<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Bad Penny &#187; contracting</title>
	<atom:link href="http://gorrie.org/tag/contracting/feed/" rel="self" type="application/rss+xml" />
	<link>http://gorrie.org</link>
	<description>bound to turn up.  The adventures of an early adopter.</description>
	<lastBuildDate>Tue, 22 Jun 2010 05:37:27 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Contracting and Consulting</title>
		<link>http://gorrie.org/2009/12/08/contracting-and-consulting/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=contracting-and-consulting</link>
		<comments>http://gorrie.org/2009/12/08/contracting-and-consulting/#comments</comments>
		<pubDate>Tue, 08 Dec 2009 19:50:14 +0000</pubDate>
		<dc:creator>Ian Gorrie</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[consulting]]></category>
		<category><![CDATA[contracting]]></category>

		<guid isPermaLink="false">http://gorrie.org/2009/12/08/contracting-and-consulting/</guid>
		<description><![CDATA[<p>So you want to be a consultant or a contractor?</p>
<p>When I have told tales of some of the contracts and consultancy gigs I have worked, people think it sounds pretty nice. There&#8217;s a big bill rate, you escape some of the problems of being an employee, what could possibly go wrong, right?</p>
<p>Not always. Sometimes it is no [...]]]></description>
			<content:encoded><![CDATA[<p>So you want to be a consultant or a contractor?<img src="http://gorrie.org/blog/../uploads/2009/12/consultant-cartoon.jpg" alt="consultant cartoon.jpg" width="300" height="337" align="left" /></p>
<p>When I have told tales of some of the contracts and consultancy gigs I have worked, people think it sounds pretty nice. There&#8217;s a big bill rate, you escape some of the problems of being an employee, what could possibly go wrong, right?</p>
<p>Not always. Sometimes it is no fun at all.</p>
<p>Let me give you two tales of not nice at all.</p>
<p>My first example was the six months that I spent at Fannie Mae in 2006. I worked everything out myself and all I needed was someone on their approved vendor list to front end my billing. A mutual acquaintance suggested that the company on this magical list, <a href="http://www.mdjoyce.com/">Michael D. Joyce</a>, would serve this purpose. I did not expect to be jerked around in ways that exceeded the usual horror stories that I had experienced in the past.</p>
<p>I did, once upon a time in the roaring 1990s, work for a company that had a silent partner that the two principals at the firm used as an excuse in matters of contract negotiation and such. A very silent partner. So silent, he was a fiction; an imaginary person and a complete fabrication.</p>
<p>I thought that this was pretty questionable behavior, but I was busy working like crazy at the time to keep the understaffed and third-hand infrastructure that was thrust upon me in order and I had limited involvement with the executives in those days. I surely did not expect to see it again.</p>
<p>As it happens, Michael D. Joyce is an imaginary person. It is really two principals that mainly staff <a href="http://en.wikipedia.org/wiki/H-1B_visa">H-1B</a> contractors (who are easy to exploit) into DC area firms. Their names are Nick Nichols and Rick Makins.</p>
<p>These guys played a bunch of games with me. They were &#8220;too busy&#8221; to return a phone call or email for literally months at a time on issues like &#8220;Hey. When are you guys going to give me the money that you have been paid for my work?&#8221; I expected to get my invoices paid on a <a href="http://en.wikipedia.org/wiki/Net_30">Net 30</a>, but they were never on time. There were also unexpected contract games which were not part of any deal that we discussed. Anything they could make into a problem was a problem.</p>
<p>At the end of my six month engagement, they decided to keep a nice round number of $25,000 of money paid to them for my work. Upon query, they stated that I had either been issued payment or that they never bothered to invoice Fannie Mae for my work properly. I have yet to collect this outstanding balance.</p>
<p>I imagine that I could sue or submit some kind of criminal complaint, but I honestly didn&#8217;t know where to begin with it. I just dropped it and moved on to other projects.</p>
<p><em><strong>Great times.</strong></em></p>
<p>Here is another first hand example.</p>
<p>I was in Phoenix and working a contract for a company that was having very substantial problems managing their aging infrastructure after being spun off from a parent company. They decided that the best course of action was to completely outsource their datacenter management. In this case, there could have been no better solution as most of their hardware and software <a href="http://en.wikipedia.org/wiki/End-of-life_%28product%29">EOL</a>&#8216;d many years previously.</p>
<p>I was pretty surprised that anything was still running.</p>
<p>They even arranged for the vendor to <em>purchase</em> their ancient hardware. Clearly someone there knew what they were doing in negotiation.</p>
<p>If plugging around documenting and troubleshooting systems that were in a very serious state of fragility and neglect wasn&#8217;t hard enough, I had to contend with a manager who insisted that I call her &#8220;mom&#8221; amongst other odd requests.<img src="http://gorrie.org/blog/../uploads/2009/12/mom01.gif" alt="mom01.gif" width="150" height="185" align="left" /></p>
<p>No no. I never called her mom.</p>
<p>This was one of the worst gigs I have ever had to muddle through. To illustrate, I will include a sanitized email (names removed to protect the guilty) that I sent after things had reached a critical point. After having a lunch meeting with my direct reports&#8217; boss, he asked me to keep him informed about developments with her. He also asked me if I would be interested in a permanent senior position there and was surprised when I gave him a firm negative.</p>
<p>It should also be mentioned that &#8220;APS&#8221; was an internal application and also a major power utility in the southwest to which some of the technical people had fled when the grand outsourcing adventure began. Removing it from this context would make things too confusing.</p>
<p>While reading this email, see if you can picture me in unflappable chill mode taking notes and speaking diplomatically in an office where someone is occasionally shouting at me and pointing fingers dramatically.</p>
<blockquote><p>Date: Thu, 10 Jun 2004 14:38:04 -0700<br />
Subject: follow up<br />
To: $BIGDIRECTOR</p>
<p>I had paged $MANAGER after our lunch meeting with a relaxed and casual request to speak to her. After chasing her on it for an afternoon and all of yesterday, she made some time for me at around 5pm.</p>
<p>The talk began with mention that $DEVELOPER was not pleased with the response time he had been getting from her department and indirectly myself. He apparently voiced a concern that APS was not being given the priority handling that it should receive. She then informed me that APS should be my top priority, but in this way: &#8220;I&#8217;ve told you many times that APS is your top priority.&#8221; I asked her how this conflicted with my last instruction that sustaining operations was my top priority as was my previous instruction and was given an unclear response.</p>
<p>She had a couple of other issues to address with me. The next item was regarding information transfer to HP staff. Apparently it is important for me not to tell them that there is not a process in place when there is not a process in place for things, but rather to divert them by saying &#8220;I&#8217;ll check up on that&#8221; and page $MANAGER and await a response. She was unable to give me an example of an instance that I had erroneously informed HP staff of our lack of a policy or procedure when we have one in place.</p>
<p>There was then a question of attendance, working hours, and efficiency. On Tuesday evening, I was here until almost 11pm solving two important issues; one was installing Sun One Studio 8 for $DEVELOPER (APS related) and the other was a workaround for DNS that was requested as a high priority item from infosec that $INFOSECMANAGER asked me to get finished that evening. $MANAGER found general fault with the use of my time on the APS related task in that it was her impression that I did not communicate with the team and did not page her for assistance. I outlined the process of what I went through to solve the problem:</p>
<ol>
<li>Attempt to find software existing on system. Installation media did not exist on any system.</li>
<li>Attempt to find media in the &#8220;software library.&#8221; (I put this in quotation as there is no current method in place in organizing software in this department, but it is jammed in various filing cabinets, cubicles, and perhaps other locations.) I found old versions of the software that were not of use.</li>
<li>Attempt to download the software from sun.com. Sun&#8217;s download site was temporarily down.</li>
<li>Opened ticket with Sun to get software. They gave me a workaround to download the software via an alternative method since their download webpage was out of service at the time. They provided me the incorrect software. At this time I checked Sun&#8217;s download site again and it was operational.</li>
<li>Downloaded software and transferred installation packages to APS servers, installed software, and installed license keys $DEVELOPER provided to me earlier that day.</li>
</ol>
<p>Her criticism was that I should have asked $DEVELOPER if he had media. $DEVELOPER does not have media as he was kept abreast of my actions and worked to help provide me access to the software. She also mentioned that I should have paged her to ask her where the media could have been and that she would have told me to look in the software library. As I had already taken this action, I asked her what that would have gained me. She had no justification and told me that I was in error.</p>
<p>After being reprimanded for taking a logical and methodical approach to solving this issue given the lack of organization or planning that could have been in place and working the task to its successful conclusion, I asked her what would have happened if I had just bailed on the project at 6pm and had gone home as was her current instruction of what I should have been able to do. I stated that we would be having a very different conversation today if I just dropped the ball on these tasks so that I could be in early the next morning. She then told me that I need to learn to prioritize.</p>
<p>The final issue was one of attendance. She told me that I was chronically late and that she could not count on me because she would never know if I was going to show up. I didn&#8217;t make excuses for this, but I did offer that I have had an average time of arrival of 9:30. She told me this was untrue and that it was actually 10 or 11 and sometimes 12 or 1pm. She asked me when I had come in today (Wednesday) and I told her that I arrived shortly before she paged me at 12pm. I volunteered that I had left the office at about 10:45pm last night and was engaged three times by pager between the hours of 12am and 4am. I asked her how I am supposed to manage late working hours to solve problems remaining from the day, being on call for an operations staff that pages unix-on-call for irrelevant, mundane, and frequently with non-specific requests and frequent requests symptomatic of no longer having an international staff, and then arriving in the morning in a timely manner. She had no explanation on how I should accommodate this and told me that she expected me to be here at 9am.</p>
<p>At this point I asked her if she had anything else that I should be aware of or any other points of concern that she wanted to address to me. She took a long moment to consider, and then said that there was not.</p>
<p>So my take-aways from this meeting are:</p>
<ul>
<li>APS is my first priority. Sustaining operations support is also my first priority.</li>
<li>I need to get all work accomplished inside of normal working hours. This includes work that needs to be done outside of normal working hours.</li>
<li>I need to misinform HP regarding procedures as to, in theory, improve the appearance of current operations.</li>
<li>I need to not sleep at all so that I can be in the office on time in the morning, available in evenings to stay late on demand (as these things are always at the last minute) and be on call 24 hours a day when on duty.</li>
<li>I need to ask $MANAGER for advice on things I already know how to accomplish.</li>
<li>New information is provided in a &#8220;you have already been told this multiple times&#8221; format.</li>
</ul>
<p>It should also be mentioned here that there has been issue made of my billable hours even though I bill fewer hours than $UNIXFLUNKY. Without direction from my statement of work or any discussion previous to contract beginning, I have decided that I would bill for what I thought was a fair representation of my time. I had thought that I was erring in favor of $CLIENT and that would be appreciated. It was not.</p>
<p>$SUCKER apparently rarely received a good night&#8217;s sleep in his tenure here and joked when visiting the office as a consultant that he is apparently no longer sick all the time because he is allowed to sleep at night while consulting at APS where others that used to work here are now employed. It seems this level of self-destructive sacrifice is the expected baseline for salaried employees under $MANAGER.</p>
<p>Hopefully this email is what you were looking for as a follow up. I hope I do not come off as having more of that attitude problem as was addressed to you previously. I have made every effort to handle myself in a diplomatic way while remaining true to my professional convictions.</p>
<p>Regards,</p>
<p>Ian Gorrie</p></blockquote>
<p>Contracting and consulting is all about learning how to deal with abuse and conflict resolution in environments where normal measures have been proven insufficient or have broken down completely. Add to this that everyone is aware that you have no real authority in your position, and that you work without the larger resources and manpower of an organization.</p>
<p>As an independent contractor, you are often completely on your own with few-to-no allies to draw on.</p>
<p>As a consultant, you are a target and often considered a threat from the staff that you are assisting.</p>
<p>It usually isn&#8217;t fair, but that&#8217;s the gig. You have to suck it up and somehow get things done, as you are graded on completion of whatever goals have been defined for your engagement. You did get them defined, didn&#8217;t you?</p>
<p>There are great moments of high accomplishment and glory, but the lows can be a bottomless pit of despair for the unwary or unlucky.</p>
]]></content:encoded>
			<wfw:commentRss>http://gorrie.org/2009/12/08/contracting-and-consulting/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The Trials of Toorcamp</title>
		<link>http://gorrie.org/2009/07/16/toorcamp/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=toorcamp</link>
		<comments>http://gorrie.org/2009/07/16/toorcamp/#comments</comments>
		<pubDate>Thu, 16 Jul 2009 23:40:54 +0000</pubDate>
		<dc:creator>Ian Gorrie</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Management]]></category>
		<category><![CDATA[Presentations]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[conference]]></category>
		<category><![CDATA[consulting]]></category>
		<category><![CDATA[contracting]]></category>
		<category><![CDATA[culture]]></category>
		<category><![CDATA[discussion]]></category>
		<category><![CDATA[toorcamp]]></category>

		<guid isPermaLink="false">http://gorrie.org/?p=509</guid>
		<description><![CDATA[<p>Toorcamp was many things this year.</p>
<p>It was fun.</p>
<p>It was uncomfortable.</p>
<p>Dustdevils ate things occasionally.</p>
<p>It was turbulent due to the trouble with Levitate to get hackers to help promote their event for free or they wouldn&#8217;t fulfill their agreement to let us use the missile facility for talks and workshops.</p>
<p>There was some excellent music.</p>
<p>There were fine people in [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://toorcamp.org/">Toorcamp</a> was many things this year.</p>
<p>It was fun.</p>
<p>It was uncomfortable.</p>
<p>Dustdevils ate things occasionally.</p>
<p>It was turbulent due to the trouble with <a href="http://www.levitate.com/">Levitate</a> to get hackers to help promote their event for free or they wouldn&#8217;t fulfill their agreement to let us use the missile facility for talks and workshops.</p>
<p>There was some excellent music.</p>
<p>There were fine people in attendance as it took some dedication and preparation to get out there and stay there.</p>
<p>Enough said about that. I was expecting more problems. More can be found at the <a href="http://wiki.toorcamp.org/">Toorcamp wiki</a>.</p>
<p>My presentation at this Toorcon Seattle area hacker retreat concerned itself with three main points.</p>
<ol>
<li>How to get a job in today&#8217;s market</li>
<li>Identifying the common players and bad actors in today&#8217;s organizations</li>
<li>How I recommend dealing with them</li>
</ol>
<p>I entitled my talk <strong>Hacking HR</strong> in the traditional usage of the word <a href="http://www.iwriteiam.nl/HackerDef.html">hack</a>. I&#8217;ve seen a lot of usage that uses &#8220;hack&#8221; as a synonym for small tips on how to accomplish obvious tasks. This isn&#8217;t how I use the word.</p>
<p>Anyway, let&#8217;s get started.</p>
<p><span id="more-509"></span>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/200907110217.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/200907110217-tm.jpg" alt="200907110217.jpg" width="266" height="198" /></a></p>
<p>There are some really large problems with our industry at the moment, and they&#8217;re not improving. Things are getting worse. They&#8217;re getting more complex. There are people who don&#8217;t understand their complex systems taking bad advice from people who have profit motives that are not aligned to their customers&#8217; best interest.</p>
<p>This is a prescription for bad times and, in general, they are upon us.</p>
<p>Bad times are not without opportunity and there is no time like the present to get started.</p>
<p>This is a talk in three acts (without trying to be overly pompous, just for pacing really)</p>
<ol>
<li>How to get the gig you want against all odds</li>
<li>Identify the common players and bad actors in organizations and my suggestions on how to deal with them</li>
<li>How to effectively change the playing field. Fight bad actors with metrics and data. Change behavior by re-aligning profit motives.</li>
</ol>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.002.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.002-tm.jpg" alt="Toorcamp 09.002.jpg" width="266" height="199" /></a></p>
<p>The current state of the industry is in pretty bad shape.</p>
<ul>
<li>Compliance drives and funds most IT and security efforts which results in ineffective and cart before the horse risk management and security governance programs.</li>
<li>More contractors are empowered and employed instead of FTEs</li>
<li>Hiring managers are less relevant in today&#8217;s hiring and management process.</li>
</ul>
<p>These are huge problems.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.003.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.003-tm.jpg" alt="Toorcamp 09.003.jpg" width="266" height="199" /></a></p>
<p>Get powerfully clued individuals out of contracting/consulting/specialty and into positions where they can make an effective difference.</p>
<p>Empower insiders to make effective change and turn around industry trends of ineffective speciality, ineffective governance, and ineffective outsourcing. <strong>No consultant can be as effective as an insider who is deeply familiar with the environment, business units, and corporate culture.</strong></p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.004.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.004-tm.jpg" alt="Toorcamp 09.004.jpg" width="266" height="199" /></a></p>
<p>The proper mindset. Levity included. There should always be an element of fun in these talks.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.005.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.005-tm.jpg" alt="Toorcamp 09.005.jpg" width="266" height="199" /></a></p>
<p>A quick blurb about me.</p>
<p>Companies that recognize the rewards of a good risk management program, like insurance and sometimes financial organizations, trend better. Usually for everyone else, important matters need to be presented in terms of business risk or opportunity that everyone can understand. Engaging in this discussion is one of the most important and rarely effectively performed tasks for those in our line.</p>
<p>I consider the things that I describe in my talk to be common and pervasive in moderate to large sized businesses in the United States and in places that follow American business’s lead.</p>
<p>My conclusions are based on my career of consulting and long conversations along this line with many of my trusted peers. I&#8217;m confident that you&#8217;ll see things my way. <strong>If you do not and disagree with me, I want to hear from you.</strong></p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.006.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.006-tm.jpg" alt="Toorcamp 09.006.jpg" width="266" height="199" /></a></p>
<p>Act I: Breaking the ice and getting hired.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.007.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.007-tm.jpg" alt="Toorcamp 09.007.jpg" width="266" height="199" /></a></p>
<p>The current state needs to be understood. If you&#8217;ve ever wondered why some people who are not only not good at their role, but <em>really obviously</em> bad at it reached their position, this might help.</p>
<p>How are these bad actors allowed to get into organizations and reap huge rewards from not working towards their employers&#8217; best interests? It&#8217;s because, in large respect, doing the right thing is not what gets rewarded.</p>
<p>The real problem: It is now commonplace that few understand how to effectively manage or hire anymore. The ninjas have been promoted up and away or running their own businesses and the losers have been fired or promoted just enough to make sure everyone else fails. Conflicts of interest are rampant with vendors and are in opposition to their clients running healthy risk management programs.</p>
<p>No one in senior management roles seems to have any clue about technology, and they treat it as a luxury instead of the bedrock on which modern business is performed.</p>
<p>The right people aren&#8217;t rewarded, the right skill sets are not valued and cultivated, and organizations can&#8217;t attract or retain the right people and skill/experience sets they need to run an effective information security program.</p>
<p>Disclosing these methods and interests to the internet in general will, I hope, change the way business is done over time.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.008.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.008-tm.jpg" alt="Toorcamp 09.008.jpg" width="266" height="199" /></a></p>
<p>The first step is getting in the door, so how do you get an edge on that position that you want?</p>
<p>Look them up on social networks. Stalk them and cordially meet them at user groups and professional organizations if you’re really motivated.</p>
<p>Use LinkedIn to get insider contacts and internal intel for the players and the organization you&#8217;re trying to enter.</p>
<p>Use search engines and social network mining for greater impact. <strong>Don’t be shy</strong>.</p>
<p><a href="http://wink.com">wink.com</a> &#8211; Searches on people over social networking sites.</p>
<p><a href="http://pipl.com/">pipl.com</a> &#8211; Basically a people-optimized search engine. It&#8217;ll help narrow down likely results of interest.</p>
<p><a href="http://www.flickr.com/photos/practicalowl/314989744">Image credit</a></p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.009.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.009-tm.jpg" alt="Toorcamp 09.009.jpg" width="266" height="199" /></a></p>
<p>Dress right. Not overdressed. Not underdressed. Example: geeks in suits freak out hiring managers whose “dress up” is cleanest-t-shirt and jeans with least holes.</p>
<p>Be a right-fit. Remove overly qualified statements, degrees, or certifications from your resume. Just because you can, doesn’t mean that you should volunteer information that might make you sound bragging or overqualified. Understated is a good tactic. Be surprising.</p>
<p>Get contact information for those you interview. Consider thanking them for their time and for meeting them. This isn&#8217;t always a good idea, but is a class move if the audience is receptive.</p>
<p>Try not to give up any dealkillers. Don&#8217;t be late. No one cares if there was a traffic accident on the highway. Don&#8217;t have dirty fingernails. Hiring managers have odd dealbreakers sometimes. Try to avoid the common ones.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.010.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.010-tm.jpg" alt="Toorcamp 09.010.jpg" width="266" height="199" /></a></p>
<p>Staffing is about liking you. Jerks can get gigs occasionally, but only if there isn’t a guy who is almost as good that people would like to work with more.</p>
<p>If you&#8217;re going to be an ass in business, you had better have all the answers all of the time to make up for it. It&#8217;s usually a better idea not to be a jerk. It&#8217;ll make you a stand out; a nail to be hammered.</p>
<p>Be known in the community offline and on. Give back. Write things. Contribute. All of these things help.</p>
<p>It would be better to do useful things, but I&#8217;ll bet you can think of some examples of people who have become big deals just for talking to people and being knowledgeable.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.011.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.011-tm.jpg" alt="Toorcamp 09.011.jpg" width="266" height="199" /></a></p>
<p>Ever submit your resume for a position you were qualified for but never heard back from anyone? It might be because someone is screening applications and looking for keyword matches. It happens all the time. It&#8217;s a lousy fit for technology positions, but no one told the human resources industry.</p>
<p>But don&#8217;t overdo it. Tailor it to the opening writeup.</p>
<p>If you don’t know someone specific, don’t use a cover letter.</p>
<p>Have a well formatted and presented resume. A bad resume is almost always a dealkiller.</p>
<p><strong>Follow up. Be enthusiastic.</strong></p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.012.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.012-tm.jpg" alt="Toorcamp 09.012.jpg" width="266" height="199" /></a></p>
<p>So what&#8217;s the problem here? Why doesn&#8217;t merit rise to the top and why don&#8217;t poor performers get culled from the herd?</p>
<p>The simple reason is that when people get together, things get complicated.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.013.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.013-tm.jpg" alt="Toorcamp 09.013.jpg" width="266" height="199" /></a></p>
<p>The recent compliance efforts have not got the job done. Worse, most people, and many in the industry, don&#8217;t know the difference between <strong>effective governance</strong> (to use an overused and frequently misused term) and just making the minimum effort which is <strong>compliance</strong>.</p>
<p>A lot of things were funded because of the big scary compliance bogeyman, but in general it has only created a huge mess of policy, standards, procedures, outsourcing, controls, contracts, vendors, complicated staffing and dependent org charts, and more.</p>
<p>Sounds complicated? It is.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.014.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.014-tm.jpg" alt="Toorcamp 09.014.jpg" width="266" height="199" /></a></p>
<p>..and guess who that is going to be.</p>
<p>It&#8217;s the attendees of this talk and those like us that are going to be tasked with the big cleanup after conventional wisdom comes back around to reality that convenient and magic bullet solutions aren&#8217;t working. It is not going to be pretty.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.015.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.015-tm.jpg" alt="Toorcamp 09.015.jpg" width="266" height="199" /></a></p>
<p>It&#8217;s going to take a lot of work. Things are going to change. Empires are going to fall. Castles built of shifting sand are going to fall into the sea. The current common model is not sustainable and isn&#8217;t doing anything for shareholder value. Eventually that will be what brings things around.</p>
<p>The first step is becoming an insider.</p>
<p>Deliverables from important consulting engagements can be left unread. Without commitment from executives or a board, a risk management or infosec program is toothless and can be ignored.</p>
<p>Insiders have a level of familiarity with business practices and behaviors that consultants and contracting outsiders do not by their nature of short-timers. This needs to be valued and leveraged more than it is currently.</p>
<p>Risk to technology systems often isn’t considered a business risk, but a cost center. The benefits are usually overlooked and not capitalized upon.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.016.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.016-tm.jpg" alt="Toorcamp 09.016.jpg" width="266" height="199" /></a></p>
<p>The root cause here is corporate culture.</p>
<p>There’s a million references out there about why being an agile organization is a good idea. I can only guess at why executive leadership doesn’t make it a bigger priority. The model seems to be worth talking about, but it seems to be rare indeed that anyone wants to take on a difficult job pre-catastrophe.</p>
<p>Two generalized corporate culture examples:</p>
<ul>
<li>American: ready shoot aim aim aim</li>
<li>Japanese: ready aim aim aim aim shoot</li>
</ul>
<p>Selecting a solution to poorly defined or undefined problems and fixing deployments of poor-fit solutions can be very hard. If they can&#8217;t be fixed, they will be very expensive to operationally support.</p>
<p>Metrics bring an appreciation of quality and total cost. Both are lacking. What is needed, and what is usually unavailable, is more apples-to-apples comparison of risk and reward. Cherry picking of statistics for TCO and ROI calculations is rampant.</p>
<p>The RFP process: The low bid is often sizably more expensive than others when total ownership and operational cost is considered. Efficiency and elegance have hidden rewards.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.017.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.017-tm.jpg" alt="Toorcamp 09.017.jpg" width="266" height="199" /></a></p>
<p>Risk management and even assessments are not a quantitative product. They are <strong>qualitative art</strong>.</p>
<p>Specialists, in my experience, tend to have linear and routine thinking in bringing the same approach to every problem. This can yield incomplete answers and piecemeal solutions to complicated problems. Piecemeal means complication, fault intolerance, and expensive operational cost.</p>
<p>Separation or segregation of duties is a good idea and is appropriate often, but that doesn’t mean that there should be a limited awareness of processes and overall architecture.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.018.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.018-tm.jpg" alt="Toorcamp 09.018.jpg" width="266" height="199" /></a></p>
<p>Reasonable people are often scared off from the technology industry. There are a lot of reasons for this and that could be an entirely different talk.</p>
<p>These people are not a significant part of the problem as they can be reasoned with effectively. They&#8217;re out there and I hope you can find them.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.019.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.019-tm.jpg" alt="Toorcamp 09.019.jpg" width="266" height="199" /></a></p>
<p>There are often many solid contributors in successful organizations.</p>
<p>Many of the people I’m about to mention can be effective. I’m going to center on what they’re like when they’re a problem and my take on how to interact with them.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.0201.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.020-tm1.jpg" width="266" height="199" alt="Toorcamp 09.020.jpg" /></a></p>
<p>Put things in terms relevant to their interests.</p>
<p>Look out for their ego measuring contests. Outshining them is a sure way to land in their disfavor.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.021.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.021-tm.jpg" alt="Toorcamp 09.021.jpg" width="266" height="199" /></a></p>
<p>These guys are pretty much irrelevant but common. They are best avoided.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.022.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.022-tm.jpg" alt="Toorcamp 09.022.jpg" width="266" height="199" /></a></p>
<p>They&#8217;re going through a checklist. Give them things to check off and move on to the hiring manager(s).</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.023.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.023-tm.jpg" alt="Toorcamp 09.023.jpg" width="266" height="199" /></a></p>
<p>They want you to sound confident. Very likely to have no idea what you do, why it is important, or how it gets done. They&#8217;re looking for you to speak well and sound like you know what you&#8217;re talking about.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.024.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.024-tm.jpg" alt="Toorcamp 09.024.jpg" width="266" height="199" /></a></p>
<p>Sadly too common with downsized efforts, eroded budgets, and no resources to which they can delegate.</p>
<p>They&#8217;re looking for someone who can work in a vacuum. Sufficiency is what you need here.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.025.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.025-tm.jpg" alt="Toorcamp 09.025.jpg" width="266" height="199" /></a></p>
<p>If you&#8217;re fortunate enough to interview with a ninja, make the most of it.</p>
<p>BS the ninja at your peril.</p>
<p>Come clean. Tell them what you know and what you do not.</p>
<p>Tell stories from the trenches.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.026.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.026-tm.jpg" alt="Toorcamp 09.026.jpg" width="266" height="199" /></a></p>
<p>So if we can’t count on insiders to get everything done because the old clue has been promoted or driven out, who’s left?</p>
<p>The previous slides are all mostly hard workers in their own way. The following are not.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.027.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.027-tm.jpg" alt="Toorcamp 09.027.jpg" width="266" height="199" /></a></p>
<p>Every consultant has worked with this joker.</p>
<p>They can create big problems and large messes of rushed or under-delivered projects that actually have to work.</p>
<p>After signoff, under-baked solutions can be a real operational nightmare. The more complicated and ambitious, the worse the aftermath can be if anything other than ideal.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.028.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.028-tm.jpg" alt="Toorcamp 09.028.jpg" width="266" height="199" /></a></p>
<p>Can be even less interested in the outcome than the all-promises sales guy. Relentless in their “buy our stuff. we’re the best” mantra.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.029.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.029-tm.jpg" alt="Toorcamp 09.029.jpg" width="266" height="199" /></a></p>
<p>When HR doesn’t want to do their job and hiring managers are too busy or not allowed to be involved, the staffing firms soak up a lot of profit by just posting requirements and funneling in bozos.</p>
<p>Getting into a relationship with HR means they can sit at home and capture a significant portion of contractor work effort compensation while adding little (if any) value.</p>
<p>If that wasn&#8217;t enough, they also have a profit motive to place as many people as possible, not to place quality people. <em>Individual</em> headhunters can achieve in extraordinary ways, but staffing firms almost never deliver in this way.</p>
<p>These people are key actors in the not-my-job industry of lazy.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.030.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.030-tm.jpg" alt="Toorcamp 09.030.jpg" width="266" height="199" /></a></p>
<p>More times than not, their goals are misaligned to the organization that is employing them. Very rarely is a consultancy interested in solving problems. There’s no profit motive. They’re interested in an increase in revenue and scope of engagements.</p>
<p>The larger the size of the consultancy, the more likely these practices are to arise.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.031.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.031-tm.jpg" alt="Toorcamp 09.031.jpg" width="266" height="199" /></a></p>
<p>The real magic of the magic quadrant is the ability to get people to pay for the analysis.</p>
<p>Scoped to the average environment in the average business in the average industry.</p>
<p>There is no industry average environment. The best fit for an environment may not be on the leading edge of their wave or quadrant at all.</p>
<p>Yes. You really do have to do your homework.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.032.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.032-tm.jpg" alt="Toorcamp 09.032.jpg" width="266" height="199" /></a></p>
<p>The classical argument of heterogeneous and homogeneous networks and solutions is usually academic; however, interoperability and performance are often misstated or exaggerated.</p>
<p>This individual is the complement to the Industry Analyst. Neither is a replacement for skilled investigation and logical comparison of options.</p>
<p>What is more expensive? A failed implementation following a hasty decision, or a reasoned approach?</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.033.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.033-tm.jpg" alt="Toorcamp 09.033.jpg" width="266" height="199" /></a></p>
<p>My take on how to dig our way out... but first!</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.0341.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.034-tm1.jpg" width="266" height="199" alt="Toorcamp 09.034.jpg" /></a></p>
<p>Compliance is a minimum standard, not a gold standard. It is a checklist.</p>
<p>It is not a risk management program or effective governance.</p>
<p>An auditor&#8217;s background and skill set and that of an information security practitioner very rarely intermix.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.035.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.035-tm.jpg" alt="Toorcamp 09.035.jpg" width="266" height="199" /></a></p>
<p>Harder, Better, Faster, Stronger. This is the way. Always be improving.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.036.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.036-tm.jpg" alt="Toorcamp 09.036.jpg" width="266" height="199" /></a></p>
<p><a href="http://en.wikipedia.org/wiki/CB4">Dead Mike</a> knows what was up.</p>
<p><a href="http://jamphat.com/rap/">Source</a>. <a href="http://www.youtube.com/watch?v=WFY2kJ96jNY">CB4 Video</a>.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.037.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.037-tm.jpg" alt="Toorcamp 09.037.jpg" width="266" height="199" /></a></p>
<p><a href="http://en.wikipedia.org/wiki/Edward_Tufte">Edward Tufte</a> also knew what was up. I&#8217;m told that <a href="http://www.edwardtufte.com/tufte/">his works</a> are amazing.</p>
<p>Metrics are most effective when cheap to collect and immediately meaningful to the reviewer.</p>
<p>This is a difficult but highly rewarding standard to achieve.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.038.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.038-tm.jpg" alt="Toorcamp 09.038.jpg" width="266" height="199" /></a></p>
<p>These were some metric suggestions in order to inspire discussion and interaction during my talk.</p>
<p>Some people were pretty heated.</p>
<p>Some didn&#8217;t believe that scoring candidates was feasible. It was my contention that academic boards had found effective ways to do just that with their incoming student applicants and surely simple quantitative metric data can be gathered.</p>
<p>One attendee mentioned counting spelling mistakes in a resume.</p>
<p>Another suggested that any metric collection can be gamed nearly immediately. I suggested not disclosing the metric criteria.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.039.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.039-tm.jpg" alt="Toorcamp 09.039.jpg" width="266" height="199" /></a></p>
<p>If you have your ducks in a row, it will call attention to those that do not. If this does not happen, call attention to it.</p>
<p>Tell the world! Share your data!</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.040.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.040-tm.jpg" alt="Toorcamp 09.040.jpg" width="266" height="199" /></a></p>
<p>When you can rely on data, you can make effective decisions in the light of day based on something more than arbitrary judgement and gut feelings.</p>
<p>When this is pervasive, FUD will be a thing of the past.</p>
<p>Consultants at large failing businesses are delaying the inevitable unless culture change takes place. The axe man will appear one way or another.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.041.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.041-tm.jpg" alt="Toorcamp 09.041.jpg" width="266" height="199" /></a></p>
<p>Metrics are factual. They are not slander.</p>
<p>&#8220;Oh! Someone might sue you!&#8221; That&#8217;s what corporate retained counsel is there for. Sharing data in a pay-it-forward fashion will make the business community and our industry a much better place nearly overnight.</p>
<p>This is important. This needs to happen.</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.042.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.042-tm.jpg" alt="Toorcamp 09.042.jpg" width="266" height="199" /></a></p>
<p>If you enjoyed this talk, you may wish to look at one of my previous talks about <a href="http://gorrie.org/2007/11/12/itci-2007/">security and compliance metrics</a> (a long talk) or the <a href="http://gorrie.org/2008/04/19/toor08/">added risks of compliance</a> (a short talk).</p>
<p><a href="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.043.jpg"><img src="http://gorrie.org/blog/../uploads/2009/07/Toorcamp-09.043-tm.jpg" alt="Toorcamp 09.043.jpg" width="266" height="199" /></a></p>
<p>Hopefully my sense of humor comes through in this publication method. I attempt to present on issues that I have not heard aired previously in a light-hearted and whimsical way, and only when I feel I can contribute something to the conversation.</p>
<p>Thanks for reading. I&#8217;d love to hear from you.</p>
]]></content:encoded>
			<wfw:commentRss>http://gorrie.org/2009/07/16/toorcamp/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>