Ack or ook ..?

Yes, there we are again, on the subject of ‘Ethical’ hacking.
Because I came across such a ‘Certified Ethical’ Hacker once again. Which made me think (again…) about the allure of that. And then it struck me: It’s just a matter of replacing ack with ook and we’re all set!

Think about it; an ook does for money what others do for fun and ulterior motives… So does an ack. An ook can be certified (licensed) and get government-controlled medical/physical check-ups, by another bodily-educated professional. An ack can be and get the same; through permanent education requirements and peer review.

But what an ook can’t get, is the Ethical label that the ack has – for no apparent reason and it should be the other way around: Where the ook has proven her (majority; unless some ladies in the readership have sufficient experience to validly claim the opposite) role in society since the dawn of time/mankind/human society, the ack dabbles in what somewhat similar but short by aeons, is a crook’s business.

So, CEH better refer to the ooks out there. For now:
DSC_0081
[It’s … Name That City time again!]

Ah, some comms overview

Still looking for a definitive (if there’s such a thing) categorisation of ‘social’ media, some tweet flew across my screen (as is its type) that, well, at least has some pointers. To this TechCrunch article.
But, as I indicated already in this here my own earlier post, I asked for a classification that would not only cover some of today’s (social, actual or not, or not) media but also the past ones. To be able to see whether and if not when how, changes occurred over, e.g., the past four decades and back through times immemorial. Where the TC article only has some latter-day media, not even categorised with all dimensions I foresaw. But then, it’s something … maybe memyselfI will pick up the subject later, and expand.

For now, I’ll leave you with:
DSCN3655
[Unsure how open for discussion; Toronto]

Model code

In the race to get everyone and your grandmother (but in particular, ‘youth’) to code as that would be the new literacy, this here piece arrived quite in time.
In which Chris Granger explains that modelling the world around us (and taking it in), is the new literacy. [Read the article; it’s a full stretch more intricate than that actually.]

Right. With a number of sideline qualifications. But I don’t have the time right now to elucidate… They’re in the order of “But then, calculus and basic reading skills are required to understand the world and be able to deal with it. So it’s not that the old forms of literacy will go away (on the contrary; dismal education globally (sic) should be repaired, in particular numeracy) but they will be augmented. This will require a massive, huge! upgrade of about all teachers at all levels – which will not happen anytime soon. And programming skills are only the basics one needs to be able to analyse, model, and design the world around us, much like + and – are required to understand one’s income – assuming one has or needs money to live – or even money, or society’s functioning.
Let alone understand culture. Isn’t culture what is being transferred in Education ..?”

And so on. But as said, time limits… See this, too. Hence:
DSCN7557
[Baltimore is old. ?]

Here, First

Integrity at any level is the Yggdrasil of any CIA or other quality of the layers on top of it.

I.e., if at the platforms level the integrity of software (à la Turing, engine/programs and data) cannot be fully 100,000…% guaranteed, no extreme of measures on top of it can restore the missing percentage, only (somewhat) limit further deterioration of the stack on top.
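To make the point concrete, here is an added illustration, not code from the post: a toy measured-boot style chain in Python. The layer names, the "golden" reference values and the rule that a dishonest layer forges every measurement above it are all assumptions made for the example. The verifier sits "on top" and compares reported measurements against known-good digests; nothing measures the bottom layer, so its integrity is taken on trust, and once it lies, every check above it passes regardless of what was actually loaded.

```python
import hashlib
from dataclasses import dataclass

# Constructed stack, bottom to top (assumed for this example, not from the post).
LAYERS = ["firmware", "bootloader", "kernel", "application"]


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Known-good ("golden") measurements the verifier on top compares against.
GOLDEN = {name: digest(f"{name}-v1".encode()) for name in LAYERS}


@dataclass
class Layer:
    name: str
    code: bytes
    honest: bool = True  # False: this layer, and all it loads, is attacker-controlled


def build_stack(tampered=(), dishonest=()):
    """Build the four layers. 'tampered' layers carry modified code;
    'dishonest' layers forge the measurements they report upward."""
    return [
        Layer(n, (f"{n}-v1" if n not in tampered else f"{n}-evil").encode(), n not in dishonest)
        for n in LAYERS
    ]


def measure(layers):
    """Each layer measures the layer it loads and reports the digest.
    From the first dishonest layer upward, every report is forged to the
    golden value, because the liar controls the code doing the measuring."""
    reports = {}
    compromised = False
    for lower, upper in zip(layers, layers[1:]):
        compromised = compromised or not lower.honest
        reports[upper.name] = GOLDEN[upper.name] if compromised else digest(upper.code)
    return reports


def verify(layers):
    """The check 'on top': compare reported measurements with GOLDEN.
    The bottom layer is never measured; it is trusted by assumption."""
    reports = measure(layers)
    return {name: reports[name] == GOLDEN[name] for name in LAYERS[1:]}


def first_failure(layers):
    """Lowest layer whose check fails, or None. Everything above a failure
    is suspect too, since the failed layer does the measuring further up."""
    for name, ok in verify(layers).items():
        if not ok:
            return name
    return None


if __name__ == "__main__":
    # Tampering above an honest base is caught where it happens.
    print(verify(build_stack(tampered={"kernel"})))
    # Tampering that starts at the base is invisible to any check on top.
    print(verify(build_stack(tampered={"firmware", "kernel"}, dishonest={"firmware"})))
```

Run as written, the first scenario reports the kernel as failing while the second reports every layer as good, even though both firmware and kernel were modified: the only thing that could catch the second case is a measurer below the firmware, which this stack does not have.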

Okay, this being a bit abstract, a somewhat simpler and more extensive explanation will follow.
Till then:
DSCN6859
[No base, no glory; Sevilla]

Th Ei(ght hours overtime) Team

When one has the luck to be selected and present [see below…] for the 8-i.org challenge, Dutch division, one learns.

It started when my wife, volunteer for the Stichting Babyspullen, happened to get a slot at the March 28th Utrecht session. And couldn’t find a fellow volunteer to be present all 18:00-04:00h so I chipped in (also for the ride home as public transport would be a nightmare).
It continued with all sorts of small lessons learned throughout the evening, regarding (event) management and content.

But the one thing that stood out was: How, per charity, the volunteer creatives that lend their time, were hand-selected to form as (age-)diverse teams as possible, and with a definite eye for some but optimised not maximised team competence diversity as well.

You probably get it already: Why don’t all businesses work that way ..!? Why would any business that wants to think of itself as Creative or Innovative or Open to Change or just We Don’t Want To Acknowledge We’re Boring As Heck, follow this model, too? Usually, almost always, the safe route, the Our Kind Of People incestuous groupthink wins out. Yes, even in creative circles, anyone not fitting the wannabe-hipster mold would be outcast, not allowed in.

So, @8_iOrg won the day, and saved it (for me, for this already), by deliberately changing common ways and demonstrating that when results are wanted (i.e., the specific objective(s) for the charities helped for free) where any level of creativity is required, one best goes for team diversity.

Now you all go out there and spread this word in your organisations. Not by babble but by actual action. For now:
[Where would be the reason to build something standard?
 Why need a reason to be creative?
 Hopefully, all will move to standard-only-where-actually-needed…;
 Cala at Hoofddorp]

No first, but right responder…

Really, wouldn’t the world be a better place if more people (?) would respond like this

Though of course, a. fights would break out over whether it’s Jif or Khif, b. it would be difficult to control descent into haters’ hate pics.

Anyhoo, the weekend beckons. With:
DSCN8301
[Ah, friendly beaches of Normandie! Villers-sur-Mer]

Stuck in the 80s (wrong end)

Some recruiting experience a friend had recently… (in no particular order, just what I recall from his analysis; yes I did take notes after a short while and seeing friend’s energy drained even in the recall):

  • When walking into the shared space / reception, an all-M team were starting on pizzas.
  • Setting: One candidate (my type, i.e., aiming to think fresh), one manager-possibly-to-be (M; styled like a civil servant), one HR (F; typical? she got the coffee).
  • Mptb repeatedly brought up a vacancy not applied for. Mptb may have wanted to fill that slot more urgently, but was not the one that triggered friend to send the open (sic) application for a first meeting just to learn more about the co.
  • Mptb couldn’t but return over and over again to the capacity for sales. Friend had already mentioned explicitly in the motivational letter that sales (of the cold call type) was the main weak point, well-known. Why keep hammering on that? Not on marketing (friend has great, very frequently demonstrated capabilities for that), hardly anything on content, not much on knowledge or fields of interest. But then, what can one expect from an Mptb that had the first half of ‘career’ in selling bananas (literally; I checked for friend)? Also, Mptb did not show any interest when friend mentioned his very, very extensive, professional thoughts-filled blog; possibly b/c Mptb didn’t know the concept of ‘blog’..?
  • Apparently, only the one-pager resume had been glanced over. Of which friend had remarked in the motivational letter that it might read as being skewed to the (IS) audit side but that work content had hardly been that at all for the past decade+ and had been almost completely with advisory and consultancy services. Mptb could not see that, or may not understand enough of business outside the own (narrow? I’ll leave that to friend and you) scope of one’s own daily drudge. Mptb kept hammering that out. Friend has a two-pager resume in English (may be too difficult for the all too Dutch Mptb?) that has job content descriptions but that didn’t even come to pass. LinkedIn? Nothing. Friend has a very extensive and diverse profile there and had checked; Mptb hadn’t had a single cursory look. SocMed seemed not to exist.
  • Mptb indicated anyway to operate at ‘tactical’ level with clients. Highly doubtful. At least, taken from some details of the conversation, friend operates a level and a half higher, and examples given and some details of the discussion indicate, Mptb hardly rises above operational control level and didn’t demonstrate to understand much about dealings at various management let alone governance levels. Which may have explained some of the misunderstandings. But Mptb would have had to be the one to have noticed, if Mptb – or would be a very mediocre, 70s-to-80s type of manager?
  • Same indication from the salary range indication. Quite something lower than current. Pay the bananas, get the monkeys.
  • But then, Mptb did keep on spelling out that selling services project-wise to clients, boiled down to just proposing a handful of CVs with all track records spelled out. Actual project definition, ToR, deliverables, whatev’ (?). Ah. If friend were to spell out all projects, that would lead to a. a 25-30 page resume, as friend had a resume like that already 16 yrs ago that counted 15 pages (I still have that on back-up somewhere) through executed project summaries (sic), b. clients being dismayed their details would be presented to just about anyone else – if you see the project details of others, yours will be displayed to competitors as well in our business that deals with/in confidentiality.
  • But then, the main point is that friend doesn’t want to be bodyshopped, stuffed in client job slots just for the pay by the hour. How 80s can you get ..? Didn’t Mptb notice the world has changed, and such retro business is to be ridiculed …?
  • This, with a focus on billable hours and not sitting on the bench. Yeah, friend and I understand that. To be an operational hygiene factor. Not the focus of daily work life.
  • On the other hand, Mptb also kept on hammering on with questions how friend would deal with project hiccups, as if they’d be simple bugs or so. To be fixed with a simple fist bang..? As if that goes in today’s business, at the level one wants to be concerned. Friend’s answers to resolve them in, at the same time, businesslike and diplomatic ways, apparently was too difficult to grasp.
  • And oh yes, a handful of half-cocked STAR attempts were thrown in. The sample I heard, are far from and would have missed the point (the method’s information gathering actually intended) quite comprehensively.
  • Overall, Mptb seemed like a bad listener to me, not interested in what friend brought to bear let alone what work friend wants to do, what directions he wants to go, etc. Oh yes, there was the question about own ideas for personal development, but the answers again didn’t seem to land; friend got reaction, not response.
    And though non-verbal comms was clearly mentioned, Mptb didn’t recognise that as a signal that his own posture only conveyed confusion and resignation. Verbal comms didn’t result in replies by Mptb that might indicate understanding and exchange of ideas, just what friend told me to understand “Hm, didn’t get the fully templated answer I wanted to hear b/c that’s the only kind I understand”. But Mptb found fault with friend over the latter’s non-verbal.
  • Overall II, I’m unsure whether, or rather am sure that, friend nor I would want to work with/for such a Mptb. Probably, ‘management’ would consist of bullying over unbilled hours only; no sight of understanding today’s knowledge workers need to be freed of chores such as sales, and need coaching and all other facilitating stuff (and risk management, etc.) offloaded to … the manager as that’s his job, to be free to deploy one’s excellence without being bothered by not-understandelings. We agreed we wish Mptb luck with client relationship management as he’d need tons of it, and would advise him to stay away from actual project execution or staff management. If we’d get into a relevant position we certainly wouldn’t invite him.
  • The (quite unattentively) somewhat brushed aside HR lady slipped in some questions about friend’s private life and goals in the end. I know friend as someone who wants to very much have a seamless blend of (hardcore to softcore) business, semi-professional hobbies, and other stuff. Mptb didn’t seem to care.
  • Conclusion: A waste of my friend’s time.
  • Friend was contacted afterwards; they sought a full-on build-a-team-through-all-sales person indeed. That was not in the function profile friend showed me… And, as said, friend wrote in his motivation that if anything, that was his weak point. The waste of time could have been prevented.

Had to discuss this over a couple of days, to get it out of friend’s system…

Only to realise that I haven’t had a good job conversation myself recently, either. Though most of the (not so many) times, only a couple of above’s issues were at play, I was disappointed all too often. I also didn’t really like the other sort of ‘interview’ where one is asked snarky gnarly brain teasers. Or even had to do an assessment with a day’s full of questions with quite certainly the wrong answers. Or just in the interview. Why do recruiters still think they’re the conversation boss or something? Haven’t they learned how to beg for the right talent ..!? I might not completely be in that category [worded like that not to appear presumptuous at considering myself perfect, or would that add to the adoption of the hypothesis? ;-] but still to have a grown-up conversation about it all, would be welcome. So, … your comments.

But hey, then, to not get depressed:
DSCN6875
[Pleasant life; not only the Expo at sunny Sevilla]

Progress (cont’d)

In the series of updates on where actual rpogress is, beyond (or in undertow of) the hype, herewith another shining example: This. [Huh that ‘typo’ was on purpose]
Good to see that there’s more to exo than plain mil or med applications – b/c now, the ocean between the two may be explored iso falling back to these sectors every time when some new idea comes along.
OK, for now:
DSCN1252
[Meanwhile, static, old London]

IoTA multiplication; old style, is the new new

Apart from the previously established focus on Integrity, in particular to have Data plane integrity from which actual Information could be derived, through integrity in the Control plane, there’s of course a need for other aspects as well, like Confidentiality, Availability, and Effectiveness and Efficiency.
[Oh that previous Integrity signal is here.]
Though the latter two, we’ll diss straight away as most secondary, at best, along with the even further irrelevant Auditability et al. That take a devastatingly distant back seat to ensuring the first three objectives are met; not to interfere by mention, even.

Intermission:
DSCN5611
[Onto itself, good enough; Papendorp]

And, we’ll square the three foremost information/data/systems/elements quality aspects with the great many objects one can outline in the IoT sphere. Leading to very interesting new combinations of various corners and angles of objects and aspects in all sorts of abstraction levels – multiple, not necessarily constant, consistent or complete when studying for certain overall audit objectives.

And, let’s not forget, we do have OSSTMM for more traditional objects, and may (have to) enhance that to incorporate the ‘new’ more technically oriented objects of sensors and actuators (including a need to understand and probe them, e.g., at the AD/DA-converter and pure signals levels).
But we also need to incorporate the vast blue (rather, muddy grey) ocean of People, as controls and to be controlled elements.
Only then, can we have a full systems view on the to be controlled and to be audited phenomena.

But we dreadnought and fear not; for we have a number of building blocks bricks, even if at Lego size. Like the security suites springing up and spreading, Splunk et al and al. of the proprietary hardware-vendor types.

To Be Continued in extenso, including these vendors’ security-management-first approach which helps a lot, through logging/reporting availability and some security control, and including the generic risk management approach that is at the limit of what common auditors’ associations seem to have as vanguard developments in lieu of actual understanding of the vast terrain to cover.

All in all, together in order

Ah. Actually, I needed a well-ordered list of the subset of my posts re All Against All. Because searches don’t pony up the rightly ordered results, herewith for future reference:

So… Done. For you:
DSCN4588
[Well-calculated dare, Madrid]

Maverisk / Étoiles du Nord