Book review: The Next Rules of Work

I have known Gary Bolles for decades. Back when I was putting together the first editorial staff for Network Computing magazine, Gary was one of my early hires. He had a curious resume, made even more so by the fact that his father was infamous for the “Parachute” career counseling books. He was a quick learner — so quick that when I left the magazine to start my own consulting business he was my pick to succeed me, and then went on to found other publications and eventually his own consultancy. He has written his first book, and it complements the family business by showing how we have evolved in how we approach work. His thesis is that we are in a new era, where the old rules of pre-learning aren’t sufficient, and we need to become lifelong learners with a deep portfolio of experiences, interests and job-like skills.

Part of the new rules is directed towards managers, who have to transition from being the “sage on the stage” to the “guide on the side.”

Like the Parachute series, there is assigned homework, which is just as annoying as when I read Bolles Sr.’s books back in the day. The model canvas can be found on Gary’s website here.

Most of his book is focused on adjusting three frames of reference for both individuals and the new companies that they work for: Mindset, toolset and skillset. You will need to adjust your mindset to handle what the world needs, what you love and are good at, and what you can actually be paid hard cash money for. The Japanese call this Ikigai. You will need to adopt what he calls “flash problem solving” skills with an ad hoc group he calls the coalition of the willing. This may mean “unbossing” yourself, which sounds scary but millions of gig workers have already succeeded.

Another concept is one that I wrote about last week, how to become a life-long learner and what this means for retirement.

There are a lot more thought experiments and Venn diagrams to illustrate his points. If you are ready to make the jump and sign on to this new way of life, you might find the book a useful manual. Bolles’ book is available on his website, and if you are still unsure you might want to sign up and watch a couple of his classes on LinkedIn Learning ($30/mo).

Avast blog: Here’s how hackers can steal your data using light, radio, and sound waves

Most of us are familiar with the primary methods for moving data into and off of our computers: think Wi-Fi networks, USB ports, and Bluetooth connections. However, there are additional, lesser known ways in which data can be retrieved from a device. An elite group of cyber researchers from Ben-Gurion University (BGU) in Beersheva, Israel, have made it their mission to figure out more than a dozen different ways that bad actors with lots of time can extract information, even if you think your PC isn’t connected to anything obvious.

In my post for Avast’s blog, I summarize these methods and provide some advice on how to avoid these sorts of attacks.

Why we need girls’ STEM programs

Like many of you, I have watched the horrors unfold in Afghanistan this week. There has been some excellent reporting — particularly by Al Jazeera on their English channel — but very little said about one massive and positive change that the past 20 years has seen: hundreds of thousands of boys and girls there have received an education that was previously out of reach. I am particularly glad to see that many students have also gotten interested in STEM fields as well.

I was reminded of something that happened to me nine summers ago, when I was one of the judges in the annual Microsoft Imagine Cup collegiate software contest, held that year in Sydney. By chance, I ended up judging three teams that were all female students from Ecuador, Qatar and Oman. Just so you understand the process: each country holds its own competition, and that team goes on to the finals. That means that the women bested dozens if not hundreds of other teams in their respective countries.

My post from 2012 shows the Omani team (above) and how carefully they branded themselves with red head scarfs (their app was something dealing with blood distribution, hence the color and the logos on their shirts). The Qatari team had a somewhat different style: one woman wore sweats and sneakers, one wore a full-on burka covering everything but a screen for her eyes, and the other two had modest coverings in between those points. It was my first time seeing anyone give a talk in a burka, and it was memorable. All four of them were from the same university, which was also an important point. While none of my teams were finalists, it didn’t really matter. They all were part of the 375 students who made it to Sydney, and they all got a lot out of the experience, as did I.

The reason I was thinking about the issues for women’s STEM education was this piece that I found in the NY Times about the FIRST robotics competition and the Afghan girls team. The story was written two years ago, and pre-dates what is happening now.

The girls were able to make it out of Kabul on Tuesday to Oman, where they will continue their STEM education. But there are certainly many thousands of girls who aren’t so fortunate, and we’ll see what happens in the coming weeks and months. I think many of us are literally holding our breaths and hoping for the best.

One of the reasons for the FIRST girls team’s success was great mentorship by Roya Mahboob, an Afghan expat tech entrepreneur and the team’s founder. She (yes, you might not know that Roya is a woman’s name and is Persian, meaning visionary) isn’t the only one who got behind these girls. If you read some of their own stories, you can see that they had the support of an older generation of women who had gotten STEM education, the “tech aunties brigade” as I would call them, who were important role models. It shows that this progress happens slowly, family by family, as the old world order and obstacles are broken down bit by bit. Think about that for a moment: these girls already had older family members who were established in their careers. In Afghanistan, there isn’t a glass ceiling, but a glass floor to just gain entry.

While there is a lot to be said about whether America and the other NATO allies should have been in Afghanistan to begin with, I think you could make an argument that our focus on education was a net positive for the country and its future. From various government sources cited in this report, “literacy among 15- to 24-year-olds increased by 28 percentage points among males and 19 points among females, primarily driven by increases in rural areas.” This is over the period from 2005 to 2017. And while I couldn’t find any STEM-specific stats, you can see that education has had a big impact. I don’t know if the mistakes of our “endless war” can be absolved by this one small but shining result, but I am glad to see more all-girls STEM teams take their message around the world, and to motivate others to try to start their own STEM careers.

The period of your life formerly known as retirement

I have known quite a few of my contemporaries who are contemplating the next phase of their lives. In April, 4M people quit their jobs.  This used to be called retirement but now we need a better word to indicate more of a transition rather than a choice.  I now think of this differently. No longer is this the time to relax, to travel, to see the grandkids, to take up new hobbies or volunteer work.

This isn’t exactly a new idea. Pablo Casals once famously said that he was motivated to continue to practice the cello in his 90s because he was making progress.

One friend of mine is hyper-organized: he has five volunteer jobs — one for each day of the week to keep himself busy. Others have a part-time job that gives them some flexibility. As to travel — well, we have the virus to change those plans.

Gary Bolles in his first book, called The Next Rules of Work, plots out a new vision for how we relate to work, to jobs, to bosses, and to our lives. You can click here for my full review of his book. My takeaway for this blog post is the changing way we need to approach retirement — no matter what your age is.

For many years now you didn’t have to be receiving Social Security payouts to retire. I know plenty of teachers and military members who began working at age 20, and were able to retire with full benefits when they turned 40, often starting new careers.

When friends ask me if I am planning on retirement, I say no. And this is because I am completely aligned with Bolles’ Next Rules. I consider myself a lifelong learner, and designed my freelance business to ensure that I would always be learning something new about the tech fields that I write about. It wasn’t too hard: I imagine if I was writing about the sporting goods or home appliances businesses I would have a lot less learning to do year-on-year. (Maybe not, but you get my point.)

No matter where you are in your life, you have to figure out how to continue to learn new stuff. When we are working every weekday, we tend to have someone else force us into this learning-as-part-of-the-normal work process. But as more of us become gig workers, we have to create these situations on our own, and that is the manual that Bolles has constructed.

You could build it in, as in “if it is Tuesday I volunteer at X,” the way my friend does. Or you could have other mechanisms that force the learning, such as a book club (where the group actually does read the assigned books), or a travel schedule (if we can ever get back to that again), or something else that forces you out of the house so you aren’t locked into daydrinking/Netflix bingeing cycles. Of course, for some of us that just may be an intermediate goal, which is fine.

So if you aren’t happy in your current job, think about making this transition to becoming a life-long learner. Don’t wait until you reach your 60s.

FIR B2B podcast episode #149: Cutting out the middleman in B2B PR

For years Paul and I have used Help A Reporter Out. The service — now owned by Cision — aims to eliminate the gatekeeping middleman role of corporate PR, and put sources directly in touch with the journalists that want to quote them. HARO, as it is known, has been less useful as of late, but there is a new, venture-backed startup called Qwoted that is making some important inroads. We spoke to its CEO and co-founder, Dan Simon. He told us Qwoted had close to a thousand inquiries last month and is growing. The service has a free tier (individuals can make three monthly requests, agencies five) and a paid tier.

Qwoted flips the PR paradigm on its head by letting journalists initiate the conversation and cutting out the need for pitches.

Simon has lots of pointers to help PR and marketing staff get the most out of his service. He is deeply steeped in the field, having been president of Cognito, a New York financial services agency, among other roles. Simon recommends that you use the tools he provides to search on previous successful match-ups and examine the job titles more carefully, as well as to fill out the profiles to make your expertise more transparent and compelling.

You can listen to our 16 min. podcast here:

Speech: Using NetGalley to Promote Your Self-Published Book

One of the best ways to promote your book is by reaching new readers with pre-release copies, and thanks to a service called NetGalley, you can add this to your toolbox.

I have been using NetGalley as a reader for the past several years: the idea is that I can read new books that interest me for free, provided that I review them and post my reviews on Amazon and other book selling sites. In this presentation, I will show you the author’s point of view. Yes, it does cost to make your pre-release “galleys” available—but the fee is a very reasonable $450 per book, or $200 if you are a member of IBPA. In this presentation, I will show you how NetGalley works, what kinds of books are best for the service (including audiobooks) and the best time to take advantage of it as part of your book marketing efforts. 

This speech will be given to the St. Louis Publishers’ Assn September 8.

Here is a copy of my presentation slides

Two new posts on cybersec certifications advice from Infosec Resources

Figuring out your appropriate certification program isn’t easy and involves almost as much studying as preparing for the certification exams themselves. But these programs can have big payouts in terms of job advancement, increases in responsibility and salary. I wrote two posts for Infosec Resources.

In our first post, we presented the issues a manager should consider in building a training program for their company. Training budgets tend to be the first ones to be cut in any economic downturn and often don’t get fully funded even when the economy is improving. But training can also have a significant impact on an enterprise: it can increase the pool of available skills, help pave the way for a department to take on new challenges, improve morale and create a sense of purpose for workers. In this first post, I talk about some of the benefits of training and ways to measure them, explore some of the costs, and cover the four different modalities that you can use to design your own training program.

In the second post, I explore the benefits and costs from the individual’s perspective and what you should expect from a certificate program and how to evaluate a program. This post also has a handy comparison chart that shows your costs and other considerations from the major infosec certs.

Nine ways to improve your business cybersecurity

Two new reports show the dismal state of cybersecurity across US federal government networks. First is this report from the General Accounting Office, which found hundreds of its earlier recommendations haven’t been implemented by numerous federal agencies. While there has been some progress since it last reviewed these procedures, much work remains to secure our federal systems.

More recently, this report from the Senate Homeland Security committee is now out. Despite years of warnings, federal agencies such as the State, Education, Agriculture and Health and Human Services departments have not established effective cybersecurity programs or complied with federal information security standards. We all knew that the feds were lax when it came to implementing better cybersecurity practices, but the lack of many basic security practices is alarming.

Here are nine things that most federal departments don’t do and that your company should implement.

1. Maintain an accurate and current IT asset inventory, including apps and OS versions. Do you know where all your critical apps are, and who is responsible for them? How about where outdated systems (Windows XP anyone) still live and lurk? If you don’t know, you will need to find this out, and the sooner the better.
2. Patch quickly and constantly stay up to date with patches. Microsoft issues patches weekly on Tuesdays. Adobe is also generous (ahem) with its patches. But you need to get into the regular habit. Some major cyber attacks happened because businesses — some very big ones at that — took a couple of weeks to get around to applying them. (Remember WannaCry?)
3. Know your risk factors and assess them regularly. I have written lots of articles about assessing risk, including this one for CSOonline. The key word in this task is being regular. If you are running an online business, your applications are continuously changing, and that means you need to audit these risks and ensure that something isn’t missed. The GAO report found that “while many agencies almost always designated a risk executive, few had not fully incorporated other key risk management practices, such as establishing a process for assessing agency-wide cybersecurity risks.”
4. Do you track unauthorized users’ access to your systems? It is a simple yes or no answer, but often we don’t know enough to be sure. So many attacks happen because the bad guys have gotten into our networks months ago, and had time to mess around with things before we found evidence of the intrusion.
5. Have you implemented any multi-factor authentication methods? One way to shore up your access is to use MFA. This is gaining traction but still far from universal, whether that be inside government or out.
6. Do you protect your personal identifying information (PII) and do you know when you don’t? It is important to first understand where you can find your PII, who has control over this data, and who has control over protecting it.
7. Do you have a CIO, or does anyone in that role carry the authority to fix any of the above problems? While many small businesses don’t have budgets to hire a full-time CIO, someone has to take on the job — either inside the company or as a consultant. Make sure the authority to make improvements is also part of the job.
8. Do you know your IT supply chains well enough? The recent ransomware attacks have shown that many businesses haven’t developed any procedures to ensure that they are protected from these sorts of attacks.
9. Have you read and implemented the NIST standards docs? What, you don’t know what I am talking about? Back in April 2018, the National Institute of Standards published its Framework for Improving Critical Infrastructure Cybersecurity. Speaking of improving supply chains, another NIST document is worthy of your attention — it lists a bunch of mitigation measures for this particular scourge. While a lot of both documents is written in government mumbo-jumbo, the basics of how businesses can reduce the risk of cyber attacks are all spelled out.

Good luck with improving your defenses.

How hate can fund a video streaming career

When I last checked in with Megan Squire, a computer science professor who specializes in tracking online hate trends, she was looking at the far-right users of various messaging services. Last month she presented this paper about how this group has taken advantage of the DLive streaming video service to solicit donations and spread their horrible videos. Some of the Jan 6 Capitol rioters used DLive to broadcast their attack and exploits.

Unfortunately for these users, DLive also has a very robust and public API that allows researchers to track the flow of funds through their platform. Squire was able to examine the accounts of more than 100 different users, half of them active streamers and the other half either large-ticket donors or others of interest to her work. Some of these streamers can make $10k in a typical month in donations, providing these political extremists with a way to obtain regular income. While most of these funds come from these donors, there are also funds that originate from lots of followers. These donations usually happen during the live broadcasts when the viewers purchase “lemons” (the built-in platform currency).

She mapped the community into this network graph shown below. You can see the pink nodes that are the streamers, and the graph shows a very fragmented audience. The streamers mostly have their own and separate fan clubs (if you analyze their donors who give them at least $120). The cluster marked B in the diagram is an affiliated Proud Boys account and the C cluster represents the activist Peter Santilli. Both Santilli and members of the B cluster are facing various criminal charges.

Now, Squire admits that finding these alt-right streamers wasn’t easy, and that they are by no means representative of the larger DLive community, most of whom are focused on online gaming. Since the January riot, the platform has taken steps to remove these streamers and to cooperate with law enforcement on subsequent illegal usage.

Still, while they were allowed on DLive, many of her streamer subjects have made substantial incomes from their narrowcast supporters. I am sure they have found other online platforms to spew their messages of hate.

If you don’t have time to review Squire’s paper, you can watch a short 10 min. video where she walks you through her research. She hopes that by shining a light on these activities, other researchers will be encouraged to examine other online platforms that have public data.

Avast blog: An Ugly Truth: A book review

New York Times reporters Sheera Frenkel and Cecilia Kang have been covering the trials and tribulations of Facebook for the past several years, and they have used their reporting to form the basis of their new book, An Ugly Truth: Inside Facebook’s Battle for Domination. The book is based on hundreds of interviews of these key players and shows the roles played by numerous staffers in various events, and how the company has acted badly towards protecting our privacy and making various decisions about the evolution of its products. Even if you have been following these events, reading this book will be an eye-opener. If you are concerned with your personal security or how your business uses its customer data, this should be on your summer reading list. The book lays out many of the global events where Facebook’s response changed the course of history.

My review of the book and some of the key takeaways for infosec professionals and security-minded consumers can be found here.