Are you a mechanic?

Frequently, technical contractors will get calls from recruiters and there are only two things they are concerned with (and by extension their clients), your technical skill and your hourly rate.   And buried within this two dimensional assessment are the following assumptions:

  • You should be grateful enormous company x is offering any work in this miserable economy
  • Get ready to adjust your rate down to work with us
  • You have to prove your technical skill despite what is on your resume because you just might be liar

The trouble with this standard script is that technical ability alone is insufficient to be successful in either IAM or GRC.  Most IAM people are not mechanics turning digital wrenches.  They are more than bit flippers.  IAM requires superior social skills the so called “soft skills” in order to be successful. In every job I have worked on in the last ten years where they said “we just need a technical person who can get it done quickly” it has been a nightmare.  When I hear that now I say no thank-you.

One of the problems is that recruiters and corporate managers tend to get ahead of themselves, they just assume that if you can prove you have the skills and the money is right you will jump at the job.  However, a technical interview should not be conducted until you satisfy for yourself you can work with them.  Business is more than just tech and they might be liars.  Just because the company is public or well known doesn’t mean they have integrity.

  • Do they pay their bills on time?  If you’re an independent you are not a bank.  Never finance a billion dollar company or one with access to capital.
  • Are they pleasant and professional to work with?  You may need to ask around first or ask to talk to a contractor working there now.
  • Do they have the right budget or is this under-budgeted slam it in work.  If it is you will be the scapegoat.
  • Does the project have management support or they trying to “fly under the radar.”  Another time bomb waiting to go off.
  • Do they do what they say they are going to do?  Missed meetings, multiple re-schedules, consistently late to interviews, slow follow-up are signs of either unreliability, they don’t think much of you or the petty exercise of power.

The foregoing applies if you are not desperate for work, and desperation should not be that you are little nervous about your bills this month.  Desperation is facing foreclosure or repossession.

IAM Business Cases One Step Back

Over the years I have repeatedly heard that security people in general need to produce better business cases, better analysis (as ROI) if they wish to increase their budget.  I have tried to do just that with minimal results.  Recently, I have changed my approach and now believe that the single most important skill that security people can learn is how to pitch their ideas.   It is getting past this first step that is critical.  It’s the domain of social dynamics  and the perception management of value. What is business really about after all?

As IAM practitioners we live in the domain of first order predicate logic, of complex systems and mentally taxing analysis.  When you become an expert in any field, things that were once difficult to understand become second nature.  So when you go before those who control the budget, those who do not understand the vagaries of identity and access management as a discipline, if you come at them with cognitive fatiguing analytical business cases, it’s going to be a lot easier for them to say no (legal compulsion notwithstanding) than to go through the effort of understanding.  Now you may say to yourself, that it is the manager’s responsibility to understand these things and make rational decisions.  That is true without reservation but we all have limits.  If it’s 4:00 PM in the afternoon, and you are mentally tired is it easier to read something about a field you understand or start a course on statistical physics?  The question is not what is more interesting but was is easier (mentally).   We are all cognitive energy conservationists so to speak.

Before I proceed any further, let me be explicit about the assumptions I am making.

  • It is cognitively less taxing to make a decision based on emotion and justify it after the fact with analytical models.
  • People have a cognitive limit to what they will pay attention.
  • People won’t pay attention to things they find boring.
  • Highly technical discussions or complex topics are boring outside of a fairly small group.
  • This group rarely controls the budget.
  • Even if they do, they may be mentally taxed when you present your business case and find it easier to check-out and say no.
  • Even if they find something completely boring, they might pay attention if consequences of failing to do so are severe enough.

Since the foregoing is qualitative, it will never be proven empirically.  And if you think any of the assumptions are false feel free to comment.  If all the foregoing are true or mostly true then stands to reason that before we ever present a business case, we need to persuade first.  And this is where I have consistently fallen short.

Back in February, I began to work with a boutique investment bank focused on the middle market, and as part of getting a better understanding of that business began looking into their formal processes for winning and pitch decks.  In the process of doing the research, I stumbled upon Oren Klaff’s book Pitch Anything.  It was his book that made me realize that business cases are merely the due diligence portion of the idea you are presenting and if you can’t hold the attention of the room, and get them hooked you will never get to that point.   Since I have made the change, my success rate has greatly increased.   Before I was getting blown out 8 out of 10 times.  I have cut that in half and some of those cases I took a pass because I didn’t want to do business with the client.