Wednesday, September 9, 2015

Buyers Seek Sellers


In the normal course of my life I am a buyer. I buy groceries, gadgets on Amazon and occasionally a new car or furniture. In all these cases I select the seller and go to their marketplace, electronic or physical, to search for the exact product I want. This system works well for me; it's efficient and doesn't waste my time.

Then there are the others, like the door-to-door salesperson, hoping to find that I have carpet in my house so I will submit to a demonstration of their multi-thousand dollar amazing carpet cleaner and high-pressure me into buying one. Sadly they see hardwood flooring and trudge away. But it's still a waste of time to answer the door and say no. And there are the alternate electric and natural gas suppliers, various religious groups and magazine sales people. Sellers seeking buyers is very annoying, even more so when they use my email inbox to get my attention that way. Even with spam filters and blacklists they get through on a routine basis.

Perhaps this is why the job seeker is in such a bad position. They are a seller of services trying to find a buyer. This should be very inefficient, if not downright annoying, to the buyer. And it is. Digging through dozens or even hundreds of resumes per job posting, hoping to find some keywords that differentiate a few applicants that deserve a first interview. To make matters worse, the job seeker usually doesn’t find the hiring manager directly, at least not until the first interview, if then. So we end up with a seller dealing with an agent (HR) of the buyer. Or even worse, a seller dealing with an agent (recruiting firm) of the agent (HR) of the buyer. Not surprising this situation is horribly inefficient and terribly frustrating.

Solving this situation is the purpose of a reverse job fair. A typical job fair has the buyer occupying a booth with the sellers wandering around trying to figure out who to talk to. The reverse job fair flips this. The seller occupies the booth and the buyer seeks the type of seller they need. This makes the marketing of the seller at the forefront. If it was me, my booth would clearly display my talents, experiences and the types of positions that interest me. A buyer would immediately know if I’m the type of seller they are looking for, and not waste their time, nor mine. A short, face-to-face conversation between the buyer and seller will quickly determine if there is mutual interest in taking the next step.   

So at first blush a reverse job fair might seem like a strange idea. But applying the rule that buyers seeking sellers is the proper direction, you can quickly understand why a reverse job fair is not just a great idea, it’s simply following the same path that you, the consumer, know is the right way to approach any purchasing decision.

Wednesday, September 2, 2015

Recent MIS Careers


The increasing complexity of modern businesses, opportunities driven by continually decreasing technology costs and the dependence on these technology assets have led to similar patterns of problems across many companies. The right projects are not being identified, selected or scoped properly. Projects are not consistently completed, often delivered late or come in significantly over budget. Business decisions are made without solid understanding, even though we're seemingly swimming in data, spread throughout the company's disparate systems. Computer viruses, social engineering attacks and headline-making data breaches are causing Board-level attention to the risks, threats and reality they pose. Each of these problems in turn creates career opportunities for the creative, the disciplined and the deeply curious. And these in turn created the demand for advanced degrees and concentration in these specialized areas.

That led me to take a critical look at the creation of four concentrations within the University of Dayton's graduate Management Information Systems (MIS) program. The business problems described above are addressed by focused curriculum on Business Analysis and Design, Project Management, Business Intelligence and Cyber-Security.

I put a single word to describe each of these, hoping that might lend some insight. Here's what they mean to me.

  • Business Analysis and Design - “Starting”
  • Project Management - “Finishing”
  • Business Intelligence - “Knowing”
  • Cyber-Security - “Protecting”

So what does that mean to a prospective student? That depends on understanding what you really like to do. That can be a difficult introspection for those early in their adulthood, and those preferences can change over a lifetime. But perhaps some guidance or direction can be gained by seeing which of the following, if any, is appealing.

"Starting" appeals to the creative person who sees a blank sheet of paper as their type of challenge, willing to explore the unknown and quickly turn around when they’re headed down a dead-end alley. One win amidst five losses is not just OK, but the way they want their world to work. Like many entrepreneurs, they are big-picture risk-takers, flexible and open-minded.

"Finishing" appeals to the disciplined person that defines success as getting it done, completed, put to bed. They like picking up a defined project with clear goals, laying out responsibilities, caring about the details, clearly communicating, understanding the interdependencies among hundreds or thousands of tasks and being the task-master, holding people accountable for completing their parts on time. They deal with the inevitable roadblocks, bottlenecks and issues, finding creative ways to restructure the plan to meet the objectives.

"Knowing" appeals to people that like bringing clarity, a deeper understanding or a new insight into an existing situation and the persistence to solve complex problems. Most of the data that exists within companies start in transaction-based systems. This data is structured to support running their defined business processes, but it's typical that this data is not designed to help support changing those processes. Merging this type of data, which can originate in many different systems, and performing advanced analysis is an appealing big reward, big challenge puzzle.

"Protecting" appeals to the safety minded, those who look to defend their set of technology assets, increasingly a "life or death" struggle, to ward off computer hackers, data thieves and anyone with an agenda against their company. It's an environment of constant learning and challenge as these criminals employ the latest techniques against both the technology and their users. You must be ever vigilant, never satisfied or complacent, and persevere through the tough times, as most companies will be compromised at some point from either external or internal threats.

All four MIS concentrations should provide a long-term career as their underlying business and technology drivers continue to become ever larger and more complex. If one or more of the above sounds like your type of challenge, explore them with the faculty at your university.

Thursday, June 4, 2015

A Dose Of Human Reality

In the world of computer security, much depends on users selecting complex passwords and avoiding using known information like their children’s names or their favorite hobbies. It’s really important, and we count on their active involvement.

Now, a dose of human reality.

These are the same folks that slow down to 60 mph in a 70 mph zone when they see a police car, the same folks that won’t put a new roll of toilet paper to replace the one they just finished, and the same people that never make more coffee even when there’s ⅛” left in the pot.   

So now let’s head down the path of password construction, adding the human element.

In the beginning, well, not really THE beginning, but since we have to start somewhere, let’s baseline with the common 8-character password, which has about 200 billion (26**8) possible, lowercase combinations. Of course, there are many more when you factor in their uppercase and numerical brethren, but why add pressing the shift key or reaching for the top row when it isn't necessary?

Now, for whatever reason, real, imaginary, or just job security, the powers decided that a number was needed to increase that 200 billion even higher. Now there will be nearly 3 trillion (36**8) possible combinations, clearly much better.

Now, a dose of human reality.

We replaced the 8th character with a number, so we actually reduced the actual combinations down to 80 billion ((26**7)*10), clearly a step backward. But we really appreciated that we no longer had to decide on a new password each time; we just incremented the number on the end. Thanks for the tip, IT!

Well, that last one didn’t work out so well, so now the word came down from high that a capital letter and a number would both be required.  That would increase the possible combinations to over 200 trillion (62**8). Now we're really getting somewhere!

Now, a dose of human reality.

We all just capitalized the first letter, so we’re still stuck back at 80 billion.  What the heck did they think we would do? Then they tried requiring a special character, which we all put as the last character, and moved the number up to position 7. Since there are fewer special characters than letters, we're now down to about 30 billion or so combinations.

Frustrated that these stupid humans just won’t get with the program, they recommend that we build a password from a phrase.  So using the last sentence as the phrase, we generate an 8-character password of “Fttshjwg”, then change the “s” to a “3” and the “j” to a “!”, resulting in the beautifully constructed password of “Ftt3h!wg”.  

Now, a dose of human reality.

No. You people have lost your minds or are smoking funny things. Perhaps both.

Then more advice. Change your password every 60 days, never use the same password across sites, and never, ever write them down.

Not just no, but HELL NO! You guys are in serious need of rehab.  

So why don't we go really nuts and have Unicode passwords, and we'll have umpteen jillion combinations.  Mine will be the following, made from Greek, Gaelic, Russian, French, Roman Numeral, and Latin Script, Dotless and Cedilla. And an easy phrase for me to remember.
ΒÍТÊⅯℰıţ
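
The arithmetic in this post, as an added example that is not part of the original post: it reduces a password to its character-class structure and counts how many passwords share that structure, next to the count the policy promises on paper. The 32-character special set (Python's `string.punctuation`) and the sample passwords are assumptions constructed for illustration.

```python
import string
from collections import Counter

# Character classes by tag. The special-character set is an assumption;
# the post does not say which special characters are allowed.
CLASSES = {
    "l": string.ascii_lowercase,  # 26
    "u": string.ascii_uppercase,  # 26
    "d": string.digits,           # 10
    "s": string.punctuation,      # 32 (assumed)
}

def mask_of(password):
    """Per-position class mask, e.g. 'Ftt3h!wg' -> 'ulldlsll'."""
    out = []
    for ch in password:
        for tag, chars in CLASSES.items():
            if ch in chars:
                out.append(tag)
                break
        else:
            out.append("?")  # outside the four ASCII classes
    return "".join(out)

def mask_keyspace(mask):
    """How many passwords share this exact structure."""
    total = 1
    for tag in mask:
        if tag not in CLASSES:
            raise ValueError("unknown class tag: %r" % tag)
        total *= len(CLASSES[tag])
    return total

def policy_keyspace(length, allowed):
    """Count on paper: every position may use any allowed class."""
    return sum(len(CLASSES[t]) for t in allowed) ** length

def top_masks(passwords):
    """Structures in a sample, most common first, with their keyspace."""
    counts = Counter(mask_of(p) for p in passwords)
    return [(m, n, mask_keyspace(m)) for m, n in counts.most_common()]

# Constructed sample passwords, all compliant with "capital plus number".
SAMPLE = ["Buckeye1", "Welcome1", "Flyers15", "Ftt3h!wg"]

if __name__ == "__main__":
    print("policy says:", policy_keyspace(8, "lud"))
    for mask, n, space in top_masks(SAMPLE):
        print(mask, n, space)
```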

Sunday, May 17, 2015

Human Capital Management


I hate the term "Human Capital Management" (HCM).  This term is used within the industry to sum up the various processes needed to pay people, evaluate performance, promote, retain, etc., all good things. But how could a term consisting of three words be so far off base from its actual mission? More than off base, it's totally demeaning. Let me explain why each word is wrong and when slid together what message it's relaying to me.

Human.  

Well, at least this is technically accurate. I am human. One particular human. A unique person. I have a name, a birthday, parents, children, hopes and dreams. How often do we greet each other, even someone we don't know, and say "Hi human!"? Like never. No, we say "Hi, my name is ...", a personal invitation to begin engaging in getting to know you. I find the term human offensive except in describing our species.

Capital.  

This one is the worst. It says, from a business view, that I am a purchased asset, in the same classification as a piece of machinery. They own me. Humans that are owned are called slaves. In reality, I am an expense. I cost the company money every month and we have a joint responsibility to create more value with my contributions than I cost.

Management.  

You don't manage people, you manage business processes, assets and projects. You change those at your desire. You lead people. You establish purpose, clarity and help them change. Leaders tell an exciting, compelling story that people want to be a part of. Leaders know the company needs your ideas and efforts to succeed. They ask for your best, not demand it. Save that management stuff for things.  

Added together "Human Capital Management" tells me "I own you, you faceless biological machine, and you will do as I tell you to do". Lovely, isn't it?  

What’s a better alternative?

Google ditched their “Human Resources” name and changed it to “People Operations”. They call the system their “People Operations Processing System”, or POPS for short. I like the personal touch of “People” that speaks to our uniqueness and individuality, and “Operations”, which talks to all the processes necessary to process paychecks, attract, retain and promote the best people, and deliver all the compliance and regulatory reporting that’s required. Beats that other name hands down.

Saturday, April 4, 2015

Facebook and All About Me


A couple years ago there was highly publicized criticism over employers asking potential employees to turn over their Facebook login userid and password as part of the interview process.  This resulted in laws being passed to prevent that, but to me the central theme was all wrong.  The potential employees saw it as an invasion of their privacy or just that they view their personal identity as separate from their professional identity and what they do on their own nickel as no business to business.  Employers wanted to learn more about the person than a well-rehearsed interview tells them.  Both miss the real point.

What would I have done if I found myself being asked for my Facebook account? One of two things.  Probably just got up and left, then wrote their CEO and HR VP a letter that I don't share their company's values on work-life balance, privacy and confidentiality.  But I also would have missed the real point, as I attempted to allude to in part of the title of this article, "All About Me".  Giving up my Facebook login allows someone that was not granted access to see others’ posts, not just mine.  Giving up my login compromises a couple hundred other people’s, my friends, right to their expectation of privacy.  So I'm not giving up just me, I'm giving up them.  I don't have the moral right to do that.  So the second choice would be to say something like "while I don't mind giving you access to my posts, for I have nothing to hide, you will have to get permission from all my Facebook friends before I betray their trust".  And I'm not giving you their names since that also betrays their trust in me.  Case closed.

This mental "All About Me" model is so pervasive in our world today, from drivers behind the wheel to shoppers in the grocery store.  But it surprises me to see this in the Social Media space, where it should be abundantly clear that others are sharing their thoughts, hopes, prayers and cat pictures with me and hundreds of their friends.  Why wouldn't our first reaction to being asked for our Facebook login be that this would violate other people's rights?

As our world becomes more socially interconnected, our mental model needs to shift to "All About Us" and keep "Us" first and foremost.  Employers wouldn't have asked for login credentials in the first place and people wouldn’t have given them.  They would know better.

Sunday, March 1, 2015

Email Legalese


Have you ever received a footer on an email that reads something like this?

--
This electronic mail and any attached documents are intended solely for the named addressee(s) and contain confidential information. If you are not an addressee, or responsible for delivering this email to an addressee, you have received this email in error and are notified that reading, copying, or disclosing this email is prohibited. If you received this email in error, immediately reply to the sender and delete the message completely from your computer system.
--

How stupid is that?  A lot.  Let me elaborate.

Of course I was an addressee, because I received it.  That makes the remainder of this dire warning pointless.  Why further mention that I might have received this in error, when by its very definition, I couldn't have?  Wouldn't it make more sense to say that if I, the sender, made a mistake and accidentally misaddressed my email so that you unintentionally received it, that I would appreciate a heads-up?  It is, after all, their mistake, not mine.  This part is just plain rude.

Assuming the first part mysteriously applies to me, how in the world am I supposed to avoid reading it?  Did the sender really think that any human being reads their emails starting at the bottom and moving up?  There are languages on Planet Earth that are read right to left, but nowhere in existence am I aware of one that’s bottoms up.  This part is just plain stupid.

If I did receive this email in error, which of course is the sender’s mistake, why does the sender think, no, demand, I somehow owe them an immediate response and take my time to “completely” remove the email?  I might if I was asked nicely, but making it a demand is the least likely way to gain my assistance.  This part just pisses me off.

That’s it, there’s no part of this email footer that in any way makes any sense or entices me to help out the sender in any way.  

They shouldn't piss people off, particularly those of us with blogs.  Take the hint.


Sunday, January 25, 2015

Brains Over Brawn


Oh so many years ago when my children were growing up I instilled the message that brains are stronger than brawn.  In other words, that thinking through a problem will usually result in finding an easier solution than simply applying more brute force.  The shady side of the Internet has figured that out and uses socially engineered attacks and keylogging malware to get passwords in clear text.  It's about time that the good guys start using their brains, stop suggesting stronger passwords, and start getting smarter at identifying and stopping authentication attacks.

I've written before on the statistics around passwords and that it is nearly impossible for a crook to simply guess anything other than the most simple of passwords, most of which inexplicably are allowed in most systems.  Passwords structured like "can9dy11" or "mis0s0up" require billions of attempts before they are likely to be guessed and shame on the IT department that doesn’t detect and prevent more than a few incorrect password attempts.  Ideas like taking a phrase like "I would like to destroy every password I have" and turning it into "Iwltdep1h" is great, at best, for passwords that don't ever have to change, but coming up with a new phrase every 60-90 days and repeating the learning curve to remember this formulation of password just doesn't make sense, unless you are one of the few that have a perfect memory and total recall.  Us normal folk just struggle to remember where we left our car keys.  Stop treating us like Einstein.  And then blaming us for choosing bad passwords.  Ultimately it's your fault Mr. or Ms. security professional that we do, because you allow us to use them.

A recent security headline was an OpenSSL bug that allowed an attacker to collect information stored in memory, which among other things could be your password.  No password was immune to this type of leak.  No combination of length, capitals, special characters or other "best practice" (a term I despise) offered any protection.  So what did I hear from every expert quoted in the press about how to protect yourself?  Choose harder passwords.  Would it have protected you?  No.  Would it have made the crook's job any harder?  No.  Did the interviewer ask that question?  No.  Would it drive you nuts having a harder to remember password?  Probably.  Would you be more than mildly upset when you found out this didn't help the least bit?  Absolutely!

The answer is to move beyond passwords and add some form of secondary challenge, at least for that small number of systems that contain financial, health or other personal information valuable to the crooks.  Let's try not to solve world peace here.  Let's get focused and truly solve the small part of the problem we really care about, for as many people as we can.  The clear technology winner, for now, is two-factor authentication. In a nutshell this involves entering a second code, but one you don't store in your brain. It can be delivered via a smart-phone app, a phone call, a text message or an email.  Many popular web sites, like Google's Gmail, Apple’s iCloud and Bank of America offer this as an option.  Check out twofactorauth.org for a list of popular web sites and if they support a second factor.  Would two-factor authentication have drastically reduced the risk associated with the OpenSSL issue?  Absolutely!  Was that ever mentioned?  Sadly not.  Makes you wonder if security folks really want the problem solved or just like to hear themselves talk.

We also need to detect authentication attacks and make a meaningful response.  Years ago I made a credit card purchase in Key Largo, Florida and immediately received a phone call to verify it.  Turns out that lots of fraud occurs in that area.  When I travel internationally I call the credit card company and tell them when and where I'll be.  I recently added the option to my primary credit card to send me an email every time a purchase is made on my card.  If I spot a charge I didn't make, I can call and have my account locked out.  These are simple, yet effective, methods to detect fraud and limit its impact.  These types of methods are also appropriate to IT security, and need to be routinely deployed to protect our most important online assets.
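
One way to detect "more than a few incorrect password attempts" and the broader authentication attacks mentioned above, as an added example that is not part of the original post: a sliding-window check over login events that flags repeated failures against one account and one source failing against many accounts. The log format, thresholds, account names and addresses are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed look-back window
MAX_FAILS_PER_ACCOUNT = 5       # assumed lockout threshold
MAX_ACCOUNTS_PER_SOURCE = 4     # assumed threshold for one source, many accounts

# Constructed sample log, sorted by time: "timestamp source account result"
SAMPLE_LOG = """\
2015-01-25T09:00:00 198.51.100.7 alice FAIL
2015-01-25T09:00:05 198.51.100.7 alice OK
2015-01-25T09:10:00 203.0.113.9 bob FAIL
2015-01-25T09:10:02 203.0.113.9 bob FAIL
2015-01-25T09:10:04 203.0.113.9 bob FAIL
2015-01-25T09:10:06 203.0.113.9 bob FAIL
2015-01-25T09:10:08 203.0.113.9 bob FAIL
2015-01-25T09:20:00 203.0.113.50 carol FAIL
2015-01-25T09:20:01 203.0.113.50 dave FAIL
2015-01-25T09:20:02 203.0.113.50 erin FAIL
2015-01-25T09:20:03 203.0.113.50 frank FAIL
"""

def parse(line):
    """Split one log line into (time, source, account, failed?)."""
    ts, source, account, result = line.split()
    return datetime.fromisoformat(ts), source, account, result == "FAIL"

def detect(lines):
    """Return de-duplicated alerts in the order they first fire."""
    fails_by_account = defaultdict(deque)  # account -> failure times
    fails_by_source = defaultdict(deque)   # source -> (time, account)
    alerts = []

    def raise_alert(kind, subject):
        if (kind, subject) not in alerts:
            alerts.append((kind, subject))

    for line in lines:
        if not line.strip():
            continue
        ts, source, account, failed = parse(line)
        if not failed:
            continue
        acct = fails_by_account[account]
        acct.append(ts)
        while acct[0] < ts - WINDOW:       # drop failures outside the window
            acct.popleft()
        src = fails_by_source[source]
        src.append((ts, account))
        while src[0][0] < ts - WINDOW:
            src.popleft()
        # Many failures against one account: lock it and notify the owner.
        if len(acct) >= MAX_FAILS_PER_ACCOUNT:
            raise_alert("lockout", account)
        # One source failing against many accounts: block or challenge it.
        if len({a for _, a in src}) >= MAX_ACCOUNTS_PER_SOURCE:
            raise_alert("spray", source)
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single mistyped password from alice raises nothing; the thresholds decide how much of that ordinary noise is tolerated before an account is locked.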

It’s time to stop acting like John Henry, who believed his brawn was better than the brains that built the steam-powered hammer.  According to legend he succeeded, only to die in the effort.  Let brains prevail, or die losing the authentication battle.