Project Management Without Technical Knowledge

I recently received an email from a project manager who was trying to do their best, but was flummoxed by the technical staff (engineers) who were constantly speaking above the project manager.  I have been in this exact situation in the past with engineers and technicians that attempted to talk above me while making their points.  I learned the hard way that just taking that tech talk and attempting to relay that up to my bosses failed miserably.

I responded to the project manager with this email that I wanted to share with you as the reader.  Although I realize that everyone is different, I wanted to ensure I placed my L.O.V.E. (learn, offer, value, and educate) model into the answer.  In essence, I wanted the project manager to learn from the engineers using them as mentors, offer them thoughts in the form of questions, value what they had to say, and finally educate the project manager’s bosses on what the engineers found in a language that the bosses could understand.  I think I hit all those points, but you can judge for yourself.

I imagine that it must be very difficult in your position as a project manager with technical people around you, especially engineers.  I have two brothers who are engineers and sometimes feel inadequate around them.

So, given those background facts, what can you do to increase your “value” while dealing with engineers in your project?  First, I am sure you are aware of the many free courses that are available on the internet to gain some technical knowledge.  There are articles on specific technical areas and, although some are difficult to understand, some are really a good explanation of the technical arena.  There is an entire series of free courses from Stanford University (www.stanford.edu) that can give you some good background.

Second, and probably most important, is to use that “force” that is against you as a force for you.  If you are into any martial arts, you know that the way to defeat an opponent is to use their force against them.  My sister is a black belt in Tae Kwon Do and I am an orange belt in Judo, and it was my sister who told me about using the force generated by the opponent against them.

What does that mean from your standpoint?  You have the opportunity to use every one of the engineers as a mentor, a repository of information, a way to get information from them and let them value you as a colleague.  When I was a project manager, I had times when the technicians would constantly try to convince me that they were doing the right thing and use terms and definitions that I did not understand.  Technical people do this because they do not want to take the time to explain something.  They just want to do it.

What I would do is to think strategically and value their knowledge, but offer my thoughts.  For instance, a PhD was explaining his dissertation (which they LOVE to do, by the way), which was tracking a pollutant in water using sensors.  I used his dissertation theme and transformed it into tracking possible criminals also using sensors.  He was thrilled and headed off to take his data points and use them for this new application.  Did I understand the technical parts of the dissertation?  No way, but I did understand the concept and used that to translate it into something that was current and appropriate.  You can do the same thing.  The transcript of the email is below.  The name of the project manager, or the location of that project manager, is not included for privacy reasons.

When an engineer talks to you about a part of the project, translate it into something that you can understand and then let him/her agree with that translation.

For instance, if the discussion is about information technology infrastructure, the technical person may say something like:

Engineer:  “If we add these routers to the infrastructure, we will overcome the limitation of IP addresses that currently exist.  We have to get these routers in order to fix this problem.  The cost is about $10,000 per router and we need your okay to make this happen.”

First of all, you need to find out more about IP addresses and routers, which you can look up on the internet, but you can ask some basic questions.

You:  “In order for me to talk intelligently about this with my superiors and ensure that we get the funding for the routers, I need some more information.  First, how many IP addresses are there currently being used and how many are predicted for the future?  How many routers are there and how many IP addresses are they capable of storing or distributing?  I am assuming that an address that you are referring to is like a street address in that people can only have one per house or apartment, is that right?  Finally, how did you come up with that $10,000 figure?  Did you competitively price these routers?  Oh, and one more question, when do you need these routers so we can plan that in the schedule?  Let’s make a 30 minute meeting this week to go over some of the information so that I can explain it better to my superiors.  You sound like you have your act together with this thing, and I want to support you wholeheartedly.  In order to do that, I need as much information so I can answer the questions to my bosses.  Help me help you.”

I am not saying that this is a script or that this is something that will work every time, but what you are doing here is taking what you know and using that to leverage yourself so that the engineers will value you.  Remember that you are the project manager, so you have the responsibility to keep everything on track.  You need to have those engineers know that without your help, things will fail to succeed.

Be nice, be kind, but be firm.  You value their opinion and their technical expertise.  What they need to value is your organizational skills and your ability to keep everything on track.  Please let me know how it goes and keep being positive.  Remember that you are learning from them in order to increase your value and your offering.  Just by reaching out for help, you are acknowledging your willingness to learn.  Keep asking questions and taking good notes.  You will do great!

I hope that this helps somewhat with those that are in the dark with their engineering staffs.  Everyone wants to succeed; whether it be the engineers or the project managers.  Use their desires as just that and move to understand them the same as someone that speaks a foreign language.  We all want to understand one another, it is just a challenge at times (just ask my wife).  Keep the L.O.V.E. model in mind!

Environmental Force Effect Analysis (EFEA), CyberSecurity, Project Management – Part 1

I am a private pilot that hasn’t been in a cockpit since the 1980s.  That is a shame since I really liked flying.  I enjoyed being up there alone, just me and the machine, battling all the different forces that hit that aircraft whether it be wind, rain, downdrafts, or updrafts.  I was once pushed up over 1000 feet because of an updraft; it was relentless and I was powerless.  The instructor, who was with me at the time (whew), told me that there was nothing I could do and to just ride it out and ensure that the aircraft was straight and level; consistency and stability were the keys.

I recently remembered that story and associated it with life in general or, since I am a business owner, the business aspects.  Let’s say that you are making money hand over fist (an updraft), or the project is going extremely well, or your cybersecurity is doing what it is supposed to do; the consistency of the moment is unbelievably important.  You must keep the “plane straight and level” meaning that you must keep an eye on the project costs and schedule, or you must ensure that the cybersecurity policies are consistent, in order to keep everything stable during the period of updraft.  This means that, like the wind or the updraft or any force on the object, the idea is to counter that force and keep the plane on course and straight and level.  In the world of flying, in order to keep your aircraft on course when the wind is against you, you adjust your course to account for the wind.  What if progressing through a project or implementing cybersecurity did the same thing?  What if you could use existing flying tools to adapt to changing forces in the environment?

This is where the theory “Environmental Force Effect Analysis (EFEA)” comes into play.  Basically, what this does is use existing flying tools to adapt and adjust your course to ensure you stay straight and level and on course for the future.  I am completing an article for the PMI Journal on MegaProjects and realized the company I was profiling was carried through some buffeting times and still is extremely strong today, even though forces pitted against it should have crashed it several times over.  After some analysis, I found that the company realized the force against it and countered it with some far-reaching strategic solutions, which it then adapted as those solutions were hit by even more forces.

How does this theory work?  It works on the Kepler law of motion that every action has an equal and opposite reaction.  The force is treated as a wind that is hitting your object (business, project, etc.) head on (0 degrees), slight cross-wind (45, 135, 225, 315 degrees), full cross-wind (90, 270 degrees) or tail-wind (180 degrees), with the object always traveling in a consistent north direction (0 degrees).  What you are trying to formulate is the ground speed at each of these forces, since that is the actual speed you are traveling.  The true air speed is the speed your aircraft gauge reads, which would be your revenue or sales or iteration completion time or cyber outliers detected, etc.  You set the “true air speed.”  The ground speed is the rate you are going with the force against you (or with you).

The next article will delve into the specifics of the formula and how to calculate the true ground speed and how this can be adapted to your project.  This is just a theory at this point, and is being developed, so please excuse the very elemental nature of this explanation or description.  It is a work in progress.

Learn, Offer, Value, and Education (LOVE) http://www.grectech.com

Are Insider Threats caused by Bad Management?

As a manager in a variety of workplace settings including the military, public service, private industry and academia, I know how management philosophy and application can affect the workforce for both good and bad.  Most bad managers are usually bullies, forcing their staff to perform unnecessary or repetitive work in order to exert control.  Most employees just take this abuse, or else look for employment elsewhere.  But what if these employees were not malicious, but just made human errors as a result of the work environment, where they were stressed and overworked?

I did some preliminary research on this subject and found a great article on Human Factors in Critical Infrastructure Security by Ayhan Gucuyener on LinkedIn (https://www.linkedin.com/pulse/human-factor-critical-infrastructure-security-insider-ayhan-gucuyener).  In this article, Ms Gucuyener gives some fantastic research data from several sources including Carnegie-Mellon University and the Department of Homeland Security on why individuals become an insider threat and what positions they have at the time they commit that threat.  The results are relatively predictable, with the majority of individuals stating that they commit the act out of financial gain, and the positions they possess are usually in the IT area of the company.  The recommendations that she gives are also very good, focusing on the Human Resources side of the company in the form of hiring practices and different security controls.

What does this have to do with the line management responsibility?  Everything!  I realize that Human Resources is the first line of defense when it comes to the insider threat, but the management is the consistent line of defense for employees once they enter the workforce.  I say that from decades of experience.  I know first hand what bad management can do to the workforce and how that workforce can strike back in ways that are both subtle and effective.  At several times in my management career I was a bad manager, expecting more than was reasonable and demanding results, no matter what the cost.  The way that my workforce struck back was relatively low tech – following instructions to the letter, ensuring my documentation on tasks was thrown back in my face in a very respectful manner, and just basic stalling using my words and tasking against me.  As a workforce member with a bad manager, I did the same thing.  In a highly bureaucratic organization, this is done more than you think, and is unpunished since the manager sets themselves up for the fall.  Of course, by expecting unreasonable goals, I also placed my staff in a stress mode, with them wanting to satisfy my desires and spending more time in the office to do so, resulting in fatigue and more human error.  So, the conclusion is that you have insider threats already existing in the organization and now they have the technology to not only put a wrench in the works, they can do so with a machine’s ability to perform tasks in nanoseconds.

I was also in IT as a systems administrator and can tell you that systems administrators have the ability to place little bugs in the system that may not be found for months and in the meantime spread poison throughout the system.  Even when the mistake is not intentional, an IT systems administrator has great impact on the computer environment and as much impact on the security of that environment.  I see through some of my research that people do not always commit insider threat because they are being malicious.  A study completed by Carnegie-Mellon University for the Department of Homeland Security in 2013 called “Unintentional Insider Threats” (http://www.sei.cmu.edu/reports/13tn022.pdf) notes that there are instances when an insider threat is not done out of retribution but is unintentional because of fatigue, incidental use of drugs or hormones, along with other factors.  On page 42 of this report, one of the main recommendations for mitigation of these unintentional insider threats (or UIT as in the report) is focused on “human error.”

“Human error plays a significant role in UIT. Countermeasures and mitigations to decrease UIT incidents should include strategies for improving and maintaining productive work environments, healthy security cultures, and human factors for increased usability of security tools to decrease the likelihood of human errors that lead to UIT incidents.” (page 42 of the report).

Human error in this case is associated with work environments, of which the manager is the lead observer of the workforce in this environment.  I postulate that trust is a major factor between the workforce and manager, so if the trust is absent, so is the observation of the environment.  One real life example of this was when I was a manager of IT project managers.  Because of the trust that I kept with that workforce, my staff brought problems to me prior to those problems being disasters.  It also helped that I did not punish them for mistakes, which helped keep that trust relationship solid.  Human error is not something that we can eliminate, but it is something that we can control through good communication and trust relationships, all an essential part of good management.

More articles on this in the future.  A quick note to the managers out there:  read my book “L.O.V.E. is the Answer” available through http://www.lulu.com.  It gives you some basic essentials for how to treat your staff and make you a better manager and person.

Occam’s Razor and “Cutting Edge” Email Security

You have probably all heard of Occam’s Razor, a theory attributed to William of Ockham centuries ago, whose conventional use is associated with the adage “given two solutions, the simplest solution is probably the best.”  Well, after some research, it turns out that this is just one of many interpretations of this theory, others being that an “entity should not be multiplied beyond its necessity” as well as others (see the Wikipedia entry on Occam’s Razor as well as read Charles Mackay’s Extraordinary Popular Delusions and Madness of Crowds by Tim Phillips).  The reason I write today about this used (and somewhat overused) theory is that it can be useful with computer security in your company.

After working in several federal government agencies, I found two different security methods.  The first one was “keep it secure at some point, but otherwise keep it open” while the other one was “keep it secure until otherwise needed.”  These two competing forms of information security had their advantages and disadvantages, but I found one thing in common – keep it simple.  Take, for instance, the email address.  In order to ensure consistency, most email addresses contained something that was pretty easy to remember for the user – the first name and the last name.  The problem with having this as a standard is that all an amateur hacker needs to get into someone’s email is the user name, since that gives them the ability to attach a text file with malware and they are in the company.  I could give you some advice on this, but that could make me a black hat, so I will not do that here.  Instead, let me give you some advice on email names.

First, do NOT base your email name on your first and last names!  I cannot count the times that I see this, even with friends that are computer security specialists.

Second, do NOT put a date in that email address!  Any date has to be based on something and someone will figure it out – period.  If someone wants to get to your personal information, why make it easy for them?  If you must put a number in your email address, make it something that means nothing to you personally (like the number for pi – 314 – or something similar).

Third, do NOT use your middle name if you have a choice.  Again, the middle name can mean something more than just your middle name.  It could be your mother’s maiden name and you never want to give that out.

Treat your email address as you would any other piece of personal information.  Make the information displayed as hidden as possible.  Don’t worry.  Those people that you know will probably know when your birthday or anniversary is, so they will remember.

Just a quick bit of tips from the people at GRECTECH (www.grectech.com).

Should We Teach Cybersecurity Ethics to Children?

I have done some preliminary research on teaching cybersecurity ethics and have found articles written by academia, federal government agencies, and private industry.  But I have yet to find one written about teaching cybersecurity ethics to children attending middle or high school.  In one article, by KQED news, there was a survey that showed that 91% of teachers felt that there should be instruction on on-line ethics but less than half believed their school was doing a good job of teaching those subjects (http://ww2.kqed.org/mindshift/2011/05/19/how-well-are-schools-teaching-cyber-safety-and-ethics/).  This is one concern that I share after teaching very briefly at the middle school level.  The facts and theories taught are not being associated with the ethical standards that surround them.  Teaching middle school and high school students basic programming does not address the idea of copyright laws and that, although copying modules of code to enhance your system is accepted, that does not make it correct.  The very idea of teaching students ethics is no more unorthodox than teaching them the rules of the road when taking driver’s education.  I am positive that the driver’s education instructor covers the proper way to park, the proper way to make a turn, signaling others, etc.  Although there is some foundation in the law, the reason people do this is to be courteous to others, to give others consideration.  Is that not what ethics covers in the long run – consideration of others?  Why should being online be any different?

What types of subject matter should be taught when covering cybersecurity (or for that matter cyber) ethics?  The first, and most important, is to regard others’ information as private.  One would normally not break into a person’s home and steal anything, but somehow it is okay to break into their email and steal information, or to take a stolen password and steal a person’s bank account.  Teaching the student that this is not the right thing to do is the first step to getting them to think through the process.  What is happening now is what I call “enabling the bad.”  Basically, by TV shows and movies showing the glamour of hacking and stealing, we are endorsing the behaviors that we would not want our peers to possess.  By teaching the right/wrong aspects, we are no longer providing the plausible deniability that many hackers are using for their activities.  How many times have you heard that the hackers are “just equalizing the playing field” or “righting a wrong?”  It is this type of thinking that can at least be addressed with the ethics training.

The second part of the ethics training could be a series of simulations where the students interact in the scenario.  A few of these are included here:

  1. The student is confronted by another student that says they posted something bad about them on a social site.  The student has no knowledge of this but remembers giving someone else a password to his/her site.  How does the student address this problem?
  2. A student realizes that they copied code from another student which helped the first student to deploy an app that is making money.  The other student recognizes the app.  How would the student who copied the code address this problem?
  3. A student reads something bad about another student online that he knows is false.  What does the student do?
  4. A student is approached with the username and password of another student to use as he/she sees fit.  How would the student handle this situation?

Granted, there are hundreds of scenarios, but these are important because young students do not think of strategy in terms of years but sometimes hours.  Unfortunately, the decisions they make now based on what they think will happen in hours do not seem to pass the test of extended time past that hour.  Ethics training should take these situations head on and show the student that decisions made now for their strategic outlook may affect them for years.  That is a big task, but one that has to be taught, not assimilated by other people who think that technology usurps human interest.

Is CyberSecurity “Child’s Play?”

I have read so much about the technology that accompanies monitoring for possible breaches that I consistently come back to “Ockham’s Razor.”  Most people believe that this adage is about “the simplest solution usually being the best” but that is not the whole story.  The Latin phrase that William of Ockham used meant “Among competing hypotheses, the one with the fewest assumptions should be selected” (according to Wikipedia).  Another interpretation would be that “entities should not be multiplied beyond necessity.”  In all these theories, it is evident that it is best to keep things simple.  So why are we increasingly making cybersecurity more difficult?

No matter how many people you have as employees, by having more than one set of eyes and ears, you have a monitoring system already in place.  If you do not have the employee loyalty that you need for people to help this monitoring, then the bottom line is you need to increase that loyalty through some good ol’ fashioned management and mentoring.  Other IT professionals that I talk with mention the “insider threat” but I counter that if you have a loyal workforce, the insider threat is reduced or even eliminated.  There is a difference between insider threat and insider mistake.  Your yearly computer security policy is rarely read and rarely dignified with more than a perfunctory glance, so make it part of the weekly staff meetings or town hall meetings.  Point to people that were vigilant and what they received in the way of reward for being that vigilant.  Ladies and gentlemen, treat your workforce as if they were people you want to respect and they will respect you.  If you are a parent, you know that treating your children with respect always lands you on your feet — do the same with your workforce.  I will write more on this as this topic is beginning to finally sink in to the cyber workforce.  The more “buttonology” we employ, the more difficult it is to get the “troops on the ground” to take notice.  In fact, if you make the cybersecurity so complex, the workforce will work to avoid or to bypass that security — making again an insider threat into an insider mistake.

If we do not start considering the human factor in all this, we are doomed to making people more scared of the cure than of the disease.