Personnel Management for Office
This blog focuses on personnel management for Office. Having the right team focused on the right tasks at the right time yields optimum performance. We describe some best practice techniques that executives can include in their processes for recruiting, retaining, rewarding, and managing talent in the Cyber Age. We also give recommendations on how to apply that talent as you organize for success.
FINDING THE RIGHT FIT
Having a great strategy complemented by great plans, policies, and procedures gets you absolutely nowhere without the right people, properly trained, with the right attitude, in the right positions doing the right jobs.
As an executive, one of your principal responsibilities is to select and align the right talent to execute your organization’s mission. Throughout your career, you likely have seen the negative effects wrought by ill-prepared employees or ill-fitting personalities being overmatched by difficult tasks.
In today’s highly competitive market where organizations like yours rely on cyberspace capabilities to gain and maintain competitive advantage, you can’t afford to have ill-prepared employees or ill-fitting personalities. You have to build a team that delivers results that are effective, efficient, and secure.
This blog also addresses that greatest cybersecurity threat: you and your people. The great American comic strip “Pogo” coined the phrase, “We have met the enemy and he is us.” When it comes to cybersecurity, that may well be the case. As an executive, you have to inform your employees of cyber threats and vulnerabilities, educate them on the risks, and train them to act in accordance with your policies and procedures to minimize risk.
Further, you have to make sure that you align the right talent to perform the right jobs. For example, too many times, we have seen organizations delegate information system administration duties to individuals who did not have the technical skills to handle the assignment adequately. Often, the systems were misconfigured, resulting in frustrating downtime and outages affecting the organization’s effectiveness and efficiency.
Many times, the systems were not kept up to date with current patches, exposing the organization to exploitation by bad actors. In both cases, the poorly managed systems exposed the organization to unacceptable risk. Misaligning talent will jeopardize your ability to be effective, efficient, and secure. It will cost you time and money.
We believe managers manage “things” while leaders lead people. As an executive, you need to be both a highly skilled and capable manager and a dynamic and proactive leader. In today’s information-enabled environment, the challenges of knowing who to hire, who to fire, what jobs to assign, and who to assign them to become increasingly complex.
You need to continually invest in technical training and education for both yourself and your employees to stay relevant and best postured to succeed. You need to know how to organize your team to best manage and protect its information. You need to lead your team to incorporate cybersecurity into its strategy, plans, policies, and procedures. You need to lead your team to do the right things to make your organization effective, efficient, and secure.
This blog will give you the tools you need as you determine who and what are the “right fits” for your business. We will present you with information regarding the assignment of roles and responsibilities you should consider when determining organizational structures. It will provide you with the information you need to educate and train your workforce to make sure they are hardened against cyber threats.
We’ll also remind you of cybersecurity concerns that are of special importance to executives in general and detailed considerations for executives operating and managing critical infrastructure. The knowledge conveyed will better posture you and your team to be “cyber smart.”
CREATING THE TEAM
When people are asked about teams and teamwork, their minds frequently gravitate to the world of sports. Ask someone to tell you about a great team and they likely will tell you a story about a sports team. They will tell you about a group of different individuals from different communities and circumstances who came together, blending their skills to achieve a common purpose.
They may even tell you about those on the team who didn’t get the spotlight as they subordinated their personal opportunities for glory in exchange for the team’s success. We bet you are thinking of a couple examples of great sports teams right now.
Would you describe your business and its employees this same way? Is your organization the first great team that comes to your mind when people ask you to identify great teams? We submit that every business, whether it is a multinational conglomerate, a small- to medium-sized business, a partnership, or even a proprietorship, relies on teamwork to succeed.
Isn’t your business comprised of a variety of different people with different backgrounds and skill levels all contributing toward a common purpose? Don’t you have some people who selflessly sacrifice for organizational success? Teams are especially important in today’s highly complex information-enabled environment. If you don’t think of your business and its employees as a team, perhaps it is time to change your thinking and do something about it.
Just like sports teams, your business has specialists who contribute their unique skills and talents to make your business succeed.
You may even have your “Top Gun” salesperson whom you dispatch to handle your most important clients. What about your IT staff? Are they the long snappers in your organization? Perhaps they aren’t. We submit that while they are indeed specialists, they aren’t “long snappers” who come in for only a couple of plays. Instead, they are in on each and every play and, if they do their jobs well, they remain invisible and anonymous, much like Jon Kolb.
Picking the Right Leaders
You may have a great group of individuals and even have the best strategy, but if you don’t have the right leaders, you are destined to fail. During your professional career, you probably have seen some very successful and profitable companies suddenly take a nosedive and flounder when they put the wrong person in charge. We have too.
The person may not be bad, but if they are not the right fit, not qualified for the position, and do not possess the right leadership skills, their failure is almost certainly guaranteed. As the boss, one of the most important assignments you will have is picking the managers and executives to execute the corporate strategy and grooming those who ultimately will take your place.
With your business’s reliance on information growing every day, hiring executives who neither understand nor appreciate IT is a losing proposition. With e-commerce, telework, office automation, mobile computing, robotics, computer-controlled manufacturing, and a host of other information-enabled activities emerging at the forefront of business today, your C-suite and subordinate executives must have a thorough understanding of not only technology but also how to leverage it to create stunning victories every day.
Do all of your executives need to be technical experts? Of course not. In fact, we submit that sometimes it is better to hire a great executive with proven leadership skills who can be taught to understand information technology than it is to hire a technical expert and expect to transform them into a great executive and leader. Nonetheless, you can’t afford to hire executives who fail to show interest in or appreciation of information technology. Likewise, you want to steer clear of those who are dismissive of cybersecurity; you can’t afford them in your ranks, let alone permit them to be in charge.
Your executives not only have to be great managers, but also they have to be great leaders. Leaders and their attitudes set the tone for the organization. If your strategy calls for your organization to be information enabled and values cybersecurity to protect its vital information, you cannot afford to have leaders who do not embrace that strategy wholeheartedly. We recommend you include focused questions on information and cybersecurity as you interview candidates for your executive positions.
Does the candidate make unsolicited mention of cybersecurity as being part of their management and leadership philosophy? Does the candidate view cybersecurity practices, training, and tools to be unreasonable burdens or normal and prudent costs of doing business? Does the candidate believe information is an asset with an intrinsic value?
Does the candidate believe cybersecurity is a “must-pay” priority investment or a discretionary expenditure? Is the candidate able to give examples of how they have incorporated cybersecurity into their business practices and that of the projects they have managed? Does the candidate demonstrate that they practice secure computing in both their home and office lives? With information and information technologies continuing to take a predominant role in business, you need executives who lead efforts to safeguard your information.
Your executives need to be savvy in their professional and personal lives. You would shy away from selecting executives who have a bad reputation for unacceptable behavior such as excessive drinking, gambling, and even caustic personalities. Now you should also consider how they conduct themselves in their online activities.
Many companies now comb the Internet and social media sites to vet their prospective executives and employees to see whether they have any embarrassing or inappropriate information on the net. While some people see this as an invasion of privacy, we view it as an essential business hiring practice.
You don’t want, nor can you afford, to hire executives whose web presence serves as a potential embarrassment to your organization. Individuals who protect their personal identities and sensitive information are more likely to protect your business’s vital information too. Safeguard your organization by selecting executives who not only incorporate cybersecurity into their normal business and leadership processes, but also demonstrate that they use strong cybersecurity practices away from work as well.
An essential skill for executives in today’s information-enabled market is the ability to recognize and quickly act upon opportunities presented by information and IT. Consider businesses that decided to migrate to web pages as their digital storefront, offering lower-cost offerings available anytime, around the world.
They recognized the value proposition that such e-commerce presents, as traditional brick-and-mortar storefronts with expensive staffing, facility expenses, and other overhead costs could be replaced by a web presence that is always open and always available, no matter where the customer is located. Companies such as Amazon and eBay were early adopters of e-commerce, while those who lagged and relied on traditional stores, such as CompUSA and Circuit City, did not survive.
Do you want executives who are visionary and seek opportunities to leverage the power of IT to gain a competitive advantage? Does your candidate have the proven ability to translate great vision into practical success? Is your candidate a technology innovator or troglodyte?
We recommend you make continuing professional education a priority for your executives, and when selecting the skills you want to enhance and nurture, make sure you include courses that emphasize cybersecurity. There are many excellent courses and seminars run by major universities and professional organizations that are now beginning to recognize the importance of information assurance, information security, and other monikers that apply to the cybersecurity realm.
We recommend you invest in annual focused cybersecurity awareness training for your executive team to ensure they are well equipped to make decisions that keep your information and business interests secure in today’s ever-contested cyberspace environment.
How do you know which course is best to meet your needs? First, determine whether the course content is aligned with your business strategy. If the course espouses principles that are consistent with your strategy and your core values, it is a contender. Second, consider how the course addresses information.
Does it present information as a valued asset that should be managed, controlled, and protected like other valued corporate assets? If so, it remains a contender. Third, does the course have a specific block of instruction dedicated to cybersecurity? If it does, it sounds promising. Fourth, is the course a good value that fits into your budget and promises a good return on investment? If all four criteria are met, you likely have a winner worthy of your investment.
Finally, you need executives who can tell the difference between a slick salesman’s snake oil story and ground truth. Sadly, there are many people in the IT business who overpromise and underdeliver. Select executives who can pick the winners and dismiss the losers. Successful executives are curious and ask the right questions.
They do their homework and research alternatives and options before making decisions. They collaborate with experts when the topic exceeds their area of expertise. They seek opinions and recommendations from others. They seek to understand and appreciate technology before they make commitments to it. They are cautious when asked to be first adopters of technology and processes. They aren’t afraid to say, “Prove it,” when presented with promises of fabulous returns.
Successful executives can discern what is truly within the realm of the possible from proposals based on science fiction. You need to choose your executives with the same care and attention as you would a prospective son-in-law. Your C-suite and subordinate executives need to be “cyber smart.” Your business is at stake. Choose wisely.
Your Cybersecurity Leaders
One of the things that you need to do as a leader is to remind your employees that cybersecurity is everybody’s responsibility. This is at the core of building a corporate culture that values cybersecurity. Your cybersecurity programs, training, tools, and procedures do not belong just to one individual or department; they are the responsibility of everybody, including you!
Nevertheless, many organizations assign executives responsibilities for activities that cut across multiple product and business lines. These executives are responsible for policies that govern functional activities and provide oversight that makes sure the policies are appropriately followed in execution by personnel across the organization. These executives provide sponsorship and ownership of cross-cutting activities. Financial, security, and risk management are examples of these types of cross-cutting activities. Cybersecurity is another.
There is no single best-practice organizational structure proven to optimize cybersecurity in business. While many organizations align sponsorship of cybersecurity programs under the chief information officer (CIO), we’ve seen others place it under the auspices of the chief information security officer (CISO), the chief security officer (CSO), or the chief risk officer (CRO).
We’ve even seen several companies place it under the COO or the CFO. The type of business you run and the corporate culture of your organization will guide your selection as to which officer is best suited to sponsor the cybersecurity program in your business.
We recommend you consider aligning management of your cybersecurity programs to your CIO with your CISO serving as a direct report. CIOs are responsible for the information of the business. If they do their job correctly, they are thinking and acting beyond the IT systems; they are focused on the process that creates, consumes, manages, stores, and protects the information that is such a valuable part of your business.
Too many times, we have seen CIOs who become bogged down with the acquisition or management of software and IT systems while losing sight of the fact that these are complementary tasks supporting the management of information, which is truly the heart of every CIO’s job. Your CIO should be responsible for managing the entire life cycle of your business’s information, from creation to destruction, including its protection.
Because the CIO is responsible for the effectiveness, efficiency, and security of information throughout its life cycle, we recommend you consider aligning the CISO as a direct report to the CIO. The CISO provides the full-time focus to manage the programs and operational activities required to protect your information properly.
We view this as a subordinate role to the CIO, who manages the entire spectrum of activities governing your information. A CIO without a CISO is a person ill-equipped to properly do their job. Similarly, a CISO not working in concert with the CIO often is viewed as a competitor, resulting in needless friction that adds drag to your organizational processes and production. You don’t need that kind of heartache.
As senior executives, we make a point of thinking strategically, including with succession planning. We look for promising young executives who we can groom to take broader and more important roles in the future. We are looking for someone who has the skills and experience to prove themselves worthy to take our place when we decide to step aside (or move up). We believe that there is great opportunity to grow future CIOs from your CISOs.
In fact, given the increased importance of information in your business, we believe that CIOs not possessing a thorough grasp of the skills required of CISOs are not adequately prepared to manage the full spectrum of information management successfully.
We recommend you consider placing your potential future CIOs into CISO positions, where they will gain the necessary mastery of cybersecurity practices, policies, and procedures that complement your business and protect your information. These are essential skills that a CIO must have. If the candidates are unsuccessful as CISOs, they definitely will be unsuccessful as CIOs.
CIOs and CISOs share common technical education and training requirements and experiences, yet the CIO’s experience base is arguably much broader than information security. CIOs must master information management, information security, software and hardware operations, system acquisition, architectures, and a host of other technical and managerial functions. This places CIOs in an ideal position to serve as not only the CISO’s boss but also a mentor.
Too many times, we have seen CISOs evolve into the “Just Say No” security roadblock. Sadly, they put themselves in the position where they are viewed by other executives as the folks who say “no” to innovative ways of doing things rather than helping others find innovative methods with cybersecurity “baked in” to the process as a valued protective measure. CIOs typically have a broader view and can help provide the leadership to focus the CISO on providing value-added and practical security constructs that are appreciated and adhered to.
Many of our clients ask what type of credentials and experiences we recommend that senior executives such as the CIO and CISO have to ensure they have the skills needed to lead contemporary IT organizations effectively. While there are a host of certification and credentialing programs now available, we believe there are two cybersecurity credentials that are “must-haves” for both your potential CIO and CISO candidates, the Certified Information Systems Security Professional (CISSP) and Certified Information Systems Manager (CISM) certifications.
The first is the CISSP certification issued by the International Information Systems Security Consortium (ISC2) organization. It is considered the more technical of the two certifications, and we regard it as a must-have for CISOs and highly desired for CIOs. Members who possess this certification have demonstrated a detailed understanding and experience base in the following ten cybersecurity domains.
Many senior executives look at the CISSP certification as they do a Professional Engineer certification. Members possessing the CISSP certification have undergone a grueling six-hour examination that tests the candidate’s knowledge in all ten domains. CISSPs must demonstrate five or more years of experience in protecting information and information systems.
They subscribe to a professional code of ethics that promotes the safe and ethical use of IT. Further, they must maintain their currency through continuing professional education. When you hire a CISSP, you can have confidence they have demonstrated technical expertise in cybersecurity.
The second certification, the CISM certification, is issued by the ISACA organization. While the CISSP credential program is more technical in nature, the CISM program focuses on the effective management of information systems using contemporary security principles and best practices.
Like CISSPs, people with the CISM certification must pass a comprehensive test that ensures they have the requisite technical and managerial knowledge, demonstrate years of experience in the professional management of IT systems, and meet continuing professional education requirements. The CISM certification is highly recommended for CIOs and CISOs alike.
Is one better than the other? Do you need both? Do you need to even have a certification? Frankly, there are numerous CIOs and CISOs operating without these credentials, and many of them seem to be doing just fine. However, with the ever-increasing cybersecurity threats continuing to mount, are your CIOs and CISOs adequately equipped with the skills and experience to excel in the coming years? Do you want to hire or retain individuals who are not prepared to adequately manage and defend your information?
We believe the current and future threat environment demands that your CIOs and CISOs maintain a professional cybersecurity certification. If your CIO and CISO already have their credentials, terrific! Make sure they maintain their currency through continuing professional education. Invest in them by sending them to courses and seminars that enhance your business objectives. If they don’t have their credentials, ask them, “Why not?” Consider including achieving certification as a mandatory performance objective in this year’s performance plan.
If you make technical credentialing and experience a requirement in selecting your senior technical business leaders, you also send a message that gives hope to your technical workforce that with the right combination of technical prowess fused with managerial and leadership excellence, they can someday rise to the C-suite.
This helps keep your best technical talent, provides invaluable stability within your staff, and builds loyalty and trust. When you establish a career path for your staff that potentially leads to a C-suite position, you set a solid foundation that pays rich dividends in strengthening your cybersecurity program.
Picking the right CIO and CISO is critically important for your organization. Not only do they need to have the technical expertise to effectively perform their jobs, they have to be great partners and leaders. They need to understand the business processes across the organization and look for opportunities to enhance business functions by innovatively leveraging information and IT to gain or maintain your competitive advantage.
Many of our clients ask us to identify attributes we look for in selecting potential CIOs and CISOs to be great “cyber leaders.” Frankly, CIOs and CISOs are executives who have to have solid technical credentials yet possess the same talents and leadership skills we expect of any other executive. We seek those who have demonstrated attributes that include the following:
• The ability to lead people and manage projects
• Thorough understanding of the business and how technology enhances it
• The ability to plan and forecast strategically and tactically
• The ability to communicate clearly across many different audiences and cultures
• The ability to adapt and perform at high levels in a variety of new and different positions (e.g., career broadening)
We’ve spent considerable time discussing your CIO and CISO, whom we consider your principal cybersecurity leaders, but what about your other executives? Aren’t they also cybersecurity leaders?
In fact, many firms now require that their CRO and CSO have demonstrated cybersecurity experience and possess CISSP or CISM certifications as a prerequisite in their job advertisements. Cybersecurity is about risk management, and both the CRO and the CSO have a huge stake in maintaining a solid cybersecurity program. It makes sense that they too should have experience in protecting and defending information.
Like your CIO and CISO, you should consider recurring cybersecurity training for your CRO and CSO. Perhaps more than other executives in your organization, their duties call for a broader and deeper understanding of threats, vulnerabilities, and the tactics, techniques, and procedures needed to minimize risk. While they don’t need the detailed technical knowledge of your CIO and CISO, they need to be able to speak and understand the same language. We recommend you consider investing in specific cybersecurity training for your CRO and CSO.
Having leaders who are “cyber smart” helps your business immeasurably. Executives who are well informed and understand the risks and opportunities facing your organization are much better postured to make the right decisions that yield success. As you look to pick the talent for those who lead your cybersecurity efforts, we strongly encourage you not only to pick great executives with terrific leadership skills but also to pick the ones that are established technical leaders with the right certifications and qualifications.
Create Hire-Right Profiles
Design Blueprints Detailing Who’s Right for a Job
Dating and interviewing have a lot in common. Both are about getting to know one another better and can lead to a long-term relationship. This courtship can become something very special—a fulfilling and nurturing partnership that meets the needs of all involved.
Applying my Hire-Right Profile, a process for creating a blueprint for who is the best fit for a job, made sense as the place to start.
My greatest concern in using my hiring profile for romantic purposes was that it would turn dating into a cold, dispassionate exercise.
Adding Your Hiring Criteria
Whether you’ve interviewed hundreds or a handful of people, those experiences will shape your Hire-Right Profiles. Also, your observations of past and current employees who have succeeded and failed in the role will provide valuable details as to what makes or breaks a good hire. The following questions will uncover those details.
What are the common assets of employees who have succeeded in the job? These assets include an employee’s skills, experiences, values, education, helpful behaviors, and personality features.
As you consider potential Dealmakers, think about all of the assets of people, including past and current employees, who have succeeded in the role. Which skills and previous work experiences do they have in common? When comparing their personal values, behaviors, and personality features, which ones were integral to their success in the role and compatibility with your culture? How did their education impact their ability to perform well in the job?
Look for patterns of assets. Assets common among successful hires are Dealmakers. Assets appearing in only a few people are Boosts.
What are the common deficits of employees who have not succeeded in the job? These deficits include unhelpful behaviors, counterproductive actions, conflicting values, and negative personality features.
Using the same process you used for Dealmakers, look for patterns among the deficits of people who failed, or who are currently failing, to meet expectations. Each deficit that shows up consistently is a Dealbreaker; deficits that appear in only a few individuals are added to the quadrant of Blocks.
In addition to Dealmakers, what other assets were exhibited by top performers?
The more Boosts a candidate has, the more likely she will consistently perform well in the role. You’ll uncover some of these answers in the first question about Dealmakers.
An in-depth review of top performers in the job will uncover additional Boosts. Think about what was truly unique about each individual who did exceptionally well. Which skills did they have that others did not? What experience did they bring to the company that was different? What differentiated the personalities and behaviors of these top performers from everyone else? Every additional detail about these noteworthy employees becomes part of the list of Boosts in the lower left quadrant.
In addition to Dealbreakers, what other deficits were exhibited by employees who were mediocre performers?
Blocks are attributes that, individually, don’t typically cause someone to fail. However, the more Blocks someone accrues, the greater the chance he will struggle. Even when a candidate has every Dealmaker and none of the Dealbreakers, Blocks can undermine assets.
Carefully review past and current employees whose job performance was disappointing. You’re looking for hires whose tenures were nothing spectacularly good or bad. What were their negative attributes? List each attribute that is not already noted as a Dealbreaker among your Blocks.
Ask your colleagues, such as your boss and employees that report to you, to independently answer these same questions. Watch for patterns among the details as you compare their input. Traits that appear three or more times in your collective answers to each question should always be included in the correct section of a completed profile.
Your HR or talent acquisition department can be a helpful resource when creating Hire-Right Profiles. Colleagues in those departments who have been closely involved with your team should be asked to answer the four questions. Also, many HR departments maintain files of performance reviews of past and current employees. These should be perused as well, looking for assets and deficits for inclusion in the Hire-Right Profile.
Existing Hire-Right Profiles can be used as templates for new jobs in the same department. Traits are often transferable for a new role, especially those that relate to values, helpful behaviors, and personality. Additional skills, experiences, and education can be identified using a variety of different resources, including:
• Friendly competitors who are open to an exchange of ideas.
• Job postings for similar roles at other companies; these can be found on company websites and on job boards.
• Websites that provide lists of job descriptions; examples include:
• Membership in an HR, staffing, or employment-related association may include access to job description templates. For instance, SHRM provides its members with dozens of sample job descriptions on their website.
• Profiles on LinkedIn, especially details that people list about their job experience and skills.
When you create and use Hire-Right Profiles for each role in your company, you gain significant advantages over people who hire by gut alone. Employee selection is done objectively, based on accurate criteria. Your emotions, rather than running the show, are balanced with facts and logic. Instincts and gut feelings inform sound decision making instead of being the primary selection method.
More important, faith in the process, versus fear of making a bad choice, allows you to make fast and accurate hiring decisions. Instead of losing talented people to more nimble competitors, Hire-Right Profiles allow you to secure top talent and fill open seats in an instant.
No two companies are exactly alike, even when they’re in the same industry. Job titles vary, as do the skill requirements and interpersonal traits that best fit each organization’s culture. As a result, no two Hire-Right Profiles end up exactly alike, even when comparing similar roles at different companies.
There are, however, role-specific assets that often get overlooked, and should appear in almost any company’s Hire-Right Profiles. Here are three examples of such roles and their matching assets:
Role: Executive Leadership
Asset: Helicopter Leadership Skills
Executives who have successfully maneuvered between a 30,000-foot understanding of the marketplace, a 15,000-foot strategic viewpoint and a ground-level perspective of the daily operations of their company are said to be “helicopter leaders.” They make better decisions. Helicopter leadership allows them to combine a visionary outlook with current realities to create smart strategies.
Asset: Professional Humility
Humble executives acknowledge their own limitations, rather than being driven by an unhealthy ego. Their self-awareness and healthy self-confidence allow them to surround themselves with people who have strengths and abilities they themselves lack.
Asset: Inventor Mindset
Executives with an inventor mindset view failures as opportunities. They encourage those around them to leverage mistakes as a chance to improve capabilities and deepen relationships.
Role: Sales
Asset: Collaborative Curiosity
Curious salespeople ask better questions. They get to know their buyers and their needs, taking time to uncover detailed information. This creates lasting relationships built on trust and understanding.
Asset: Fearless Tenacity
Over 80 percent of deals close after the fifth contact with a prospect. Fearlessly tenacious salespeople are the ones who keep showing up, knowing that every “no” moves them that much closer to the next buyer who will say “yes.”
Asset: Tempered Impatience
Impatience in sales professionals can be a virtue, but only if it’s tempered with a focus on the greater good. Salespeople with tempered impatience are motivated to help customers improve their circumstances as soon as possible. They’re driven to build and maintain mutually beneficial relationships.
Role: Customer Service
Problem resolution is vital to excellent customer service, as long as it doesn’t go too far. People who have a proven track record for setting boundaries in a kind and compassionate manner deliver service that’s respected and remembered.
Asset: Collaborative Compromise
When customers require help, savvy customer service pros avoid trying to resolve the situation on their own. Instead, they collaborate with customers, remembering that two heads are better than one.
The world is filled with people who care too much about how they’re seen by others. Such people-pleasers focus on their own likability. Outcome-achievers strive to create a positive outcome for all parties, knowing that compromise is more potent than popularity.
Your Hire-Right Profiles must reflect your organization’s values, needs, and culture in order to be useful. When considering these recommended traits for your roles, review each one carefully, making sure they fit your specific needs and culture.
Trust the Process
When we began working together, Sharon Strauss was no stranger to using hiring profiles. Strauss is vice president of client services at Vitamin T, a global talent agency that serves creative digital professionals. She came to me, wanting to improve Vitamin T’s hiring process for internal staff. “Our biggest challenge, hands down, was getting our staff away from hiring with their gut,” she said. “If they really liked someone, they wanted to hire that person, even if there were indicators that she was not the best fit.”
It took a few minutes over the phone to walk Strauss through the structure of the Hire-Right Profile. The familiarity of a four-quadrant table and the straightforward labels for each quadrant make it simple to share this with anyone, anywhere. After outlining the structure for her, Strauss took it from there. She filled in each section and, along the way, discovered several key insights. “Identifying Dealmakers was relatively easy. Once I started listing those, it was hard to stop.
They flowed from my head to my hand to the paper. When I moved on to Dealbreakers, I initially found myself listing the opposites of my Dealmakers. That’s why using the four questions to guide the process was important. As I refocused on the deficits of employees who had not succeeded in the job, identifying Dealbreakers became easier.”
The simple design of these candidate blueprints has allowed Vitamin T to implement a standardized hiring tool that can be used companywide. In rolling out Hire-Right Profiles, Strauss quickly learned how the tool would make their good selection methods better. “I realized we’d been on track with most of our selection criteria,” she said. “The problem was we often gave into gut feelings. We can now call each other out when we’re compromising, and hold one another accountable to sticking to the plan and trusting the process.”
Strauss’ advice to first-time Hire-Right Profile users is to be patient. “There are lots of factors to consider, so don’t let them overwhelm you. That’s one reason why it’s vital to include your colleagues in creating these profiles. As you use them, make sure you’re able to confirm that candidates have all of the Dealmakers and none of the Dealbreakers. Follow the plan and don’t let your personal feelings overrule the obvious. And be sure to follow the ‘rules,’ especially the one about never changing the details in the midst of the interview process.”
Using Completed Hire-Right Profiles
Once completed, Hire-Right Profiles shape the remaining steps of the Talent Accelerator Process. The following four rules will help you get the most from your completed profiles:
Rule #1: Never Change Hire-Right Profiles in the Midst of Interviews
When a candidate seems to be a great fit but is missing one Dealmaker, it’s normal to want to adjust the profile to match the person. The same is true with Dealbreakers—but each one was listed for a reason. Sticking with what’s on a Hire-Right Profile ensures that you hire logically instead of emotionally.
Rule #2: Use Hire-Right Profiles as a Checklist, Providing One to Every Person Interviewing a Candidate
Hire-Right Profiles ensure that your team misses nothing. How? Each interviewer checks off criteria they witness during their interactions, confirming that prospective new hires match every Dealmaker and have none of the Dealbreakers.
Rule #3: Update Hire-Right Profiles to Increase Their Accuracy
Each round of hires can provide details that improve the accuracy of future Hire-Right Profiles. Review the performance of new hires two to three months after the start of their employment. Use their successes and struggles to add details to the profile.
Rule #4: Be Specific
Specific criteria are easier to understand and identify than generalities. For instance, listing a “drama-filled life” as a Dealbreaker might confuse interviewers. It’s too ambiguous. Instead, describe specific behaviors, such as “complains daily about the latest difficulty or injustice.”
Facts Over Feelings
During my “interviews” with potential relationship partners, my Dating-Right Profile made it easier to know who did and didn’t fit my needs. But that was just the start; it helped me through each step of the dating process. It served as my guide on who to date, informed the questions I asked of each person, and ensured I never compromised my values nor allowed my emotions alone to run the show.
Your Hire-Right profiles will do the same for you. You’ll rely on these candidate blueprints in each step of the Talent Accelerator Process. They’ll guide you in selecting resources for procuring better talent. You’ll use them to write compelling content for employment ads and job postings. They’ll help you craft provocative questions that elicit the details needed to make accurate hiring choices. Hire-Right Profiles help you get away from hiring by gut. Facts become more important than feelings, resulting in hires who do good work.
Incorporating Hire-Right Profiles into your selection process takes minutes when you follow these steps.
Prioritize Your Jobs
People often choose one of two paths to begin: the easy road or the vital one. The easy road to creating your first Hire-Right Profile is by picking a familiar role, one where you and your colleagues have lots of hiring experience. You may elect the vital path by choosing a job that is especially important to your company or department. Neither path is wrong. The most important thing is to make a choice and create your first profile, knowing that making progress is more important than choosing perfectly.
Create Your First Hire-Right Profile
Use the four questions for adding your hiring criteria to complete each quadrant. Start with the top half of the profile. If you find it easier to start with Dealmakers, begin there. What if you’d rather start with Dealbreakers? Go for it. After completing the top half, move on to the bottom portion for Boosts and Blocks. Write down everything that comes to mind, knowing that you can move items, delete criteria, or add information at any time. Keep focusing on progress, not perfection.
Involve Key Colleagues
Select at least three colleagues to independently create their own Hire-Right Profiles for the same role. Ideally, this occurs at the same time you’re creating your own version. When three other colleagues aren’t available, look outside your company. This could include vendors or service providers who’ve interfaced with people in the role for which you are creating a Hire-Right Profile.
Research When Needed
Use resources, such as the job description websites listed in this blog, when creating Hire-Right Profiles for new jobs. You may also find these resources helpful if you are stuck when trying to complete a profile for an existing role.
Compare and Combine
Review your Hire-Right Profile alongside those of your colleagues. When a trait appears three or more times, that detail should always be included in the correct section of a completed profile.
Follow the Do’s and Don’ts
Don’t change Hire-Right Profiles in the midst of interviews or use vague labels. Do create Hire-Right Profiles that are used as checklists by each interviewer, updating them 60 to 90 days after each round of hiring. Keep your candidate blueprints current, refreshing the content as the needs of your company evolve.
Step #2—Improve Candidate Gravity
Generate a Continuous Flow of Quality Candidates
Not all recruiting methods are equal. Some give you outstanding candidates for a modest effort. Others are labor intensive, producing hundreds of people, many of whom are a poor fit. Using the correct recruiting methods is essential if you want to efficiently hire better employees.
Picking the best talent-finding options can be a challenge. There are lots of ways to recruit, including job boards, social media, advertising, and requesting referrals. New innovations, improved technologies, and an expanding range of service offerings are added every year.
Some talent resources require a sizeable investment. Marta, a talent acquisition executive for a large financial institution, found this to be the case with job boards. She couldn’t believe her eyes when her company’s primary job board sent her a renewal quote. The same level of service was going to cost nearly double.
She tried to negotiate a better deal, gaining a few concessions and a slightly lower price. Unfortunately, this lower price was still not within her budget. “I’m not sure what to do,” she said. “We’ve been using that job board for a decade. It’s one of our top resources. But, every year, it’s gotten increasingly expensive.”
I asked her what makes it a top resource. “Our recruiters have relied on it more than any other recruiting tool,” she replied. “That’s why it’s such a hard decision. I can’t make the numbers work, but I also can’t afford to let it go.”
“Since you can’t afford to let the board go,” I said, “I assume it provides lots of good candidates.” Making a face as though she’d bitten a lemon, Marta closed her door, leaned closer, and in a near whisper said, “What I’m about to say isn’t politically correct, but that board brings in a ton of candidates, many of whom are garbage. We waste so much time reviewing resumes of people who don’t fit.”
Marta’s experience isn’t unique. You, too, have likely gotten poor results from certain recruitment methods. Does that mean that these methods are a waste of time? No. The issue is how they’re being used. To hire efficiently, you need a healthy talent flow. Generating a continuous flow of quality candidates requires using the right resources in the right way.
Post and Pray
Many sources provide a generous flow of quality talent. However, no one source can be the be-all and end-all. Each resource ebbs and flows. That’s why these resources must be used in the proper combination.
As we looked closer, Marta’s situation had two issues. First, her team relied too heavily on this single job board. Second, they handled it incorrectly. “Marta,” I said, “your recruiters are using a common yet unfortunate practice called ‘post and pray.’ They post open positions, then pray for responses.”
Marta chuckled, “That’s spot on. They’ve been posting and praying for years. I’m guessing that’s because it does produce candidates. However, never enough and never quickly enough. I’ve talked to the team about pipelining talent before we need it. But they’ve been resistant.”
The status quo is sticky. Like a spider’s web, it’s a trap. You get stuck in current circumstances. The longer you’ve done something, the more likely you are to repeat it.
I suggested to Marta that the time for talking was done. Instead, it was time to act. “I’m part of the problem,” she said. “You’ve told me you can’t think your way into change. You can only act your way into change. If my team is going to see things differently, it will be through action. How do you recommend we do that?” This began a discussion about the alternative to post and pray.
Plan and Produce
Waiting until a job opens to search for talent keeps you stuck in the old way of hiring. Many organizations hire in this manner, duking it out with one another over a limited candidate supply. Often, they’re fighting over leftover third-tier talent.
“Passivity is our problem,” said Marta. “When we wait to recruit, our results are inconsistent. We sometimes find decent people. Other times, we don’t. We end up battling other organizations for the best of the three ‘un’s’—the best of the unhappy, unemployed, and underqualified. It costs us too much time and effort.”
Shifting from reactive to active recruiting is an important step to hiring faster. However, recruiting actively isn’t enough when you’re searching for quality talent in a sea of “un’s.” You need a clear distinction between qualified and unqualified candidates.
Marta incorporated the Hire-Right Profile, working with hiring managers to create a clear picture of who was the best fit. She used that information to write improved posts for the job board, adding details that had been previously overlooked. The Hire-Right Profile also guided her in selecting better ways to recruit. “Never again will I be left flat-footed,” she said. “Relying heavily on our primary job board has never been a good idea. Our poor results prove it. We need a constant flow of candidates if we’re going to eliminate hiring delays.”
When Marta introduced these improvements to her team, they were openly skeptical. They’d heard talk about change before, then nothing would happen. This time was different; we’d planned for their skepticism. Marta started by indicating that she was part of the problem, admitting she’d been all talk and little action.
This got their attention, especially since she was taking the blame versus casting it on them. Marta went through reports on sources of talent, showing why they’d been struggling to fill jobs. By the time she finished explaining how they would be cultivating top talent and waiting for the right job to show up, the recruiters were like a sports team ready to take the field.
This is plan and produce. You create a plan to produce a continuous flow of qualified candidates. That flow is generated by tapping into an expanded pool of talent. The strength of your company’s pull on top talent is called “candidate gravity.”
Drawing in people is a critical function in business. Stores that don’t attract enough customers fail. Restaurants that don’t fill tables close. Gyms that don’t sell enough memberships fold. Companies with a weak pull on prospective job candidates always struggle to fill their open jobs.
Candidate gravity is the pull your organization has on talent. This pull may be weak, drawing in an insufficient supply of candidates; inconsistent, coming in ebbs and flows; or strong, generating a consistent stream of people. Companies with strong candidate gravity always draw a stronger flow of top talent their way, leaving second- and third-tier candidates for everyone else.
Eight streams of talent generate candidate gravity. Each one taps into a different pool of people.
Talent Stream #1: Advertising
Job ads are one of the oldest forms of recruiting. Yet, running such an ad isn’t necessarily an old-school approach. Search-engine campaigns place targeted advertisements in the results of an Internet search. Banner ads on web pages are often viewed by hundreds of potential applicants. Numerous online magazines, newsletters, and classified ad sites offer you the ability to advertise job listings.
Old-school promotion still works. Each week, millions of people peruse job ads in printed publications. Flyers on bulletin boards at schools and houses of worship continue to attract applicants. Signs on buses and benches create awareness of job opportunities.
Advertising works when it delivers a persuasive message to the appropriate audience. Your ad content must be compelling and succinct, communicating to readers what’s in it for them to pursue a job at your company.
Talent Stream #2: Automation
Technology can generate talent and streamline your recruiting. Job boards and career sites come in many sizes and specialties. Sourcing systems find candidates for you. Automated telephone calling services alert job seekers to opportunities. Other recruiting tools find passive candidates or mass distribute job postings.
Talent Stream #3: Candidate Mining
The longer a company has been around, the more resumes fill filing cabinets and databases. Many are covered in real or digital dust, having been overlooked for years. The resumes in these files are a rich, renewable source of potential hires and people who can provide referrals.
Mining this untapped pool of talent is a simple exercise. Methodical searches of databases convert old resumes into new leads. Working through a filing cabinet a few files a day reestablishes contact with potential hires and referral sources. Searching previous candidates in applicant tracking systems could uncover prospective employees and networking contacts.
Talent Stream #4: Market Presence
Your company has a presence. This presence is created by your physical locations, online identity, organization’s reputation as a place to work, and overall standing in the community.
Market presence can draw in top talent. Storefront signs can convey organizational values. Websites can share stories of how employment at your company has lifted careers. Videos on social media can highlight where your organization stands on important issues.
Talent Stream #5: Networking
In the old days, if you wanted to network, you had to leave your house. You’d drive or fly to a conference, job fair, or reception. Today, you can also network virtually. Social media, online communities, and comments on articles have all become places for us to connect.
Getting the most from networking requires participation in both the physical and virtual worlds. Joining conversations on a discussion board before a conference leads to meaningful interactions at the event. Staying in touch with people on social media after a job fair may deepen relationships. Attending cocktail parties at the local chamber still offers opportunities to meet people who aren’t active online.
Colleges and schools are prime territory for connecting with talented people who have fresh perspectives. Full-scale networking taps into a wide stream of people who can become your job candidates and provide referrals to top talent.
Talent Stream #6: Referrals
Referrals have always been the most potent talent stream. One person can guide us to many others, pointing out who’s particularly good at a job.
We have many opportunities to ask for referrals to potential job candidates. Current employees, along with their family and friends, can connect us to thousands. Every candidate interviewed by your company can be a source of introductions to colleagues and friends. Reference checks also provide us ready-made opportunities to ask for help with referrals.
Talent Stream #7: Talent Manufacturing
Job candidates aren’t just found; they’re also made. How? Through “talent manufacturing” programs like internships and education, which provide potential hires with experience and new skills; and cross-training programs, which provide current employees with the skills needed for advancement. Of all the streams, talent manufacturing is the most underutilized.
Talent Stream #8: Talent Scouts
Actors on stage and screen have agents, professionals who land them their next roles. So, too, do people in every profession. Staffing firms and recruitment agencies are external corporate talent scouts, providing contract workers and full-time hires. The staffing industry has evolved into an entire ecosystem of services to help your company procure one person or an entire team of people.
Only 10 percent of organizations across the globe maintain strong candidate gravity. Why? They maximize all eight of the talent streams; the other 90 percent do not. If you want your company to have stronger candidate gravity, you must identify where your pull on talent is weak and improve those areas of weakness.
Improving Candidate Gravity
Answers to common questions will show you how the process of improving candidate gravity works:
1. Why is our candidate gravity weak or inconsistent?
It’s important to remember that each talent stream gives you access to a different group of candidates. Some of the talent streams provide overlapping access to the same candidates, but no single stream can secure every qualified individual. If your company is experiencing an inconsistent flow of qualified candidates, you’re not using all eight streams effectively.
Marta’s talent acquisition team wasn’t in the habit of asking everyone for referrals, nor were they regularly participating in networking opportunities. Improving these two streams brought in top talent they hadn’t previously found using their primary job board.
2. How does our organization improve a talent stream?
Improving the flow of talent in each stream requires choosing the correct methods. For example, there are many automation options, including products from Indeed, LinkedIn, Monster, and CareerBuilder. Referrals can be generated using different techniques, such as querying current employees or asking for referrals during candidate reference checks. Picking the correct methods, in the form of resources and techniques, maximizes the flow from each of the eight streams of talent.
The recruiters on Marta’s team began asking for referrals in every reference check. They also launched different referral initiatives, including asking for leads from current and past job candidates, internal staff, and the friends and family of team members.
3. What makes a resource or technique the right one for us?
Finding qualified people for a specific role requires tapping into the groups of people who may fit the role. Hire-Right Profiles will guide you in choosing methods for producing prospective employees from these talent pools.
The Hire-Right Profile Marta created for one of the company’s core roles, financial analysts, included two important Dealmakers: active industry connections and strong verbal and listening skills. Recruiters researched options for finding people with these Dealmakers, looking for possibilities among the talent streams they weren’t using effectively, including networking. They found several monthly networking opportunities widely attended by financial analysts that fit the bill.
4. How do you know you’re using a resource or technique properly?
That’s simple. If a resource is giving you a flow of qualified candidates, some of whom become good hires, you’re using that resource correctly. An inconsistent flow from a resource indicates that you’re likely making a mistake.
Two recruiters in Marta’s firm generated a flood of financial analyst candidates from referrals. The rest of the team, in comparison, was drawing a trickle of talent. The success of the two recruiters stemmed from how they were asking for referrals. They made specific requests, based upon whom they were speaking with.
Currently employed financial analysts were asked for referrals to colleagues at other firms. Requests of internal staff were focused on who they’d like to see join the company. Once the rest of the team adopted these practices, everyone had success in bringing in a steady flow of candidates from referrals.
5. Do we really need to use all eight streams to achieve strong candidate gravity?
Most organizations find they need to use all eight to maintain a strong talent flow, especially since each stream draws in candidates unique to that stream. Small companies, though, are the exception. As long as they leverage the most potent stream—referrals—smaller organizations can often generate a robust flow from four or five streams. The leveraging of this selection of talent streams is handled by managers, an HR leader, the business owner, or a combination of these individuals.
Marta and her team initially found the idea of using all eight streams overwhelming. In a short time, they discovered that employing all eight streams takes less effort than relying on only a few. Why? They were drawing candidates from a wider audience rather than struggling over a limited pool.
Maximizing each talent stream creates a continuous flow of talent. How do you create and sustain this flow? By using recruiting methods correctly, consistently, creatively, and completely.
The Human Aspect of Referrals
Why are referrals such a potent source of talent? Human nature. We were built to help each other.
Research demonstrates that helping one another is nature, not nurture. Social experiments at the Max Planck Institute for Evolutionary Anthropology found that children as young as 18 months old will help complete strangers. The researchers developed scenarios where an adult needed help, such as grasping for a clothes peg that had fallen to the floor. Virtually all the children handed the peg to the adult. These diaper-wearing toddlers lacked the socialization that teaches many life skills, yet they were already exhibiting altruistic behaviors.1
Altruism, our default factory programming, is why requesting referrals works. Each person we ask gets to help three people—their colleagues, us, and themselves. They get to do what they were born to do.
Are you in the habit of asking everyone for referrals? Probably not. Many people haven’t developed the habit of asking for this type of help from every person they meet. Rather than viewing this as a natural human activity, you may believe it’s an imposition or that the person being asked won’t know anyone.
In politics, we often hear about the power of the people. In business, there’s also a power within individuals—the power of their network. We are more connected than ever through the Internet and social media. Hundreds if not thousands of contacts are within our reach. That’s why asking everyone is important: We never know whom someone may know.
How can you ask for referrals without sounding awkward or needy? Here’s a simple four-step approach:
Step 1: Ask for help.
Requesting help taps into your shared humanity.
Step 2: Explain why.
Briefly explain why you are asking. Understanding your motives makes it easier for people to be supportive.
Step 3: Define who.
Be specific. People have lots of contacts. Asking for referrals for a specific type of person helps them search their vast mental Rolodex.
Step 4: Make your request.
Ask a short open-ended question to solicit their recommendations.
Put together, the four steps could sound like the following:
“May I get your help? I’m responsible for finding people who may fit our company—now or in the future. That’s why I’d like your help. I’m looking to connect with people who have a background in [INSERT AREA OF EXPERTISE]. Who do you suggest I speak with?”
The Four Cs
Why does a recruiting method fail to supply enough talent? Often, the method gets the blame. However, it’s usually the people who have failed to use it properly. To generate a flow of talent that’s continuous, each recruiting method must be used correctly, consistently, creatively, and completely.
Correctly: Is the Method Being Used Correctly?
There’s a right way and a wrong way. The right way (often referred to as a best practice) is the one that gives you the best results for the least effort.
Take job boards, for example. Marta’s team previously spent hours sifting through job-board resumes of people who didn’t fit. This unstructured and exhausting approach produced only a handful of acceptable candidates, never enough to fill all of their open positions.
Marta and her team eliminated the need for all that mindless sifting by planning ahead. They posted positions on job boards before the real need came up. Dealmakers from Hire-Right Profiles were added to better communicate who should apply. The number of matching candidates grew as the volume of applicants decreased.
Consistently: Do People Use It Consistently?
Properly using a recruiting method that fits your circumstances always increases the flow of talent, as long as you apply that method consistently. Lack of consistency is the most common issue among the four Cs.
The referral initiative developed for Marta’s team focused on consistency. Called “Engage Everyone,” the initiative operated on the belief that every individual knows at least one person who could be a potential employee or source of candidate leads. This effort paid off: 85 percent of people provided at least one referral. Four new hires generated from Engage Everyone started with the company within two months.
Creatively: Are They Using It in Creative Ways?
Best practices are proven methods that are meant to be repeated. Creating twists on these proven ideas makes it easier to sustain these methods.
Marta noticed that networking and referrals were generating the strongest flows of candidates and the most new hires. To leverage this success, we designed the “Collaborative Community” campaign. The goal was to partner with leaders in centers of worship, community organizations, and other groups that provide help to their members.
Leaders in many of these organizations were happy to participate. Job notices were placed on bulletin boards, announcements were made from pulpits, and recruiters were invited to attend a variety of events. Leads from Collaborative Community led to a dozen hires during the campaign’s first six months.
Completely: Is the Method Being Used Completely, to Its Full Capacity?
An improved flow of candidates in a talent stream can have unintended consequences. It’s normal that you’ll become satisfied with better results and overlook untapped potential.
Marta collaborated with her firm’s marketing and PR department as part of her sourcing strategy. Together, they fortified the company’s market presence. Videos of new hires sharing about their job successes were posted on YouTube and social media. A podcast series was launched featuring employees sharing heartwarming stories about their tenure at the company.
The website was upgraded, making it easier for qualified candidates to have immediate contact with a recruiter. Each of these methods proved beneficial, keeping the company top of mind and generating quality candidates.
During a progress review meeting, Marta proudly reviewed the successes resulting from their enhanced market presence. I congratulated her on this progress and asked when she planned on leveraging her company’s physical locations as a recruitment method. After a moment of silence, Marta laughed, admitting she’d forgotten all about that idea. “It’s so easy to be satisfied with current results,” she said. “In some ways, satisfaction is a trap.”
A contest soliciting inspirational quotes from employees provided content for banners and signs, which were displayed inside and out of the company’s physical locations. These drew in additional candidates, one of which became one of the best hires of the year. “Had we continued to overlook using our market presence to its full capabilities,” said Marta, “we wouldn’t have found that candidate.”
The four Cs are an indispensable tool. They’ll guide you in determining why a recruiting method is failing and how to fix it. They’ll also help you implement new methods correctly the first time around.
Increasing Your Organization’s Candidate Gravity
Given all the ways to recruit, the thought of using more of them may feel overwhelming to you. That’s normal. You’re probably already managing a full desk and a packed calendar. The thought of doing one more thing may seem impossible.
Improving candidate gravity takes time, but less than you might expect. Expanding one talent stream at a time immediately draws in new candidates. When you’re ready to move to the next stream, you do so, expanding the capacity of each at your pace. After you implement recruiting methods, managing them becomes part of the daily routine.
This is why candidate gravity works in organizations of all sizes. It meets you where you are today and grows at a pace that works for you. Over time, the stronger flow from each talent stream increases candidate gravity, providing more candidates with less effort.
A timeline will help you stay on track and keep you from being overwhelmed. This tool defines deadlines, allowing you or your entire team to allocate time appropriately. The sample timeline was similar to the approach used with Marta’s team: every month was focused on improving a different talent stream and the methods that fed that stream.
Prior to the beginning of each month, the four Cs were applied, allowing Marta to guide team members on what to improve and how to improve it. Specific actions were planned for each week of the month, such as adding referral generation to phone interviews one week and then to reference checks the following week.
Eliminating empty seats and long time-to-fill is all about people. The people in your company have to know who fits a job, and who does not. Then, talented people are lined up before they are needed. Strong candidate gravity supplies those people, empowering your company to cultivate qualified candidates and then wait for the right jobs to show up.
To improve candidate gravity, take the following steps.
Review Your Core, Essential, and Supportive Roles
I suggested prioritizing your jobs into three categories: core, essential, and supportive. Now is a good time to review and update your priority list before planning your approach to improving candidate gravity. The importance of some roles compared to others may have changed as market conditions and the needs of your company have changed.
Update Your Hire-Right Profiles
You’ll use your Hire-Right Profiles to pick appropriate recruitment methods for improving talent streams. Ensure that Hire-Right Profiles are up-to-date and accurate before choosing any methods.
Understanding the current strength of your company’s candidate gravity is important. A brief assessment will inform your efforts as you plan your improvement timeline.
Determine how many of the eight streams of talent are producing a strong flow of people. For any that are not, look at which recruitment methods are being used to add candidates to that stream. Are those methods being used correctly, consistently, creatively, and completely? Your goal in taking stock is to understand where your candidate gravity needs attention.
Pick Your Recruiting Methods
Different methods will provide access to different groups of people. Use your updated Hire-Right Profiles to pick these methods.
Ask your vendors of hiring technologies (like job boards and automated sourcing tools) for details on the effectiveness of their resource for your specific needs. Solicit proof, not promises. Whenever possible, request a free or low-cost evaluation period to experience how much effort is required in using the resource.
Spend some time noticing how your competitors are using their market presence to draw in candidates. Surf their company web pages, video and podcasting sites, and social media. Note ideas that you can borrow. Drive through town, paying close attention to how organizations use their physical location to attract job applicants.
Collaborate with your colleagues inside and outside your company for additional recruiting methods. Share and practice the four-step referral conversation, noted earlier in the blog, with your colleagues. Ask for their suggestions for local networking opportunities, advertising media, and quality talent scouts.
Also, ask the people you recruit where they hang out. To which groups do they belong? Where do they get their news and share ideas online? Ask for invitations to join them at networking events.
Create a Timeline
Choosing the order in which you’ll improve each stream will allow you to coordinate schedules and resources. A timeline template is available for your use. You can download this template at the following website: http://resources.highvelocityhiring.com.
Where should you begin? Pick the stream that will immediately improve the flow of talent for your top core role. Address the other streams at a measured pace, allowing enough time to incorporate each into a regular recruiting routine.
Apply the Four Cs
The four Cs should guide how you improve each talent stream. Make certain everyone involved in using a recruiting method understands how to use it correctly. Define what constitutes consistency in employing that method. Schedule regular brainstorming sessions to develop and share creative ideas. Ensure that people are using the method completely, getting the most from their efforts.
Spot-check the flow of each of your talent streams a few times a month.
Apply the four Cs if a flow drops, so you can swiftly address the problem.
Enroll Everyone in the Recruiting Effort
Improving candidate gravity is a team effort, especially when it comes to increasing the flow of talent in your referral and networking talent streams. Everyone in your company is connected to hundreds of people. Ask for their help to actively network and request referrals.
This requesting of referrals starts with the senior leaders. When senior leaders actively seek referrals, their leadership positively infects the rest of the company.
Create New Twists on Old Ideas
When recruiting, the third C, creativity, allows you to innovate. Experimenting with new twists on different methods keeps recruiting interesting and talent flowing. One of the easiest ways to develop new approaches is by combining techniques. Here are three examples that combine networking and referrals:
• Candidate recycling: Invariably, good people will apply for jobs that don’t suit them. Rather than casting these people aside, why not offer to introduce them to your colleagues at other companies?
• Zombie searches: Your resume files and candidate databases are likely filled with hundreds, if not thousands, of “lost” candidates whose contact details have become invalid. Rather than declaring these as dead ends, these talented prospects can be brought back to life using online search engines (such as zabasearch.com or http://pipl.com).
• Orbiting businesses: Whether it’s a dry cleaner, sandwich shop, or florist, retailers strategically position themselves near centers of business. Ongoing networking with these establishments can attract their foot traffic as your future employees.
Keep Asking the Most Important Question
As your candidate gravity increases, keep asking: Are we generating a continuous flow of qualified candidates, some of whom become good hires, from each stream? If not, use the four Cs to resolve the issue.
ESTABLISHING PERFORMANCE STANDARDS
Many executives believe they are successful if they meet their performance targets for the year. Nothing gets your attention more than your performance standards. Failure to achieve established goals can result in a change of scenery for you and the organization, so there is strong motivation to do well and meet “your numbers.”
We advise you to exercise wisdom and sound judgment when your employees permit bad actors to penetrate your cybersecurity shield. Is this person one of your star performers? Was it a lapse in judgment and common sense, did it fit with a long-term pattern of carelessness, or was it an accident? Can you afford to live without this person?
If you exhibit compassion for one instance, do you dispense justice fairly and evenly to all thereafter? Demonstrate wisdom to your employees. Show them that there are consequences for mistakes and hold them responsible, but don’t let intransigence stand in the way of intelligence.
Many companies are now struggling on how to determine cybersecurity success. How do you factor that into your annual “numbers”? How do you create meaningful cybersecurity performance standards that can enhance your business?
Determining measures of success is essential for any job. Everyone wants to know what the boss wants and how they will be measured for their performance. If you don’t tell your employees what you value and what you expect them to do, they will give you what they believe is best and expect to be rewarded based on their own criteria, not yours.
That is unacceptable for all parties. Be clear that you expect certain cybersecurity-related performance measures to be included in their annual performance plan. As with most performance standards, make them feasible, achievable, suitable, and measurable. (We bet you thought we were going to say affordable. Stand by, that discussion is coming.)
We hope you get our point. We believe that you can sharpen your organization’s focus toward cybersecurity by incorporating it into your performance standards. Focusing on cost, schedule, performance, and (especially) business effects can drive home the point that proper cybersecurity practices have value in nearly every process and product in which your company is involved.
Linking pay to performance multiplies this effect many times over. When people know they will be rewarded for cybersecurity success and face consequences for cybersecurity failures, chances are very good they will give you their best effort. As you seek to develop a corporate culture that values cybersecurity and cyber hardens your workforce, consider incorporating cybersecurity into performance standards and link pay to performance. We believe you will get people’s attention and they will respond exceptionally well.
Who is responsible for cybersecurity in your organization?
If you didn’t say “everyone,” you need to reread the first six posts of this blog! Actually, if you asked employees in many organizations who runs their corporate cybersecurity program, they may tell you the name of the corporate sponsor, that is, the executive who administers and manages corporate-wide activities that promote cybersecurity.
In some companies, the program is managed by the CIO, while others delegate those responsibilities to the CISO. We are aware of several companies who assign cybersecurity programs to the CSO and a very few who assign it to the CRO. Each company is different and assigns roles and responsibilities based on several factors including strategy, corporate cultures and values, company size, organizational goals and objectives, and the capabilities and personalities of their executives.
All things being equal, we submit that in a perfect organization (perhaps yours?), the cybersecurity program would be “owned or sponsored” by the CEO and managed by the CIO. This is because cybersecurity touches each and every activity in your organization. When the CEO stands up in front of the employees and says, “This is so important that I personally am its champion,” and backs their words up with leadership in the activity (including holding subordinate officers accountable for promoting the program), people take notice and respond accordingly.
After all, people tend to work the boss’s problems first. If your organization is trying to develop a culture of cybersecurity, we suggest no more powerful signal of the value the corporation places on the effort than the CEO adopting the program as his or her own and actively promoting it.
With the CEO as the champion of the cybersecurity program and every employee responsible for their piece of it, you still need someone to manage it. We believe the CIO, who has responsibility for shaping and controlling the corporate information environment, is the best-qualified position to manage the corporate cybersecurity program.
Through the creation of plans, policies, and procedures; architecture development; and the selection of tools that create, manage, monitor, control, and store information, the CIO is at the heart of nearly all business activities. Furthermore (as previously discussed), the ideal CIO has the managerial experience and technical credentials to manage a cybersecurity program effectively. Supported by a capable and credentialed CISO and the CEO serving as the organization’s cybersecurity champion, the CIO leads a powerhouse team.
Managing an effective cybersecurity program involves more than publishing policies, conducting annual cybersecurity auditing, training, monitoring intrusion detection systems, managing firewalls, and sending out occasional email reminders about the importance of cybersecurity. Unfortunately, that’s all a remarkable number of companies do when it comes to cybersecurity. With the number of cyber incidents continuing to rise in volume and severity, you and your organization need to invest wisely to ensure you best manage your cyber risk.
For example, consider your organizational finances. Many companies convene Financial Review Boards chaired by the CFO to review organizational expenses. One of the more common agenda items is a review of whether items of expense produced their desired results. Is cybersecurity an agenda item in these financial governance sessions?
In the organizations we’ve been affiliated with, it often is, but determining whether cybersecurity investments are effective is often difficult. Nevertheless, if the organization approaches cybersecurity much as it does insurance, these meetings tend to be more fruitful and yield better decisions.
Consider also how risk decisions are made. As previously discussed, many companies establish risk committees as part of their governance structure. These committees evaluate the risks facing the company and establish the risk appetite of the firm. Does your company have a risk committee?
Is cybersecurity on the agenda during these committee meetings? Who makes the decision to accept cybersecurity risk in your organization? We recommend you make it perfectly clear how risk is managed in your organization because no doubt the board of directors will be acutely interested in how you answer these questions.
The type of organization, its culture, and its values are key factors in determining the governance structure for cybersecurity programs. Secure leadership/ownership at the highest levels is necessary to reinforce the importance of safeguarding your information. Make sure everyone knows that cybersecurity is their responsibility.
TRAINING FOR SUCCESS
Investing in cybersecurity training for your employees can save your business more than money. It can save your brand reputation. When employees are not properly trained, they often devise methods and procedures on their own and the results are not predictable, effective, efficient, and secure.
When your employees don’t understand the need to practice cybersecurity methods at home and the office, they are more likely to expose themselves and your organization to risks. Much is at stake. Cybersecurity training for all employees is a wise investment that you can’t do without.
Information Every Employee Ought to Know
We’ve already shared a significant amount of information that you ought to include in your employee training program. It is important to train every employee on basic cybersecurity principles and techniques so that they have a solid understanding of the threats, vulnerabilities, and risks confronting them and your organization.
They should know what they should do to protect the organization’s information and thus their own vital interests. Demonstrating how the individual can be personally affected is a powerful technique to reinforce the importance of the subject. Therefore, we recommend you include a section in your corporate training on how to protect yourself at home as well as how to protect the organization.
We believe that a strong cybersecurity posture in the employee’s home computer system is essential to effectively managing your corporate risk. For example, if they are working for you in the evening on a project that you and they enjoy, that’s a good thing. However, if they have been lax in protecting their home computer and have a device riddled with malware, then that spreadsheet they created at home and transferred to a thumb drive probably will be plugged into one of your “clean” computers and unwittingly spread throughout your network.
Hence, computer safety does begin at home. We suggest that you continually invest in training your personnel to be sensitive to cybersecurity and proper use of computers. We have found that training that applies well at home and the office positively reinforces learning.
If employees understand their vulnerabilities at home, they will relate more easily to the need for attentiveness at work. As telecommuting and home commuting become more popular, the likelihood of a compromised home computer infecting the company network increases dramatically. Elsewhere in this blog, we articulate policies and procedures that apply.
Don’t make the mistake many organizations do by getting lazy at the top. Your training should apply to every employee, from the Chairman of the Board to the newest hire in the mail room. Every employee shares in the responsibility to maintain a solid cybersecurity posture because a mistake by someone most likely will be felt by all.
Make it policy that cybersecurity training is mandatory for every employee. Lead by your example, and don’t exempt yourself because of your busy schedule. Schedule your cybersecurity training as you would any other important meeting. Check to make sure your employees take their training as well. Follow up when they don’t. Make satisfactory completion of their training a performance standard.
You may be asking yourself what your cybersecurity training program should look like. You are not alone as many people ask us to help them establish their cybersecurity training programs. For example, we have a CEO client who recently asked us to give our cybersecurity training to his employees. We tailored our presentation for his organization as all training should be put into a meaningful context to deliver the maximum positive effects.
Nevertheless, there are some common items of interest that we recommend you include in your training programs. Many of these items have been covered in detail elsewhere in this blog, and we will try to avoid replowing that ground. Rather, we propose an outline you should follow as a basis for training your employees to properly understand cyber risks and equip them with the knowledge to respond appropriately. Follow this training program and you will have a workforce that is not only “cyber smart” but “cyber hardened” as well.
Cybersecurity Training Plan Outline
Purpose: Describe why your organization is investing in the training and why it is important that employees pay attention:
• Your organization needs reliable, accurate, and accessible information.
• Your information has value and needs to be protected; it is essential to maintaining your competitive advantage.
• Bad actors, such as hackers, and even some employees pose potential threats to your information.
• You need to balance security and effective information access.
Cybersecurity and risk management: Describe the threats and vulnerabilities facing your organization. Emphasize how they create risk if you don’t protect against them.
• Natural: lightning, fire, hurricanes, earthquakes, tornados, floods, etc.
• Unintentional: accidents, safety violations, poor security practices, carelessness, and ignorance
• Deliberate: hackers, spies, disgruntled employees, and social engineering
• Social engineering: phishing, spear phishing, and whaling
Procedures: Describe how you want your employees to protect your vital information.
• Inform them how you defend in depth.
• Security classification, data accuracy, data quality, timeliness, authoritative sources, user authentication, roles and permissions, and need to know
• Passwords, email policy, backups, threat awareness, antimalware software, firewalls, encryption, network design, demilitarized zones (DMZs), access control lists, redundancy, and physical controls
• Facility access, escort control, screen locking, clean desk, and equipment control
Privacy: Remind your employees of the importance of protecting the privacy of clients and themselves. Don’t forget to discuss the legal requirements and liability concerns:
• Personally identifiable information
• HIPAA and other regulations
Foot stompers: In the college setting, “foot stompers” are things that you need to pay attention to because you’ll see them again on the test. They generally are the things your professor believes are so important that you can’t get wrong and are repeated often. These are some of our preferred “foot stompers” for everyone, regardless of whether you are at a business or at home:
• Acceptable use, employee monitoring, and content filtering
• Email rules and email etiquette
The U.S. Department of Defense maintains a database called the Joint Universal Lessons Learned System (JULLS) that catalogs lessons learned during operations. One of the benefits that users discover is in finding out how people made mistakes and learned how to prevent or fix them. I find learning from other people’s mistakes is very helpful, so I like to share some of the most common cybersecurity mistakes with you in the hope that if you are aware of them, you don’t make them too:
• Failure to install and keep antivirus software current
• Opening unsolicited email attachments without verifying source and contents
• Executing games, music, videos, and programs from untrusted sources
• Failing to install security patches
• Not making and checking backups
• Not installing the security features on your computer and network
• Leaving default passwords on your computer and network devices
How to protect yourself at home and the office: Here are some “best practice” techniques that everyone should follow at home to protect themselves and their information:
• Regularly scan with up-to-date antivirus, antimalware, and antispyware.
• Scan all email attachments and downloads you get from the Internet.
• Update and patch your software regularly.
• Install and use a firewall when you are connected to the Internet.
• Turn off and disconnect your computer from the Internet when not in use.
• Back up important files.
• Use complex passwords and keep them secret.
• Don’t click on untrusted links.
• Don’t reply to spam and don’t send it.
• Don’t send emails to people who don’t need the information.
• Don’t surrender your personal information (e.g., birth dates, birthplaces, social security numbers, mother’s maiden name, etc.) to untrusted sources.
• Don’t use the same username and password for multiple sites.
Ethics: While your acceptable use policy should address ethics, we believe it is important to reinforce the importance of ethical use of computers. Our lawyers do too. Because violation of ethical standards frequently is viewed as an offense worthy of termination, consider making ethics a special “foot stomper” in your training program:
• Ten Commandments of Computer Ethics
Training timelines for accomplishment: If you offer your cybersecurity training through a web-based or network-based training method, establish a policy that addresses when the training must be accomplished. Most organizations require the training be accomplished before the employee is given an account on the network with annual keep-it-current training. We believe this is a reasonable training rhythm that you should adopt.
Certification/decertification: Many of our clients like to compare their cybersecurity training programs to a driver’s test. Prove yourself capable of safe driving on the highway and you get your driver’s license. Prove yourself capable of safe driving on the information superhighway and you get access to the corporate network appropriate to your job.
Prove yourself incapable of safe driving and your license gets suspended. Many of our clients decertify their employees and suspend their network privileges when they exhibit poor cybersecurity practices and only renew their privileges after they are retrained and demonstrate they understand and will follow the corporate policies. We believe this is a best practice.
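The certification and decertification rules described above, expressed as an access-gating check a provisioning system could run each day. This is an added example, not material from the post or any client’s program; the roster, the dates, the one-year validity window, and the 30-day reminder lead are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed policy parameters (not from the post): initial training before an
# account is issued, annual keep-it-current training, and a 30-day follow-up
# window so managers can chase people before privileges lapse.
TRAINING_VALIDITY = timedelta(days=365)
REMINDER_LEAD = timedelta(days=30)


@dataclass
class Employee:
    name: str
    # Dates on which the employee completed cybersecurity training.
    training_completions: list[date] = field(default_factory=list)
    # Dates on which the employee was cited for poor cybersecurity practice.
    violations: list[date] = field(default_factory=list)


def access_decision(emp: Employee, today: date) -> tuple[str, str]:
    """Apply the driver's-license rule: decide whether this employee should
    hold network privileges today. Returns (decision, reason) where decision
    is 'deny' (never certified), 'suspend' (decertified) or 'grant'."""
    if not emp.training_completions:
        # No initial training: no account on the network yet.
        return ("deny", "initial training not completed")
    latest_training = max(emp.training_completions)
    if today - latest_training > TRAINING_VALIDITY:
        expired = latest_training + TRAINING_VALIDITY
        return ("suspend", f"annual training expired on {expired}")
    # A violation is cleared only by retraining, so any violation later than
    # the most recent training completion is still open: stay suspended.
    open_violations = [d for d in emp.violations if d > latest_training]
    if open_violations:
        return ("suspend", f"violation on {max(open_violations)} pending retraining")
    return ("grant", "certified")


def reminder_due(emp: Employee, today: date) -> bool:
    """True when a certified employee's training lapses within REMINDER_LEAD,
    so the manager can follow up before privileges are suspended."""
    if not emp.training_completions:
        return False
    expires = max(emp.training_completions) + TRAINING_VALIDITY
    return today <= expires <= today + REMINDER_LEAD


def review_roster(roster: list[Employee], today: date) -> dict[str, str]:
    """Map each employee name to today's access decision."""
    return {emp.name: access_decision(emp, today)[0] for emp in roster}


# Constructed sample roster (hypothetical names and dates).
ROSTER = [
    Employee("alice", [date(2024, 3, 1)]),                       # current
    Employee("bob"),                                             # never trained
    Employee("carol", [date(2023, 6, 1)]),                       # lapsed
    Employee("dave", [date(2024, 2, 1)], violations=[date(2024, 8, 1)]),   # open violation
    Employee("erin", [date(2024, 1, 10), date(2024, 5, 20)],
             violations=[date(2024, 5, 5)]),                     # retrained after violation
    Employee("frank", [date(2023, 10, 1)]),                      # expires within 30 days
]
REVIEW_DATE = date(2024, 9, 15)

if __name__ == "__main__":
    for emp in ROSTER:
        decision, reason = access_decision(emp, REVIEW_DATE)
        flag = " (reminder due)" if reminder_due(emp, REVIEW_DATE) else ""
        print(f"{emp.name:6} {decision:8} {reason}{flag}")
```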
Special Training for Executives
With the emergence of IT as an integral part of every business, cybersecurity has become a critical concern for all executive activities. As a result, we recommend that you consider investing in special training to sharpen the focus of executives on how they should incorporate cybersecurity considerations into their decision-making processes.
Consider also investing in additional ethics training for executives. Your executives are responsible for not only serving as the epitome of your ethics program; they also are your principal enforcers. Many organizations invest in additional ethics training for executives not only to highlight ethical behavior and business practices but also to give them the tools to recognize and deal with employees who violate ethical standards of behavior.
Regrettably, executives often are the people in organizations who make the most egregious ethics mistakes and violations. We have seen numerous executives who were on the fast track toward the highest leadership levels in their organization yet stumbled due to unethical behavior. We have seen some engage in business transactions with IT firms that resulted in an unacceptable conflict of interest.
We have seen others whose personal financial interests inappropriately guided their transactions such as steering business; for example, large computer and information service contracts, to companies that they owned stock in. Others had their careers derailed when they accepted special gifts such as free or “specially discounted” software and games from IT firms. You invest a lot to develop and grow your executives. Make sure you invest in their ethics training as well.
As the people who will enforce your acceptable use, employee use, and Internet monitoring programs, your executives also should be given special training regarding your policies and enforcement mechanisms. You do not want an uninformed executive jeopardizing due process or violating someone’s rights when confronted by a violation of your policies.
Executives should clearly understand their roles and company processes when handling disciplinary situations arising from violations of these policies. The general counsel should be a key player in making certain your executives are well trained to handle violations of your policies fairly, quickly, and decisively.
Computer crime is on the rise. It can come from inside as well as outside your organization. Your executives may be among the first supervisory levels notified of incidents of computer crime. Make sure they know what to do! Whether the crime involves physical or information theft, your executives need to know the proper process to preserve potential evidence, respect individual rights, alert law enforcement authorities, and protect your business. Invest in special training for your executives on how to handle instances of computer crime.
Privacy and anonymity are two increasingly hot topics for Internet users. In the aftermath of Edward Snowden’s disclosure that the NSA had collected sensitive information from several companies, anxiety over the exposure of private information and assumed anonymity on the Internet has become front-page news.
Your company likely is the custodian of sensitive information your clients, customers, and employees want protected. They expect you and your organization will protect information about them and not release that information to a third party without their permission.
Intellectual property and trade secrets are among your company’s most valuable assets. Your executives must understand the value of these assets and how to protect them from inadvertent disclosure, theft, or tampering. Invest in training your executives so they know the proper procedures for handling your intellectual property and trade secrets.
They identify several indicators that are common to those who engage in intellectual property and trade secret theft, including previous violations of rules, policies, practices, or law; personality and anger issues; and disgruntlement. Train your executives how to recognize telltale signals that your intellectual property and trade secrets are at risk. You’ll be glad you did.
Globalization and the Internet are tightly coupled. Being able to sell to anyone anywhere in the world presents special issues about which your executives need to be aware. For example, every entity that uses the Internet to conduct its business is a global business. Every one. Now, a small quilt shop in Eureka Springs, Arkansas, can advertise its patterns to prospective customers around the world.
They can sell to anyone with a PayPal or credit card account and use worldwide shipping services to deliver their products to the consumer quickly and efficiently. What does that company do about sales taxes at home and abroad?
Each country has its own importation and taxation laws. Does the quilt shop need a lawyer who understands the laws of every customer’s country to ensure they stay on the right side of the law? Perhaps they do! Also, depending on what your company produces, your product (including information) may be subject to exportation controls; you may not be permitted to sell your products in that country. Your executives need to be aware of the impact of globalization and how it affects your business. Make sure your executives are properly trained and your general counsel is included in the conversation.
Your executives can make you a lot of money through their expertise, imagination, and managerial and leadership skills. They also can cost you a lot when they are ill prepared and make big mistakes. You cannot afford for your executives to be unprepared in a hotly contested cyberspace environment. Make sure you give them the training they need to best protect your vital information and business processes. It will be one of the best investments you make.
SPECIAL CONSIDERATIONS FOR CRITICAL INFRASTRUCTURE PROTECTION
If you are an executive in an organization identified as being part of the critical national infrastructure, you have special responsibilities above and beyond that of many of your peers. Those who operate and maintain critical national infrastructure are the custodians of special public trust.
Critical infrastructures such as defense, financial and banking, transportation, pharmaceuticals, water supply, and power production are heavily dependent upon computers and networks. Regrettably, many of those computers and networks and the software they depend upon were not designed with cybersecurity in mind. As a result, much of the world’s critical infrastructure is exposed to numerous vulnerabilities that could permit bad actors to disrupt, disable, or destroy these vital infrastructures that our modern society relies upon.
Cybersecurity incidents involving critical infrastructure can have huge effects that threaten public health and safety, potentially damage the environment, and cause significant financial loss. Because of these effects, critical infrastructure is a high-visibility target for hackers, terrorists, and others who are intent on creating mayhem.
It even is a target for insiders, some of whom deliberately launch cyber attacks on critical infrastructure, while others do so by accident. Regardless of the attack vector, executives charged with the management and control of critical national infrastructure have a special responsibility to protect the well-being of the public by guarding against cybersecurity incidents.
Cybersecurity experts often cite the computers that operate and control industrial systems as being an Achilles heel for many critical infrastructures. We agree. Because many of these automated control systems were designed and fielded without cybersecurity controls, many companies are scrambling to retrofit or replace their control systems to protect the systems from attack and exploitation.
These are the smart ones. They surveyed their automated control systems looking for vulnerabilities and are taking proactive measures to insure against threats. Regrettably, other companies are blithely unaware of the vulnerabilities their automated control systems may have and are doing nothing or taking inadequate measures to protect against accidents or attack. If you are in an organization that is part of the critical national infrastructure, which best describes you?
Are you an organization that is proactive and is making sure your automated control systems are secure or do you trust the security that the manufacturer built into the system, so you believe there is nothing to fear? What’s the worst that could happen? (Clearly, the answer is plenty!)
When thinking about worst-case scenarios (and as an executive in critical infrastructure sectors, you should know what your worst-case scenarios are and protect against them), two examples leap to mind. First, a cyber-based attack against your automated control systems could cause catastrophic results.
Cyber attacks could alter your products, disable safety controls, or introduce dangerous flaws in products or processes. Secondly, misconfigurations or other accidental alterations of automated control systems can have equally catastrophic effects. You must defend against both threats.
Many executives mistakenly believe they are immune to cyber attacks. They cite isolation from the Internet as one of their “insurance policies” that allow them to consider themselves protected against cyber attack. Especially for those in critical infrastructures, this is a foolish belief. As was demonstrated with the Stuxnet virus incident, even systems isolated from the Internet are vulnerable to cyber attack when inadequate cybersecurity controls and procedures are not implemented, such as protecting against malicious code transported by contaminated USB thumb drives.
Are you one of these people who believe that you are immune from cyber attack because your ICS are not connected directly to the Internet? Do you think because you operate on an intranet that you are adequately isolated and protected? Isolating critical infrastructures from the Internet whenever possible is a very good cybersecurity step yet is not the only step you should take.
Thorough employee training, strong policies, disciplined procedures, and rigorous testing (such as penetration and red team tests) ought to be part of your overall cybersecurity program to protect critical infrastructures.
We recommend you invest in training your executives on cyber threats to ICS not directly connected to the Internet. The Stuxnet case study is a good starting point but is only one of many examples worthy of your consideration. Just because your systems may not be directly connected to the Internet doesn’t make you bulletproof. Be prepared.
Executives in critical infrastructure operations are the custodians of a special public trust. Public health and safety, environmental protection, and economic well-being all depend on effective, efficient, and secure critical infrastructures. Many people refer to the operation of critical infrastructures as “zero-defect” operations, that is, the consequences of failure are so severe to such a large segment of the population that it is unacceptable to endure a failure.
Cybersecurity is a new element in the decision matrix for executives in critical infrastructures and needs to be incorporated into every training program, into how systems are monitored and controlled, into maintenance programs, and into procurement processes. Cybersecurity needs to be an integral part of critical infrastructure internal controls.
If you are an executive in critical infrastructures, what should you do to safeguard the systems and information under your control from threats? How do you control your risk?
These are good questions that executives in every sector ought to be asking. Many executives are quickly overcome by the breadth and depth of the cybersecurity issues. Our clients ask us, “Where do I begin?” We recommend they start by “Knowing Your Enemy and Knowing Yourself.” You should too.
Know yourself by asking, “What am I protecting?” Surprisingly, many executives do not conduct a thorough analysis of what it is that they are actually trying to protect. Are you trying to protect public safety, intellectual property, or perhaps both? Are you trying to protect machinery such as valves or regulators from inadvertent changes that could result in harmful effects?
Are you trying to prevent bad actors from altering processes or information that could result in catastrophic effects? Are you trying to preserve the integrity of your ICS to safeguard your critical infrastructure processes and products? Are you trying to protect intellectual property or trade secrets from falling into the wrong hands, from destruction, or from alteration?
Successful executives, particularly in critical infrastructure businesses, seek to know the second-, third-, and fourth-order effects of their decisions. Know yourself like these executives by asking deeper questions and seeking more specific answers. Know what your systems are connected to.
This is critically important in critical infrastructures as more and more ICS are being connected to business and industrial safety systems that may be connected to the Internet or potentially may introduce malicious code in a Stuxnet-style attack. In order to best manage and control risk, you need to understand your systems, your processes, your people, and yourself. You need to know where you are vulnerable and what are your options to address each vulnerability.
You should also know your enemies. Your enemies include adversaries, competitors, and potentially employees who are disgruntled or incompetent. As you conduct your risk analysis, make sure you look at all possible threats and don’t expect that the list will remain static every year. In fact, threats to critical infrastructures are growing every day.
Stay abreast of the evolving threats to critical infrastructures and regularly schedule management-level risk reviews to ensure your risk management posture and internal controls remain potent to control the risks presented by contemporary threats.
Many of our clients ask for a prescriptive checklist they can follow to “achieve cybersecurity,” especially those who operate critical infrastructure. We hate to disappoint them, but there is no singular checklist that applies to every organization; every organization should be analyzed and managed separately. Nonetheless, there are several best practices that every critical infrastructure organization (and many noncritical infrastructure organizations as well) should incorporate into its cybersecurity program:
Make cybersecurity a stated organizational priority and act upon it. Because so many critical infrastructures are susceptible to cyber attacks and accidents, senior management needs to focus attention on actions to mitigate weaknesses that may be exploited. For example, you may be an executive in the oil, gas, or water industries. If so, your facilities may use wireless sensors to monitor and control the flow of oil, gas, or water products.
“Bake in” cybersecurity to everything you do. Your strategy, plans, policies, procedures, and training should all incorporate cybersecurity best practices. With critical infrastructures increasingly reliant on IT and automated control systems, the need to incorporate cybersecurity best practices into your organization is no longer an option; it is an imperative.
Executives in critical infrastructures should make a point of making sure that all due diligence and due care is accomplished to ensure that appropriate cybersecurity controls are in place throughout the organization. Remember that cybersecurity is much more than technical controls. Cybersecurity is about risk management. Control your risks by addressing cybersecurity early and often in the creation of your key business and technical activities. It is much more expensive to add cybersecurity later than to “bake it in” from the very start.
Don’t buy anything without evaluating its cybersecurity risks. With the advent of automated industrial control and safety systems, cybersecurity risks to critical infrastructures have risen significantly. Many vendors may try to sell you automated controls that are susceptible to cyber attacks. Scrutinize every potential purchase through the eyes of a hacker.
How could a hacker exploit this particular unit? Consider hiring a certified ethical hacker to evaluate the unit to give you information that will help you with your business case analysis. It may turn out that the great deal that the vendor is giving you will quickly be offset by the costs associated with a cyber vulnerability that is exploited.
Implement strong internal controls and tightly monitor. Executives in critical infrastructures need to safeguard their systems to ensure public health and safety, protect the environment, and maintain economic stability. You can’t let your guard down and must maintain constant vigilance.
Make sure you have strong internal controls that give you the ability to monitor and control your key processes and procedures. Don’t solely rely on automated systems and their reports. Factor in human monitoring and control mechanisms too. Your internal controls should maintain defense-in-depth principles with checks from primary and secondary systems.
Identify and have a plan to address all single points of failure. Single points of failure are items in a system where an item malfunction or failure could cause the entire system to fail. Systems that require high availability are frequently built with redundant components and subsystems to ensure that the system continues to function in the event of a failure of a component or subsystem. A common single point of failure in your house is your electrical power.
Many people mitigate this single point of failure by installing uninterruptible power units and generators to provide continuous power to their critical electronics such as medical devices, computers, and (sometimes) their televisions. Critical infrastructures typically can’t afford to have single points of failure, which could have catastrophic effects. Primary and secondary systems are normal configurations.
If you are involved in critical infrastructure management, make sure you avoid single points of failure. Conduct a failure modes and effects analysis of your systems. Identify all potential single points of failure and analyze your risk to determine whether you need to mitigate, accept, or ignore the risk of single points of failure.
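The failure modes and effects analysis recommended above can be started with a very small system model. The following is an added illustration, not code from the authors or from any particular operator: it describes a hypothetical pumping station as a reliability block diagram (nested "AND"/"OR" groups of component names), enumerates every component whose single failure takes the whole station down, extends the search to pairs of components that together defeat the redundancy, and then scores each single point of failure with constructed severity, occurrence and detectability ratings to suggest whether to mitigate or accept the risk. The component names, the model and the ratings are all assumptions made for the example.

```python
"""Enumerate single points of failure (and small cut sets) in a system model
and score them FMEA-style. Added example with a constructed plant model."""
from itertools import combinations

# Constructed model of a hypothetical pumping station (not from the page):
# the station works only if power, control and the pump train all work.
# ("AND", ...) means every child must work; ("OR", ...) means any one suffices.
# Power and the pumps are redundant; the PLC and the network switch are not.
PUMP_STATION = (
    "AND",
    ("OR", "utility_feed", "backup_generator"),
    ("AND", "plc", "network_switch"),
    ("OR", "pump_a", "pump_b"),
)

# Constructed FMEA ratings on a 1-10 scale:
# (severity of effect, likelihood of occurrence, difficulty of detection).
RATINGS = {
    "plc": (9, 3, 6),
    "network_switch": (7, 4, 2),
}


def components(model):
    """Return the set of component names that appear in the model."""
    if isinstance(model, str):
        return {model}
    names = set()
    for child in model[1:]:
        names |= components(child)
    return names


def is_up(model, failed):
    """Evaluate the block diagram with the given set of failed components."""
    if isinstance(model, str):
        return model not in failed
    op, *children = model
    results = [is_up(child, failed) for child in children]
    return all(results) if op == "AND" else any(results)


def single_points_of_failure(model):
    """Components whose failure alone brings the whole system down."""
    return sorted(c for c in components(model) if not is_up(model, {c}))


def minimal_cut_sets(model, max_size=2):
    """Smallest groups of components (up to max_size) whose joint failure
    brings the system down; supersets of a smaller cut set are skipped."""
    names = sorted(components(model))
    found = []
    for size in range(1, max_size + 1):
        for combo in combinations(names, size):
            failed = set(combo)
            if any(set(cut) <= failed for cut in found):
                continue  # already explained by a smaller cut set
            if not is_up(model, failed):
                found.append(combo)
    return found


def risk_priority(model, ratings, threshold=100):
    """Risk priority number (severity x occurrence x detection) for each
    single point of failure, with a mitigate/accept suggestion."""
    rows = []
    for comp in single_points_of_failure(model):
        sev, occ, det = ratings.get(comp, (10, 10, 10))  # unknown: assume worst
        rpn = sev * occ * det
        rows.append((comp, rpn, "mitigate" if rpn >= threshold else "accept"))
    return rows


if __name__ == "__main__":
    print("single points of failure:", single_points_of_failure(PUMP_STATION))
    print("cut sets up to size 2:", minimal_cut_sets(PUMP_STATION))
    for comp, rpn, action in risk_priority(PUMP_STATION, RATINGS):
        print(f"{comp:15s} RPN={rpn:4d} -> {action}")
```

The pair search is what makes the model worth building: the single-failure list shows only the PLC and the switch, while the size-2 cut sets expose that losing both power feeds or both pumps is just as fatal, which is the question to ask before trusting "we have redundancy" as an answer.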
Train your personnel.
Your people are your most valuable resource and are the key element in protecting your resources against cyber attacks and exploitation. A well-trained and focused workforce is best prepared to find and fix vulnerabilities quickly and efficiently. When your workforce is cyber hardened and “cyber smart,” they are more likely to recognize unsafe practices and procedures and detect aberrations that could be the early signs of a cyber attack or probing of your systems.
Invest in your workforce by training them well to understand cyber threats and vulnerabilities. Teach them the procedures to follow to safely and securely operate and control your systems. Make sure they understand what to do when things go wrong including who to notify and when to do it.
Practice! Many critical infrastructure operators conduct training exercises to make sure employees, local authorities, and other key stakeholders are familiar with risks and what to do when “the unthinkable” happens. The authors have been involved in countless defense, nuclear, and industrial disaster preparedness exercises and drills that have honed the skills of mission partners across multiple sectors.
Exercises help gauge the effectiveness of plans and training. We believe exercises are invaluable and best prepare people to perform at high levels when confronted by emergency or unplanned situations.
We recommend you make exercises part of your operations yet caution that in critical infrastructures your exercises should be carefully choreographed to protect against undesired effects. At no time should exercise controllers ever allow a condition to occur that could possibly jeopardize safety. Executives at all levels should insist that all plans and personnel be tested regularly and safely.
Audit. Trusted independent audits of your systems should be regular parts of your business rhythm when you operate critical infrastructures. Don’t just audit your policies and business processes. Invest in penetration tests and red teams that probe your systems for cybersecurity weaknesses.
It is important to find and fix problems before bad actors find and exploit them. Audits also may find bad actors in your own organization. Take the case of “Bob,” a software programmer for a critical infrastructure company. Bob was a longtime employee of the organization and was widely regarded as one of the firm’s best coders.
Supervisors praised him in performance reviews for his “clean, well-written” coding. All the attaboys evaporated when security audits revealed that Bob’s account had been repeatedly accessed from addresses in China. In the ensuing investigation, it was discovered that Bob had outsourced his own job to software programmers in China, paying them one-fifth of his six-figure salary to produce the software he was responsible for. He had his Chinese employees adjust their work schedule to coincide with him in the United States and sent his security token to them via FedEx so they could access his computer system to make it appear that he was doing the work.
While they toiled away, Bob surfed the net, watched cat videos, updated his Facebook and LinkedIn profiles, and dutifully sent his supervisors an end-of-day report detailing all the good work he (more precisely, his Chinese employees) had accomplished during the day. Bob no longer works for that critical infrastructure firm, thanks to that security audit.
Does your organization audit for cybersecurity vulnerabilities? Do you include penetration and red team assessments of your systems as part of your risk management program? Critical infrastructure audits should be comprehensive and not just limited to business functions.
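The kind of audit finding in the “Bob” story (an account repeatedly used from an unexpected country) is something a routine review of authentication logs can surface. The following is an added example, not code from the authors or from the firm in the story: it parses a constructed remote-access log, looks up each source address in a constructed address-to-country table standing in for a GeoIP database, and reports two things an auditor would want to see: accounts that succeeded in logging in from outside their expected home country, and accounts that logged in from two different countries within a window too short for the same person to have travelled. The log format, user names, addresses and countries are all assumptions made for the example.

```python
"""Review an authentication log for accounts used from unexpected countries
or from two countries too close together in time. Added example; the log
lines, address table and home countries are constructed, not real data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a GeoIP lookup (addresses from documentation ranges).
IP_COUNTRY = {
    "203.0.113.7": "US",
    "203.0.113.9": "US",
    "198.51.100.22": "CN",
    "192.0.2.45": "DE",
}

# Constructed HR data: the country each account is expected to work from.
HOME_COUNTRY = {"bob": "US", "alice": "US", "carol": "DE"}

# Constructed remote-access log: "<ISO timestamp> <user> <source ip> <result>".
SAMPLE_LOG = """\
2024-03-04T08:02:11Z bob 198.51.100.22 SUCCESS
2024-03-04T08:05:40Z alice 203.0.113.7 SUCCESS
2024-03-04T09:17:03Z bob 203.0.113.9 SUCCESS
2024-03-04T11:30:00Z carol 192.0.2.45 SUCCESS
2024-03-04T13:45:12Z bob 198.51.100.22 SUCCESS
2024-03-05T08:01:59Z bob 198.51.100.22 SUCCESS
2024-03-05T08:03:30Z alice 203.0.113.7 FAILURE
"""


def parse_log(text):
    """Turn log lines into event dicts; unknown addresses get country '??'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, ip, result = line.split()
        events.append({
            "ts": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ip,
            "country": IP_COUNTRY.get(ip, "??"),
            "ok": result == "SUCCESS",
        })
    return events


def foreign_access(events):
    """Map each account to the sorted list of non-home countries it
    successfully logged in from (failed attempts are ignored here)."""
    seen = defaultdict(set)
    for ev in events:
        if ev["ok"] and ev["country"] != HOME_COUNTRY.get(ev["user"]):
            seen[ev["user"]].add(ev["country"])
    return {user: sorted(countries) for user, countries in seen.items()}


def impossible_travel(events, window=timedelta(hours=2)):
    """Consecutive successful logins by one account from different countries
    within `window`; returned as (user, ts1, country1, ts2, country2)."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["ok"]:
            by_user[ev["user"]].append(ev)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["country"] != cur["country"] and cur["ts"] - prev["ts"] <= window:
                hits.append((user, prev["ts"], prev["country"], cur["ts"], cur["country"]))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("foreign access:", foreign_access(evs))
    for user, t1, c1, t2, c2 in impossible_travel(evs):
        print(f"{user}: {c1} at {t1:%H:%M} then {c2} at {t2:%H:%M}")
```

Both checks are deliberately simple so the output is explainable to the people who must act on it: the first answers “which accounts were used from where they should not be,” the second “which accounts appear to be in two places at once,” which is exactly the pattern of a credential or token handed to someone else. The window and the home-country table are the parameters an auditor would tune to the organization.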