workplace rules and artificially knee-jerking them into place, part 2

In my previous entry, I linked to, “8 rules for creating a passionate work culture,” and I poked at one entry that I didn’t completely like. Another one rubbed me the wrong way, but it took a bit to sink in why:

3. Tend to the weeds. A culture of passion capital can be compromised by the wrong people. One of the most destructive corporate weeds is the whiner. Whiners aren’t necessarily public with their complaints. They don’t stand up in meetings and articulate everything they think is wrong with the company. Instead, they move through the organization, speaking privately, sowing doubt, strangling passion. Sometimes this is simply the nature of the beast: they whined at their last job and will whine at the next. Sometimes these people simply aren’t a good fit. Your passion isn’t theirs. Constructive criticism is healthy, but relentless complaining is toxic. Identify these people and replace them.

I absolutely get the reasoning behind this item. But I also think this item is too often misconstrued in a subtle way: “Get rid of the people who aren’t team players,” or “Get rid of the people who don’t agree with what we’re/I’m doing.”

I’m a huge Star Wars geek, but I don’t really care for the later 3 movies, much like any other Star Wars geek of my age. I firmly believe the main reason for this discrepancy is George Lucas (really, left in a vacuum his writing is childlike and his directing atrocious). In the first movie especially, I believe George Lucas and his entire team had many disagreements and had much adversity to go through to produce one of the best movies ever. Later in life, I believe George Lucas surrounded himself with “Yes Men,” or at least people who feared speaking up against the man because of his clout in the industry. This resulted in really awful later Star Wars movies with childish writing and awful directing which resulted in horrid performances by otherwise decent actors.

The point is, this item is meant to get rid of truly bad people who just whine and cannot provide anything of value themselves. It is not to surround oneself with “Yes Men,” and downplay people who may criticize or question with best intentions. In fact, doing this item wrong stabs at the heart of other items: 2. Communicate (and foster trust and safety) and 6. Celebrate differences.

(Some could bring up Steve Jobs and his causing fear amongst his employees, but I really think Jobs is an outlier in many things; essentially the right person with the right personality at the right time with brilliant ideas and input making the right decisions with a lot of luck. He shouldn’t be a model of anything except the idea that you can have success by bucking the established “rules.” That itself is not a new rule…)

workplace rules and artificially knee-jerking them into place

Checked out “8 rules for creating a passionate work culture.” I like these rules, though there needs to be some emphasis added to a few key words here and there to drive home the key items in each point. For instance: “A culture where everyone understands that long hours are sometimes required will work if this sacrifice is recognized and rewarded.”

While these “rules” are good, I find that some people/organizations try to artificially implement them without really understanding themselves or the rules. It’s like dieters looking for the diet pill or easy magic recipe, rather than putting in the real effort and lifestyle changes that healthy living requires. Whacking your employees to be more innovative or passionate without truly understanding the psychology of it all is not a road to success.

I do take slight (slight!) exception to this rule:

7. Create the space. Years ago, scientists working in laboratories were often in underground bunkers and rarely saw their colleagues; secrecy was prized. In cutting-edge research and academic buildings, architects try to promote as much interaction as possible. They design spaces where people from different disciplines will come together, whether in workspace or in common leisure space. Their reasoning is simple: it is this interaction that helps breed revolutionary ideas. Creative and engineering chat over coffee. HR and marketing bump into one another in the fitness center.

I agree with bringing people together, but too many leaders read this and think they need to tear down physical office and cube walls and that will make everything innovative and ideas flow! But that’s not going to work with every department or every person. It’s a nice idea to give people spaces to collaborate and bump into others, but you’re not going to end up celebrating those people who are introverts or who may in fact be more productive in a space they feel comfortable in. Just like “team-building” exercises and get-together social events for an entire company, not everyone is going to be comfortable or have a good time at such things. You can tell which people want some space to work rather than be distracted, because they’ll have headphones on in their “collaborative pods” and it takes several yells of their name to break them out of their trance (i.e., interrupt their work).

I do have a lot of sympathy for common shared areas that will naturally gather people: for instance break rooms, or places to sit and lounge on a break, or just to get away from the desk and think, maybe in a space with some chairs overlooking the morning sunrise. Give people places to broaden out, but keep the places where work can get done in an efficient manner without the distractions or the open space.

More importantly, I think the space should foster creativity and underline the idea of trust and being happy when you’re at work. People who are happy at work are going to do great things. Some people are happy surrounded by friends, some are happy sitting in an environment where their cube is as comfortable or decked out like their favorite room at home. One shoe doesn’t fit all, but you can certainly be open. Watching videos and photo montages of many of today’s prime tech companies, start-ups, and creative shops, I am constantly drawn to their non-traditional work spaces. They’re not all open, they’re not all wall-filled, but they do have character. If your office space does not have character reflecting the company (or attractive to an employee you’re asking to spend their days in), you need to fix that before diving into this rule.

will this make someone feel good?

Jeff Snyder has a post up about (Handwritten) Thank You Notes. (note: security recruiter page, in case you’re worried about web filters).

I think part of this is not about sending deserved thanks,* but the sort of human contact that really makes our day. Similar to a random (non-creepy) smile from a stranger to someone who goes just slightly out of their way to hold a door or learn your name if you’re a regular in a store or location. Or better yet, give us a conscious, sincere compliment about something. I think I remember every time someone has complimented me on my car, or whatnot. We’re all people, and it’s natural to react positively and memorably to those who poke us the right way.

The article Jeff links to has 5 business etiquette tips, and I can’t help but notice that they’re of a similar human (humane!) vein. In fact, now that I read to the end of the article, here’s the crux: “Will this make someone feel good?” You know, I actually like that as much as the common geek theme, “Don’t be a dick.” It’s a bit of a positive note rather than the absence of negativity, but also doesn’t use a word I tend not to use (if you know my full name, you know why!).

* And please don’t just send Thank You’s like firing off a form letter. Make them personal and try to actually *feel* it. It’s sort of like never saying “thanks” or “excuse me” as a rote reflex, but always with conscious sincerity. (You can observe this failure in other people when they say thanks when *they* did something for you…)

facebook privacy issues still only slowly being realized

Via Emergent Chaos, I got linked over to a nice article on Consumer Reports about Facebook privacy. Now, being a CR subscriber, I tend to really skip their tech/security/privacy articles because, well, their treatment always makes me nervous or leaves me with more questions than answers (similar to skipping their reviews on laptops/computers, because I build and evaluate my own based on criteria far higher than their focus). But this article about Facebook actually *taught* me a few things that I probably could suspect, but never actually fully appreciated:

Facebook collects more data than you may imagine. For example, did you know that Facebook gets a report every time you visit a site with a Facebook “Like” button, even if you never click the button, are not a Facebook user, or are not logged in?

And I like this quote from Zuckerberg, which sort of illustrates that we’re often not talking about the same things when we talk about privacy:

…a blog posted last year by founder and CEO Mark Zuckerberg, who wrote, “We do privacy access checks literally tens of billions of times each day to ensure we’re enforcing that only the people you want see your content.”

That’s great to hear about users accessing other users’ information, but what about the data you use for your purposes and keep for however long?

lessons from others: a chumby engineer

As kids, we don’t listen to the advice of other people. We’re too busy being independent thinkers, individuals, rebellious, and caught up in our own autonomous futures. We’re also unconsciously sick of being constantly told what to do and molded by parents, institutions, and school.

Part of the process of getting older is appreciating the (value of, which itself is an ‘adult’ phrase, yeah?) experiences shared by other people, and our learning from mistakes and successes of others. This is probably why adults keep trying to “advise” kids, and we adults just don’t get why kids don’t listen. I also believe this sharing of experience is one of the best things about the Internet (and maybe one of the worst if you get idiots sharing poor experiences that make no sense or are rife with, well, idiocy).

Anyway, in comes an experience-sharing interview: “MAKE’s Exclusive Interview with Andrew (bunnie) Huang – The End of Chumby, New Adventures.” I have a Chumby. While I’d known about the Chumby for years, I didn’t actually pull the trigger on purchasing one until last year. Sadly, I jumped on just in time for the wagon to reach the end of the trail: the Chumby is on the way out. While it still works, the Chumby is basically dead-thing-uhh-sitting, since its apps rely on the central server for updates and actual function. I see today the forums aren’t working, and may never work again for all I know… (also sadly, I do not have one of the cute, awesome, little bean-bag type plushy ones that I fell for years ago; mine is a hard upright piece of plastic…)

But Huang has plenty of advice to give in this long interview, where he talks about entrepreneurship, design, kickstarter, funding, pricing…

The hardware model is radically different from the software model. Software is innately scalable; you can acquire a hundred thousand users overnight. Monetizing the user base in software is trickier, but most software plays start with scale and then worry about money.

This sort of discussion is worth having in really any part of IT. Are you making infrastructure decisions based on what the business wants, or creating a space for the business to find uses for what you do? I’m no expert in this area, but sometimes you need to worry about how your infrastructure or solutions scale and are agile and fill multiple needs quickly, and let the business worry about the monetization, ya know?

In the face of ‘ship or die’, one should not be looking to ship the perfect product. It is more important to ship a product that’s good enough, than a great product that’s late.

I think we in security can relate to shipping unfinished products. But hey, that’s the name of the game.

But that does show one of the flaws of fact-based reasoning. Engineers love to make decisions based upon available data and high-confidence models of the future. But I think the real visionaries either don’t know enough, or they have the sheer conviction and courage to see past the facts, and cast a long-shot. It’s probably a bit of both. Taking risks also means there’s a bit of luck involved.

the discussion of firewalls and antivirus

Often, a 140-char Twitter post isn’t enough to convey a message. In fact, sometimes accessible blog posts don’t give enough meat to a discussion that deserves it. This can probably be said about the current discussions on firewall or AV (or more broadly: “old”) security technology effectiveness. The bullet points usually aren’t good enough to do a topic justice (which sometimes means we’re arguing two different nuances of the same position…).

(Aside: I really hate how Google Reader links tack on extra crap behind a URL; which means I have to get rid of it when linking to stuff found via it.)

Anyway, Beau is back to blogging and threw out a post, “Firewalls and Anti-Virus Aren’t Dead – Should They Be?” which itself is a response to one from Wendy Nather, “Why We Still Need Firewalls and AV.”

(Aside: It might not be proper to call them antivirus tools anymore, but I also still use the term “video” when I mean DVD/Bluray, or to “tape something” as in record it. That’s not meant as a dig, though it certainly makes me grin to think of this analogy.)

This is a necessary and healthy discussion to have, even if I am not terribly open to the direction (wet blanket comes to mind). I totally encourage any other bloggers out there to also chime in, because Wendy’s closing question is really still unanswered, and it’s the Big One, ya know? “So if you don’t agree with me, and you’ve really stopped using these products, I’d love to hear about how you’re addressing those classic threats, and what controls you replaced them with.”

(Aside: This same feeling exists in the whole Down With Patching movement…)

I really require hard proof that techX isn’t working anymore (I already agree it’s not as effective, but that’s different). And I also require an alternative (something business/management learns you pretty quick) that matches the technology one-to-one and/or improves upon it. Many vendors think this means making Super Boxes that do so many things with covers on top of covers to shield me from the guts of the surgical tools, and I tend to disagree with that approach.

(Aside: I left a comment on Beau’s post, and I’m thrilled to say I only needed one attempt at the captcha to post “anonymously” [or at all]. This is rare, and actually reduces my commenting in outside areas, like the HP evangelist blog which pisses me off to no end each time I try… Of course, InfoSecIsland gets no comments from me because of the login req…)

I do want to bring out just one part of Wendy’s post at the end that I liked, “They [users] need to know what each security product will and won’t protect, and they need to understand this in a non-technical way…” This is partly why it sucks to talk to security vendors today. Their products are too big and bloated for an elevator pitch that doesn’t dive deep into hyperbole. And too complex to understand them well enough to sell them this way. They conflate their protection (DLP is notorious. Also I had a large endpoint security provider today use the words “100% secure” after rolling out their endpoint solution remotely…). And they latch onto compliance and media scares for attention (ok, I do the same thing, since compliance has given me more tools than I’d have without…). The vendors that do this leave a bad taste when dealing with anyone in the whole industry space, which is a shame.

(Aside: Oh, and I think Beau actually agrees with both Wendy and myself [RE: paragraph 8 from his post], it just kinda kneejerk sounds like he doesn’t.)