Tuesday, August 29, 2017

Book Review: Women in Tech by Tarah Wheeler Van Vlack

Started reading the first chapter as soon as I got the book. Put it down to go order a copy for a friend/recent graduate. I’ve started writing this review before finishing the book. Why? I’m just that excited about it.

First off, I almost never finish reading non-fiction books. I get bored easily and, once I’ve got the general gist of a book, I skip to the next shiny object. But this book is full of shiny objects.

I’m out of the tech world. I’m an academic now and I don’t anticipate ever needing to get a job in the real world again. However, there’s great advice here for *everyone.* You don’t have to be a woman or looking for a tech job to learn how to do a better job of personal branding or communicating or…well, whatever you need to survive the working world.

When I’m done with the book, I’m handing it off to my husband. He’s a <man in tech>, he’s not 20 years old any more, and he can use the tips and tricks in this book both for himself and for supporting any underrepresented minority he may end up working with. That is to say, I think there's value in more than just the bonus chapter on becoming an ally.[1]

What I love. Tarah[2] has a blunt writing style. I love that. Some may not. To me, her style is very matter-of-fact, cut-to-the-chase and definitely-not-sugar-coated. YMMV, but I’ve always found it easier to work with people with this approach. Now, being blunt is not the same as being rude; Tarah is respectful of different personalities and needs. If you want no-nonsense advice for navigating the world of tech work, you’ll find it here.

What I don’t love. I’m not super fond of the contributed stories – the bios. I’m having a hard time articulating why I have a problem with this. Initially I thought I could do without any of them. But then I read Katie Cunningham’s contribution – that one resonates with me for some reason. Maybe I can’t relate to the earlier stories. Maybe it’s the academic in me getting all caught up with the bias of only having stories from women who have succeeded. Maybe it's because I'm Canadian and don't buy into the dominant American theme that success = owning a business, being wealthy and famous/important. Maybe it’s my unconscious (culturally taught) bias against (discomfort with) women having the audacity to flaunt their accomplishments. I don’t know. I do know that I’m just one person and while I don’t find these stories inspirational (at this time), I do know why they are in the book. 

Looking for advice on writing your tech resume? This book has it. If you’re reading closely, you can adapt this advice to any resume. Why? Because every HR department is inundated with applications, so they’re using technology to help whittle down the hundreds (or thousands) of applications to something manageable. You have to learn how to beat the software and there is advice that can help here.

Looking for how to ace the technical interview? Well, I’ve never lived through one of the new tech/coding interviews, so I don’t know if this will help you ace it. But Tarah gives you some great strategies that will help. In particular, use her strategies and you should be able to defuse the (possibly unconscious) biases of your interviewers. Win! Again, you can adapt the tech interview strategy to many problem-solving-based interview questions.

Looking to build your brand? It’s in this book. I’m going to start working on this advice right now. Because we all have a brand to manage, whether we know it or not.

Considering consulting work? Important info here!

Want to start your own company? Well, first off, Wheeler Van Vlack has done this. So have many of the women who contributed their stories to the book. The folks here have experience. They’re sharing that experience.

I anticipate buying up a stash of these books and handing them out to students as graduation gifts. At the very least, I’ll be lending my copy out lots.

Just so you know, I bought this book personally. I’ve received nothing in return for writing a review. If, however, I’m ever attending the same conference as the author, I’m going to track her down and get her to sign my copy.

Amazon link to the book[3]: Women in Tech

----------
[1] Also, I already think he's an ally - I wouldn't have married him if he weren't. 
[2] I hope I can call her that. If only because it's shorter than writing Wheeler Van Vlack.
[3] I receive nothing for this link. I'm just making it easier for you to find the book.

----------
Update 1: I corrected a typo in the labeling for footnote 2. That's all.

Wednesday, August 5, 2015

Olds, AB - Fastest Home Internet in Canada!

According to this CBC story small towns are getting faster Internet service before the big cities. I'll leave you to read their reasoning. I want to pick up on the Olds story, because a project that I worked on helped make it possible.

The synopsis: Olds, AB chose to build fibre infrastructure within their town, enabling them to provide gigabit Internet service to end-users, including home users. A key driver for doing this was to keep businesses from leaving for better connected locations. You can read this story from 2013 for more info.

What I want to point out is that Olds would never have had the capacity to do this without the Alberta SuperNet. SuperNet is the broadband fibre network that brings Internet connectivity to Olds. No business would have built this link to the community, and without it the speed at which you can connect within Olds would be throttled at the pipe out to the world at large.

Regardless of your personal politics, the Alberta Government did a good thing with the SuperNet. And I am proud to have been a part of that project. My role was small (I helped the public libraries design and implement their connections to the SuperNet) but it takes a lot of people making small contributions to make something like this a reality.

Kudos to Olds. Kudos to the decision makers who had the foresight to make the Alberta SuperNet a reality. And kudos to everyone still working to make sure that the power of this new resource is available to everyone in Alberta.

Also, this shows that sometimes we need public bodies to create the infrastructure we need for the 21st Century. If we left this job to commercial enterprises, they would not build it. Why not? Because it's not cost-effective. That's why, even in large cities, we don't have better service. It's also why I'm pro-Net Neutrality. We don't see every electricity producer putting up power lines to carry their power to their customers - it's too expensive to build the infrastructure - yet as consumers we can choose who supplies the power. It is going to have to be the same for Internet. There are a few distributors who build the delivery infrastructure and we get to choose the provider of the actual service. The distributors should have no right to decide which traffic is delivered first, just as the power distributor has no right to decide that solar generated power gets delivered faster than wind generated power.

In summary: SuperNet - good. Net-Neutrality - I'm in favour.

Have a great Wednesday.

Wednesday, July 29, 2015

We're not prioritizing security activities properly...or are we?

Dark Reading and Black Hat conducted a survey of Black Hat 2015 attendees in June 2015. Their executive summary has some interesting findings. They report that there are significant discrepancies between the priorities of security professionals and the resource allocations. They also report that "Many security professionals feel that the perception of current threats - both in the media and among their managers and supervisors - is different from their own" (p. 5). While you should take a look at the full report, here are the top 5 responses for the security pros' greatest concerns, time-consuming incidents, and budget-consuming incidents.


Greatest concerns:

  • sophisticated, targeted attacks
  • phishing, social network exploits, other social engineering
  • accidental data leaks by end users not following policy
  • polymorphic malware that evades signature-based defenses
  • espionage/surveillance by foreign governments or competitors

Consumes time:

  • vulnerabilities introduced by own app dev team
  • vulnerabilities introduced through purchased apps/systems
  • phishing, social network exploits, other social engineering
  • internal mistakes or external attacks affecting industry or regulatory compliance
  • accidental data leaks by end users not following policy

Consumes budget:

  • accidental data leaks by end users not following policy
  • sophisticated, targeted attacks
  • internal mistakes or external attacks affecting industry or regulatory compliance
  • vulnerabilities introduced through purchased apps/systems
  • phishing, social network exploits, other social engineering

Let's talk about one problem with this survey - the respondents are all 'security professionals' and they're all Black Hat attendees. This would suggest that they are, for the most part, more technical people. These are the people doing the job of computer security within organizations. That's great. They are needed. I used to be one of them. But they have a completely different view of the problem than a business manager would. So, I'm not surprised that they feel that management doesn't 'get it' - that their perceptions of the problem are wrong. However, these security pros' perceptions of the problem are also wrong.

Wait, no, that's not it. The professional in charge of maintaining secure and functioning information systems has a different problem to solve than the professional in charge of managing a company/business. So, since they have different problems to solve, their perceptions of how to solve them are going to be different. Management thinks in terms of risk management - what are the risks to the organization and what do we have to do to get those risks within acceptable parameters. Security folks think in terms of risk to their specific piece of the business and are trying to minimize it - no data lost, no hackers in our network, no (little) down-time, etc. They definitely understand the problem (threat to the systems) better at a technical level than anyone who gets their information from the popular media. But they don't necessarily understand the bigger bundle of concerns that management is dealing with.

So, what are Management's greatest concerns? This survey hasn't captured that. There are some built-in assumptions. If a concern is 'sophisticated, targeted attacks', I ask you: why? What is it about that threat that makes it a big business concern? When you, as this security professional, can explain to the manager why she should care about this thing and what you can do about it, then you may get the resources you need to counter it. If you're spending all your time dealing with vulnerabilities introduced by your own app development, then quantify that so you can explain how much this particular problem costs the business. And align your concerns with the business concerns. In short, learn to speak in business language, become part of the risk management team and process. And use that to get better alignment of priorities and resources.

Thoughts?

Monday, July 20, 2015

Employees as weak link

Yesterday, Krebs on Security posted this story about the Ashley Madison hack. OK, this is a problem for the company and comes with all the standard issues of data loss. But here's something else to think about.

Firstly, if you didn't know, Ashley Madison is an online cheating site. That means account holders at AM likely do not want it widely known that they use it. Unlike other data breaches where the fear is ID theft and financial fraud - activities for which AM could simply offer ID theft protection services like everyone else - this is a case where the compromised information could be used to blackmail individuals. Ask yourself:

  • Do you have privileged users who are AM account holders? Two-factor authentication isn't going to help you protect privileged accounts if the user herself is compromised.
  • Is your CEO an AM account holder? What would exposure of this fact do to your company? What would he do to keep the information quiet? Are there other high-profile employees that could be AM users?

Even if you perform security checks before you hire people, you need to remember to keep monitoring them. Circumstances change and an employee who was fine last year may have run into financial difficulties or engaged in activities that have compromised her previously secure standing. These changes have impact on your organization, regardless of how much security awareness training you provide.

The next questions - How will you know if one of your people has been compromised? What will you do if it turns out they have been? What HR policies are in place to support your choice of action?

Cybersecurity is not just an IT thing. It never really was, even though we shoved the responsibility into the IT department. Cybersecurity is a corporate risk management thing and it touches on every aspect of the business. HR and IT are just the first two that spring to my mind, but clearly finance, production, and operations may all be impacted by any information breach - even if it's not at your company.

Note: Edited to correct spelling mistakes on Aug. 5/15.

Monday, July 13, 2015

US Federal Cybersecurity Sprint: Maybe you should do one, too.

In early June, the US Federal Government announced they would be undertaking a 30-day Cybersecurity Sprint. The goals of the program included:

  • scanning systems for indications of malicious activity
  • patching critical vulnerabilities without delay
  • reviewing and improving policies regarding privileged users
  • accelerating multi-factor authentication implementation, especially for privileged users.

For anyone who's been working in cybersecurity for any length of time, these 4 items seem like baby steps. They are activities that a/ should have been implemented a long time ago and b/ take time, money and commitment to carry out. I suspect the problem in the past has been item b - there has been no commitment by top decision makers and, thus, there has been no money to make it happen. That is why this sprint has been such good news (once I ignore the fact that it's 2015 and it's only now happening...I started in this field in 1999 and had rather hoped we'd be in better shape by now). So yay, US Federal Government.

Preliminary results have been discussed stating that:

  • Federal civilian agencies have increased multi-factor authentication use for privileged users by 20 percent within the first 10 days of the Sprint. Several agencies have increased multi-factor authentication use for privileged users to 100 percent.
  • DHS has scanned over 40,000 systems for critical vulnerabilities and it is increasing those numbers every day. Federal agencies are patching vulnerabilities as they are identified.

The fact sheet also notes that there are several activities that remain ongoing, as we would expect. Cybersecurity is not an end-point, it is a process of continual improvement.

Now, here's the skeptic in me commenting.

  • "...increased multi-factor authentication...by 20 percent..." So, if 10 privileged users used to have multi-factor authentication, a 20% increase means that there are now 12 privileged users. If you want me to applaud you, you're going to have to tell me what that increase represents as a percentage of all the privileged users. And if some agencies have increased to 100%, great for them, but where did they start from? Did they just remove privileged users (which could be OK; maybe they had too many privileged accounts to begin with)?
  • "...scanned over 40,000 systems..." And that represents what percentage of systems? Are we talking end-nodes (user workstations and PCs) only? What about telecommunications equipment, servers, smartphones, etc.? I suspect they still have a *very* long way to go.

In short, provide real data. I know my statistics and I know how to make numbers look impressive when really they're just 'meh.'
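To make the skeptic's point concrete, here is an added example of the kind of report I would want behind a "20 percent increase" claim. It is my own illustration, not code from the post or from any federal fact sheet, and the two inventories (the account names and the "Agency A" / "Agency B" labels) are constructed sample data. It computes the headline relative-increase figure alongside the numbers the post asks for: MFA coverage as a share of all privileged accounts, how many privileged accounts exist before and after, which accounts were actually enrolled, and which were simply removed.

```python
"""Privileged-account MFA coverage report (added example, not from the post).

Two constructed snapshots of a privileged-account inventory, taken before
and after a sprint, are reduced to the headline "percent increase" figure
and to the numbers the post asks for: coverage as a share of all privileged
accounts, and how the account population itself changed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    name: str   # account identifier (constructed sample values)
    mfa: bool   # True if the account is enrolled in multi-factor authentication


def mfa_count(accounts: list) -> int:
    """Number of privileged accounts enrolled in MFA."""
    return sum(1 for a in accounts if a.mfa)


def coverage_pct(accounts: list) -> float:
    """MFA-enrolled accounts as a percentage of all privileged accounts."""
    if not accounts:
        return 0.0
    return round(100.0 * mfa_count(accounts) / len(accounts), 1)


def headline_increase_pct(before: list, after: list) -> Optional[float]:
    """The 'increased MFA use by N percent' figure: relative growth in the
    count of enrolled accounts, ignoring the denominator. None if no baseline."""
    base = mfa_count(before)
    if base == 0:
        return None
    return round(100.0 * (mfa_count(after) - base) / base, 1)


def sprint_report(before: list, after: list) -> dict:
    """Side-by-side view: headline figure vs. actual coverage and population change."""
    mfa_before = {a.name: a.mfa for a in before}
    names_after = {a.name for a in after}
    return {
        "headline_increase_pct": headline_increase_pct(before, after),
        "coverage_before_pct": coverage_pct(before),
        "coverage_after_pct": coverage_pct(after),
        "privileged_before": len(before),
        "privileged_after": len(after),
        # accounts that disappeared from the inventory (de-provisioned or re-scoped)
        "accounts_removed": sorted(set(mfa_before) - names_after),
        # accounts that existed before and were actually enrolled during the sprint
        "newly_enrolled": sorted(a.name for a in after
                                 if a.mfa and mfa_before.get(a.name) is False),
        # the remaining gap, which is what an auditor should ask about next
        "still_without_mfa": sorted(a.name for a in after if not a.mfa),
    }


# Constructed sample inventories. Agency A enrols one account and removes two
# unenrolled ones; Agency B reaches "100%" purely by deleting accounts.
AGENCY_A_BEFORE = [
    Account("svc-backup", False), Account("dba-1", True), Account("dba-2", False),
    Account("netops-1", False), Account("netops-2", False), Account("root-jump", True),
    Account("legacy-admin", False), Account("ciso", True), Account("sec-1", True),
    Account("sec-2", True),
]
AGENCY_A_AFTER = [
    Account("dba-1", True), Account("dba-2", True), Account("netops-1", False),
    Account("netops-2", False), Account("root-jump", True), Account("ciso", True),
    Account("sec-1", True), Account("sec-2", True),
]
AGENCY_B_BEFORE = [Account("admin-a", True), Account("admin-b", False), Account("admin-c", False)]
AGENCY_B_AFTER = [Account("admin-a", True)]

if __name__ == "__main__":
    for label, before, after in (("Agency A", AGENCY_A_BEFORE, AGENCY_A_AFTER),
                                 ("Agency B", AGENCY_B_BEFORE, AGENCY_B_AFTER)):
        print(label)
        for key, value in sprint_report(before, after).items():
            print(f"  {key}: {value}")
```

Run as a script, Agency A reproduces the post's arithmetic (5 enrolled accounts to 6 is a 20% "increase") while showing that coverage moved from 50% to 75% partly because two unenrolled accounts were removed, and Agency B reports 100% coverage with a 0% headline increase and nobody newly enrolled. Reporting the denominator and the removed accounts is what turns the headline number into something a manager can actually judge.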

As government agencies continue to look closely at their systems, we can expect them to find evidence of additional leaks or breaches - that means we're going to hear more about lost data and it's going to make everyone angry, especially those who learn they had personally identifiable information exposed. I'm really sorry, but at the same time, I think it's a good thing. We need to be honest about the scope of the problem before we can start fixing things. And that means that those of you in industry need to be honest about the scope of the problem in your organization(s), too.

So, what is your organization doing to improve its cybersecurity processes? Did you take the opportunity to run your own Cybersecurity Sprint? I would suggest that the activity would be helpful in any organization, regardless of how well you believe you are managing this aspect of your business. For those with strong processes and procedures in place, it's a chance to measure their effectiveness. And for those with little cybersecurity infrastructure, it's a chance to learn from the federal initiative and get your house in order, hopefully before you have a significant breach.

Tuesday, January 29, 2013

Teaching with technology

So, today I was thinking about how I use technology in my classroom and/or assignments. It's pretty typical in an intro MIS course to use MS Access to introduce students to databases. Excel is also a pretty common application - you can use it to teach ways to create simple decision support systems - build a predictive model of stock prices, use pivot tables to do what-if analysis, for example. But what about other things that might be useful in the working world?

In my class, there are several group assignments. This means students need to learn how to collaborate. Despite my expectations, they don't actually already know how to use tools such as wikis or GoogleDocs to create content in a collaborative way. They stick with passing Word documents back and forth and seem to rely on the ability to meet in person. This is crazy - the world doesn't work like this anymore. I regularly collaborate with people all across North America. For a short time one summer (as a PhD student), I was working on a project with 4 people spread across 3 continents; one person in China, one in Turkey, one in Alberta (western Canada) and I was in western NY at a conference. Sure, it was a time-zone mess, but we had work to be done and timeliness mattered (I really felt for my colleague in China as he had just finished teaching all day and had to wait around until 9pm his time to connect with us).

What to do? Well, I guess I see it as my job to help students learn how to collaborate in new ways. I mean, I teach them about the need for collaboration and what types of applications might be used to collaborate, but I've never required them to actually use any of these tools before. And, like all time-pressed individuals, they just won't try something new if they don't have to. I guess it's about managing risk & reward - too risky to try a new way of working.

New this term, then, I have implemented a wiki (http://is251.openlearner.com) where each group will be developing their strategic IT report project. Here, they'll be writing about a company, identifying its strategy, performing a value chain analysis, discovering the current IS in use and, ultimately, making some suggestions for future IS initiatives that make sense given the corporate strategy. The students will be presenting their findings in class (part of teaching them to be comfortable making presentations), but they'll be working together in public on content creation. Wish me luck.

Monday, January 21, 2013

Business Strategy & why IT folks should care about it.

So, in teaching IS251 here at Loyola, we require students to find and post stories to an online site called Microsations.com. It's a bit like Reddit; they must post a link then have 255 characters to summarize it. I wish I could say this was my bright idea, but it belongs to my colleague, Paul Di Gangi. Ideally, the summary will explain how this story relates to the 3 key resources in information systems - People, Information & Technology (at least, according to the text we use). I happen to be a "people, process, technology" proponent, myself. Whatever.

Anyhow, this week students are tasked with finding stories related to business strategy. It's not surprising that they're struggling with this a bit. First off, we haven't started lecturing on strategy yet. Secondly, they haven't taken a business strategy class yet, either. So, we're seeing lots of stories that are more along the lines of marketing strategies. It's good for me, it will provide many teachable moments. :-)

But, why do we bother even looking at business strategy in an IS/IT course? Well, it's the classic Business-IT alignment argument. And before we can discuss the right IS choices for a firm, we really need to be sure we understand what that firm does - what it aspires to be and how it plans to make money. So, for this course, we focus on Porter's 3 generic strategies (low cost, focus, product differentiation) with some minor variations. We also talk about Value Disciplines from Treacy & Wiersema as another way of looking at these generic strategies. Where Porter takes a market-centric view in defining his strategies, Treacy & Wiersema shift to a customer-centric focus.

The first lectures will centre around understanding the business so that we can find the appropriate IS solutions to support business goals. This is why I ended up studying in a business school - I'm an IT person who really does think technology is cool. But I recognized that just because something is cool doesn't mean it's worth spending time or money on, from the organization's perspective anyhow. Technology has to support what we want to do; it has to help the organization deliver on its strategy in some way, be that through reducing cost or opening up new products/services that delight the customer (who will then pay!).