Showing posts with label Insider Threat. Show all posts

February 16, 2015

How To Give Employee Feedback

Finally some realism about how to conduct employee evaluations...

The Wall Street Journal reports that in the past employees could expect that "we would bring them in and beat them down a bit."

But now, managers are expected to "scrap the negative feedback" and "extol staffers' strengths" (accentuate the positives).

Companies are realizing that negative feedback does "more harm than good."

- You tick off the employee and ruin any positive relationship and trust. 
- The employee feels unappreciated, hurt, and in jeopardy. 
- Employees project their hurt feelings and accuse you of being the problem. 
- The deteriorating state makes them fear that you are working against them and they become unmotivated to try to do better.
- Instead, they spend their time working against you (and the company), and looking for another job. 

There is an old saying that you don't sh*t where you eat, and so it is with employee performance evaluations.

In over 25 years, I have never seen negative employee reviews produce positive results!

However, I have seen that sincerely praising everyone's best efforts, leveraging their strengths, and being thankful for what each person contributes makes a high-performing team where people are loyal, want to work, and contribute their best.

Everyone has weaknesses and problems, and frankly most people, when they are being honest with themselves, know what their issues are. Rubbing their face in it doesn't help. (Have you ever told a fat person that they need to lose a few pounds?)

One idea that I did like from the Journal is called "feedforward," where you ask "employees to suggest ideas for their own improvement for the future."

This way each person can be introspective and grow as they mature and are ready, not under threat, but with support and encouragement. ;-)

(Source Photo: Andy Blumenthal)

December 9, 2011

Losing The Edge, No More

For years, there has been all sorts of uproar about the U.S. and its citizens and businesses losing their edge.

Critics point out that our educational system (especially through high school) is not keeping up, that we are not attracting and graduating enough people in science, technology, engineering, and math (STEM), that our inventions are freely copied overseas, and that innovation and entrepreneurship are suffering at home, whether due to challenging economic or social conditions.

Yet, when it comes to losing our edge, nothing is more maddening than when the technological advances we do have are taken from us--this happens in numerous ways, including:

- Cyber Attacks: According to the Pentagon Strategy on Cyberwar as reported by the Wall Street Journal (15 July 2011), "each year a volume of intellectual property the size of the Library of Congress is stolen from U.S. government and private-sector networks." Cyber espionage has affected a broad range of our prized national assets: from Space Shuttle designs to the Joint U.S. Defense Strategy with South Korea, as well as the plans for the F-35 Joint Strike Fighter and more. Moreover and unfortunately, this is only the tip of the iceberg. For example, this past August, McAfee disclosed a cyber spying operation dubbed Operation Shady RAT that infiltrated some 71 government and corporate entities, of which 49 were in the U.S. and which included more than a dozen defense firms, over five years, compromising a massive amount of information.

- Spies/Insider Threats: Spies and insider threats can turn over state secrets to foreign powers or entities, causing a major loss to our competitive advantage. This has happened with convicted spies from Aldrich Ames to FBI agent Robert Hanssen, and more recently with Army Corporal Bradley Manning, accused of turning over troves of restricted documents to WikiLeaks. And despite the amazing efforts to catch these subversives, presumably there are plenty more where they came from.

- Expropriations: We lose our edge to foreign nations and organizations when our high-technology or intellectual assets are used without our consent or otherwise seized and compromised. This can happen from having our copyrights trampled on, our designs simply copied and "knockoffs" produced and peddled, or even when we are in a sense forced to exchange our intellectual property for basic entry into foreign markets. But this also happens more explicitly and violently when our assets are literally taken from us. For example, this happened in April 2001, when Chinese fighter jets intercepted (in international air space) and crashed a U.S. EP-3 reconnaissance plane and didn't return it until July, in disassembled pieces. Similarly, the tail of the stealth-modified MH-60 Black Hawk helicopter, carrying sensitive military technology and used in the raid on Osama bin Laden's compound, was recovered and held by Pakistan for weeks before it was returned to the U.S. And we saw this again this week when the Iranians showed off a prized RQ-170 Sentinel stealth drone they have now seized, whose secrets presumably may end up in Russian, Chinese, or ultimately terrorist hands.

Developing an edge is not something we should take lightly or for granted--it is based on lots of talent, experience, and hard work, and we do not have an exclusive hold on any of these.

We must prize our scientific and technological advances and secure them the way a mother protects its young--fiercely and without compromise.

No matter how much or how fast we churn out the advances, it will not matter if we do not safeguard our investments from those who would take them right out from under us. We can do this by significantly increasing investment in cyber security, strengthening counterespionage efforts, and not letting any nation or organization take something that doesn't belong to them without consequences--economic or military--that restore our edge and then some.


May 15, 2010

What’s Lurking In The Update?

In defense, it is a well-known principle that you determine your critical infrastructure, and then harden those defenses—to protect it.

This is also called risk-based management, because you determine your high impact assets and the probability that they will be “hit” and deem those the high risks ones that need to be most protected.

In buttressing the defenses of our critical infrastructure, we make sure to only let in trusted agents. That's what firewalls, anti-virus, anti-spyware, and intrusion prevention systems are all about.

In so-called “social engineering” scams, we have become familiar with phony e-mails that contain links to devastating computer viruses. And we are on the lookout for whether these e-mails are coming from trusted agents or people we don’t know and are just trying to scam us.

What happens, though, when, like the Trojan Horse in Greek times, the malware comes in from one of the very trusted agents that you know and rely on, for example, from a software vendor sending you updates for your regular operating system or antivirus software?

ComputerWorld, 10 May 2010, reports that a “faulty update, released on April 21, [by McAfee] had corporate IT administrators scrambling when the new signatures [from a faulty antivirus update] quarantined a critical Windows systems file, causing some computers running Windows XP Service Pack 3 to crash and reboot repeatedly.”

While this particular flawed security file wasn't the result of an action by a cyber-criminal, terrorist or hostile nation state, but rather a "failure of their quality control process," it raises the question: what if it had been malicious rather than accidental?

The ultimate Trojan Horse for our corporate and personal computer systems is the regular updates we get from the vendors to "patch" or upgrade our systems. The doors of our systems are flung open to these updates. And the strategic placement of a virus into updates that have free rein over our core systems could cause unbelievable havoc.

Statistics show that the greatest vulnerability to systems is by the “insider threat”—a disgruntled employee, a disturbed worker, or perhaps someone unscrupulous that has somehow circumvented or deceived their way past the security clearance process (or not) on employees and contractors and now has access from the inside.

Any well-placed “insider” in any of our major software providers could potentially place that Trojan Horse in the very updates that we embrace to keep our organizations secure.

Amrit Williams, the CTO of BIGFIX Inc. stated with regards to the faulty McAfee update last month, “You’re not talking about some obscure file from a random third party; you’re talking about a critical Windows file. The fact that it wasn’t found is extremely troubling.”

I too find this scenario unnerving and believe that our trusted software vendors must increase their quality assurance and security controls to ensure that we are not laid bare like the ancient city of Troy.

Additionally, we assume that the profit motive of our software vendors themselves will keep them as organizations “honest” and collaborative, but what if the “payoff” from crippling our systems is somehow greater than our annual license fees to them (e.g., terrorism)?

For those familiar with the science fiction television series Battlestar Galactica, what if there is a "Baltar" out there ready and willing to bring down our defenses to some lurking computer virus--whether for some distorted ideological reason, a fanatical drive for revenge, or a belief in some magnanimous payoff?

“Trust but verify” seems the operative principle for us all when it comes to the safety and security of our people, country and way of life—and this applies even to our software vendors who send us the updates we rely on.

Ideally, we need to get to the point where we have the time and resources to test the updates that we get prior to deploying them throughout our organizations.
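The "trust but verify" principle above, applied to the update intake step, comes down to two controls: confirm that the artifact you received is the one the vendor published, and push it through a test ring before it reaches production, so that an update which quarantines a critical system file fails in the lab rather than on every desktop. The following is an added example (not code from the original post or from any vendor) of a minimal intake gate. The artifact bytes, the manifest, the ring names and the protected-file path are all constructed placeholders.

```python
import hashlib
import hmac

# --- Constructed sample data (not real vendor artifacts) -------------------
GOOD_UPDATE = b"constructed sample signature update, build 5958\n"
TAMPERED_UPDATE = GOOD_UPDATE + b"unexpected trailing bytes\n"

# Hypothetical vendor manifest: artifact name -> SHA-256 hex digest. It is
# assumed to be obtained over a channel separate from the artifact download
# (for example a signed manifest), so a tampered artifact will not match it.
VENDOR_MANIFEST = {
    "av-signatures-5958.dat": hashlib.sha256(GOOD_UPDATE).hexdigest(),
}

# Constructed list of files that an update must never quarantine in the lab.
PROTECTED_FILES = {"C:\\Windows\\System32\\PLACEHOLDER_CRITICAL.EXE"}

# Deployment rings, in order. Each ring must pass before the next is touched.
RINGS = ("lab", "canary", "production")


def verify_integrity(name: str, payload: bytes, manifest=VENDOR_MANIFEST) -> bool:
    """Return True only if the artifact matches the digest the vendor published."""
    expected = manifest.get(name)
    if expected is None:
        return False  # unknown artifact: nothing to verify against, so refuse
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected)


def lab_health_check(quarantined: set[str]) -> bool:
    """The lab ring passes only if the update quarantined no protected file."""
    return not (quarantined & PROTECTED_FILES)


class StagedRollout:
    """Tracks which rings an update has passed and enforces the ring order."""

    def __init__(self, name: str, payload: bytes):
        self.name = name
        self.payload = payload
        self.passed: dict[str, bool] = {}

    def deploy(self, ring: str, healthy: bool) -> bool:
        """Record the outcome of `ring`; refuse if integrity fails or the
        preceding ring has not passed. Returns the recorded health result."""
        if ring not in RINGS:
            raise ValueError(f"unknown ring {ring!r}")
        if not verify_integrity(self.name, self.payload):
            raise ValueError("integrity check failed; nothing deployed")
        idx = RINGS.index(ring)
        if idx > 0 and not self.passed.get(RINGS[idx - 1], False):
            raise RuntimeError(f"{ring} blocked: {RINGS[idx - 1]} has not passed")
        self.passed[ring] = healthy
        return healthy


if __name__ == "__main__":
    rollout = StagedRollout("av-signatures-5958.dat", GOOD_UPDATE)
    # Simulate a lab run in which the update quarantined a protected file.
    lab_ok = rollout.deploy("lab", lab_health_check(set(PROTECTED_FILES)))
    print("lab passed:", lab_ok)
    try:
        rollout.deploy("canary", True)
    except RuntimeError as err:
        print("canary refused:", err)
```

The integrity check uses `hmac.compare_digest` so the comparison does not leak timing information, and an artifact absent from the manifest is rejected rather than waved through. The ring gate is deliberately dumb: it knows nothing about the update's contents, only that a failed lab result blocks every later ring, which is the property that would have kept the faulty signature file described above off production machines.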


February 25, 2009

Security Architecture Q&A

Recently, I was interviewed on the subject of Security Architecture and was given permission to share the Q&A:

In general, what kinds of information security issues does an organization face?

The overarching information security issue in any organization is one of communication, collaboration and the need for transparency vs. the need to protect information from being compromised. Information security is about more than just "stopping leaks." It is also about making sure that people don't intercept, interject or otherwise manipulate agency information for their own ends.

A related issue has to do with protecting the agency's critical IT infrastructure from physical or cyber attack. It's the age-old conflict: If you lock it down completely, then you're protecting it, but you also can't use it. And if you open yourself up altogether, then obviously it won't be long before somebody takes aim.

Finally, the largest threat to an organization's information is clearly from insiders, who have the "keys to the kingdom." And so one must pay great attention to not only the qualifications, but also the background, of the employees and contractors entrusted with access to IT systems. Additionally we must institute checks and balances so that each person is accountable and is overseen.

How do leaders demonstrate security leadership?

Leadership in the area of security is demonstrated in a variety of ways. Obviously the primary method for demonstrating the importance of this function is to formalize it and establish a chief information security officer with the resources and tools at his or her disposal to get the job done.

But security leadership also means building an awareness of risk (and countermeasures) into everything we do: education, awareness, planning, designing, developing, testing, scanning and monitoring.

When new applications or services are being planned and rolled out, does security have a seat at the table?

I can't imagine any organization these days that doesn't consider security in planning and rolling out new applications or services. The real question is, does the organization have a formal process in place to provide certification and accreditation for IT systems? By law, federal agencies are required to do this.

Would you say that information security is generally tightly integrated into organizational culture?

I think that a security mindset and culture predominate in professions where security is paramount, such as law enforcement, defense and intelligence, for obvious reasons.

But the larger question is, how would other organizations make the transition to a culture of greater information security? And this is actually a really important question in today's age of transparency, social networking, Web 2.0, etc., where so much information is freely flowing in all directions. One approach that I have adopted as a culture-changing mechanism is to treat key initiatives as products to be marketed to a target audience. The IT security professional needs to be a master communicator as well as a technical expert, so that employees not only grudgingly comply with necessary measures, but are actively engaged with, and support, their implementation.

At the end of the day, the organization's information security is only as strong as its weakest link. So security has to be as deeply ingrained into the culture and day-to-day operations as possible.

Is information security an inhibitor to new initiatives?

Information security is one of many requirements that new initiatives must meet. And of course there will always be people who see compliance as an inhibitor. But the reality is that security compliance is an enabler for initiatives to achieve their goals. So the key for IT security professionals is to keep educating and supporting their stakeholders on what they need to do to achieve success and security at the same time.
