our goal is not to explain that the market is saturated and that it is difficult to find a job even if you are skilled, as, fortunately, this doesn’t seem to be the case, at least from our point of view. The goal of this post is to highlight the facts that make it difficult for most companies to discriminate (and then hire) really skilled people.

In 1970, George Akerlof, who would later, in 2001, receive the Nobel Prize in Economics for his work, wrote one of the most quoted economic articles: « The Market for ‘Lemons’: Quality Uncertainty and the Market Mechanism ». This article explains the effect of information asymmetry on the behaviour of the used car market. In short, as most buyers are not able to tell the difference between a good quality used car and a bad one (called a lemon), the model supposes that they are ready to pay 3/4 of the price of the best quality car for all cars (as they cannot tell the difference) instead of 3/2 of the price of the car according to its quality (see the Wikipedia article on « Market for Lemons » for more details on the economic model).

In June 2013, in a New York Times interview, Laszlo Bock, senior vice president of people operations at Google, revealed that their internal statistical research (you may imagine how good Google people are at doing statistics) showed that it was very difficult to find a good predictor of an employee’s performance during interviews. According to Bock: « It’s a complete random mess, except for one guy who was highly predictive because he only interviewed people for a very specialized area, where he happened to be the world’s leading expert ». The only person who was good at hiring specialists was the leading expert in the field.

You may already see where we are going. We work with large organizations employing numerous specialists in IT, risk management, security, business law, recruitment, marketing, finance, tax, logistics and so on… While talking to a specialist, you might get to the point where he (or she) will state something you cannot (easily) verify (like: « What you ask is impossible » or « This is the best and only viable solution »). Rings a bell? As he’s your specialist and you have to trust him (otherwise, how can you work with him?), you accept the statement as the truth… until you discover, from another specialist’s mouth or by your own experience, that it isn’t true. You’ve been there before, for sure!

Maybe, at some point, if such experiences keep repeating, you might wonder how reliable your specialists are. If you have other specialists in the same field working for you, you might ask them what they think of their colleague (and maybe start doubting how reliable they are if you don’t receive the correct answers – welcome paranoia). If you don’t have a lot of experts at hand (which is most likely the case as, by definition, experts or specialists are rare and expensive), how can you tell? You might ask an external party to help you but, most of the time, you will not be better equipped to determine how skilled this third party is and, even more, there is a potential conflict of interest, as any other independent specialist might be interested in a mission to replace the presumably unskilled specialist you have and fix the issues.

In their excellent and famous book, Rework, Fried and Heinemeier Hansson highlighted the numerous advantages of hiring someone only when you have performed his job first. At least, you will become a kind of expert yourself and you will have some clue about the potential candidates for the job. And you will be more likely to discover if they try to bullshit you.

Is there no other way to assess how good our specialists are? Yes, of course! Asking people what they did in the past (and how) and checking their background with previous employers will probably give you more relevant insight. But it is rarely the path followed.

Often, we call on people who are renowned experts, or at least who look like experts. Unfortunately, we are often victims of numerous cognitive biases. One of the first should be the halo effect. To make it short, our judgement of one characteristic of a person will be influenced by a global first impression that we might have deduced from a tiny little detail. As an example, if you are not well shaved, I might have the impression that you are a messy person. The halo effect is well known, at least intuitively, by most people. If you go to a job interview, you will likely wear your best suit and ensure it is neat, just to make a good first impression. As multiple experiments like the one from Young, Beier and Beier (1979) [1] or Bull & Rumsey (1988) [2] showed, we all know how important it is to make a good first impression to get a job.

The halo effect is often based on extrapolation from small details. Nowadays, we could perceive a consultant as more skilled because he has an expensive car (Porsches make a good impression, and not only on women), a lot of recommendations on LinkedIn (or even just connections), a nice suit, because he’s tall and fit, or even just because he has a louder voice and displays more facial expressions of aggressiveness (which is often seen as a sign of authority). Maybe the simple fact that you read this blog could give you a false impression of our notoriety and skills.

All these facts may sound confusing but, here comes the link. Let’s take Akerlof’s model and apply it to the expert world; let’s even narrow this to the area of expert (or senior) consultants for the purpose of the exercise. We can easily presume that there is an effective information asymmetry between the buyer (the organization) and the seller (the consultant), as the latter knows much better what he’s capable of than the organization wishing to hire him. Most of the time, organizations are not able to tell the difference between a good and a bad expert consultant. Consequently, organizations are ready, according to Akerlof’s theory, to pay a certain price for a consultant, whatever his quality is. Let’s call this price the market rate. If a skilled consultant (let’s give him a mark of 9/10 for his quality) believes his services are worth more than the market rate (matching a consultant with a 7.5/10 quality level) because he provides better quality services (better, faster), he might want to raise his rate. Unfortunately for him, as his potential clients (luckily, it will not be the case for all) cannot assess his quality, they might just find him too expensive and discard his candidacy. Instead, they might select a less skilled consultant (quality = 5/10) with a high opinion of himself, who will see and sell himself as an 8/10.

The rate we pay for a consultant might create a halo effect and generate the perception (helped by our tendency to confirm our beliefs) that the consultant is more skilled, of better quality, than he is in reality. Unfortunately, the rate of a consultant is not the direct result of his experience and abilities but more of non-relevant factors (for the hiring organization at least) like the market’s perception, his capability to sell himself, to bargain, his ego, his reputation, his financial needs and his intermediaries (as you know, more intermediaries mean a higher rate, as each middleman will add his margin – often between 10 and 30% – on top of the others). Also, reputation is sometimes equated with quality by hiring organizations. « Famous » or more visible consultants may ask for higher rates as they are perceived as more qualified (although their reputation is often not based on their intrinsic qualities but more on their visibility and the halo effect).

Some consultants have understood this principle so well that they managed to build their own reputation not on the quality of their work but on their presence and their visibility, thanks to their involvement in organizations, meetings or magazines. They also benefit from the halo effect generated by their more skilled peers in the organisation. Consequently, organizations are often victims of personal marketing.

So, what to do? Use your common sense! Ask specific questions and expect practical answers. As Bock mentioned in his NY Times interview, ask your candidates what they did during their previous assignments, practically. What were the challenges (so you will at least know what they consider a challenge)? How did they react? Ask them to explain why they did things and why they believe you should do things the same way or another way. When you know your job, you should be able to explain it to a layman. At least, we should expect that from a skilled specialist. If you don’t understand what he tells you, ask again! Don’t assume you are not skilled enough to understand. Too often, bad consultants impersonate experts by using complex and/or meaningless babbling. As you will likely pay the price of a consultant of 7.5 or 8/10 quality, you should at least expect to understand what he does, or it is likely that you will get screwed.

If we were not good at what we do, we could still get a job because we understand these principles. And, unfortunately, even if we are good at what we do, we might not get a job if we don’t want to play the game, out of respect for our customers, or just because we have better things to do than drinking cocktails and playing golf (just for the stereotype) to lobby and build our reputation in another way than just the word of mouth of our customers. But, fortunately, you already knew it, like most of our customers and readers.

You shouldn’t share this with your « coopetitors », as it might help you if they continue to hire bad consultants for the price of good ones. This way, the really good ones will still work for you.

[1] Young, D. M., Beier, E. G. and Beier, S. (1979), Beyond Words: Influence of Nonverbal Behavior of Female Job Applicants in the Employment Interview. The Personnel and Guidance Journal, 57: 346–350. doi: 10.1002/j.2164-4918.1979.tb05408.x

[2] Bull, R. & Rumsey, N. (1988) « The Effects of Facial Appearance in Persuasion, Politics, Employment, and Advertising » in « The Social Psychology of Facial Appearance », Springer Series in Social Psychology, pp. 41–79. http://link.springer.com/chapter/10.1007/978-1-4612-3782-2_3