I dread linking to anything posted on Medium, but Performance Reviews Are A Waste of Time by Xavier Shay echoes many of my feelings about how useless they are.

I enjoyed Jamie Thingelstad’s article write-up:

Formal feedback mechanisms in companies are hard. I’ve come to think of performance reviews as an organizational insurance policy. The process and mechanism for them insures that a bare minimum of dialog is happening. I really don’t know of anybody that feels that they are an effective way of leading and managing teams. I think that is summarized in the common refrain that there should be nothing new learned in a performance review.

(Via Weekly Thing Newsletter Archive Feed)

Back when I was a manager and my direct reports were local-ish (I rotated weekly between the three cities in two countries where they were) I had to do the annual review and instituted formal quarterly reviews.

They sucked. They were one of the many mistakes I made as a manager.

However, I found more value – and I am told my team did as well – in the concept of “Management by Walking (or Wandering) Around”. This was hugely informal and unintentional. I didn’t want to be holed up in my office all day. My team was doing the kinds of technical work I enjoyed but from which I had to step away. And I valued their input and ideas in an ersatz Socratic Method to help with the bigger picture stuff.

I liked, trusted, and valued my team, so why wouldn’t I want to be closer to them than my offices offered?

Many modern workplaces with remote workers don’t necessarily have that benefit. Tools like Slack can’t really make up the gap, especially if your team is global. The formal performance review still fits poorly.

I should have seen the performance review as a company insurance policy back in the day.

Interestingly, I was contacted not too long ago by a colleague who felt “railroaded” by a sudden bad performance review. I advised challenging it with the formal HR process with plenty of CYA (Cover Your Ass). Turns out the supervisor involved had nothing to back up their position but my colleague had plenty to refute.

The bottom line is as always: protect yourself; document everything; use the HR system to your advantage; and don’t accept the premise.

Reproducible Research for Management | Irreal:

Derek Feichtinger has an interesting post in which he describes the application of reproducible research and literate programming to management problems. As an example, he considers generating a budget for a pair of related projects. His workflow is to first generate an outline describing his goal and the information he has and to refine that with subheadings as more information becomes available. That provides a history of the project and automatically tracks changes.

(Via irreal.org)

I really like this idea. Something to think about.

When I first managed people, just as I’d taken over a troubled retail sales department and had to do performance evaluations, I got a great piece of advice from my then mentor:

> If all your reviews are a 5 you are doing it wrong. You may have reasons to rationalize such scores, but you do no one – especially yourself – any favors by doing so.

We, my new team, turned the department around quickly. I ignored my mentor’s advice and went ahead with my “All 5” reviews (the best possible) and … they were rejected. I had to do them all over again, this time with supervision.

My mentor rightly chastised me for ignoring his guidance and then gave me the next nugget:

> If your team is all 5s, they’re all 2s.

Meaning if your baseline is so high and everyone gets the highest level, normalize the baseline. And it’s probably still too high.

> If people don’t have a challenge to overcome they will tend toward complacency.

I was lucky to have smart leaders. They saw my naïveté as an advantage. My short-sighted management style was converted into a galvanizing experience for the team. Meanwhile, I reassessed.

Fast forward to today. We rank all kinds of things: Amazon purchases and podcasts and Lyft drivers and restaurants and beers and so on. How many of us default to 5 stars or equivalents? What about vapid or useless “me, too” comments? And how about the essay review? My approach is evolving, but in short:

> Am I adding value and what value am I adding?

If I experience something enjoyable but otherwise unremarkable, am I doing anyone any favors by assigning a 5? Better to make 2.5 the baseline.

What about the skew toward high scoring? Am I not making it worse for some things?

I try to add content to the review. A 3 beer, for example, is better than the average mass produced brew. If I give a beer such a score I will add the context to the score. Maybe it’s dry or fruity or hoppy or has some other attribute placing it above the norm.

Until this becomes normal I do not rely on straight up scored reviews for anything substantial. Again with beer or food I will trend toward the high scores with high review counts.

I suggest all embrace circumspection in scoring of things, services & people.

Let me know if you can identify the post’s title reference.

A travel weekend for me, and a long weekend for many of us, so plenty of opportunities to catch up on my reading list.

Surface Pro 3 Field Guide by Paul Thurrott & Martin McClean, 0.09 draft version

Not a security book per se, it is helping me get the most out of what is quite possibly the best laptop I’ve ever owned. It is without a doubt the best tablet I’ve ever owned.

Essentialism – The Disciplined Pursuit of Less (Kindle Edition) by Greg McKeown (Hardcover, Audible)

Again, not a security book. The concepts tie into my drive to simplify and declutter my life, professionally and personally.

As a leadership book, the concept of reducing your field of vision to what is truly important helps focus precious resources to the things that hold real value.

Assume that it’s time for Bob’s performance review.

Bob’s boss says he’s a great addition to the team. Easy to work with!

And the sales numbers? Hot mama, Bob’s smokin’! Mr. Bob surely has worked himself toward a big, fat raise!

Or not. Bob would have gotten a raise, that is, but he got fooled by a phishing email and unwittingly invited the bad guys in through the front door, torpedoing Widget Industries Ltd’s multimillion-dollar investment in security systems.

Fiction! But can you imagine if this were really the way employees were assessed? They answer a phishing scam email, they trigger a major security breach, and then they’re held accountable?

via Should employees be punished for sloppy cyber security? [POLL] | Naked Security.

A thought experiment, sure, but one that leads in some interesting directions.

This is mind blowing:

A 2012 survey of more than 500 college graduates by Adecco, a human-resources organization, found that 8% of them had a parent accompany them to a job interview, and 3% had the parent sit in on the interview.

via Should You Bring Mom and Dad to Your Office? – WSJ.com.

That’s 15 applicants bringing Mom & Dad along for the interview. I was a hiring manager in some of my past professional lives. I never encountered a parent hovering over an interview. I don’t think I would care if the parent tagged along, but I would not let the parent into the actual interview. If pushed I would either say no or rank the applicant lower regardless.

… parental involvement in the U.S. doesn’t begin to match countries in Asia and South America, according to a 2013 study from the global accountancy firm PricewaterhouseCoopers LLP.

The study, which surveyed 44,000 people from more than 20 countries, found that just 6% of recent college graduates surveyed in the U.S. wanted their parents to receive a copy of their offer letters. That’s well below the global average of 13% and much less than some other countries, where it was as high as 30%. The study also found that just 2% of young employees in the U.S. want their parents to receive a copy of their performance review, compared with the global average of 8%.

Having recently gone through a job hunt I shared details with my folks and other trusted advisers but never the actual correspondence. Again as a hiring manager I don’t think I would agree to sending a copy to anyone other than the applicant.

This could be a generational thing, but as a parent I would never consider intruding into my kids’ lives to this degree.

What do you think? If you’re a manager, would you hire an applicant who brings parents along? If you’re a parent, would you want to tag along on your child’s job interview?

There are several dates throughout the year that are notorious for wreaking havoc on businesses via DDoS attacks, data breaches and even malware or botnet assaults.

According to Radware, there are two types of dates that hackers target: ideological and business-relevant dates. Ideological dates refer to holidays and anniversaries that have a cultural, religious or secular tie to the adversary. High-risk times for the United States include September 11th, Memorial Day, Election Day and Independence Day. Business-relevant dates involve a period of time that companies are particularly vulnerable to attacks, such as Black Friday, Cyber Monday, or even regular business hours.

Additionally, hackers commonly use important dates and holidays to disrupt specific industries. For example, retail and credit card companies see a significant rise in cyber attacks between Thanksgiving and Christmas, whereas government websites may be targeted during Election or Independence Days.

via Timing is an influential risk-factor for cyber attacks.

Good but generic advice in the article. If you work for a multinational you’ll need to keep in mind dates and events beyond the US – the football (soccer) World Cup, for example. User education is important but the returns diminish over time, especially if you cause fatigue in your users. Pen testing is good, as is a commitment of time and money to security infrastructure life cycle management.

Mathew Ingram at GigaOm wrote an article on Yahoo’s new policy on remote workers:

Not long after her arrival at Yahoo, new CEO Marissa Mayer started handing out carrots to her new employees, including new smartphones, free food and other Google-style amenities. Now she has brought out the stick: namely, a directive that employees are no longer allowed to work from home, something that is expected to affect as many as 500 Yahoos. Mayer’s move has its supporters, who argue that she is trying to repair Yahoo’s culture — but in doing so, she could be sending exactly the wrong message for a company that is trying to spur innovation after a decade of spinning its wheels.

The moment I first heard Yahoo proclaim this policy I became angry. It does not impact me directly, but as a highly skilled and experienced IT Security and Networking professional now on the market I can say that Yahoo is no longer on my list of companies I’d care to work for. Here’s why.

About 15 years ago while I worked for EDS as a Network Security Administrator my marriage fell apart. Up until then I rarely if ever worked from home. With divorce looming I had sole custody of my two young kids. I had to work from home when they were sick or were off of school. At the same time my role at EDS changed to include firewall administration, demanding more of my time to cover on-call and odd support hours.

I was fortunate to report to managers that understood my situation and worked to help me. I worked with a great group of professionals who didn’t complain about my flexible work schedule. In fact we all worked together so everyone could have the same flexibility I had. How did I handle things? I became infamous for keeping sleeping bags, pillows, snacks, and toys for my kids in my cube. I don’t know how many nights I carried the two of them into the data center in the middle of the night, each slumped over a shoulder while I badged through the security doors. They slept on the floor swaddled in their sleeping bags and little heads resting on Disney-themed pillows, lullabied by the white noise.

When I interviewed with Magna I was very upfront about what I needed to do to take care of my kids and what I would do in return. They took me on without hesitation, and I always appreciated and respected the trust they placed in me. Similar to my days at EDS, the team at Magna embraced me and the flexibility I needed. I repaid my boss’ and team’s trust in many of the same ways I did for EDS, but there was one case that was above and beyond.

For reasons that escape my memory the IT staff in Europe all quit on the same day. The organization I worked for was very lean. There were no extra people around to help fill in while they hired new staff. I stepped up, waking between 03:00 and 04:00 Eastern time to support Europe until I had to get my kids ready for school. I’d drop them off (no bus service) and return to cover the rest of the European day and my normal work. I was caretaker of servers and services in addition to the network and security. I did this for almost 6 months from my basement, buying the European IT director time to hire some great team members.

When I moved into management my team earned with me the same opportunities and respect that I earned. With instant messaging and email, IP telephony and video conferencing, and cheap Internet-based VPNs back to the company they could do everything they needed to do from home that they could do from work. Yes, you cannot replace face-to-face interaction. But by the same token how much hallway and water cooler talk is mere friendly trivia?

I’ll leave how companies choose to handle working from home to what makes sense for them and their business. But I want the conversation rephrased to talk about working from home as a tool and not a benefit. It can help both the employer and the employee, and that can’t be taken lightly.

I sincerely hope Marissa Mayer reconsiders her decision. She’s closing a door on quality hard-working talent that will go elsewhere just at the time when she needs them in Yahoo.

via Why Marissa Mayer’s ban on remote working at Yahoo could backfire badly — Tech News and Analysis.

NOTE: For those of you who came here because of my running Ubuntu 12.04 on T430s series, that is at an end. The laptop was my work machine. I’ll try to help point people to more information but I can’t provide configs or verify settings any more.

This past Tuesday I was “let go” from Magna, the company where I worked for well over a decade. Upper management’s move came out of nowhere, and a number of my now former colleagues did not see the change coming either. It was really hard to experience, it’s not something I’ve ever been through before, and I’ve no interest in experiencing it again.

I’ve got good things to say about my time at Magna. I value my time and work there. I will miss the people. I will especially miss my team.

After Tuesday’s kick in the gut I took Wednesday off to let things settle emotionally. Thursday I kicked off the job hunt.

My plan as of now on prjorgensen.com is to write about the job hunt, what I’m doing for it, and what kinds of things I should have planned for while I was gainfully employed. Looking at this change as an opportunity I will also catch up on my InfoSec and IT reading backlog, so you’ll likely see write-ups. I’ll dig into privacy issues, politics and IT, and other topics as I’m moved to write.

My personal plans and journey you will find over on Harmony Pirate.

Evernote (EN) fills a gap in my presentation preparation. This is more nuts and bolts and less philosophy, though there’s a bit of that here.

I’m often asked to present and explain complex technologies and concepts to a broad audience. Sometimes the request comes with little time for preparation.

Occasionally the lack of notice is okay. I keep general slide decks (e.g. Microsoft Office PowerPoint Presentations) ready to go. I know the material well and engage the audience, to the point that a deck on display behind me is informational. The problem manifests when I forget portions of my presentations, just like when you know a song but forget the middle verse. The same happens when the discussion heads down an interesting tangent.

In such cases I use EN to record the presentation for continual improvement, but that doesn’t help ensure I get across the content I intend to.

When I hit an interesting tangent I can forget why I’m there in the first place.

The problem expands when I need to convey something new and soon. I stumbled on a solution accidentally using EN. EN has a record audio button in the note dialog. I use it to capture tasks and notes when I can’t get to a PC. I use it to record my talks as mentioned before to help me improve my presentations.

While I’m used to recording my talks, recording the pre-presentations is the “ah-ha” moment. In the EN note I put the key concepts and points in the talk. Then I use the record option to capture my initial brain dump ramblings on the topic. I play it back, capturing the concepts and details I like and discard the less salient points.

Eventually I draft the deck in the same note. I’m a huge fan of Garr Reynolds’ Presentation Zen and the presentations of Steve Jobs, Guy Kawasaki, Ze Frank, Alton Brown’s Good Eats (one of the best show-&-explain examples out there), and those who let the display set the story but the presenter tell the story. This is the antithesis of the “death by PowerPoint” or “bullet pointed to death” exaggerations of boring to bad presentations.

For each slide I use EN to grab the pictures that might help convey the message I want to communicate. I write the slide text and any supporting materials.

As I iterate the mirror & timer test of my deck, I record them. I can go back and listen to older versions to make sure I move forward without losing content. I adjust the note to reflect the changes.

The last step I do is actually put the slide deck (ppt) together.

The folks who run such sessions want the presentation deck way ahead of the actual presentation. When they do, I give a dummy deck then send the final version as adjacent to the session as practical. Worst case I’ll ask to use the version on my USB stick. Those who want to vet content don’t care for that technique, but a live audience can surface other concerns.