2010 PMF Program Opens Today
The 2010 Presidential Management Fellows program is accepting applications starting today, October 1, 2009. Applications will be accepted through midnight, October 15, 2009. The job announcement is on USAJOBS.
For more information about the program and how to apply, check out my blog post, or go to the PMF web site.
If you do apply, why not stop back by and share your thoughts and questions? I’ll be happy to help in any way I can, and a number of my readers might also have some information to share.
On Universal Ethics
I just finished Coyote Horizon by Allen Steele. It is the fourth book directly in the Coyote series of space colonization novels (so it’s sci-fi). While in the rest of the series the author engages in the occasional philosophical musings, they are nonetheless quite a bit lighter in tone, despite the drama and tragedy that you can only assume would follow human colonists to another planet. In Coyote Horizon, however, Steele holds no punches and assails religious mythologies head on. What he uses is something intended to serve as the primary system of beliefs shared by all the starfaring races of the universe. The form of this system (referred to as a higher code of ethics called Sa’Tong) dispenses with the mysticism of religious trappings and instead boils down such dogma into logical constituent parts, of which there are five (each is called a Codicil).
Now, I am going to list the text of them here, and my intent is to solicit and offer commentary on what they represent. To help frame your thoughts, let me describe the context in which I present them.
Given that humans are not the only beings in the universe capable of interstellar travel; given that the evidence for a divine power/creator appears to preclude its existence; and given that this life is the only one any such being gets (that is, no reincarnation, and no afterlife); construct what will most likely pass as a universally agreeable system of beliefs to guide the behaviors of all such beings.
There is, of course, one more thing I have to mention. Since we have not yet discovered alien life forms, we can only speculate about what form they will take. It is quite conceivable that their level of sentience and awareness compared to ours is in the same proportion ours is to an ant or even a bacterium. If that were the case, communication between us and them would probably be impossible. Nevertheless, let’s assume for this article that all beings capable of interstellar travel have awareness and sentience that is roughly on par with our own, or at least compatible in some way.
The establishment of “intelligent” life across the universe would indicate that humans, while potentially unique as a species, are not unique in the intelligent life sense. Thus we can surmise that any spacefaring beings would have gone through stages of understanding not unlike our own. Emerging into early “consciousness” they would have struggled to make sense of the world around them. Their limited understanding at this point would force them to seek explanations to fill the gaps in their knowledge, and thus would be born their various religions. Simultaneous with emergence into consciousness is a continuing trend from earlier points of their evolution: cooperation and altruism, wherein the group is rewarded (success in evolution occurs by achieving greater reproductive success) for playing nicely together and creating win-win situations out of non-zero-sum situations. Religions would have served both to explain the universe and to reinforce the cooperative/altruistic behaviors that increased the species’s reproductive success. Unfortunately, those same religions can be usurped for militaristic purposes, especially in cases where the game has become zero-sum (like when scarce resources mean that only some members of a species can eat), and when the dogma of such religions creates differing societal classes (the chosen/saved/enlightened, and everyone else). So this is the path down which evolutionary processes would have led the ancestors of pretty much any spacefaring species. Their religions would have asserted (since space is big, and it’s hard for two intelligent species to meet in the short term) that they were unique in the universe, that they were created as special creatures, and possibly that the universe was created just for them (such hubris!). And they would have been able to hold on to those beliefs indefinitely if they had never met any other spacefaring species.
But a funny thing tends to happen as these species develop more sophisticated instruments for studying the cosmos: they begin to understand the limitations of their religions for explaining the universe, and this, coupled with first contact, might cause them to eventually abandon the mystical dogma in favor of something more logical. Since their religions have been teaching them certain kinds of lessons on cooperation, they are already equipped with instructions that are inherently compatible with those held by other species.
Thus the form of a universal system of beliefs (I hesitate to call it a religion since there are connotations to religion that are not appropriate or even necessarily communicable across species) might have the following characteristics.
1. Self-deification to establish the supreme importance and specialness of “sentient” life forms. This also distances a species from its reliance on an external supreme being.
2. Recognition of the deification of others; this requires some form of the Golden Rule, which has been emphasized as a characteristic of every human religion surviving today (it makes sense in the context outlined above).
3. Moral code that follows from understanding and accepting the first two characteristics. If there is no god and no afterlife, then how we treat one another becomes the most important consideration.
What other characteristics can you think of?
Steele, in Coyote Horizon (142), presents us with a set of five codicils, truths that speak to the best possible set of behaviors that mindful sentient beings can exercise in their dealings with one another, regardless of species.
1. You are God, for God is the creation of the self.
2. If you accept the first principle, you must also accept the fact that everyone else is God, and therefore must be treated as such, with the same amount of reverence and respect.
3. In order to obey the second codicil, you must never take any action that will harm others or yourself.
4. Likewise, your inaction must not lead to the harm of others or yourself.
5. Wrongful acts must be atoned with righteous acts of equal or greater proportion.
As you can see, these five principles can be distilled from just about every human religion, and it’s not too incredible to discover that omnipotent gods are unnecessary if the best possible set of behaviors can be so readily gleaned from them. What sort of civilization would we have if we could all embrace these tenets? What kinds of art, scholarship, prayers and rituals might support them? Are they even achievable?
Leveraging Web 2.0 and Social Networking for Talent Acquisition

My Social Network by luc legay, used without permission according to CC Attribution-Share Alike 2.0 Generic license.
Many companies are just beginning to explore ways to leverage Web 2.0 and social networking technologies for a host of goals. Among these are the typical ones: brand management, driving product awareness, marketing, etc. These are all good uses of these technologies, insofar as some of the largest companies have already adopted them and somewhat proven their worth. But these technologies can also be useful in talent acquisition, especially in situations where frequent communication is crucial. I included the generic Web 2.0 label because some of the things I discuss have yet to be implemented by a good percentage of companies, regardless of whether the technology is available to them (it is trivial enough to build that it might as well be readily available). Specifically, I am talking about the exchange of structured information between machines either with no direct human interaction (more Web 3.0 than 2.0) or only set in motion by one act of human interaction. The form this would take could be RSS (which is what I will discuss), or it could be anything else that can be dreamt of. Specific social networking technologies in this case include Facebook, Twitter, and blogs, but I am certain that cooler and better things are in store for us within the next 3-5 years, so take this for what it’s worth. The point, despite my reliance on specific implementations, is to point out larger patterns of behavior that companies can and should adopt to reach candidates.
One final disclaimer before we move on: If you are a company who has considered this in the past but decided against it, you may have come to the conclusion that, because you don’t specifically target a certain demographic (in this case divided along generational lines), your job listing site does not need features geared toward a small segment of the population. I am here to tell you that your conclusion, though seemingly sound, is baseless. As a manager, there is a good chance you are at least Generation X, but probably a Baby Boomer. These generations both started cycling through a workforce largely composed of Baby Boomers (~80 million in 2005), who by many accounts outnumber Gen X by at least 2 to 1 (20-40 million). Because of this (and at the risk of veering into gross generalization), workplace norms were set somewhat democratically by the larger group, the Baby Boomers. But as we all know, the oldest Baby Boomers have already reached retirement age, and while a number of them have put off retirement in light of the larger economic situation, the fact remains that they will not stay in the workforce forever. Gen X is a fixed size, and it’s comparatively small. Those who are entering the workforce now are Gen Y/Millennials and beyond, and Gen Y alone is nearly the same size as the remaining Baby Boomer generation. This means several things, of course, especially in the context of this article. First, we have a situation where workplace norms have a possibility of being shaped, not by the preceding generations, but by the succeeding ones. Second, these younger generations grew up on technologies that the previous two generations have had to adopt (they are so-called Digital Natives). The second factor alone shapes their expectations of what companies should be like, and this includes how they conduct themselves online.
If companies do not behave in ways that are predictable and familiar to these younger generations, especially in the area of recruitment (although this is just the tip of the iceberg; I will have to write a follow-up on how companies can engage and retain the younger workers), then they risk losing some great talent to companies that “get it.” Now do I have your attention? Read on.
Intuitive Search, Listing, and Sorting
While not *strictly* Web 2.0 in their own right (and certainly not social networking in any sense of the phrase), these three elements represent some of the lowest hanging fruit available to companies looking to appeal to, well, anyone. What I am saying is that improvements in this area do not require any generational understanding; nearly everyone who has had to look for a job can appreciate being able to understand intuitively how to find what they are looking for on a site. Some of the concepts of Web 2.0 can be applied to this, however, mostly in the form of sorting, à la AJAX-ified results listing and RSS. Just as important is the ability to search open postings for specific things, including keywords, locations, and salaries (and for those of you who don’t post salaries with your positions, you should realize you are turning away candidates who have too little time to sift through listings that lack enough meaningful information; perhaps another follow-up is in order: a candidate’s view on how to write job listings). Most everything in this arena can be made more responsive through AJAX, but intuitive searching can also be highly innovative. Given the number of web-based APIs in existence, it’s not hard to conceive of some interesting visualization tools that could help candidates narrow down their searches. For instance, if you plotted all of your job listings on a Google Map, candidates could zoom in to a particular location; further, you could leverage Google’s geocoding features to vastly improve your location-based search capabilities. For structured, well-understood data, utilizing such interfaces is mind-numbingly simple (well, if you’re a developer this is easy; for everyone else, if you can grasp the concept, you’re halfway there). In the area of listing, it is not enough to simply present a mega list of job openings (even if you can search them).
Many candidates appreciate the idea of not having to manually re-enter their successful search queries each time they go back and visit your site. Older (read: dated) solutions involve setting up push-based job agents that email matching results to the candidates. This has a number of drawbacks. First, people change email addresses frequently enough that companies spend a portion of their outgoing bandwidth generating emails that either bounce or pile up in unchecked accounts. Second, sometimes people forget that they signed up for email notifications and subsequently mark those communications as spam. All it takes is a small percentage of an email provider’s users reporting the mailings as spam before either the messages are auto-flagged (and sent to spam folders) or the email provider simply blacklists the sender (imagine what such a disruption can do if you are running a high visibility email campaign). A partial solution is to allow candidates to subscribe to an RSS feed of their customized search results. If you want to know what this looks like, take a look at Craigslist and Indeed.com for inspiration; they’ve been offering this for quite some time now.
New Supporting Behaviors
- Improve responsiveness of your site by always using AJAX where it makes sense. Searching and sorting grids of information are perfect uses for AJAX.
- RSS-ify anything on your site that continually updates, such as company news, job listings, and special announcement sections. Also, allow for custom job searches to be encapsulated in RSS so people can save them off and let their feed readers do the work.
Streamlined Registration and Application
A candidate’s online experience while applying for a job will determine his or her willingness to come back to the site. One of the most frustrating things you can present to job applicants is a cumbersome form that they must fill out to complete their application, especially if you’ve already allowed them to upload their resume. Even if they only have to go through the process once, it can be just daunting enough that they give up entirely. Instead of making them spend all that time structuring their skills and experiences in some format you believe your mining operations can read, why not take the semi-structured data they’ve already provided (or at least probably have on hand)? Applicants have already spent time on their resume, and much of the data is already structured (in fact, if you aren’t aware of it, it can be reduced to a standard specification known as HR-XML). Technologies to parse and leverage resume data have improved in the last decade, and with refinements of semantic ontologies like HR-XML and improvements in text mining, there is no reason that we cannot achieve near-perfect parsing and matching capabilities within the next decade. As it stands, such technologies are GOOD ENOUGH for the purpose of populating a candidate profile with job history and education information. They should be used whenever possible. In fact, the process of registering an account can also be reduced, since the rest of the information can be gleaned from a typical resume. The goal here is two click registration (register, submit) with a minimum of information collection (email address, desired password, password confirmation, and that’s pretty much it), followed by essentially two-click profile generation (OK, so it takes more clicks to go through the resume upload process, but that’s the easy part; the two clicks I am talking about are parse resume followed by submit after a review ensures that the fields were parsed correctly). 
Reducing the amount of effort involved in these two steps will save applicants enormous amounts of time while providing you with structured and actionable resume data. After the ease of registering and generating a profile, the next step is to streamline the actual application process. Assuming it’s been easy for the candidate to find a job that matches (and this can also be achieved through resume parsing tools, although it remains to be seen whether the various methods are actually any good; the alternative is to roll your own), the goal for application is essentially 2-4 clicks (again I am talking about the actual continue or submit buttons on the web page; the clicks are: apply, submit reviewed profile, submit answers to optional questions, including EEO information and, if you need it for some reason and routinely collect it, SSN or other identifier). And that’s it. I feel compelled to note again that many of these goals are achievable without the use of any specific Web 2.0 technologies, and none of them rely on social networking.
New Supporting Behaviors
- Institutionalize the understanding that the application process is not a test of an applicant’s patience and perseverance. Treating it this way risks disenfranchising otherwise qualified candidates.
- Design your application process (and the code that drives it) so that your kids or grandkids (teenagers) can use it with no coaching or instruction. While Web 2.0 largely describes the technological paradigm supporting collaborative communication and web experiences, some of its hallmarks include intuitive and easy forms and simple registration (often AJAX-powered).
- Rethink what you know about resume parsing and realize that it can improve your chances of sourcing high quality talent.
Keep the Updates Coming
Have you ever submitted a job application to a company, only to have it “disappear” into a veritable black hole, with no information about the status of your application? Then this item will be important to you. Quite often, business processes built around paper fail to translate into the on-demand environment enabled (or demanded) by the Internet. Before the Internet, job applications were handled only on paper, collected at job fairs or delivered by hand (or mail, or fax) to the human resource office for processing. Applying was, if not exactly easy, at least not more cumbersome at one company than any other. Providing applicant status, on the other hand, especially for postings that generated a great number of applications, was time consuming and therefore expensive. In fact, the old paper applications generally stated that candidates would only be contacted if the company decided to move forward with an interview (actually many online job postings still say this, but that’s only because the Internet has also increased the reach of a typical posting). Because the Internet has increased the number of applicants that submit to any given job, one might think that the challenge of providing status to applicants has also increased. But one thing the Internet is really good for is communication. One might say it was built for just that purpose (it was). The snark here is intended to emphasize something: we already have great tools at our disposal to let our applicants know what’s going on, so why not use them? Like job agents and custom RSS feeds for job listings, these approaches also suffice in alerting candidates that something with their application has changed. We can (and often do) email candidates when any change occurs in the application process (including at the point of application submission), but I’ve already discussed the perils of relying on email as a sole means of providing any information to candidates, so the same applies to applicants.
In addition to email, applicants should be able to see, at any given time, the entire history of their job applications and the full history of the status changes on those applications. Also, they should be able to get this in an RSS feed (these can be authenticated, so no worries about exposing account access). The goal here is that applicants know, through multiple approaches, exactly where they stand on any given job application. Don’t just email them and consider it done.
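The per-applicant status feed described above, as an added example that is not code from the original post. It assumes a constructed status history and a server-held signing key; the feed URL carries an HMAC-derived token (one way to "authenticate" a feed for readers that cannot log in), and the token is checked in constant time before any history is serialized.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from email.utils import format_datetime
from xml.etree import ElementTree as ET

# Constructed for this example; a real deployment loads this from a secret store.
FEED_SIGNING_KEY = b"example-feed-signing-key-do-not-reuse"

# Constructed sample data: the full status history of one applicant's applications.
SAMPLE_HISTORY = [
    {"application_id": "A-1001", "job_title": "Systems Analyst", "status": "Received",
     "at": datetime(2009, 10, 2, 9, 0, tzinfo=timezone.utc)},
    {"application_id": "A-1001", "job_title": "Systems Analyst", "status": "Under Review",
     "at": datetime(2009, 10, 5, 14, 30, tzinfo=timezone.utc)},
    {"application_id": "A-1007", "job_title": "Web Developer", "status": "Received",
     "at": datetime(2009, 10, 6, 11, 15, tzinfo=timezone.utc)},
]


def feed_token(applicant_id: str, feed_version: int) -> str:
    """Derive an unguessable, per-applicant feed token. Incrementing feed_version
    (e.g. when the applicant asks to reset the feed URL) invalidates every old URL."""
    msg = f"{applicant_id}:{feed_version}".encode()
    return hmac.new(FEED_SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def token_is_valid(applicant_id: str, feed_version: int, presented: str) -> bool:
    """Constant-time comparison so timing does not leak how many token bytes matched."""
    return hmac.compare_digest(feed_token(applicant_id, feed_version), presented)


def build_status_feed(applicant_id: str, history: list, base_url: str) -> str:
    """Serialize the status history as RSS 2.0, newest change first."""
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = "Application status updates"
    ET.SubElement(channel, "link").text = f"{base_url}/applicants/{applicant_id}"
    ET.SubElement(channel, "description").text = "Every status change on your applications"
    for event in sorted(history, key=lambda e: e["at"], reverse=True):
        item = ET.SubElement(channel, "item")
        ET.SubElement(item, "title").text = f'{event["job_title"]}: {event["status"]}'
        ET.SubElement(item, "link").text = f'{base_url}/applications/{event["application_id"]}'
        ET.SubElement(item, "pubDate").text = format_datetime(event["at"])
        # A stable guid per (application, status, time) lets feed readers de-duplicate.
        guid = ET.SubElement(item, "guid", isPermaLink="false")
        guid.text = f'{event["application_id"]}:{event["status"]}:{event["at"].isoformat()}'
    return ET.tostring(rss, encoding="unicode")


def serve_feed(applicant_id: str, feed_version: int, presented_token: str,
               history: list, base_url: str):
    """Return (http_status, body). A bad token yields 404 rather than 403 so that
    probing feed URLs does not confirm which applicant ids exist."""
    if not token_is_valid(applicant_id, feed_version, presented_token):
        return 404, ""
    return 200, build_status_feed(applicant_id, history, base_url)


if __name__ == "__main__":
    token = feed_token("applicant-42", 1)
    status, body = serve_feed("applicant-42", 1, token, SAMPLE_HISTORY, "https://jobs.example")
    print(status)
    print(body)
```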
New Supporting Behaviors
- Email is good, but it’s not the only way people like to get one-way communications. In fact, it might be inefficient to rely on it, so you might as well get used to the idea that email has been reduced to merely one (as opposed to the primary or even preferred) option in the average user’s inventory of communication tools.
- Modernize your business processes to provide applicant status; paper applications are going away, and your business processes should reflect that. Again, you can test out your methods on your kids or grandkids. If they can’t figure it out, then you need to change it.
Speaking of Updates, Let’s Go Social
Lest you think this article is simply buzzword hyping with no substance, we can finally approach the idea of social networking. Of course, I realize that the term has no fixed meaning, but it does convey an idea, and there are three particular platforms that embody its spirit (ok, one is a type of platform): Facebook, Twitter, and blogs. Once again, I should mention here that I am not telling any company to use Facebook; instead, I am suggesting patterns of behavior by which the tools LIKE Facebook become natural extensions of the company, and not just for marketing and brand management purposes. If you’ve already embraced the concepts outlined above, then you have nearly bridged the gap to what it will take to embrace social networks. For instance, it is not a giant leap to move from the idea of providing RSS feeds of job listings to the idea of pushing those same listings through Twitter (reformatted for 140 character limits, of course). If you don’t post a large number of listings in a given day, this can be effective. If you do post lots of jobs in a day, you could still use Twitter, but you have to do so without overwhelming subscribers (100 new postings in a day will be ignored). One way of achieving this is through the use of hash tags (#) for the job category or field (like a subject line). In case you don’t want the hassle of publishing each job to Twitter with its own hash tag, why not enable others to share your job postings to Twitter and other sites (Digg, Facebook, Reddit, Slashdot, you name it)? Easily employed tools already provide this functionality, so all you have to do is provide the content. Will job listings be as popular as snarky news stories and tech/celebrity/general gossip? No, but just because companies aren’t doing this on a large scale doesn’t mean there isn’t potential. 
Some candidates will appreciate the ability to remix your postings, commenting on them and drawing awareness to them (sometimes this is good, and sometimes it’s not; also, be prepared to give up some of your operational secrecy if you make it easy for people to analyze your recruiting trends). For the lower traffic options, you should also be prepared to use Facebook as a recruitment tool; making information about job fairs, hiring trends, and general thoughts about your company’s evolving goals available to the public through media they already use will engage your potential talent pool and allow you access to talent that may have had no interest in your company otherwise. Note that blogs can serve the same purpose, although they are better at general purpose news and identity management in this case.
New Supporting Behaviors
- Why stop at email and RSS, when you can leverage a number of well-used and proven technologies to beam your job listings far and wide? Realize that increasing your access to talent is the only way you will be able to compete in an information economy.
- Analysts (and even competitors) will be able to make reasonably accurate conclusions about your operational goals based on analysis of your job listings, but if you are already posting online, they can do that anyway. Social networking just makes it easier, because the data is collectible in standard formats.
- Realize that the genie is already out of the bottle on social networking; get on board or risk becoming irrelevant (I don’t guess I need to tell you how becoming irrelevant could be detrimental to your succession planning goals and ultimately the success of your company).
When I Said Social, I Meant SOCIAL
You see, the last section was only the beginning, and it’s representative of what some companies are doing NOW. One thing companies have avoided to date has been true two-way communication through social networking sites. There are Good Reasons for this, but in my opinion they are not good enough. By the time the Post-Millennial generation enters the workforce, most of the rest of us will have spent that generation’s entire life to date adopting social networking technologies, and the demands on companies to follow suit will only rise. At present we only have glimpses into what such technologies will settle into in the next few years, but they are compelling ones. For one thing, the ability to comment on pretty much anything is growing more ubiquitous every day. Blogs? Check. Twitter? Check (through re-tweet and @user conventions). Facebook? Check. I see a near future where users can comment on just about anything posted on the Internet (and indeed, this is already possible in limited manners by, for instance, submitting links to Digg, posting them on Facebook, or posting their tinyurl in a Twitter post; all of these allow others to comment on what was posted). One reason for companies to avoid this is to keep negative and/or uninformed comments away, but my suggestion is to let them have their say where they can be addressed directly and corrected (and, if the comments are abusive, deleted). Another thing that will emerge is the ability to moderate anything. Again, look at Digg, Slashdot, and Reddit for this, as well as rating and ranking systems like those provided by Amazon and Netflix. This encourages people to participate, because not everyone will have to come up with witty and insightful comments to do so; they can instead vote for comments and postings that they found particularly helpful.
New Supporting Behaviors
- There will be trolls (that is, abusive commenters). Do not feed the trolls (by arguing with them); most of the time they will disappear if you simply ignore them or limit the damage they can do.
- Learn to handle two way communication without revealing company secrets and without making every posting sound like a press release. This can be a fine balance, but building a community of active voices around your company can provide an excellent opportunity to source top notch talent.
- Produce compelling (but honest) content, especially if you want your job postings to serve as something besides obligatory public notice and are truly interested in engaging potential sources of talent before they become candidates.
Conclusions
There is a vast repository of Web 2.0 and social networking tools available for companies to leverage if they want to engage their talent pool in the overall recruiting process. By applying these to your site, you can broaden your appeal to younger workers and widen the net for great talent, and let’s face it: with the oldest Baby Boomers on the verge of a mass retirement (just as soon as the economy improves), you can’t afford to wait on this. It will take new patterns of behavior that are perhaps unfamiliar to your company, but by embarking on this path, you will ensure that the stage is set early for succession planning through the Post-Millennial generation and help ensure your company’s long term viability.
On Web Filtering by Employers
If you’re like many employers, especially the federal, state, and local government kind, you may have in place technological measures, including web filtering (content and destination based) and port blocking (to keep certain kinds of programs from operating correctly) to curb casual internet use by employees on the job. And just like every one of those employers, you have some grand vision of how these will keep people productive, prevent network bandwidth strains, and protect your critical networks from malicious infection and your data from unauthorized disclosure. In this article, I will outline some of the many reasons why these are not incredibly efficient and in some cases do at least as much harm as good.
Before we get started on the reasons why such measures are doomed, let’s take a look at some of the possible reasons why employers implement them in the first place.
- Casual surfing/chatting/internet use is seen as a drain on productivity.
- Unrestricted internet use opens the company to liability for things like copyright infringement, illegal activities, or any other set of unsavory or disreputable things.
- Users are going to watch YouTube videos and stream internet radio, leaving no bandwidth for actual job related traffic.
- Unknown and unauthorized internet programs can expose confidential data and risk the introduction of malicious software including viruses and spyware.
Next let’s take a quick look at what measures are usually employed to tackle these risks.
Web Filtering
Ranging from simple domain restriction to real time traffic or content inspection (read: cheap to expensive), web filters attempt to shape the Web that employees can access according to the employer’s values. Most companies (rightfully) agree on not wanting porn on their networks, so that’s the first thing that gets blocked. Next up are bandwidth hogs such as streaming radio, music download sites, streaming video sites, and the like. Time wasting sites such as certain kinds of humor sites and personal email often follow. Finally, sites that provide instant messenger programs are also usually included. This isn’t a comprehensive list, but it illustrates the kinds of things proxy server administrators look for when evaluating sites for inclusion on a list.
Web filtering technologies run a whole range of cost and feature sets, but in general, the less sophisticated the filter, the cheaper it is. These are almost always employed as proxy servers that dictate what traffic may pass to requesting hosts (as opposed to the kind that simply makes certain web browsing faster by caching frequently requested data). Simple ones manage a list of blocked domains and IP addresses (blacklist), but do not have the ability to inspect incoming and outgoing content. Simple proxy servers and firewall software can be obtained free of charge as open source software, so they represent the cheapest of the web filters. More sophisticated filters can do what the less powerful ones do, but can also attempt to inspect some portion of incoming data for further investigation or proactive blocking. These are generally not free, and the level of sophistication is usually reflected in the price.
Now, I mentioned that sophisticated filters can attempt to inspect data, but that doesn’t mean they really can. Web content over an encrypted channel (HTTPS) can’t be inspected without being decrypted, and if decryption were that trivial, nobody would use the Web for banking. Plain text content can be readily inspected for keywords, which might flag the site for human investigation.
Firewalls
To keep employees from using unauthorized network services (like instant messengers or peer to peer clients) within the employer controlled network, companies usually block the ports that those services use to communicate. Typical (and wise, unless you need them) services to block include FTP and Telnet. Such a setup could operate under an “Allow All Except” policy where every service is open unless specified in the list, but the more common approach is to “Deny All Except,” where only the service ports specified are able to connect. More sophisticated network devices can perform this on a per-host basis, so that certain groups of computers can still use the otherwise blocked services and programs.
Computer Account Policies
Most employer computers are operating with Windows XP, although some have begun a migration to Windows Vista. Both of these operating systems include user permissions schemes that allow pretty restrictive use policies to be applied on the computer. Windows XP, for instance, is capable of stripping an average user of the ability to install almost any kind of software (including, as I have seen, the Office 2007 compatibility packs). This not only keeps users from being able to install software that is not specifically approved by the company, but also helps keep the computers standardized to a great degree and may prevent viruses or malware from propagating.
Why They’re Useless
I am going to do the controversial thing and suggest that all of these methods, while having at least SOME merit, are nonetheless useless against someone like me. This is not an argument against using them; rather, it is intended to serve a cautionary function. Just because you employ these measures does not mean you are safe from the threats they were designed to prevent. Their proper use should be as augmentations to clearly defined employer policy regarding the acceptable use of company resources, and should in no way replace such a policy. Note that this also does not serve as a recommendation for users to find creative ways to circumvent your carefully placed controls (they will do that anyway, without my help).
Domain/IP Blacklists
Let’s make something clear. Blacklists are only as good as your ability as a company to actively maintain them (i.e., they aren’t). While they are partly effective when fed lists of known malware sites (you can subscribe to these from third party security firms), they fail miserably once you start considering almost any other kind of site. Sure, it’s easy to knock out the low hanging fruit; after all, most people only know about a mere handful of sites you might want to block, but that’s not enough. The Internet, and the Web in particular, move and change at a phenomenal rate. New sites appear all the time offering snazzy new widgets, social tools, and eye candy. No matter how tech savvy your proxy administrator is, he/she has not heard of all of these sites. I am constantly surprised by new sites and services that, by the time I get to them (and I read tech news incessantly), already have sizeable user bases. In short, there is no way that any small group of people can be fully aware of all of the new ways web developers come up with to collaborate, chat, share files, and/or waste people’s time. Additionally, some web sites allow access in various ways, so for instance if a site allows both SSL and non-SSL connections, blocking the non-SSL option is only halfway effective. I will reiterate: maintaining awareness of this and continually applying it is probably impossible. Escalated efforts to do so will undoubtedly incur increasing costs while providing diminishing returns.
Content Filtering
While we’re on the subject of web filters, we can’t forget about the (over-hyped) promises made by content filters. First off, they are completely useless against encrypted data, as mentioned above. Second, even keyword matching and rudimentary context matching are guaranteed to produce false positives and keep proxy administrators running circles investigating news sites. In short, this technology has a long way to go, and unless it can decrypt SSL traffic, it is easily circumvented. Gmail is a perfect example. Since Gmail allows users to turn on SSL access, filters that rely on text-based analysis will fail. Blocking domains in conjunction with content filtering can be effective, if you know all the permutations of a site’s URL structure, but as I stated in the previous section, it’s unlikely that any one person will know all of these.
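To make the three preceding points concrete (the blacklist-versus-inspection split in the web filter description, the SSL/non-SSL permutation problem, and a content filter's blindness to encrypted traffic), here is an added example that is not code from the original post: a minimal proxy decision function that applies a domain/IP blacklist scheme-independently, so that `http://`, `https://`, `www.` and port variants of a site collapse to one name, and attempts keyword inspection only on plaintext HTTP, since an HTTPS CONNECT tunnel exposes nothing beyond the endpoint hostname. The blacklist, keyword list, hostnames and bodies are constructed sample data.

```python
"""
Added example (not code from the original post): a model of the two
proxy-side filter decisions described above, a domain/IP blacklist lookup
and plaintext keyword inspection, applied to a plain HTTP request and to an
HTTPS CONNECT tunnel. All names, keywords and bodies are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
from urllib.parse import urlsplit

# Constructed blacklist: registrable domains plus one CIDR range (TEST-NET-3).
BLOCKED_DOMAINS = {"example-filesharing.test", "chat.example.net"}
BLOCKED_NETWORKS = [ip_network("203.0.113.0/24")]
# Constructed keyword list of the kind a content filter might match on.
FLAG_KEYWORDS = ("torrent", "proxy bypass")


@dataclass
class Request:
    method: str                    # "GET" or "CONNECT"
    target: str                    # full URL for GET, "host:port" for CONNECT
    body: Optional[bytes] = None   # page content; only visible for plain HTTP


@dataclass
class Decision:
    action: str                    # "block", "flag" or "allow"
    reason: str
    inspected: bool = False        # whether content could be inspected at all


def normalize_host(target: str, method: str) -> str:
    """Bare hostname, independent of scheme, port and a leading 'www.', so the
    SSL and non-SSL forms of a site are judged by the same list entry."""
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0]
    else:
        host = urlsplit(target).hostname or ""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def host_blocked(host: str) -> bool:
    """Suffix match (sub.example.net is caught by example.net) plus a CIDR
    check for requests addressed straight to an IP."""
    try:
        return any(ip_address(host) in net for net in BLOCKED_NETWORKS)
    except ValueError:
        pass  # not an IP literal, fall through to the domain check
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def filter_request(req: Request) -> Decision:
    host = normalize_host(req.target, req.method)
    if host_blocked(host):
        return Decision("block", f"{host} is on the blacklist")
    if req.method == "CONNECT":
        # The proxy sees only the tunnel endpoint; the payload is ciphertext.
        return Decision("allow", f"encrypted tunnel to {host}: content not inspectable")
    text = (req.body or b"").decode("utf-8", errors="replace").lower()
    hits = [k for k in FLAG_KEYWORDS if k in text]
    if hits:
        return Decision("flag", f"keywords {hits} seen on {host}", inspected=True)
    return Decision("allow", f"no blacklist or keyword hit for {host}", inspected=True)
```

Run against a news page containing the phrase "a torrent of rain", the keyword branch flags it, which is exactly the false-positive behaviour the paragraph above warns will keep proxy administrators busy; the CONNECT branch shows that the only lever left for an encrypted site is the hostname on the blacklist.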
Firewalls and Computer Account Policies
These are the preferred methods of preventing users from abusing their systems, as long as such controls make sense. In essence, they are “set once, then forget” kinds of measures, and consistent with the nature of such measures, they can be heavy handed. Firewalls simply block incoming or outgoing (or both) communications on certain ports, like blocking off roads into or out of a city to shape traffic flow. Only open ports will allow traffic; firewalls either discard data destined for a blocked port or log the incident for further inspection. Since many programs, such as instant messengers and file sharing/transfer applications, rely on specific open ports, cutting off access to the ports they use means the programs will not operate. That is, unless they can bypass firewalls by masquerading as other kinds of traffic, the allowed kinds (many programs can do this). In cases like this, prevention at the firewall level may be inadequate (though not wholly so, since firewalls can be quite sophisticated and include their own IP-based blacklists). To augment this control, users are often restricted from installing new software on their employer-provided computers. Such restrictions come at a price and still may have little effect on the introduction of unapproved applications in the enterprise network. First, they are costly because tasks that users may be fully capable of doing (like installing printers and other hardware) now have to be done by the company’s IT help desk; this can mean lost productivity on the employee’s part plus the salary to staff the IT help desk with enough people to handle these issues. Second, such policies do nothing to curb the introduction of programs via portable media, especially those that run directly from USB drives (PortableApps and the like). Technically it is possible to restrict these as well, but such restrictions may also impact the user’s ability to connect hardware that has already been installed (USB can be funny like that).
Plus, if the assumption is that users with USB drives are only carrying documents (most are), then it’s likely that the designer of the policy has not considered the implications of allowing USB drives. Granted, not all applications can be made portable (some rely very heavily on the Windows registry), but there is a growing list of programs that can. Many of these are network-aware and capable of routing themselves around your firewall; you may or may not be able to stop them from communicating.
What to Do
After reading this, you may come away with the impression that technological measures that restrict users’ access to various resources and services are not worth the effort. In large part, that was the point. But all is not lost here. The most important point is that technology is not a panacea, and sometimes high technology is easily subverted by the most low-tech workarounds. Such approaches require a sufficient understanding of what it is you are trying to prevent coupled with the right set of technological and non-technological measures to prevent the threat. Users have an unlimited capacity for rule-bending, internal justification, and creativity with regard to system use. There are a few things that companies can do to limit the risks posed by employees’ unrestricted use of the Internet.
Company Policy
First and foremost, companies should have a well-documented, enforceable (and enforced), and above all well-communicated policy that details what can and cannot be done on company time and with company resources, including computers and the network; also, the policy should specify what the company’s rights are and inform the employee whether monitoring occurs (this is permissible in the US; in other countries such laws vary). This is the most effective method of limiting risk. Will employees still engage in behaviors that put the company at risk? Almost certainly. But they will think twice about it if they clearly understand the consequences of getting caught. To make the policy binding like a contract, simply have the employees read it and sign their agreement with it AT LEAST ANNUALLY, but also each time it is revised. Is it cumbersome? Maybe, but it also provides a clear communication channel to the employee about what is expected of him or her, and moreover, such contracts, when properly administered, have been held as enforceable in the United States.
Technology
Only now is it appropriate to mention technology, and while the previously mentioned tools can fill important gaps in a company’s security policy, they are not the primary ones that should be evaluated. As outlined above, the technology-based risks to the enterprise network primarily revolve around resource use, malware infection, and disclosure of sensitive data. The most effective tools to combat these things are a combination of discussed (and other) methods. First, good antivirus software is an absolute must. These days, AV software is capable of real time monitoring for other kinds of malware in addition to viruses, making it one of the best investments a company can make. Second, firewalls should block inbound and outbound services that are not needed. While this does not mitigate the risk posed by programs that can bypass firewalls, it does mitigate risks posed by malware programs that communicate with one another or a central server. Third, well-constructed computer account policies should strike a balance between users being able to install any program they like (they shouldn’t) and the reality that many such programs can be run portably anyway. Fourth, implement monitoring of Web activities that can be audited and used to generate usage reports when needed (this should be specified in the policy along with a schedule for random audits and the method for determining who gets audited). And fifth, use web site blocking tools that subscribe to published malware blacklists to keep users from inadvertently visiting malware sites (especially the kind that like to show up in one’s email).
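The fourth and fifth points above (auditable Web activity monitoring that can produce usage reports, and a subscribed malware blacklist) are the ones a proxy log can serve directly. As an added example that is not code from the original post, the script below aggregates Squid-style native access-log lines into a per-user report and calls out any request, denied or not, whose host is on the subscribed list. Every log line, user, host and the list itself is constructed sample data; the field layout is the Squid native format (timestamp, elapsed, client, action/status, bytes, method, URL, user, hierarchy, content type).

```python
"""
Added example, not from the original post: a usage-report generator over
proxy access-log lines in a Squid-style native format, with hits against a
subscribed malware domain list reported separately.
All log lines, users, hosts and the blacklist are constructed sample data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed subscription list (in practice pulled from a vendor feed).
MALWARE_DOMAINS = {"malware-drop.test", "phish-login.test"}

# Constructed log lines in Squid native layout:
# timestamp elapsed_ms client action/status bytes method url user hierarchy type
SAMPLE_LOG = """\
1254380000.101   120 10.0.1.15 TCP_MISS/200 5123 GET http://news.example.org/ alice DIRECT/192.0.2.10 text/html
1254380003.412  3200 10.0.1.15 TCP_TUNNEL/200 40210 CONNECT mail.example.org:443 alice DIRECT/192.0.2.11 -
1254380010.009    80 10.0.1.22 TCP_MISS/200 2048 GET http://www.phish-login.test/verify bob DIRECT/203.0.113.9 text/html
1254380012.777    15 10.0.1.22 TCP_DENIED/403 312 GET http://malware-drop.test/a.exe bob NONE/- text/html
1254380020.500   250 10.0.1.15 TCP_HIT/200 8192 GET http://news.example.org/story bob DIRECT/192.0.2.10 text/html
"""


@dataclass
class UserReport:
    requests: int = 0
    bytes: int = 0
    encrypted_tunnels: int = 0
    hosts: Counter = field(default_factory=Counter)
    malware_hits: List[str] = field(default_factory=list)


def host_of(method: str, url: str) -> str:
    """Hostname for either a full URL (GET) or a host:port tunnel target (CONNECT)."""
    host = url.rsplit(":", 1)[0] if method == "CONNECT" else (urlsplit(url).hostname or "")
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def on_malware_list(host: str) -> bool:
    """Suffix match so subdomains of a listed domain count as hits."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in MALWARE_DOMAINS for i in range(len(labels)))


def build_report(log_text: str) -> Dict[str, UserReport]:
    """Aggregate per-user activity: the audit trail the fourth point asks for."""
    report: Dict[str, UserReport] = defaultdict(UserReport)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # skip malformed lines rather than abort the audit
        _ts, _elapsed, _client, action, size, method, url, user = fields[:8]
        r = report[user]
        r.requests += 1
        r.bytes += int(size)
        host = host_of(method, url)
        r.hosts[host] += 1
        if method == "CONNECT":
            r.encrypted_tunnels += 1  # only the endpoint is known, not the content
        if on_malware_list(host):
            # Record the attempt even when the proxy already denied it.
            r.malware_hits.append(f"{action} {url}")
    return dict(report)


def format_report(report: Dict[str, UserReport]) -> str:
    lines = []
    for user, r in sorted(report.items()):
        top = ", ".join(f"{h} ({n})" for h, n in r.hosts.most_common(3))
        lines.append(f"{user}: {r.requests} requests, {r.bytes} bytes, "
                     f"{r.encrypted_tunnels} encrypted tunnels; top hosts: {top}")
        for hit in r.malware_hits:
            lines.append(f"  malware-list hit: {hit}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(build_report(SAMPLE_LOG)))
```

The report keys on the proxy's authenticated username rather than the client address, since the policy section above ties consequences to the employee, and it counts CONNECT tunnels separately to make visible how much of the traffic the proxy could never have inspected.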
This combination of policy and technology represents the best a company can hope for in terms of security from internal threats. Proactive blacklisting has little impact on actually improving such security and can even drive users to create new risks through creative approaches and workarounds. The best technology in the world cannot anticipate everything a user can do, and people are certainly not capable of keeping up with the march of innovation and progress on the Internet. So my advice is that, if you rely on web site blocking to keep employees in line, you should reevaluate what it is you are trying to accomplish; the procedure above will be sufficient to address your needs most, if not all, of the time.
2010 Presidential Management Fellowship Program
Are you a graduate student in your last year of school? Are you wondering how to capitalize on that expensive graduate degree, or even how you are going to pay off the loans? Does the economy have you looking over your shoulder wondering when the next round of layoffs will be? Why not work for the federal government? Your country needs you! Use your education and skills, get a better job, and serve your country in the process! Oh, and while you’re at it, maybe you can get the government to pay off some or all of your loans, pay moving expenses, and lots more. Interested? Read on!
What is it?
The PMF program is a highly competitive and highly prestigious leadership program that recruits outstanding graduate students for a two year, full time, paid federal internship. Its purpose is to source the federal government’s future leaders from the top graduate students in the country.
What are the benefits?
- Good pay: as a PMF, you start off somewhere between the GS-9 and GS-12 pay levels, which in 2009 can be anywhere from about $46,000 to $79,000 depending on where you live.
- Federal benefits: federal agencies offer a wide variety of benefits; each agency offers different things, but you can count on good health insurance at the least. Also, some agencies pay for relocation expenses, pay back student loans, and may offer starting bonuses.
- Accelerated promotion: A typical promotion path could be appointment at GS-9, promotion to GS-11 after one year, and promotion to GS-12 at 2 years.
- Developmental rotations: PMFs go on at least one 4-6 month rotation, often outside their hiring agencies, to pursue special interests and fulfill specific career enhancement goals.
- Individualized training: PMFs are mandated at least 80 hours of training per year; courses will be dependent on the needs of the agency, but can be tailored to an individual’s long term career goals as well.
Who are PMFs?
PMFs are graduate students who will complete a graduate degree sometime in the application year (September 1 to August 31 of the application year). What this normally means is that you should be graduating in the Fall or Spring semesters of the academic year in which you intend to apply. PMFs have a wide array of academic backgrounds and work experience, although in 2009 about 2/3 of the finalists got their degrees in Law, Public Affairs, and Public Administration. What this means for you is that, if your background is something besides those three, you have a great chance of landing a position without too much competition. Academic background is important, but work experience and your own interests are even more so. You should note that becoming a finalist is not a guaranteed job, but if you are diligent and open-minded, you will find something.
What kinds of jobs are there, anyway?
The jobs agencies fill are very diverse and depend largely on the agencies that participate, but you might be surprised at where you might fit in. As you can imagine, budget plays a big role in the federal government, so finance and accounting are always in style. IT, especially in the Gov 2.0 climate, is increasingly important, and the government is always in need of those with good business, project management, organizational leadership, and human resources to keep the government doing what it does. Some agencies use the program every year and recruit large numbers of finalists, and some agencies will try it out for the first time. It’s always worth talking to agency PMF Coordinators ahead of time to see if they are interested or participating.
How do I apply?
To get started, log on to USAJOBS and follow the application instructions for the PMF vacancy announcement. Make sure to print out the nomination form so you can take it to your school. Then contact your school. Your school will collect the applications and screen for basic qualifications, then forward its list of nominees to the PMF Program Office. How easy is that? Oh, and if you’re a preference-eligible veteran, make sure you let the university know; the school has to nominate anyone with a veteran’s preference. The vacancy announcement will be open from October 1 to October 15, and the school has to have the nominations in by October 31, 2009.
What happens next?
Once the nomination deadline passes, nominees are notified (sometime in November) of their status and invited to take the PMF assessment in January or February at one of the testing centers around the country. The exam covers critical thinking, writing, and life experiences. The exam is what determines finalist status, so it is very important to do well. The number of finalists chosen from the nominees is largely determined by cutoff scores, but veteran’s preference can affect the assessment score. Sometime in February or March, those selected as finalists are notified of their status and may begin seeking out federal jobs. A job fair scheduled for the end of March or beginning of April allows finalists to interview with the agencies one on one, and it is not unusual for finalists to have an offer in hand before they leave the job fair (but don’t count on it!).
Where can I find out more?
Visit the official PMF web site. On it you can find more detailed application information and instructions, available PMF positions for finalists, rotational and training opportunities, and lots more. Also, I have collected a great deal of information, anecdotal and otherwise, here on my blog (look for the PMF tag for posts specific to the program).
What if my university doesn’t know about the program?
Start with whoever works with scholarships and fellowships for your university or school, then follow up with the director of your program or dean to get things moving. Many schools have never participated, and they may not know about the program at all; you can help them out by pointing them to this PDF.