From Corporate, to Start-Up, and Back Again

In 2013 I was made redundant from a company where I had worked for the previous 12.5 years. I had grown with the company from the 14th person to join (as a firewall admin) to a position leading 28 people across 14 time zones in a company of over 1,000.

I subsequently discovered that I was basically unhirable, so I started my own consulting practice, which I thoroughly enjoyed. I then joined a very small start-up for a year, which I thoroughly enjoyed, and went back to my own practice.

I swore up and down that I would never go corporate, ever again. I convinced myself that there was never enough freedom, or room for innovation, or ability to make a difference in a large organisation to EVER go back. Not that ‘corporate’ would ever have me back.

Now here I am, at the end of my 3rd week at an organisation that is bigger by far than any I have ever worked for previously.

…and I’m thoroughly enjoying it.

Many times in the course of my blogs I have expounded on the need for self-reflection, on being honest with yourself enough to know when something was entirely your fault, and to adjust your career choices accordingly. Well clearly I had mistaken ‘corporate’ for my own inability to effectively create the change needed to stop me from being made “redundant”.

While I’m not saying I now have that ability, as I will always have a big mouth, when you’re in an organisation who ALL seem to want the change you’ve craved your whole career, it’s a feeling unlike any I’ve ever experienced at work. I’ve never needed, or even particularly wanted, to be part of a team growing up; I now find myself in one.

…and I like it.

Frankly I’m not even sure why I’m writing this blog, except perhaps as a tip for those who find themselves in a position where they cannot decide on what’s the right place for them to work. Corporate, start-up, self-employed, or somewhere in between. Every one of my jobs had its benefits, and had its downsides, and I’m under no illusion that this one will be the same. The only difference this time, is that I have now seen both sides of the fence.

It’s not the fence that matters, your skills and talents have no fences.

The only reason I think that corporate fails to attract the truly entrepreneurial is that they are still very attached to job titles and descriptions, effectively pigeon-holing a person into a role that will always limit them. It’s the organisations that go looking for talents to fill known functional gaps, but then get out of the person’s way, that will attract the game changers.

Not saying I’m a game changer, but my title was only assigned to complete a field in the HR system, and my job description was a run-down of the challenges my new organisation was facing. And in just 3 weeks I have not only learned more than I did in the last 6 months, I have a learning curve ahead of me for which I can see no end.

I loved running my own business, and have no regrets about the start-up, but this little adventure is a revelation that has me very excited for the future. And the lesson I learned from all this?

Don’t limit where you look for your next job, just ask the right questions.

How Smart Watches Will Offend My Generation

I could not help but laugh while having drinks with a friend of mine yesterday. He kept looking at his watch, and before I understood why I was starting to get annoyed he said that he had an incoming call.

To people of my generation and above (not many of those left) looking at your watch frequently is a sign of impatience, and that you have somewhere you need, or would rather, be. For those sensitive to these non-verbal clues, it signals the end of a conversation, date, meeting, and so on, often resulting in stilted conversation and perhaps even resentment.

Ironically, if he had been looking at his phone that frequently, I would not have thought twice as I do the exact same thing myself. We are both busy, he the CEO / Founder of a successful security company, me an insecure addict of social media affirmation (please like this).

I have tried to figure out why I found this so amusing, but have not reached a conclusion yet, but seeing as this would be a very short blog otherwise, here are some thoughts:

  1. My laughter contained at least a hint of nostalgia, it’s clear that I was remembering a simpler time. And by ‘simple’ I mean utterly disconnected from anything not immediately in front of me. A time without mobile phones. A time when the ‘Like’ button was a smile on your friend’s face.
  2. My laughter also contained chagrin. I thought I was as up to speed with technology and innovation as anyone, but clearly my values and reactions to everything around me were formed in a time very different from this one. I now know that part of me will always stay there.
  3. Jealousy that I didn’t have one because I have not seen one I like, and I have the wrists of a 7 year old girl.
  4. Frustration that ALL of this can’t be replaced by a contact-lens-driven heads-up display.
  5. Several large Woodford Reserve bourbon and ginger ales.

I don’t think anyone can deny the enormous impact mobile devices (especially smart phones) have had on both work and personal interactions. And we mostly agree that the fact this change has been so profound in so remarkably short a period of time indicates that we are actually only at the beginning of bigger changes to come (Internet of Things for example). Where people differ is their reaction to it; from abject fear and utter rejection, to excitement and complete embracement. Most of us are somewhere in-between.

What I do know is that to reject this change is to be left behind, and to stick with traditional concepts of privacy will exclude you from the conveniences to come. I’m not judging this in a negative way, I’m sure you are perfectly happy to BE ‘left behind’, and to do things the ‘old way’ but I’m also saying that I will not be one of those, I’m too bloody lazy not to have as many things done for me automatically as possible.

I am also happy to accept the consequences, and I will likely be laughing all over again when it all goes horribly wrong! 🙂

How to Lose All Credibility in Cybersecurity

There are some things in life that you assume everyone must know by now; give a firm handshake, never accept credit for someone else’s efforts, never be rude to waiters and so on. Yet so many vendors in the information security industry fall foul of an offence far worse than these.

They use phrases like:

  • 100% secure
  • Unbreakable
  • Completely safe
  • Fraud-proof
  • Hack-proof
  • and so on…

The fact remains that NOTHING in information technology is 100% secure. Nothing. If someone wants it badly enough, and they have the necessary skill-set/support, they are going to get it, and anyone who espouses differently should find another line of work before they cause any[more] damage.

And it’s all so unnecessary. You don’t need 100% security even if it was possible, what you need is security ENOUGH. The bad guys are lazy, and if you’re too difficult to breach they will move on, so just ‘build your fence higher than your neighbour’s’. From what I’ve seen in the 15 years I’ve been consulting across the globe, this should not be too difficult.

The calculation you have to make is this;

If the Cost of Security > Value of Data = do what you can afford and no more, OR, if the Cost of Security < Value of Data = do it, but do only what makes sense.

So what process magically gives you the answers to this equation? Easy, the Risk Assessment. One of the most basic tenets of a security program done well, and one of the most under-utilised business tools in every organisation I’ve helped. A risk assessment process performed appropriately will tell you what you’re not doing well, how to fix it, AND how much to spend on doing so.

But I digress.

I can actually empathise with organisations and individuals trying to sell security. It’s tough, but that’s no excuse for lying about your products, and that’s exactly what you’re doing if you claim 100% security. Lying. You have a responsibility to your customers, and whether you like it or not, and whether you ARE or not, you are usually the expert in the room (if you know 1% more than the other person you are the expert). Your client came to you for help, it’s up to you to provide what they NEED, not necessarily what they asked for.

Your credibility as a provider of information security services or products goes hand-in-hand with your integrity as an organisation and/or individual. Think of your integrity as a form of currency; you can either invest it in your credibility, or spend it on quick wins. Only one of these has a long-term future.

I will note however that if you’re a buyer of security services, you have as much responsibility as the seller to buy only what you need. YOU must ask the right questions, and the only way you can do that is to either do your homework, or hire someone to do it for you. Never expect a salesperson to think twice about giving you what you ask for, then charging you again for providing what you should have asked for in the first place. This scope creep is your fault as much as theirs.

This white paper is not how to sell, I can’t do that, this is how I think you sell with integrity; How to Sell Security

Humble Expert, or Confident Idiot, Do You Know Which You Are?

[This article is based loosely on the Dunning-Kruger Effect.]

Have you ever been part of a meeting where someone whom you suspect has no idea what they are talking about, is actually the one controlling the meeting’s outcome? Or the opposite; been part of a meeting where you KNOW someone in the room is an expert on the relevant subject, yet remains quiet? Now combine the two; the expert stays quiet while the idiot rambles on.

I’m sure at some point I’ve been both, and if I’m honest, mostly the idiot.

One of the many aspects of human nature is our susceptibility to bow to confidence. Con artists and organised religions alike (but I repeat myself) have preyed on this for millennia. Politicians, emperors, dictators, cult leaders, you name it, all have the ability to make us believe utter nonsense. We are invariably less influenced by what is said, than how it’s said, and by whom.

“Those who can make you believe absurdities can make you commit atrocities.”
– Voltaire

The opposite aspect of this is that even if you are an expert on something, if you aren’t confident in your presentation, your knowledge and skill may be of little impact. Potentially, even if you did speak up, your hesitant manner would negate your audience’s trust in your message. That’s if they were even listening in the first place.

Another aspect of human nature is that we really don’t care about other people’s opinions. We are either pleased when people agree with us, or we’ll debate, argue, even fight with those who don’t. Our tolerance for alternative opinions, as well as our ability to adjust our own, only get worse as we get older. We spend our lives surrounding ourselves with things that make us comfortable, all of which do nothing but reinforce our established beliefs.

I have long been a proponent of self-reflection. The ability to take an objective-as-possible look at yourself, maybe even from another’s perspective, is critical in being able to adapt to whatever the world throws at you. From my experience, there is a direct correlation between the ability to self-reflect and the ability to accept responsibility for both your life, and your actions.

Blaming others is a form of blind-faith, it suggests an infallibility that can never exist. Both experts and idiots are affected equally on this point, both negatively.

The lines between confidence and arrogance, faith and stubbornness, mentorship and patronisation are all blurry, and entirely dependent on the recipient’s perception, not the deliverer’s intent.  Self reflection / observation is the only way you can adapt to the person(s) opposite you, and without that adaptation your own needs will not be met. At least not in full.

While being aware of your tendencies does not equate to an ability to make immediate adjustments (as I know very well), we all have to start somewhere. Whether you’re an expert or an idiot, everything you do is in some way contextualised by those around you. It’s up to you to maximise your impact in a beneficial way.

In your personal life, do as you wish, but at work you are beholden to someone; employer, stockholders, customers, or just your immediate team. Neither the humble expert nor the confident idiot are any good to anyone.

Including yourself.

Get Customer Service Right, Or You’re Out of the Game

One of my favourite quotes from The Dark Knight; “You know what I’ve noticed? Nobody panics when things go ‘according to plan.’ Even if the plan is horrifying!”

A little dramatic perhaps – not to mention some of the best acting of all time – but this directly applies to customer service.

Your clients don’t get anywhere near as angry if you come to them with a potential issue, it’s when they have to constantly chase you for resolution of a KNOWN issue when things go horribly wrong. If your customer service is only ever reactive, you have failed, and if you can’t even react well, you are out of the game.

From my favourite website ever,;



Type in the phrase ‘customer service’ into Google and you’ll get over 1.6 BILLION results. There are institutions and college degrees dedicated to it, blogs by the hundred, books by the thousand, and articles by the million (this one is very good; 8 Rules for Good Customer Service, by Susan Ward), yet how do organisations STILL get it wrong?

That’s easy, blame the CEO (or equivalent).

Just as a lack of a security culture is the CEO’s fault, lack of a Customer Service culture is every bit as much on their shoulders. You may recall from my post Top 10 Roadblocks to PCI Compliance where I stated; “Let’s be very clear; The CEO sets the tone for the entire company: its vision, its values, its direction, and its priorities. If the organisation fails to achieve PCI compliance, it’s the CEO’s fault, and no-one else’s.”

Replace “PCI compliance” with “Customer Satisfaction”  and the rest is the same.

The symptoms of the inability of some organisations to provide good customer service (the CEO being the cause) can include;

  1. Poor selling techniques – if salespeople are not trained to sell only what the customer needs (not wants or even asks for), the organisation behind this salesperson will be unable to support the customer’s questions. I don’t care how nice you are, or how great your products, if you’ve sold something the client doesn’t need, they will rarely buy from you again.
  2. Poor products or services – there’s a fairly good chance that if your vendor does not provide good customer service, the other services and products provided by them are suspect, and should be reviewed.  Do your research, and ALWAYS ask for a proof of concept (POC) before you buy.  No POC, no purchase.
  3. Black-hole communication – No-one wants to be yelled at, so if your calls and emails are going unanswered, there’s a very good chance you aren’t going to like the answer when you finally corner them.  This is also an extension of 2.  And finally, forget how quickly the salesperson comes back to you BEFORE the sale, how are they immediately after?
  4. No Customer Service SLAs built in – in other words, if you have to ask for SLAs related to communication, or even something as simple as response times, there’s a good chance you won’t get the service you’re looking for.
  5. Very low renewal rates – include this question in your RFP for new services and products, and have them prove it.
  6. Limited, or no references – this one is too obvious  to expand on, but ignore industry awards, they are a farce.

An organisation that truly embraces a customer service culture will probably allude to it in their Vision Statement, and almost definitely in their Values.  Do business with only those organisations that take the term ‘partnership’ seriously, especially in security, and ANY company that bandies around the phrase ‘Trusted Partner’ needs to be taking client satisfaction to the next level.  Are they?

Good customer service is even simpler than security, and far less difficult to achieve, you just have to treat it as a foundation of doing business. Your clients’ happiness is more important than your profit. If you don’t believe that, you don’t care enough about them to give them what they need.

In one respect or another, we are ALL customer service reps, and this (to me) is the definitive guide to being a good rep; How To Win Friends And Influence People, by Dale Carnegie.

Yes I’ve read it …twice, and yes, I still have a lot of work to do 🙂

Anyone seen any articles on Customer Service in the security arena?