Top Priority for a Leader

It’s easy to undervalue leadership, and think that just being good at the “hard skills” of your career and telling your direct reports specifically what you want them to do will be sufficient, but as teams and organizations grow, that doesn’t scale.

It’s also easy to think the most important priority for a leader is to build big, complex schedules with row after row of Microsoft Project tasks and a huge Gantt chart.  Or to conduct frequent sync-ups to drive work through your team.

But the most important thing a leader actually does is define his or her team’s/organization’s culture.  Great leaders create a culture that attracts and retains great people that align with that culture.

Sometimes that culture is focused on being a safe space where people can take big risks and it’s okay to fail (see Google’s Project Aristotle, see Google X). Sometimes it’s a culture that focuses on a purpose that people rally behind (an exciting mission like manned space flight or a noble mission like helping Veterans find post-military careers).  But whatever it is, it’s critical as a leader to realize that setting and maintaining culture (and actually making hiring, promotion, attention, firing decisions based on it) is the most important thing a leader does.

Leadership 1-on-1 Tips from Bill Campbell

I’m enjoying the audiobook Trillion Dollar Coach about Bill Campbell, a football coach who pivoted mid-career into a business executive in Silicon Valley, as an executive at Apple, a CEO of Intuit, and an executive coach to Steve Jobs and other high profile leaders.  One of the great concepts early in the book is how to structure time in a 1-on-1 with a direct report.  Some of the concepts include:

  • Discuss job performance, ensuring that you can clearly articulate what success looks like (not just qualitative discussions about how you’re feeling)
  • Discuss rapport with peers (while it’s important to monitor relationship/rapport/political capital with more senior leaders, the rapport with peers is critical to advancing initiatives (getting things done))
  • Is this person (your direct report) coaching, guiding, inspiring, and holding accountable his or her people?
  • Is this person continuously focused on identifying new ways to improve and mature?


2019 Gartner Security and Risk Summit

I recently went to the 2019 Gartner Security and Risk Summit in National Harbor (outside of DC).  This was my second Gartner conference, and so far they’re 2 for 2 at delivering high-quality, impactful, intense 5 day conferences.  The event was jam-packed with great sessions, roundtables, workshops, and keynotes.

I can tell a conference is going to be great when I try to build my agenda before the event and I want to pick 2-3 sessions for many of the time slots.  Fortunately Gartner gives attendees of their events access to the slides and audio of the conference, so you can review what you missed.

I was also very impressed by Gartner’s midsize (companies with $50 million to $1 billion in annual revenue) sessions: presentations, roundtables, and workshops where leaders from midsize companies could connect, collaborate (and sometimes commiserate) on best practices related to their size of organization.

My major takeaways (and it’s hard to summarize) were:

  1. Identity is the new perimeter (not the network, not the device)
    • You hear people often now talking about “zero trust networks” (the idea that instead of thinking of the perimeter as your LAN/VPN that you protect and you trust people inside your network, you should instead focus on ensuring your identity and access management (IAM) approach is solid and build security around identity, using things like MFA and risk-based access management)
    • This also means that identity is a critical linchpin to security instead of the idea that devices/users inside a network are trusted devices/users
    • There was also a key point, from Neil MacDonald, here that non-human entities (e.g. DevOps pipelines) need to have unique identities that they authenticate against securely, so they don’t become a huge security hole in your infrastructure
  2. Communicate Risk with Business Perspective: It’s critical to communicate risk to executives/non-IT leaders/board in a way that actually articulates/visualizes risk and how cyber risk affects the business’ value chain/business model (and not talking about security technology at all)
    • It’s important to strike the right balance between quantifying risk and impact (the board demands numbers), and the fact that cybersecurity risk and impact isn’t a statistically mature field, so sometimes qualitative assessments are the only reasonable way to communicate risk (numbers can be overly precise when we don’t have a solid foundation to build them on) — there was a great session where four Gartner analysts debated this intensely, 2-on-2
  3. Information Security fundamentals are critical to do well, and organizations still don’t do them well – organizations spend too much energy on new projects/technologies (shiny new objects) instead of refining the fundamentals they do (e.g. log analysis, change management, asset management, vulnerability management)
  4. Select one primary security framework to orient your Information Security Program around (e.g. NIST CSF (which is dominating the survey data for US and international companies as their standard), ISO 27001) – more than one primary framework leads to confusion, and none means you either have no foundation or you’re trying to reinvent a wheel that industry is rapidly refining
  5. Bring Your Own Device (BYOD) and Choose Your Own Device (CYOD) programs are very hard to run well, both technically and from a privacy compliance standpoint — individual state and international privacy legislation requirements make this very complex

If you want to hear more, check out some of the keynotes from the Gartner YouTube Channel; or, for other people’s perspectives on the event, check out the Tweets from 2019 Gartner Security Summit or other blog posts like this one.

Continuous Quality: Enforcing Quality with DevOps Pipeline Gates

At the recent 2019 Capability Counts conference, hosted by the CMMI Institute, I presented a session related to Enforcing Quality with DevOps Pipeline gates, where I provided an introduction to the concepts and technologies of DevOps, and how to use the concepts of Continuous Quality to improve software quality earlier and throughout the application lifecycle.

Here are the slides, published on SlideShare, if you’re interested.

Fathering beyond ‘Normal’

I’ve been reflecting recently on my father’s life and what he taught me. My father was great (though certainly not perfect), and I keep appreciating more and more how different he was from the ‘average father’ in many ways.  Many of these stories reminded me of great values I hope I can pass on well to my children.

When I was in elementary school, I loved competing in a local paper airplane contest.  A ‘normal’ father may have said encouraging things, or bought me a book about paper airplanes, but my father patiently took me to his school’s gym (he was a school teacher) where for hours and hours on many nights and weekends, he would patiently hang out while I threw so many different types of paper airplanes trying to identify the best one.

In addition to paper airplanes, I also really enjoyed real airplanes as a kid.  A ‘normal’ dad may have rented a movie about airplanes, but my father took me down to the local (small) airport and knocked on the door at the air traffic tower, and asked a very confused man if we could come up and see the air traffic control tower from the inside.  The man was very confused, asking if my dad was a controller, or a pilot, or if he worked for the FAA.  My father explained that no, but his son wanted to see the inside, and the confused man welcomed us up and explained all the screens/lights up in the tower.

Growing up, when we saw someone stranded on the side of the road, my father didn’t just drive by or think to call the police after we got home (this was pre-cell phone era) — instead, he would pull over to the side of the road, get the reflective vest and flashlight wand he randomly kept in his trunk, and ask my mom to drive us home, so he could direct traffic or help them change a tire.  Inevitably, a police officer or other helpful person would drop my dad off at home later that day.

When I was transitioning from playing T-ball to ‘real baseball’, I struggled with timing my swing.  My father could have just encouraged me to keep practicing.  Or asked the coach for some additional attention.  But instead, he recruited one of his friends to come to the baseball field with us some random Saturday and video tape me swinging so we could go home and watch my baseball swing in slow-motion.  We quickly diagnosed the problem.

My father’s hobby was investing in other people’s lives — whenever he would talk to someone else, he’d pepper them with questions with a real curiosity on learning more about their life and what was important to them, often finding areas where he could help them.

He worked long hours, often juggling teaching and other side jobs, but he was always showing my sister and me with his time that we were very important to him.  He was hours early to every play or dance recital, ensuring he had great seats for him (and any family that came at a reasonable time to find the seats he saved) and he was at every baseball game.

He taught my sister and me a real focus on living well below/within our means and saving our pennies for a rainy day — it’s amazing to realize how powerful this is, once you connect this value with some understanding of things like simple investing, 401(k), IRA accounts, etc. — it’s so powerful to transition from youth to adult by getting used to saving early.  And so hard to make that transition later.

He was constantly serving people — he and my mom were always volunteering around our church when we were growing up, which looking back on, I am so impressed with, because it’s hard just getting young kids to church and home.

Work hard and be proud of your work — he loved to say that “There’s no such thing as extra credit in this house”, meaning that any opportunity to get extra credit in a class wasn’t optional — it was expected we’d take every opportunity we were given to succeed.

He had great little nuggets of wisdom to share all the time, like:

  • Slow down when you’re doing public speaking — people often get nervous and talk way too fast
  • Be respectful to everyone, not just people with important job titles or in positions to help you
  • Take the time to learn people’s names and learn about them — he loved to remind people of how people took good care of him when he’d go get his car oil changed because he knew the people who worked there, and would write letters to their boss when they did a good job.  And because of this, people would constantly be chatting with him and offering him discounts.  As an aside, I’m often struck by how rude people are when they go somewhere to buy a sandwich — it doesn’t cost anything to be pleasant with the people serving you!
  • Ask people about themselves — both because it’s good to be genuinely interested in the lives of other people, and because people like to share about themselves, so they often think (without realizing it) that the best conversations are the ones where people asked them to talk about themselves for most of the conversation
  • Don’t make big-money decisions quickly — my father used to take my sister or me car shopping randomly, years before we’d need a new car, both to help us understand how to talk to salespeople and negotiate, and so that when a car ever died on him, he long-ago knew what type of car they wanted to buy
  • Make sure your tie isn’t showing when you fold your collar down around it (the back of your dress shirt)
  • When you commit to something (like signing up to play T-Ball for a season), you were expected to finish it — he loved to connect it to the concept of ‘following through’ when you swing a baseball bat.  You don’t stop half-way — you finish what you started.

I look back on so many things my father taught me over the years, and I am so thankful that he was my dad!

Know when Working Harder isn’t going to Work

A dedicated employee who will work harder, with a greater sense of urgency (and maybe some extra hours when needed) is great.  But what’s much more valuable than someone with that work ethic, is someone who can see when working harder isn’t going to work, and they need to change their approach.

Think about someone using a dull saw to cut a huge pile of wood to build a house — they’ll look at the schedule and say “I don’t have time to sharpen my saw”, which is ridiculous to think about.  But we do it all the time when we try to shift into a higher gear and work harder to “dig out” of a busy season/project instead of thinking about what we should change.

It is so valuable as a leader to determine when a situation can be surged over, and when you need different resources/capacity/people/tools to overcome the situation.  Years ago, I was helping a Project Manager whose team was continually well below the needed velocity to get to the project’s finish line on time.  He kept trying to work nights and weekends to get back on the track, but simple math made it very clear that he could not single-handedly get the project back on track.  So we had to invest in both a technology and some additional people to help his team finish — it was easy to ask for those investments on his project; but it was much better to ask for them early in the project’s life as opposed to at the end when he would be doomed to fail.

Think about if you need better processes/checklists, or a tool (e.g. software application) to help you be more efficient, or more people on your team, or something else.  Take the time to step back and think about how to change the game you’re playing so you can actually win.

Don’t Point at Problems, Attack Them!

There should be a word for people who have the annoying tendency to point at problems and talk about them, instead of trying to actually improve the situation (or maybe there is, and I just don’t know it).  I don’t know if you’ve been in a meeting with one of these people, but it’s so frustrating to listen to someone pontificate on and on about some problem and how it’s SO horrible, without trying to come up with any ideas, or asking someone to help them solve the problem, or just stop talking about it so someone else can try to solve the problem.

I’m not saying you should wait to bring a problem to your boss until you have a solution — for some teams/problems that’s a good idea, and for others that’s a horrible idea, and you need to get help for problems.  But what I am saying is that you should focus your attention and energy on fixing the problem, or removing the problem, or getting around the problem, or changing the situation so it’s not a problem anymore, or something else productive.

Email 101: Avoid the Bystander Effect

There’s a fundamental psychology concept called “Bystander Effect”, where a group of people are less likely to help someone in need than when a single person is present.  Everyone in the group thinks someone else will/should help the victim, instead of them.

Think about this when you send an email — I recommend you clearly articulate who you want to do what, and ideally only put 1 person in the To: line of the email (even if you have a few people in the CC: line).

Cyber Security 101 for Small Businesses

If you’re a small business, the world of cyber security can be very overwhelming and intimidating.  There are infinite articles you can read, a long list of cyber security maturity frameworks and concepts you could try to learn, and an overwhelming feeling that you can’t possibly actually defend yourself from the hackers all over the place!

Cyber is a big, complex thing that is hard to do — if you’re looking to better defend your organization and you don’t know where to start, I recommend this approach:

  • Read the Center for Internet Security’s (CIS) CIS Controls, as they’re a great list of security controls (fancy way of saying todo items) that are already in priority order — so you start at #1 and just keep working your way down the list.  Here are the top 5:
    1. Maintain a current list of all the IT hardware (equipment) you use
    2. Maintain a current list of all of the software applications you use
    3. Invest in, and use frequently, a vulnerability scanning tool (e.g. to identify security holes and then go fix them)
    4. Limit who within your organization has Administrative Access.  Instead limit the access to only those who must have it, and then track who has it and who is using it to do what when.
    5. Configure IT equipment securely and monitor the configuration to ensure these configurations are not being changed — for example, you may use an imaging solution to push out a consistent, pre-configured image of Windows 10 for new employee laptops and then use device management software (e.g. Microsoft SCCM) to monitor the configuration across your organization
  • If you’re ready to keep digging in, read the NIST Cyber Security Framework (CSF), give yourself a red/yellow/green score on each of the 5 core domains and then focus on improving on the areas you think are the best return on your time and money

Recurring Activity Matrix: Write Down what your Team Actually Does

Scott Adams, the creator of Dilbert, has written about how systems are much more valuable than goals.  This concept is incredibly powerful, and there are great, large, complex frameworks for defining and enhancing systems that people and organizations use and manage.  Frameworks like ITIL and CMMI do a great job of helping organizations think through all the various aspects of defining process architecture and governance.

However, they’re often big, intimidating frameworks for a small team looking to become more mature.  Something I’ve found a lot of success with is starting with creating a Recurring Activity Matrix (RAM) for teams to write down all the stuff they do more than once, so they can publish a body of knowledge, which helps them be more efficient, collaborate with each other more easily, and bring new people onto the team quicker.

I start small with teams, building a simple table with these columns in a wiki platform (e.g. Atlassian Confluence):

  • Team – specify the team (if this group has more than 1 team) that does this work
  • Owner (Role) – specify the role (not the person’s name) who performs this work
  • Recurring Activity – name the actual activity performed (e.g. “Check that the Website is Still Working”)
  • Frequency – e.g. Weekly on Fridays at 3pm
  • Link to Procedure/Checklist – provide a link to another wiki page with the details of what is actually performed (this can start pretty small, but eventually the goal should be that someone with little to no experience in this area could use this list to perform the activity)

Teams usually populate this data initially with a very small list, with early versions having the owner as someone’s job title. But as teams mature, they start to identify a lot of items that go in this table, and start to break up roles more, so they’re not directly tied to job titles (Holacracy has a great concept related to this called Role vs. Soul).

As teams advance in this, I like to keep building on this — ideas like:

  • Automate the reminding and tracking of these actions, such as using recurring calendar reminders, or emails from to the person to remind them, or (if you really want to show off) an email from to a Jira Service Desk instance to create a Jira ticket and assign it to the right person to do the work (and track if they completed it)
  • Use daily standup meetings or other sync-up meetings to identify tasks that are occurring that aren’t tracked in the RAM (or when someone takes a vacation and no one can figure out how to do something)
  • Separate Process Owner, Process Manager, and Practitioner roles (see ITIL process roles)

Eventually organizations as they scale will want more complex process management, looking at things like an ITIL Service Catalog or CMMI Organizational Process Definition; but early on the real value is just writing something down and incrementally improving it.

This is a great, short article about how 1-800-GOT-JUNK wrote down their key processes, published it in a binder, and used it to rapidly scale a huge franchise business across the country.