25 Most Dangerous Information Security Programming Errors

Want to visit ground-zero for data security?  Experts from SANS, MITRE, SAFECode, EMC, Juniper, Microsoft, Nokia, SAP, Symantec, and the U.S. Department of Homeland Security’s National Cyber Security Division last week presented a listing of The Top 25 Most Dangerous (Information Security) Programming Errors.  Expect to see future government and big-money RFP’s mandate these items be addressed.

Mike J. Berry
www.RedRockResearch.com

Anatomy of an Execution Plan

Have you been challenged with performing a high-risk task like upgrading a prominent server, for example?

Here’s an execution plan template that you can use to guide you.

I. Executive Summary
Brief overview of intended event.

II. Review of Discovery
Details of what efforts were made to research what is listed in the following sections.  Meetings, Vendor consultations,  OnLine Resources, and Conventional Wisdom can be included.

III. Pre-Upgrade Procedures
Steps identified to be taken before the event.

IV. Upgrade Procedures
Steps identified to be taken during the event.

V. Post-Upgrade Procedures
Steps identified to be taken after the event.

VI. Test Plan
Verification procedures to confirm the event was a success.  This section should define the success criteria.

VII. Rollback Plan
In case the worst happens, what to do.

IIX. Situational Awareness Plan
After-the-event steps to validate the success of the event with the system’s business users.  This would include a two-way communication between your group and the business users, announcing the success, and providing contact information for them to contact you in case there is still a problem.

IX. Risk-Management plan
A plan listing risks associated with the steps above and recommendations as to how to lower those risks.

X. Schedule
If the event spans many hours or days, you may want to draft a schedule for the benefit of all involved.  Include on the schedule the ‘rollback point,’ which would be the latest time a rollback could be successfully performed.  Your success criteria whould have to be met by this point to avoid a rollback.

Be sure the Execution Plan is in a checklist format, not a bullet-list format.  Require participants in the event to ‘check’ completed checklist items and sign-off sections they are responsible for.

For critical areas of high-risk, (ie: setting up replication), for example, you may want to require two individuals to perform the checklist steps and sign their names when that section is complete.

If you like, add a ‘lessons learned’ section to be completed later, and keep a copy of the execution plan for historical purposes.

Mike J. Berry
www.RedRockResearch.com

Excellence over Heroics

I value Excellence over Heroics.

‘Excellence’ can be defined as “the crisp execution of established procedures.”  Think about that for a minute.

Do you know of a software development shop where several prominent developers often stay up late into the night, or come in regularly over the weekend to solve high-profile problems, or put out urgent mission-critical fires?

The thrill of delivering when the whole company’s reputation is at stake can be addictive.  I remember once staying up 37 hours in-a-row to deliver an EDI package for a bankers convention.  I was successful, delivering the application just before it was to be demo’d.  I went home and slept for 24 hours straight afterwards.

The problem with ‘Heriocs’ is that the hero is compensating for the effects of a broken process.  Think about that for a minute.

If heroes are needed to make a software development project successful, then really something upstream is broken.

Most problems requiring heroics at the end of a project stem from improper effort estimations, inability to control scope, inadequate project tracking transparency, mismanaged Q/A scheduling, unnecessary gold-plating, or inadequate communication between the development team and the project users/stakeholders.

A well-organized development group humms along like a well-oiled machine.  Proper project scoping, analysis, design deconstruction, estimating, tracking, and healthy communication between development and the users/stakeholders will bring that excellence that trumps heroics.

Hey, I hear that Microsoft is looking for some Heroes.

Mike J. Berry
www.RedRockResearch.com

Book Review: Motivating Employees

Employee motivation is an ever-present concern for most proactive managers.  Interestingly enough, motivation can come from both functional and dysfunctional sources.

I’ve seen employees motivated for many different reasons: recognition, financial incentive, empowerment, personal growth, tension release, fear, and finally there’s that weird Lord of the Flies thing where employees get motivated together against another employee.

In their book, Motivating Employees, Anne Bruce and James S. Pepitone describe the most effective ways to motivate a team.  They describe the three C’s which are vital to functionally motivating employees:

1. Collaboration: Be sure to involve employees in decisions and discussions where their efforts are involved.

2. Content: As they produce suggestions, act on those suggestions immediately.

3. Choice: Be sure to offer choices to your employees–even if you can predict what they will decide.

These three techniques actually empower your employees.   Involving employees in decisions that affect them, or the outcome of what they are working on produces a level of buy-in that is hard to match any other way.

Bruce and Pepitone continue with an examination of Theory-X and Theory-Y motivation and management styles.  These styles were originally presented in the 1960’s by Douglas McGregor.

McGregor states that Theory-X managers proceed from the assumption that their employees are uninformed, lazy, and needy of high-structure.

Theory-Y managers, however, proceed from the assumption that their employees are qualified, intelligent, and capable of making proper decisions provided they are given proper goals, accountability, authority, and resources to accomplish their tasks.

Although Theory-X is the most effective approach during some situations, if you consider the amount of college-educated employees in the workforce today, it’s easy to see how Theory-Y, if applied properly, yields much higher performance.

The authors continue with a formula for encouraging Entrepreneurial Thinking.   Their five-step formula is:

1. Explain the organization
2. Demonstrate how the organization operates and generates income
3. Help your employees understand the competition
4. Encourage intelligent risk-taking
5. Inspire innovative thinking

Another great idea the authors present is to link motivation to performance.  They suggest you develop a written-list of performance standards for meeting and exceeding the expectations you’ve agreed upon during collaborative sessions with them.

The authors talk about how important it is to weave fun into everything your organization does.   This may sound like a unusual suggestion at first, but the authors point out that there is a direct correlation between fun on the job and employee productivity, moral, creativity, satisfaction, and most importantly–retention.

The final few chapters in the book discuss de-motivating factors (or individuals), and how to deal with them.  There is also a good chapter on conducting effective employee-reviews.

Overall I recommend this book to any manager.   It’s a great book to re-read every so often.

Mike J. Berry
www.RedRockResearch.com

The Three P’s of a Quality Management System

A Quality Management System, sometimes referred to as a Total Quality Management (TQM) System, is a simple concept that will dramatically improve software production quality over time.

Companies that don’t have a quality system are commonly reacting to production and support issues due to omissive events.

A simple rule of thumb is to ask yourself how many fires your development team has put out this month.  If any come to mind, then chances are you don’t have a proper quality management system in place, and should read on…

I remember early in my career I struggled to get my employees to follow our procedures.  Whenever we’d encounter a production problem with our software, it would inevitably be a result of someone not having completely followed an established procedure.

We would have a big discussion about what should have happened, and about how “we can’t forget to do that next time,” yet we’d experience the same omission later.

I would get frustrated because I could never seem to find a way to get my team accountable for following our established procedures–until I discovered the “Quality Management System.”

A Quality Management System has the following three elements (the Three P’s!):

  1. Process (documented–most of us have processes or procedures we are supposed to follow.)
  2. Proof (a separate checklist, or “receipt” that the process was followed for each software release.)
  3. Process-Improvement (a discussion, and then an addition or adjustment to the documented process.)

Most companies have an established–and hopefully documented–software development process.  (If you don’t you can download one from my website for Waterfall, or Agile here.)  This is the first ‘P’ and should be in place at every established development shop.

A great question to ask the team is “How do you know the process was followed for each release?”  This is where you may get the deer in the headlights response.  This is the second ‘P’ and is the piece missing from most software development shops.

Think of this ‘Proof’ document as a checklist accompanying each software release.  The checklist would include every major step in the documented process, names of team members performing specific functions, and locations of final source code, test scripts, install files, etc.  The checklist would also require a series of quality checks.  Ie: Were requirements signed off by the customer, stakeholder, tester, and developer?  Was the help file updated with the new release number and appropriate functionality?  Was the source code checked in?  Where is it located?

As problems occur, the checklist would be added to so that the product would be protected against a similar failure in the future.

The governing driver considered here is that one particular problem might broadside the development team once, but after the process is improved, that problem should never occur again.

For example, you might have a stored procedure that goes into production without a “Go” statement at the end.  After the error is discovered, and fixed in production, your team should have a discussion and conclude that a checkbox needs to be added to the quality document stating “All Stored Procedures Confirmed to have ‘Go’ at the end.”

From that point on, whenever a stored procedure is moved into production, the developer presenting it must check for ‘Go’ statements at the end and then sign their name at the bottom of the checklist.

This is the difference between process improvement, and hope.  Many companies view process improvement as a discussion and some verbal affirmations.  What they are really doing is “hoping.”

Actually, the “act” of process improvement is physically altering a written process or procedure.  This is the real definition of process improvement–the third ‘P.’

The final endpoint of a quality management system is to achieve excellence.  I’ve heard excellence defined once as “Crisp execution of established procedures.”

You can’t have excellence without procedures, proof, and process-improvement.

Mike J. Berry
www.RedRockResearch.com

The Bat-Phone

Do you have one of those executives that harasses you with status updates to projects, yet never attends the status update meetings?

Perhaps they call you, email you, stop in to your office, and want to know what the latest on project X is?

Is the behavior efficient?  What suggestions do you have about how to convey project status communication within your organization?

Mike J. Berry
www.RedRockResearch.com

Anti-Values

I was sitting in a KFC eating lunch, reading the slogans painted on the wall.  This particular KFC is supposedly the first KFC in America.  Yes, it’s in Utah.  Along with some chicken legs and a drink, you can enjoy a small exhibit showing Colonel Sander’s original briefcase, white suite, shoes, etc.

One mural read, “Somehow we’ll do it, by the principles of thrift, honor, integrity, and charity.”

I thought for a moment.  Some of the financial service companies I’ve worked with would fail if they valued charity.  Then I thought about how trust is a wonderful interpersonal dynamic, but the companies I’ve worked with in the medical field allow no latitude for trust.  Everything must be written down and authorized by a credentialed physician.  Walk into a pharmacy and you’ll need a signature on piece of paper to get a prescription filled.

Hmmm, just like charity is an anti-value in the financial services industry, trust is an anti-value in the medical industry.

I spent the day thinking about this new concept.  I owe the title of ‘Anti-Value’ to the Discovery-Channel documentary about Anti-Matter I was watching the night before.  I  guess I’m coining the phrase here, but it makes a lot of sense to me.  Normally, a value is something our society charishs, yet in a particular situation, or line of business–it becomes the wrong thing to do.

I started seeing how this concept can be applied all over to help clarify the decision making process.

I remembered taking third place instead of second in a Maryland school-district programming competition in high school because I let the guy from our rival high school cut in line in front of me to turn in his test.  When the results were announced we had both scored the same grade, but because he handed his paper in first, he won second place and I won third. (I beat him in the State programming competition the following month.)

I’ve never forgotten this experience, and actually now that I think about it, offering your competitor any leeway is an anti-value.

Some business meetings I’ve been involved in are a collage of participants cutting other participants off mid-sentence to make their point known.  Rude? Yes.  But, in fact, politeness may be considered an anti-value in these types of situations.

I think the concept is fascinating.  Just as a good value system should be in place to help an organization, department, team, or individual govern their decisions, an anti-value system can compliment a value-system by providing additional clarity for the decision making process.

One example of this is the U.S. government’s policy on dealing with terrorists.  The government values having a “no negotiating with terrorists” policy.  As a disincentive to future terrorism, they have an additional policy to provide or produce exactly the opposite of what the terrorists are demanding.  The notion–to give them what they want–really becomes an anti-value, and is an additional input to the decision-making process.  So, in fact, their policy is set by values, and anti-values.

I hope you find this concept as fascinating as I do.  It was the best $7.79 I’ve spent on lunch in a while.

Mike J. Berry
www.RedRockResearch.com

What to look for when interviewing a candidate

Posted by mikeberry | Agile Executives,Leadership,Product Owner,ScrumMaster,SDLC Management | Thursday 21 February 2008 10:56 pm

My sister was recently promoted to manage a team of software project managers for a large bank on the East coast.  She told me she gets to hire someone for the first time in her career.

I told her that hiring is always a bit of a dice roll, but I offered her some advice after having hired about 15 people at various times in my career:

1. The most important indicator of future success is past success.  Good interviewers know this.  Dig into people’s past work experience and try to find out if they have been generally successful, or not.  Some indicators of this are whether they have changed jobs often.  If they jumped jobs on their way up the ladder of responsibility, this is OK.  If they jumped sideways, or sometimes down, this is a red flag.  Drill them about each job change.  You will get interesting results.  People will say they were fired, or had fights with their boss or coworkers.  These are usually not your desirable candidates.  If they fought with their previous peers and managers, chances are they will fight with your group also.

2. Look for enthusiasm.  Enthusiasm is a great sign of a star employee.

3. Examine their personal lives (you really can’t do this in an interview).  But whatever they tell you can be a clue as to how they respond to accountability, pressure, authority, and responsibility.  If they hate police, or the government, or have been divorced five times, then they may have issues with authority or responsibility.  You have to be careful here because you cannot descriminate.

4. Call their references and ask their references if that person was successful, and if they would re-hire that person.  Ask how socially distracting they were inside the workplace, and what time they came in the morning and what time they went home.  Ask if they were a good team-member, and if they were typically dependable enough to get things done.  Ask why they left and compare their answers to the candidate’s explanation.

5. Because software development is not always a 9-to-5 job, a good question to ask is if they have any extra-curricular activity that would prohibit them from staying late if needed.  I have hired people to discover that every day at 5:30 they need to pick up their kid from daycare.  This obligation makes them incompatible with leading a team that may require them to stay late and fix a critical problem.  This is a good thing to find out before you hire someone for a position like that.

6. Try to get them to express an opinion about something business related and that they are passionate about.  Pay attention to how they express their opinion.  Do they express themselves dogmatically, as if their opinion is fact and you must argue with them to object, or do they express their opinion in a collaborative way, where they would be more of an asset in a group discussion where others may disagree.

7. Pay attention to how they show up for the interview.  Are they on time, and dressed for the part.  Did they bring with them a copy of their resume? Are their shoes shiny?

8. Ask them several obvious question about your company to see if they did any research before the interview.  Find something on your website homepage that they would know if they looked there before the interview. This is a clue as to their proactive abilities.

9. Pay attention to how they describe their previous workplace, management, and executive staff.  This will likely be an indicator of what they will think of your staff.

10. If you sense an extreme level of dissatisfaction, high-maintenance, or lots of questions about what’s in it for them—beware!  This is an employee that will likely perform the bare minimum and be unnecessarily needy.

There are lots of books and tips about how to be the interviewee, but not so much is written about how to interview.  I wish I could have read these tips years ago when I began hiring people.  I hope this helps others and I would be interested in hearing what readers have to add.

Mike J. Berry
www.RedRockResearch.com

Book Review: What Got You Here Won’t Get You There

Marshall Goldsmith’s New York Times Bestseller, What Got You Here Won’t Get You There: How Successful People Become Even More Successful is an excellent self-help book for executives and managers wishing to improve their “soft skills” and other interpersonal traits.

Goldsmith is an executive coach who has worked with more than 80 of the worlds foremost CEO’s.  As a symbol of his influence,  Alliant International University recently renamed their school of management after him.  With these credentials, probably anything he writes is worth reading.

In his book, Goldsmith lists twenty-one common “soft-skill” dysfunctions he has encountered while coaching top executives.   He explains that the higher you go in executive management, the more your problems are behavioral.  A few of these behavioral problems are as follows:

  1. The need to win to much
  2. Making destructive comments
  3. Starting sentences with “No,” “But,” or “However”
  4. Telling the world how smart you are
  5. Speaking when angry
  6. Withholding information
  7. Clinging to the past
  8. Playing favorites among direct-reports
  9. An excessive need to be “Me” (or, “I can’t change, that’s just how I am”)
  10. Goal obsession

To get the whole list, you need to read his book.  The first half of the book details these ten and the other eleven common issues at length.

One of the primary challenges Goldsmith writes about is getting executives to understand how they are perceived by others in their work environments, and at home.  He separates our personal “perception” into four categories:

  1. Public Knowledge (Traits known to others and self)
  2. Private Knowledge (Traits known to self but not to others)
  3. Blind Spots (Traits known to others but not to self)
  4. Unknowable (Traits unknown to others, and not know to self)

Goldsmith says that the most interesting traits to examine and study are #3, the blind spots known to others but not to ourselves.  He provides a formula for detecting these traits, examining them, and fixing any negative discoveries.  The formula is:

  1. Collect feedback from everyone around us, using both deliberate and subtle tactics.
  2. Apologize to everyone for any negative traits.
  3. Advertise that you are beginning a personal campaign to improve and that you would like their feedback periodically as you work on improvement.
  4. Listen to feedback in terms of “what can I do in the future to improve” and not “what did I do wrong in the past” (one is positive, one is negative)
  5. Thank people for their suggestions, and don’t disagree with them.
  6. Follow-up relentlessly.  This is the key to the improvement process taking shape.

He explains, for example,  that as a professional coach, he and a colleague call each other each evening and report to eachother on the progress of their goals.  This simple practice enables them to metric their performance over time–the same thing effective executives do to examine trends in their departmental interests.

Goldsmith discusses several other topics in his book.  One interesting aside is a list of common reasons why goal setting can fail:

  1. Time: It takes longer than expected, so it couldn’t be completed.
  2. Effort: It’s harder than was expected.
  3. Distractions: Nobody expected a “crisis” to emerge that took resources or time away.
  4. Lack of Rewards: After they see some improvement, they don’t get enough positive response from others, so they give up.
  5. Maintenance: Once a goal is met, there is no fortitude to stick with the pattern that brought success.

One of the closing thoughts in Goldsmith’s book struck me as quite novel.  As one of his executive coaching tools, he sometimes asks executives to produce a “How to Handle Me” guide for his staff.  This is a short memo detailing behavior, values, lessons from past experience, and input from past and present coworkers and direct reports.

As new hires are onboarded, part of their welcome packet is the “How to Handle Me” guide from their manager.

I found the most valuable part of Goldsmith’s book to be his formula for collecting feedback about others’ perceptions of us, and how we can affect change within ourselves where needed.  I appreciated Goldsmiths continuous transcentions that all of these tools and dynamics also have value at home to improve our family lives and social relationships.  This was a reoccurring theme in his book.

I recommend Goldsmith’s book for middle to senior level management, and to any husband or wife.

Mike J. Berry
www.RedRockResearch.com

Book Review: The 360 Degree Leader

John C. Maxwell’s book,  The 360 Degree Leader, is an excellent field-guide for navigating the challenges of leadership at all levels of an organization.

Maxwell starts his book by dispelling many common dysfunctional myths that are found at line-level, or middle-level management.  Ideas such as “When I get to the top, I’ll be in control,” and “If I were on top, then people would follow me” are inaccurate adolescent attempts to understand the true nature of leadership–which is influence.

Maxwell continues by explaining the characteristics of influence:

  1. Position – Influence because people have to follow you.
  2. Permission – Influence because people want to follow you.
  3. Production – Influence because of what you have done for the organization.
  4. People Development -Influence because of what you have done for them.
  5. Personhood – Influence because of who you are and what you represent.

Maxwell gives examples of effective leadership in all directions: up, across and down.

To lead up well, he suggests you lighten your leaders load, anticipate your leaders needs and use their time wisely, and invest in Relational Chemistry–get to know what makes your leaders tick.

To lead across, Maxwell suggests you focus on completing your fellow leaders, instead of competing with them.   Be a friend, don’t pretend you’re perfect, and avoid office politics.

To lead down, Maxwell suggest you develop each team member, place people in their strength zones, model the behavior you desire, transfer the vision from above, and reward the results you desire.

Overall this is a good book worth reading and re-reading every so often.  I recommend it for managers at all levels.

Mike J. Berry
www.RedRockResearch.com

« Previous PageNext Page »