Fight for Your Hiring Process

In the war for talent, are you like the Ukrainians or the Russians? Canonical, the publisher of Ubuntu Linux, obviously hasn’t heard that the labor market is tight. One candidate published the email describing Canonical’s hiring process, and it has gone viral on the internet.

In addition to a 40-bullet-point written interview, there is an aptitude assessment, a personality assessment, a culture assessment, an HR assessment, a peer interview, a tech assessment, a hiring manager interview, and a senior lead interview. The candidate withdrew their application.

If you have a hard time attracting the talent you need, examine what your hiring process looks like from the applicant’s side. Unless you actively fight to keep it simple, it will insidiously accumulate additional steps and bullet points until it degenerates into a ridiculous CYA box-checking exercise. You should be able to decide whether to hire someone based on their resume and two interviews.

How are you Vetting New Packages?

Some of the code you depend on was written by Ukrainians, Russians, and hacktivists. Deep in the dependency tree of the NPM packages your software depends on, you will find node-ipc. That package was recently drafted into the ongoing war in Ukraine: if you are in Russia or Belarus, it will delete your files. Otherwise, it will only write an anti-war message to stdout and put it on your desktop.

As a professional organization, you are surely not pulling the latest software packages directly from a repository on the internet. But what is your procedure for vetting new versions before you incorporate them into your blessed repository? With the current threat level, having a single overworked developer do this in addition to their normal development tasks is not a good idea.
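One concrete piece of such a vetting procedure is to never let a new lockfile into the blessed repository without a diff against the previous one, so that every new or changed package is listed and the ones that need a human look are queued up. The following is an added example, not code from the original article or from any project it mentions: it diffs two npm lockfiles (the `packages` map of lockfileVersion 2/3, including the `hasInstallScript` flag npm writes for packages that run install scripts) and flags versions that are not on an approved list, major-version jumps, and install scripts. Both lockfiles, the package names, the versions and the approved list are constructed for the example.

```python
import json

# Constructed sample lockfiles in the npm lockfileVersion 2/3 "packages" shape.
# Package names and versions are placeholders, not real releases.
OLD_LOCK = json.loads("""
{
  "name": "example-app", "lockfileVersion": 2,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/pkg-a": {"version": "1.4.0"},
    "node_modules/pkg-b": {"version": "9.2.1"},
    "node_modules/pkg-c": {"version": "1.3.0"}
  }
}
""")
NEW_LOCK = json.loads("""
{
  "name": "example-app", "lockfileVersion": 2,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/pkg-a": {"version": "1.4.0"},
    "node_modules/pkg-b": {"version": "10.1.0"},
    "node_modules/pkg-d": {"version": "0.1.0", "hasInstallScript": true}
  }
}
""")

# Constructed approved list: (name, version) pairs someone has already vetted.
APPROVED = {("pkg-a", "1.4.0"), ("pkg-b", "9.2.1"), ("pkg-c", "1.3.0")}


def package_map(lock):
    """Map each installed path (e.g. "node_modules/pkg-a") to its lockfile entry.

    Keying by path rather than name keeps nested duplicates
    ("node_modules/x/node_modules/y") distinct.
    """
    return {path: meta for path, meta in lock.get("packages", {}).items() if path != ""}


def major(version):
    """Major component of a semver string ("10.1.0" -> 10, "1.0.0-beta" -> 1)."""
    return int(version.split(".")[0])


def diff_locks(old_lock, new_lock):
    """Return the added, removed and version-changed package paths between two lockfiles."""
    old, new = package_map(old_lock), package_map(new_lock)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new)
                     if old[p].get("version") != new[p].get("version"))
    return {"added": added, "removed": removed, "changed": changed}


def review_queue(old_lock, new_lock, approved):
    """List the new or changed packages a reviewer must vet, with the reasons.

    Removed packages need no vetting; they are still visible via diff_locks().
    """
    old, new = package_map(old_lock), package_map(new_lock)
    delta = diff_locks(old_lock, new_lock)
    findings = []
    for path in delta["added"] + delta["changed"]:
        name = path.rsplit("node_modules/", 1)[-1]
        version = new[path]["version"]
        reasons = []
        if (name, version) not in approved:
            reasons.append("version not on the approved list")
        if path in old and major(old[path]["version"]) != major(version):
            reasons.append(f"major version jump {old[path]['version']} -> {version}")
        if new[path].get("hasInstallScript"):
            reasons.append("runs an install script")
        if reasons:
            findings.append({"package": name, "version": version, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(json.dumps(diff_locks(OLD_LOCK, NEW_LOCK), indent=2))
    for item in review_queue(OLD_LOCK, NEW_LOCK, APPROVED):
        print(f"{item['package']}@{item['version']}: " + "; ".join(item["reasons"]))
```

In practice the approved list is the set of versions already in the blessed repository, and the queue is what the reviewer works through before a lockfile is promoted; an empty queue means nothing new entered the tree.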

Cybersecurity Insurance: Read the Fine Print

When are you in a war? Your cyber insurance policy probably contains the standard exclusion: it does not cover acts of war. But when a war is being fought partially in cyberspace, it can be hard to tell whether you are part of it.

Insurers tried to use the war clause to wriggle out of a cybersecurity claim lodged by Merck. Merck was hit by the NotPetya attack that spilled over from Ukraine into the systems of global shipping giant Maersk as well. The insurers claimed it was war, but a judge recently dismissed that argument and ordered them to pay up.

The insurance industry is tightening up its exclusion language with new definitions from the Lloyd’s Market Association. If you recently got an email from your insurance company with a boring “we have clarified the terms” subject line, read it carefully. You just might find that your insurance company has redefined your cybersecurity coverage to be worthless.

Cybersecurity must be risk-based

Good cybersecurity is based on risk analysis. It is not based on locking down everything as tightly as you can.

I’ve been discussing the consequences of the war in Ukraine with several cybersecurity experts. Some argue that if you have to strengthen your defense now, it means it was too weak before. That is a fundamental misunderstanding of security. Security, like availability, reliability, and many other aspects of your technology, is a trade-off. Higher security costs more money and slows your organization down. You don’t always need maximum security. You need a security level that is appropriate to your risk.

Right now, cyber-warriors and vigilantes are firing indiscriminately in all directions. You might get caught in the crossfire even if you have nothing to do with either side in the war. That is why your risk has increased and you need to strengthen your cybersecurity posture. When the war is over, you can reassess your risk again.

People and Material

“In war, three-quarters turns on personal character and relations; the balance of manpower and materials counts only for the remaining quarter.” Napoleon said that in 1808, and it applies equally in Ukraine today.

It also applies in other human endeavors. You can see organizations performing well with antiquated IT systems, and organizations making a mess of their customer service even though they have the latest and greatest cloud services. Simply rolling out new technology without considering people, organization, and processes will not improve your organization.

Do People Believe You?

How is your credibility balance? Will your employees, partners, and customers believe you in a crisis?

The information war accompanying the kinetic war has been resoundingly won by Ukraine. Many of the stories coming out of the conflict zone are false, but Ukrainian stories are given the benefit of the doubt while Russian stories are immediately disbelieved.

Honest communication adds to your credibility balance. Trying to sweep your failures under the carpet, or hitting your critics with spurious DMCA takedowns and questionable lawsuits, detracts from it. If you are in a credibility deficit when the next crisis hits, it will become orders of magnitude worse.

Don’t Ask Half Questions

Asking half questions leads to dangerous outcomes. We just saw an example when irresponsible Reuters pollsters looking for a scoop simply asked Americans “should NATO establish a no-fly zone over Ukraine?” They got a resounding 74% approval.

Another pollster asked the question with the qualifier “knowing that this will lead to direct war with Russia,” and support dropped to 34%.

A complete question asks “are you willing to accept this downside to gain this upside?” Organizations get an idea, focus on the upside, take a cursory glance at the downside, and then take erroneous or even disastrous decisions. Who has the job of ensuring the downside is examined as well as the upside? You might need someone external to provide this.

There is Always an Alternative

There is always an alternative. Not looking for it is either intellectual laziness or willful manipulation. Margaret Thatcher, Prime Minister of the UK for a decade, was known among friends and enemies alike as “TINA” due to her habitual insistence that “There Is No Alternative.”

As an IT leader, you are bombarded with requests to make specific technical decisions. Many of these are attempts to railroad you into choosing a technology that the team would like to play with and put on their CVs. When presented with a single option, ask for more. When one of the options is the obvious slam dunk, examine what has been left out of the presentation of the others. Binary choices are common in computer programming. In the real world, there are always many choices.

Are you Monitoring Important Systems?

New York is replacing its payphones with LinkNYC access points providing free calls, 911 calls, free WiFi, charging, and more. You would think such a system would warrant professional monitoring. Nevertheless, some of these devices just show a blue screen of error messages followed by a Linux login prompt.

  • Monitoring of crucial systems must include an automated mitigation action and reporting to a 24/7 operations center.
  • Monitoring of important systems needs immediate alerting to staff on call.
  • Monitoring of normal systems only needs to log a trouble ticket to be addressed by regular staff during working hours.
  • Low-priority systems do not need active monitoring.

It seems these kiosks are not as important to the company running the system as they were to the Mayor promising them.

Does every system on your central system list have a monitoring priority? When was the last time you checked with the person who has technical responsibility for each system what monitoring is actually in place?
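The two questions above can be turned into a routine check rather than a conversation you remember to have once a year. The following is an added example, not code from the original article or from LinkNYC: it audits a constructed system inventory against a constructed monitoring configuration using the four priority tiers described above, reports systems with no tier (or a crucial tier with no automated mitigation), and decides which actions a failed health check triggers for each tier. The tier names, action names, system names and both data sets are assumptions made for the example.

```python
# Constructed central system list; in practice this comes from the CMDB or asset inventory.
SYSTEM_INVENTORY = ["payment-gateway", "kiosk-fleet", "intranet-wiki", "dev-sandbox", "hr-portal"]

# The four tiers from the text, mapped to the actions a failure should trigger.
# Tier and action names are assumptions for this example.
TIER_ACTIONS = {
    "crucial":   ["automated_mitigation", "report_to_24x7_ops"],
    "important": ["page_on_call"],
    "normal":    ["open_ticket"],
    "low":       [],
}

# Constructed monitoring configuration. "hr-portal" is deliberately absent to show
# the gap the audit is meant to catch.
MONITORING_CONFIG = {
    "payment-gateway": {"tier": "crucial", "mitigation": "restart_service"},
    "kiosk-fleet":     {"tier": "normal"},
    "intranet-wiki":   {"tier": "normal"},
    "dev-sandbox":     {"tier": "low"},
}


def audit_priorities(inventory, config):
    """Return {system: problem} for every inventoried system whose monitoring is incomplete.

    A system is a finding if it has no monitoring entry, an unknown tier, or a
    crucial tier without the automated mitigation action that tier requires.
    """
    findings = {}
    for system in inventory:
        entry = config.get(system)
        if entry is None:
            findings[system] = "not in monitoring configuration"
        elif entry.get("tier") not in TIER_ACTIONS:
            findings[system] = f"unknown tier {entry.get('tier')!r}"
        elif entry["tier"] == "crucial" and not entry.get("mitigation"):
            findings[system] = "crucial tier without an automated mitigation action"
    return findings


def route_failure(system, config, during_working_hours):
    """Return the ordered list of actions a failed health check triggers for a system."""
    entry = config.get(system)
    if entry is None or entry.get("tier") not in TIER_ACTIONS:
        # An unclassified system must not fail silently: page someone and record the gap.
        return ["page_on_call", "flag_unclassified_system"]
    actions = list(TIER_ACTIONS[entry["tier"]])
    if entry["tier"] == "normal" and not during_working_hours:
        # Normal systems are handled by regular staff, so an off-hours ticket simply waits.
        actions.append("defer_until_working_hours")
    return actions


if __name__ == "__main__":
    for system, problem in audit_priorities(SYSTEM_INVENTORY, MONITORING_CONFIG).items():
        print(f"AUDIT {system}: {problem}")
    for system in SYSTEM_INVENTORY:
        print(f"{system}: {route_failure(system, MONITORING_CONFIG, during_working_hours=False)}")
```

Running the audit on every change to the inventory or the monitoring configuration is what keeps the answer to “does every system have a monitoring priority?” at “yes” between the conversations with the technically responsible people.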

Fancy or Usable?

Do you want something that works or something that looks fancy? Sometimes these two objectives come into conflict. Too often, IT professionals can’t imagine a solution that does not involve touchscreens and mobile apps.

I’m staying in an upscale hotel in New York this week, and the control panel for heating and lighting is definitely old-school. But it works. And it can be understood and operated by every age group likely to frequent the hotel.

Meanwhile, back in Denmark, we are currently rolling out a new central authentication system. You will have to figure it out in order to do online banking or access public services. It was designed by tech-savvy young people and is very fancy. Too bad it has left hundreds of thousands of non-computer-literate citizens desperately calling the understaffed phone helpline.

Are you sure the solutions you roll out have been tested by the entire target audience?