Top Ten Tips for Managing Technical Security Folks
I don’t claim to be a brilliant manager at all. I like to think I am a pretty good leader but that’s a different skill than managing. I am far from a perfect person. In fact it’s reflecting on my mistakes of managing in the past and contemplating what I will do better next time that leads me to this post. My Top Ten Tips for Web App Pen Testers and Top Ten Tips for Hiring Security Code Reviewers seem to have been well received and it’s that time of the year again when annual reviews loom and my email box starts to see a few comments or requests for advice from former employees. So without further ado I will start with that very topic:
1. Annual Reviews Suck - There is no other way of putting it. Here is what usually happens. Both manager and employee know that all they need to do is to complete an evaluation form once a year and have a formal conversation about performance and careers. To add fuel to the fire it’s usually right before pay rises and promotions are awarded, i.e. when people are tense and have something on the line. In practice both parties forget about it until January is over and then start frantically lining up supporting material. Stop sniggering, you know it’s true! Employees line up facts about why they deserve a promotion and pay rise and the manager lines up facts about why they will or won’t make the grade. It’s hard for anyone to win in this scenario. Once a year and just before pay reviews and promotions is too little too late. Negative reviews hurt morale a LOT and positive reviews have little effect; those people are already blasting away. Employee ranking is just plain daft. Joel Spolsky says it best here:
So if everybody thinks they do good work, and the reviews are merely correct (which is not very easy to achieve), then most people will be disappointed by their reviews.
I recommend frequent reviews (weekly / monthly with an annual summary if you work for the “borg”). This leads to small corrections in performance and behavior and better expectations and understanding of ongoing performance for everyone. Promotion and reward should be based on performance events and not based on a calendar date. If someone’s good enough to fill a senior role one year after college then they are good enough, period.
At SourceClear I think we’ll do weekly round-ups over a glass of wine on the terrace on Friday night until I get back to the States, when we can do something equally informal!
2. Build Trust - Trust that your employees will do the right thing can only be earned when they trust you will do the same. Learning to manage and learning to be managed is really hard. If you are open about the challenges you face and transparent about how you deal with issues it will come back to you. Find an opportunity to be open about something and try it. Trust me on this one. In my early 20s I was off the rails with sex, drugs and rock and roll (and often the three combined). No one I care about thinks badly of me; it was what made me a rounded person today, and if you think I am bad you should read Richard Branson’s story. My employees know they can tell me anything and I won’t be shocked or judge them. Be open and transparent and karma will come back to you. Build trust.
3. Consistent Pay for Equal Contribution - Most companies have sliding scales and salary ranges for employees. The theory goes that the longer you have been with the company the more experience you have and the greater your contribution and therefore value. Hogwash! In practice what often happens is the new folks work their butts off and make significant contributions. Some established folks feel they can sit back contributing less. Who gets rewarded the most? That’s right, it’s a reflection of logic and common sense. People also always talk, and whether you like it or not most people have a pretty good idea of what other people are making. Do yourself a favor and don’t try to convince yourself otherwise. If one person is at the top of a range then the others in that same range will likely feel disincentivized and even cheated. Conversely if you don’t know what someone is making then human nature tends to assume it’s either high or low, and you cut them undue slack for being low or hold them overly accountable for being high. In my experience it’s far better to have a few solid pay grades and no sliding scales and to publish it all in the open. If someone feels they deserve a high salary then they should be prepared to lead by example and prove it to their peers. It’s called accountability.
I plan to publish all salaries at SourceClear.
4. Over Communicate - Most people make big assumptions about what others know. People work best when they feel they are part of a team and feel ostracized when they are last to know about something important. I believe in over communicating. For instance when someone resigns, tell everyone ASAP. They will find out sooner or later. Be honest about where they are going and why. If you are missing sales targets tell everyone so they can pull harder. There is an obvious balance between over communication and a “need to know”. Experience teaches you this balance.
5. Invest in People - It’s amazing how good equipment and training pays back your business many times over. I was once asked by a consultant if he could have a MacBook Pro. For $4K I knew the business would get back far more than the cost. Sadly most big companies don’t get this; the one I was working for didn’t. The same is true for training and nice “thoughtful” perks. Small things go a long way!
At SourceClear every employee will get a $50 a month iTunes allowance, $50 a month in movie tickets, $50 a month to send flowers to their mum and tell her that the 16 hour days are worthwhile, and $50 a month in Amazon tokens for non-reference books. We buy the best laptops and every developer will have two large flat screens. When we have an office it will have washing machines and showers and good food. Real food, not candy and soda. We are bootstrapping but this is prudent spending that yields far more than it costs. At the end of every year I am planning to take some employees on a big trip such as hiking in Tibet. Backpacking and hostels, economy flights, nothing glamorous, but something they would never normally do and will never forget. I believe this investment in people will come back to us time and time again in increased productivity. In fact research proves it.
6. Ask, Don’t Tell - I have been guilty in the past of using my authority to get what I want. If you are fighting red tape then this is just fine (in fact encouraged); however if it’s employees it’s not. People will just do things because they have to. They do the bare minimum and avoid it in the future at all costs. If someone doesn’t want to do something, try to find someone who does! I have several good ideas sitting on the shelf gathering dust because I told people to do them.
7. Let People Make Their Own Mistakes - When I first managed people I found it hard to let go. It’s like letting the dogs (we have two 12 week old golden retrievers, Luke and Leia) jump up at my kids now. Unless I let them deal with it on their own, the kids won’t learn to push them down and earn the respect of the dogs. It’s important to let people make their own mistakes so they can learn. I am watching some interesting things unfold now, which is another reason I am writing this blog post.
8. Money is Black and White, People Aren’t - If you think people work for money you are dead wrong. Even when people tell you they just work for money they are wrong. I was one of these. Surveys show time and time again that what people want, in order, is to:
A. Feel they are part of a team
B. Be set challenging and rewarding tasks (be stimulated) that they can accomplish
C. Be paid appropriately
People don’t stay in jobs for long if the work relationship is only based on money. I was very well paid at Foundstone (I am sure my tax return is online somewhere) but without A and B after the McAfee acquisition, I, like other people, saved up a rainy day fund and bailed. Make sure you take care of A + B + C.
9. Set Expectations About Management - The best technical people are rarely the best managers, yet a disproportionate number of them seem to want to be. They think they will earn more or that managing people is glamorous. It’s not. Having to bail people out from foreign hotel bills in the middle of the night when their credit cards don’t work, dealing with people who think they may lose their licenses for DUI, silently ensuring office humor doesn’t get carried away and offend bi-sexual employees (after far too much booze and revelry, making it an even harder situation to control) is not glamorous or fun. Setting expectations is hard to do. It requires a face to face conversation that may not be pleasant. But you need to tackle the subject early and often. If you don’t tell them as soon as you know, you’ll let someone down with a bang eventually and are almost guaranteed to lose them. This leads neatly on to number 10.
10. Be Prepared To Lose People (for the Right Reasons) - Some people will do anything to keep employees at any cost. This is wrong. Turnover is natural and shouldn’t be feared. You’ll never keep everyone happy and as companies evolve so do people’s interest levels and ability to contribute. Measuring managers on turnover rates is just wrong. If something’s not right, not working out or not as expected then I encourage you to part on mutually agreeable and happy terms. I have even planned long term departures with some employees. Helping them find something else that fits better is the right thing to do. Building good companies is all about the people.
10.5 Have Fun - I had the most fun I have ever had while at Foundstone. I am seriously welling up as I write this. Both before my reign and while I was in charge we made sure we put on events and everyone had fun. A happy team is a productive team. Barnesy’s horse farting in front of mine in the hills of Santa Fe; running across the Vegas strip to make the Black Hat booth with the 350 lb Dooley dripping with sweat in sweltering heat; the monks’ outfits in San Antonio; the Black Speedo invites to the Cabana at Black Hat; 7 Hurricanes at Pat O’Briens and being out-drunk by Dooley; whopping Shanit on the pong table (regularly); beating the entire office on the Go Kart track at Domo 1 (one of you bastards still has my trophy); that rainy night in New Orleans I got the entire company doing the mechanical bull in the South Side Lounge... and the list goes on. Fun is not a formula and you can’t buy it, but you can make it happen. Make sure you do.
We will be having a LOT of fun at SourceClear. Remember that life is not a rehearsal!
Note: A great book that follows the theme of this blog and we used to give to all Foundstone employees at one point is the Art of Happiness at Work.
March 8, 2007 at 9:44 pm
Great post. I do think that most companies miss most of what’s important to technical staff in terms of job satisfaction (especially number 5).
One I would kind of disagree with though is number 3. I don’t disagree with the idea of pay equating to contribution but I do think if you’re completely open with your pay structures you’ll spend an awful lot of your time explaining the benefit of the sales and marketing folk to technical staff and vice versa! It’s not always obvious to one part of a company what the value of another unrelated part is and that problem only grows as you scale your organisation...!
March 9, 2007 at 3:38 am
Mark,
I think you hit many points, but one I feel that should be included are personal and career goals. In my mind all employees need to define a short and long term action plan, especially those who are inexperienced. These people need your guidance and experience to make them better professionals in the long run. This also goes right in line with constant coaching, which I believe you hit in your roundups.
I also agree with Rory that posting salaries may not be the best thing to do. I have seen this in the state government and many employees are disgruntled about other employees’ salaries. I do feel that people are worth their weight in gold though. I call it the Jordan factor. You may be able to play basketball but without Jordan you’re not going to win the trophy. Anyway, my preference is to ask the employee the amount they want to make and then pay them a little more. In most cases they will work harder to show you they are worth it. With that said there are always boundaries on a person’s salary because you have to run the company profitably.
March 9, 2007 at 5:51 pm
Business people (including sales and marketing) should second guess technical, and vice-versa. I’ve heard many times people in the business side of a company ask what the techies are supposed to be doing. The classic case for me was a sysadmin that appeared to be on IRC *all* day. People asked what we were paying him for. However, the servers *never* went down (and there were a lot of them, serving loads of traffic for critical clients), and issues were solved before we even knew about them. The guy was so on top of his job, he made it look like he wasn’t working.
I’m sure that there’s similar stories out there regarding the “other side” of a company.
Letting people know what salaries are, and paying them based upon what they *do* rather than how long they have been at a place is the fairest way IMO. It’s really easy to figure out what people are getting - especially in big companies that hire foreign workers as there are websites that have to list their starting salary and job title.
Other than that, I think Mark has some great points. Some “rose-tinted glasses” factor in there - things are never as perfect as you’d like them to be - but some good things you would at least like to work towards.
March 9, 2007 at 7:04 pm
I only work part time and I work a low end job. I work really hard; doesn’t matter, I get paid the same as the slackers, probably less than some of them. But I am not just motivated by money to work. I grew up knowing it was my obligation to work hard at any job God gave me to do because God places us where we will do the most good for him. But I work almost full time on the internet but I don’t get paid for that; it is more or less a hobby that costs me money, but I love what I do and I think God wants me to do what I do too.
March 9, 2007 at 7:04 pm
In regards to number one, I think that regular, formal 360 degree feedback rotations are awesome. Start with your own group, move up to a middle-layer, and then go cross-organizational and across business units with it. Make sure to involve both local office personnel and remote people. See if you can get your vendors, partners, or customers to work into the 360 degree feedback.
Also - upward feedback is really cool for individual contributors. It’s also a useful metric for management salary increases. Getting bad reviews from your people consistently should also say something about your own salary review.
I really enjoyed what you wrote in this post, especially the part about over-communication. Besides just saying “you’ll know how to balance need-to-know vs. over communication through experience”… can you elaborate more on this? I’d like to hear your experience to understand my own experiences with this.
March 9, 2007 at 9:19 pm
I can honestly say I’d work for you if you have this mindset as a manager. I can definitely see the similarities between yourself and Joel in how you approach managing. Awesome!
I love the informal feeling of your review over wine or something. I think that is awesome and builds respect and trust and communication which can support some of your other points.
Lots of us technical guys take our jobs rather personally, especially since the lines between “job” and “play” are so very greying and blurring. Likewise, I really want personal relationships at work as well, for instance with my manager.
You touched on it with point 5 and finally hit it (which made me smile) at point 10: happy employees are productive employees. This cannot be said aloud enough, even for employees that are less skilled than others; happiness and a supportive, respectful environment can do wonders for success.
I also agree on point 7. Right now, my current job is taking care of item C, but A and B are the ones leaving me detached personally and on my way out once C isn’t such an important issue.
Like others above, though, I agree that posting salaries is your most “out there” and risky idea presented. If you really want to and need to, I guess you can try it, but if there’s really no huge need to, I wouldn’t. I’ve seen too many teams and people torn up about salaries that I really don’t think much good can come from it a majority of the time. I think the only time it’ll work is when your salaries and people are in full agreement and respect, and I don’t see that often happening.
March 10, 2007 at 5:16 am
[...] just want to point everyone to an excellent post at Mark Curphrey’s (formerly of FoundStone) SecurityBuddha blog. He gives the top eleven [...]
July 16, 2007 at 12:37 am
[...] recently (and really what I think ended up inspiring this post the most) was Mark Curphey with his Top Ten Tips for Managing Technical Security Folks. Anyways so I sat down to think about what is it that I can write about that would help someone [...]