Archive for the ‘Tech’ Category

9 employee insiders who breached security

 

These disgruntled employees show what can happen when an employer wrongs them.

Security admins used to have to worry about keeping the bad guys out of the network, but there have been many documented cases where the devil you know is sitting right next to you. A review of recent FBI cyber investigations revealed victim businesses incur significant costs ranging from $5,000 to $3 million due to cyber incidents involving disgruntled or former employees, according to AlgoSec. Here are just a few cases from over the years of insiders trying to take down their employer’s network.

Terry Childs, the former network administrator for the City of San Francisco, held the city’s systems hostage for a time. He refused to surrender passwords because he felt his supervisors were incompetent. Childs was convicted of violating California’s computer crime laws in April 2010.

In June 2012, Ricky Joe Mitchell of Charleston, W.Va., a former network engineer for oil and gas company EnerVest, was sentenced to prison for sabotaging the company’s systems. He found out he was going to be fired and decided to reset the company’s servers to their original factory settings.

It was discovered in 2007 that database administrator William Sullivan had stolen 3.2 million customer records including credit card, banking and personal information from Fidelity National Information Services. Sullivan agreed to plead guilty to federal fraud charges and was sentenced to four years and nine months in prison and ordered to pay a $3.2 million fine.

Flowers Hospital had an insider data breach that occurred from June 2013 to February 2014 when one of its employees stole forms containing patient information and possibly used the stolen information to file fraudulent income tax returns.

According to Techworld.com, 34-year-old Sam Chihlung Yin created a fake VPN token in the name of a non-existent employee, which he tricked Gucci IT staff into activating after he was fired in May 2010.

Army Private First Class Bradley Manning released sensitive military documents to WikiLeaks in 2009. Manning, now known as Chelsea Manning, was given a sentence of 35 years in prison.

Back in 2002, Timothy Lloyd was sentenced to three-and-a-half years in prison for planting a software time bomb after he became disgruntled with his employer Omega. The result of the software sabotage was the loss of millions of dollars to the company and the loss of 80 jobs.

Earlier this year, NRAD Medical Associates discovered that an employee radiologist had accessed and acquired protected health information from NRAD’s billing systems without authorization. The breach was estimated to be 97,000 records of patient names and addresses, dates of birth, Social Security information, health insurance, and diagnosis information.

And of course there is the most famous whistleblower of all time: Edward Snowden. Before fleeing the country, he released sensitive NSA documents that set off a blowup over government surveillance.


 


8 cutting-edge technologies aimed at eliminating passwords

In the beginning was the password, and we lived with it as best we could. Now, the rise of cyber crime and the proliferation of systems and services requiring authentication have us coming up with yet another not-so-easy-to-remember phrase on a near daily basis. And is any of it making those systems and services truly secure?

One day, passwords will be a thing of the past, and a slew of technologies are being posited as possibilities for a post-password world. Some are upon us, some are on the threshold of usefulness, and some are likely little more than a wild idea, but within each of them is some hint of how we’ve barely scratched the surface of what’s possible with security and identity technology.

The smartphone

The idea: Use your smartphone to log into websites and supply credentials via NFC or SMS.

Examples: Google’s NFC-based tap-to-unlock concept employs this. Instead of typing passwords, PCs authenticate against the user’s phone via NFC.

The good: It should be as easy as it sounds. No interaction from the user is needed, except any PIN they might use to secure the phone itself.

The bad: Getting websites to play along is the hard part, since password-based logins have to be scrapped entirely for the system to be as secure as it can be. Existing credentialing systems (e.g., Facebook or Google login) could be used as a bridge: Log in with one of those services on your phone, then use the service itself to log into the site.

The smartphone, continued
The idea: Use your smartphone, in conjunction with third-party software, to log into websites or even your PC.

Examples: Ping Identity. When a user wants to log in somewhere, a one-time token is sent to their smartphone; all they need to do is tap or swipe the token to authenticate.

The good: Insanely simple in practice, and it can be combined with other smartphone-centric methods (a PIN, for instance) for added security.

The bad: Having enterprises adopt such schemes may be tough if they’re offered only as third-party products. Apple could offer such a service on iPhones if it cared enough about enterprise use; Microsoft might if its smartphone offerings had any traction. Any other takers?

Biometrics
The idea: Use a fingerprint or an iris scan — or even a scan of the vein patterns in your hand — to authenticate.

Examples: They’re all but legion. Fingerprint readers are ubiquitous on business-class notebooks, and while iris scanners are less common, they’re enjoying broader deployment than they used to.

The good: Fingerprint recognition technology is widely available, cheap, well-understood, and easy for nontechnical users.

The bad: Despite all its advantages, fingerprint reading hasn’t done much to displace the use of passwords in places apart from where it’s mandated. Iris scanners aren’t foolproof, either. And privacy worries abound, something not likely to be abated once fingerprint readers become ubiquitous on phones.

The biometric smartphone
The idea: Use your smartphone, in conjunction with built-in biometric sensors, to perform authentication.

Examples: The Samsung Galaxy S5 and HTC One Max both sport fingerprint sensors, as do models of the iPhone from the 5S onwards.

The good: Multiple boons in one: smartphones and fingerprint readers are both ubiquitous and easy to leverage, and they require no end user training to be useful, save for registering one’s fingerprint.

The bad: It’s not as hard as it might seem to hack a fingerprint scanner (although it isn’t trivial). Worst of all, once a fingerprint is stolen, it’s, um, pretty hard to change it.

The digital tattoo
The idea: A flexible electronic device worn directly on the skin, like a fake tattoo, and used to perform authentication via NFC.

Examples: Motorola has released such a thing for the Moto X, at a cost of $10 for a pack of 10 tattoo stickers, with each sticker lasting around five days.

The good: In theory, it sounds great. Nothing to type, nothing to touch, (almost) nothing to carry around. The person is the password.

The bad: So far it’s a relatively costly technology ($1 a week), and it’s a toss-up as to whether people will trade typing passwords for slapping a wafer of plastic somewhere on their bodies. I don’t know about you, but even a Band-Aid starts bothering me after a few hours.



 

 

Gartner: IT careers – what’s hot?

Do you know smart machines, robotics and risk analysis? Gartner says you should

ORLANDO— If you are to believe the experts here at the Gartner IT Symposium, IT workers and managers will need to undergo widespread change if they are to effectively compete for jobs in the next few years.


How much change? Well, Gartner says that by 2018, digital business will require 50% fewer business process workers and 500% more key digital business jobs compared to traditional models. IT leaders will need to develop new hiring practices to recruit for the new nontraditional IT roles.

“Our recommendation is that IT leaders have to develop new practices to recruit for non-traditional IT roles…otherwise we are going to keep designing things that will offend people,” said Daryl Plummer, managing vice president, chief of Research and chief Gartner Fellow. “We need more skills on how to relate to humans – the people who think people first are rare.”

Gartner intimated that within large companies there are smaller ones, like startups, that need new skills.

“The new digital startups in your business units are thirsting for data analysts, software developers and cloud vendor management staff, and they are often hiring them faster than IT,” said Peter Sondergaard, senior vice president and global head of Research. “They may be experimenting with smart machines, seeking technology expertise IT often doesn’t have.”

So what are the hottest skills? Gartner says right now, the hottest skills CIOs must hire or outsource for are:
Mobile
User Experience
Data sciences

Three years from now, the hottest skills will be:
Smart Machines (including the Internet of Things)
Robotics
Automated Judgment
Ethics

Over the next seven years, there will be a surge in new specialized jobs. The top jobs for digital will be:
Integration Specialists
Digital Business Architects
Regulatory Analysts
Risk Professionals



 

‘Bigger than Heartbleed’ Shellshock flaw leaves OS X, Linux, more open to attack

Well, this isn’t good. Akamai security researcher Stephane Chazelas has discovered a devastating flaw in the Unix Bash shell, leaving Linux machines, OS X machines, routers, older IoT devices, and more vulnerable to attack. “Shellshock,” as it’s been dubbed, allows attackers to run code on your machine after exploiting the flaw, but the true danger here lies in just how old Shellshock is—this vulnerability has apparently been lurking in the Bash shell for years.

Why this matters: A large swath of the web-connected devices, web servers, and web-powered services run on Linux distributions equipped with the Bash shell, and Mac OS X Mavericks is also affected. The fact that Shellshock’s roots are so deep likely means that the vulnerability will still be found in unpatched systems for the foreseeable future—though the odds of it directly impacting you appear somewhat slim if you use standard security precautions.

Heartbleed redux

The news comes as the security community is just shaking off the effects of Heartbleed, a critical vulnerability in the widely used OpenSSL security protocol. “Today’s bash bug is as big a deal as Heartbleed,” says Errata Security’s Robert Graham, a respected researcher.

Hold your horses, Robert. Before we dive into dire warnings, let’s focus on the positive side of this story. Numerous Linux variants have already pushed out patches that plug Shellshock, including Red Hat, Fedora, CentOS, Ubuntu, and Debian, and big Internet services like Akamai are already on the case.

But Graham says Shellshock’s danger will nevertheless linger for years, partly because “an enormous percentage of software interacts with the shell in some fashion”—essentially making it impossible to know exactly how much software is vulnerable—and partly because of the vulnerability’s age.

“Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won’t be, is much larger than Heartbleed.”

Now consider that more than two months after Heartbleed was disclosed, hundreds of thousands of systems remained vulnerable to the exploit.

Maybe not Heartbleed redux?

But don’t panic! (Or at least not yet.) While Heartbleed had the potential to be widely exploited, Jen Ellis of security firm Rapid7 says the Shellshock bug’s outlook isn’t quite as grim, even if it is rampant.

“The vulnerability looks pretty awful at first glance, but most systems with Bash installed will NOT be remotely exploitable as a result of this issue,” Ellis writes. “In order to exploit this flaw, an attacker would need the ability to send a malicious environment variable to a program interacting with the network and this program would have to be implemented in Bash, or spawn a sub-command using Bash.”

As a result, Ellis and Rapid7 urge keeping a level head about the bug.

“We’re not keen to jump on the ‘Heartbleed 2.0’ bandwagon. The conclusion we reached is that some factors are worse, but the overall picture is less dire… there are a number of factors that need to be in play for a target to be susceptible to attack. Every affected application may be exploitable through a slightly different vector or have different requirements to reach the vulnerable code. This may significantly limit how widespread attacks will be in the wild. Heartbleed was much easier to conclusively test and the impact way more widespread.”

While older Internet-connected devices (like, say, security cameras) seem to be likely victims of Shellshock, respected security researchers Michal Zalewski and Paul McMillan note that many embedded devices don’t actually use the Bash shell at all.

Beyond Linux-based systems, Graham and Ars Technica report that Mac OS X Mavericks contains a vulnerable version of Bash.

To test if your version of Bash is vulnerable to this issue, Red Hat says to run this command:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system responds with the following, then you’re running a vulnerable version of Bash and you should apply any available updates immediately:

vulnerable
this is a test

“The patch used to fix this issue ensures that no code is allowed after the end of a Bash function,” Red Hat reports. So rather than spitting out “Vulnerable,” a protected version of Bash will spit out the following when you run the aforementioned command:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
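A host can carry more than one Bash binary, so the check above is worth running against each of them. The script below is an added example, not from the original article or from Red Hat: it runs the same probe against every Bash it can find and classifies the result. The function names and the use of /etc/shells to locate additional Bash installs are assumptions of this example.

```bash
#!/bin/sh
# Added example, not part of the original article.
# Runs the probe quoted above against each bash binary found on the system.

# The probe value from the article: a function definition with trailing code.
PROBE='() { :;}; echo vulnerable'

# Classify the probe's standard output (hypothetical helper name).
#   a line reading exactly "vulnerable" -> the trailing code ran on import
#   only "this is a test"               -> the definition was ignored or rejected
classify_probe_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable
    elif printf '%s\n' "$1" | grep -qx 'this is a test'; then
        echo patched
    else
        echo unknown
    fi
}

# Probe one binary. env -i gives it an empty environment apart from x, so the
# result does not depend on the caller's variables. Warnings that a patched
# bash may print go to stderr and are discarded.
probe_bash() {
    if [ ! -x "$1" ]; then
        echo missing
        return 0
    fi
    probe_out=$(env -i x="$PROBE" "$1" -c 'echo this is a test' 2>/dev/null) || true
    classify_probe_output "$probe_out"
}

# Candidate binaries: every /etc/shells entry ending in /bash, plus the bash
# found on PATH (assumed locations; add others your systems use).
list_bash_binaries() {
    {
        if [ -r /etc/shells ]; then
            grep -E '/bash$' /etc/shells || true
        fi
        command -v bash || true
    } | sort -u
}

# Print one "path<TAB>verdict" line per binary.
audit_bash() {
    list_bash_binaries | while IFS= read -r bash_path; do
        printf '%s\t%s\n' "$bash_path" "$(probe_bash "$bash_path")"
    done
}

audit_bash
```

Any line reporting `vulnerable` identifies a binary that still needs the vendor update, even if the default shell on the same machine is already patched.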

What does this mean?

When it boils down to brass tacks, most major websites and modern gadgets you own likely won’t be affected by this Bash vulnerability, and Apple will no doubt patch the OS X implementation quickly. (Here’s a highly technical DIY fix for now.)

It’s impossible to know just how far this flaw reaches, and it’s likely to linger on in neglected websites, older routers, and some legacy Internet of Things devices—many of which are impossible to patch—providing an opening for determined hackers to sneak into those systems.

So what should you do? Here’s some actionable advice from security researcher Troy Hunt’s tremendous in-depth primer on Shellshock:

“In short, the advice to consumers is this: watch for security updates, particularly on OS X. Also keep an eye on any advice you may get from your ISP or other providers of devices you have that run embedded software. Do be cautious of emails requesting information or instructing you to run software – events like this are often followed by phishing attacks that capitalize on consumers’ fears.”

PCWorld’s guide to protecting your PC against devious security traps can help you I.D. bad actors, while Ian Paul has three tips for spotting malicious emails over at his Hassle-Free PC column.


 


 

 

 

Sneak Peek: New features coming to Internet Explorer

Microsoft’s new Developer Channel offers glimpse into upcoming features of IE.
Microsoft recently released a “Developer Channel” edition of Internet Explorer, launching a new way in which upcoming features will be previewed, and laying the groundwork for a business strategy focusing on web services. Here’s what you need to know about the future of Internet Explorer.

Developer Channel version offers sneak peek at new features
Though it’s available for the public to freely download and install, Internet Explorer Developer Channel is not meant for everyday use, whether business or casual. As its label implies, IE DC is primarily geared toward developers to play around with. But anyone can try out the browser to see what new features are being worked on by the IE development team.

No more betas
Instead of releasing betas, the IE development team will update IE DC with the latest features, fixes and optimizations. Throughout this process, you’ll be able to keep up with the work-in-progress of IE by downloading the most current release of IE DC. When the IE team determines this code is ready for public consumption, it will then be rolled out as the next version of IE.

Compatibility is limited to Win 7/8.1
IE DC is available for Windows 7 and Windows 8.1 only. Either OS also must have Internet Explorer 11 installed on it. You should probably also ensure your Windows 7 or Windows 8.1 system has the latest official updates for the OS installed, as recommended by Windows Update, prior to installing IE DC.

Caveats
IE DC runs within a virtualization system, which keeps the browser in a “sandbox” operating separately from the rest of your Windows environment. This is for reasons of security. The consequences are that IE DC cannot share add-ons or settings that you already have in place with your installation of IE 11; IE DC may run slower than IE 11; and it cannot be used as the default browser.

Tracking features in development
The IE development team set up a web page where you can follow the latest features they’re working on to possibly add to future versions of IE. It also lists features that are already in the most recent final releases of the browser, and ones they are considering, but not officially developing yet. You can easily set this list to show only features that are in development, under consideration, under which version number of IE they first appeared, or their interoperability with the other major web browsers.

New features in IE DC
As of this writing, the release of IE DC includes only a few new technologies being actively worked on. Two are interesting for the average user: GamePad and WebGL Instancing. They clearly indicate that the IE development team is expanding the capabilities of the browser for gaming. (WebGL Instancing utilizes a system’s GPU, graphics processing unit, to more efficiently draw copies of an object without hitting up the system CPU for this task.) These technologies could alternately be integral for less leisurely pursuits, like using a controller to interact with a productivity web app.

Features in development
Other technologies listed as “In Development” (which also means they are not yet implemented into the actual IE DC browser) include Media Capture and Streams, and Web Audio. The first indicates a web app in IE would be able to access audio or video from your computer’s or device’s mic or webcam. Web Audio would enable a web app to produce audio through JavaScript.

Features that are being considered
Listed as “Under Consideration” are features that point to granting web apps even more access to control or receive feedback from the hardware of a computer or device (Ambient Light Events, Battery Status, Vibration). Web apps could also be allowed to encode audio or video from within the browser (MediaRecorder), incorporate speech recognition and synthesis (Web Speech), and manipulate the local files on a Windows system (Drag and Drop Directories, FileWriter).

End of numbered versions?
This new system of providing early looks at IE under a continuous development cycle could suggest Microsoft may de-emphasize version numbering. If this happens, then, as far as the general public is concerned, the upcoming 12th release of IE could be referred to by Microsoft as simply “Internet Explorer.” As for new features, IE appears to be becoming a more technologically capable browser for using with sophisticated web apps. The IE development team isn’t just looking to make a better browser; they’re aiming to make Internet Explorer a better web app platform.

 


 

Let’s scuttle cybersecurity bachelor’s degree programs

It may sound counterintuitive, but the way to increase the number of cybersecurity professionals is not to start granting degrees in cybersecurity

I suppose it sounds logical.

We’re hearing that the best way to deal with the shortage of cybersecurity professionals is to funnel students into cybersecurity degree programs.

And while we’re at it, let’s address the problem of all those hackers who are thinking outside of the box by recruiting them for these degree programs.

Unfortunately, the logic of these statements is about a micron thick.

Let’s look at those cybersecurity degree programs first. In no other computing discipline do you have a specialized degree program. You do not earn a bachelor’s degree specifically in software engineering, computer graphics, artificial intelligence, database management, systems administration, Web applications programming or project management. Why should there be a bachelor’s degree specific to cybersecurity? (And please note that I am talking about undergraduate cybersecurity programs, not graduate-level programs.)

There shouldn’t be. Security professionals need to function in a variety of disciplines. They can be called upon to evaluate software for security vulnerabilities, to determine whether a user interface is suffering from information leakage, to design secure databases, to secure operating systems, to assess and shore up the security of websites, to incorporate security requirements into new developments and so on. The person you ask to do all of those things needs to be well rounded. But a cybersecurity degree program offers many security classes at the expense of classes that would normally be required to get a general degree in computer science or information systems.

With exceptions like architecture and nursing, bachelor’s degree programs are not intended to be trade schools. The best college degrees strive to help people have a broad understanding of not just their field, but culture in general. Personally, the skills that have helped me most in the cybersecurity field did not come from computer courses, but from the mandatory writing and business classes I took, which taught me to be a better communicator and how to determine what was valuable to decision-makers.

To paraphrase Jim Rohn, the value of going to college is not in the degree you are awarded, but in what you had to become to earn that degree.

My feelings about cybersecurity degree programs aren’t bias of the “that’s not how it was done in my day” variety. I sincerely believe that cybersecurity degree programs are producing graduates inadequately prepared for the positions they believe they are training for, and quite possibly compromised in their ability to get any job at all.

Consider the National Security Agency, a promoter of the cybersecurity degree movement and a highly coveted employer in the field. The NSA designates some cybersecurity degree programs as Centers of Excellence in Information Assurance Education. So, the graduates of those programs should have no problem getting hired by the NSA in a cybersecurity capacity, right? Well, maybe not. Take a look at the NSA’s cybersecurity professional development program. It wants people with strong programming skills. But many cybersecurity undergraduate programs do not offer any programming coursework. It’s been cut out to make room for more classes in things like writing security policies.

Now, a general degree in computer science can pretty much qualify a person for any entry-level position in the computer profession, including a cybersecurity position. But a person with a highly specific degree may have a problem getting a broader position. And I don’t think new graduates armed with a bachelor’s degree in cybersecurity are going to want to limit themselves to that relatively small subset of available jobs.

Think of it from a hiring manager’s perspective. She has an opening for a database manager and must choose between two candidates. One has a general CS degree, and his studies included classes in database management. The other has a cybersecurity degree, but though he says he can write a database management security policy, he never took a course in database management. Welcome aboard, CS graduate!

While you might contend that the cybersecurity graduate will look for the plethora of cybersecurity job openings, and not a database management position, this first assumes that the new graduate wants to limit themselves to a very specific, and small, subset of computer-related job openings. Again, they will still be competing with general computer degree holders.

My Magic Wand

If I could wave a wand to fix the problem of a lack of information security knowledge in college graduates, I would have the NSA and other stakeholders invest their time and money not in developing Centers of Excellence, but in influencing computer science and information systems departments to incorporate security into all relevant courses and degree programs.

This is actually the direction recommended by the Association for Computing Machinery and the IEEE Computer Society in their most recent update to their recommended curriculums for computer science programs and for information systems programs.

Unfortunately, I recently reviewed introductory computer science courses from a wide variety of prestigious universities, and none of the courses that I looked at seemed to be implementing the guidance. Incidentally, in the course of doing some volunteer work, I spoke to some college officials about adding a security course to their curriculum. Next to impossible, they said, since curriculums go through lengthy approval processes. To get a course to include security, you have to find a textbook that covers the subject. Good luck. Few of the most popular textbooks used in computer science classes have even one chapter devoted to security, and many have no specific content. Some of the newer introductory IS textbooks cover security to some extent, but I have yet to see any detailed security content in textbooks for advanced courses.

So, magic wand, let the NSA and other organizations begin to write content for such textbooks, and then offer grants to colleges to enhance their curriculums.

The issue is to create not a handful of people who have a little extra specialized education, but to ensure that the future computer professional community, as a whole, at least has the fundamental knowledge to begin proactively securing their work products.

Thinking Inside the Box

And what about the idea that the graduates of cybersecurity programs should be drawn from students who somehow are better at thinking outside of the box? Quite simply, it is a notion that is grossly ignorant of what has actually been working for decades.

Until recently, the NSA had never hired anyone with a cybersecurity degree. And yet the NSA is widely considered to be the world’s leader in information security and information warfare. How then did the NSA establish such pre-eminence in the field?

It searched among its employees for high-caliber people and then cross-trained them. It is that simple. The NSA continues to do so in many fields, including information assurance.

But will cybersecurity degree programs give the NSA and other employers people who think outside of the box? And will such new graduates have an edge over experienced professionals? No; that is frankly delusional. The proponents of such nonsense argue that hackers are able to get through the strongest security countermeasures by dint of some unique thought processes.

Wrong. Teenagers have been able to break into systems not because of superior skills, but because the people running the systems in question have inadequate professional security training. The hackers aren’t thinking outside of the box; they are just thinking about the task at hand.

Skilled professionals are not usually asked to break into computer systems. As a rule, violating laws is not their task at hand. But look at what happens when you make it their job. When I recruit a new trainee for penetration testing, I look for the smartest, most experienced computer professional available — not a teenager. When I tell them what I want them to do, they’re generally shocked. They have never applied their skills to such a purpose. But after they get over the surprise, they do things that make my head spin. What they tend to do is to perfect the attacks that they have had experience repelling on a regular basis, and incorporate their detailed knowledge of operating systems gained from years of administering systems.

(Some IT professionals do indeed pursue such activities as part of their job, but we only catch glimpses of the successes of these U.S. government “hackers,” who break into highly secure foreign government systems, such as Iraqi air defense systems. They were also prepared to cripple the Iraqi financial system. There are also claims that U.S. cyberwarriors designed the Stuxnet virus to damage Iran’s nuclear capability. These hackers accomplish tasks that teenagers think are science fiction. Their exploits are just rarely publicized.)

But we give young hackers more than their due. Some people say we should harness their supposedly superior knowledge of security and recruit them to protect the systems they break into. Need I point out the absurdity of this idea? It is akin to thinking that just because some idiot is capable of stealing a car and crashing it into a wall, he should have the skills to fix the damage. I’m sorry, but anyone claiming that the idiot could fix the car should likewise be thought an idiot. It is exponentially easier to break something than it is to fix it, especially when computers are concerned.

The System Ain’t Broke

I find the idea that what the U.S. government really needs is a crop of new cybersecurity graduates to be insulting to the hundreds of thousands of current government computer professionals. The government needs to stop this nonsense and focus on expanding programs to cross-train highly skilled and immediately available workers.

Similarly, private organizations need to properly invest in their staffs. Just as they expect to train new employees in their job functions, they need to expect to have to invest in the training of their cybersecurity professionals.

What we need are not a bunch of cybersecurity degree holders, but a willingness to invest in current employees. Employees who earned a broad-based CS degree and then gained years of experience on the job are quite simply a better resource than a green graduate.

Don’t get me wrong. I have nothing but admiration for the young people who are pursuing cybersecurity degrees. Most of these degree programs are tailored to part-time students, who usually have to juggle full-time jobs, coursework and a family life during a program that can take more than seven years to complete. That demonstrates true character and perseverance, which is more important than skills. However, a breadth of knowledge is still more important than the topic of the degree.

Unfortunately, the colleges are often selling these people hype, not reality. For example, one college is telling people that they are training them to be cyberwarriors, while the actual coursework teaches them to write security policies, not to be hands-on practitioners. This is like telling someone that you are training him to be a Navy SEAL, while you are only training him in logistics, qualifying him at best to be a quartermaster for the SEALs.

When you come right down to it, though, there is little in the world of information security that is more valuable than experience. And new graduates nearly always lack it to any significant degree. Just think about someone who takes a class in security policy. Say there are 15 class sessions that average three hours each. Then let’s generously assume that the student does 115 hours of work outside of class. By putting in 160 hours, the student can rightly be said to have worked hard for his grade. But all that time is still the equivalent of just four workweeks. Would you trust someone with that level of experience to develop a policy document for a large office or to meet some regulatory compliance standard? Clearly not. It is nice that they have this experience, but it just makes them better than a person with no experience at all.

Undergraduates don’t have expertise in their major; they have a slightly enhanced background. As for being qualified to combat the most elite hackers in the world, well, what exactly in a degree program that focuses on policies is preparing you to take on the hackers?

If the NSA and other parties want to reward promising students with scholarships for studying cybersecurity, then they need to think long and hard about what they expect to gain from such programs.

Scholarships are great. I believe in giving a hand to young people who show aptitude. But highly targeted scholarships can go wrong when the grantors expect to get certain results in return. And just consider some of the ways they could be disappointed in the results of their cybersecurity scholarship programs.

First of all, up to 80% of college students change their majors in college at least once. This means that as many as 80% of the people who receive cybersecurity scholarships are likely to not want to be in the cybersecurity profession by the time that they earn their undergraduate degrees.

Worse, in a way, are the incompatible goals of an organization such as the NSA. It wants to give cybersecurity scholarships in particular to young people who have a tendency to think outside of the box. The funny thing about young people who think outside of the box: They often do things that will disqualify them for the security clearance they will need to get a job at the NSA.
Opinion by Ira Winkler

Let’s say that they are encouraged to develop their hacking skills. Will they resist the urge to use those skills, or will they do something like join up with Anonymous? If they do, the NSA is not going to get the benefit of their education in cybersecurity. Even more common, though, are young people who download music and other intellectual property illegally. I have heard that this has become a reason for denying clearances. What I hear is that there is a floor in the value of what was downloaded for a clearance to be denied. OK, but students who were selected because they are on the edge are probably more likely than other students to breach that floor.

When you come right down to it, there is more than a little bit of wishful thinking in this entire drive toward granting cybersecurity degrees. This is actually a case where the thing that we have been doing for years, specifically taking high-caliber people and cross-training them for cybersecurity roles, is a better approach than what has been proposed to replace it. It puts highly skilled people to immediate use, solving immediate problems. We simply have to fully commit ourselves to expanding a proven model, instead of grasping on to what is literally a science fiction plot and hoping we will get results many years from now.

 



 

Tech giants appeal settlement decision in Silicon Valley hiring case

Attorneys for Google, Apple, Adobe Systems and Intel have appealed a judge’s decision to throw out a proposed settlement in Silicon Valley’s employee hiring case.

Attorneys for the companies filed a petition Thursday evening with the U.S. Court of Appeals for the 9th Circuit, appealing Judge Lucy Koh’s recent decision to throw out a proposed US$324.5 million settlement. Plaintiffs in the class-action case, Silicon Valley technology workers, accuse executives at the companies of conspiring not to hire each other’s workers between 2005 and 2009, which they say suppressed their wages and restricted their mobility.

Federal district court Judge Koh rejected the settlement in early August, on the grounds that it was too low given the strength of the evidence—specifically emails between executives—that would support a trial. That decision was a “clear error as a matter of law,” attorneys wrote in the Thursday filing.

“The district court applied a mechanical formula that overrode sensitive judgements of the class’s own counsel based on confidential information regarding the serious risks posed by their claims and their chances of success at trial,” it said.

“The ruling will inflict significant harm on all parties and the class action procedure,” it said.

A proposed start date for a trial has already been set for Jan. 12. Attorneys for both the defendants and plaintiffs have until Monday to file a joint statement regarding the proposed pretrial and trial dates.

If there is a trial, the reputations of several major technology companies could be re-evaluated, particularly if Google executives like Larry Page or Eric Schmidt take the witness stand.

Google and Intel declined to comment beyond the filing. Apple and Adobe did not immediately respond to requests for comment.



 

 

How to Identify Soft Skills in IT Job Candidates

As IT departments are called upon to play larger, more public roles in today’s businesses, the skill set of the ideal IT employee has changed. How can companies identify whether a job candidate has the ‘soft skills’ to bridge the gap between IT and the rest of the business?

IT is out of the backroom and in the front office – so it’s time to hire candidates who match that new reality.

This presents a vexing problem for both recruiters and employers alike. In a recent survey, the National Association of Colleges and Employers found that employers look for candidates who are decisive, can solve problems, are good communicators and are analytical.

That need is the same for technology hires. Given how the role of IT has changed, employers see soft skills mattering more than ever.

“IT is no longer in the back room with the lights off writing code,” says John Reed, senior executive director at Robert Half Technology, an international technology recruiting and staffing company. “IT is in the room with the business leaders when decisions are made.”

It’s also important to consider whether your IT people are working directly with customers or internally with other employees, says Tammy Browning, senior vice president of U.S. field operations for Yoh, a consulting organization that provides IT talent.

“The heads-down IT person who’s just programming is becoming less and less attractive to employers, because you have to be able to communicate with your business partners or their customers,” Browning says.

What Soft Skills Do IT Workers Need?
Reed says you want your IT people, whether they’re servicing external customers or employees within the company, to be able to communicate efficiently, understand business issues and offer resolutions, and possess problem-solving skills.

A separate survey conducted by the Workforce Solutions Group at St. Louis Community College found that 60 percent of employers say applicants lack “communication and interpersonal skills.” According to the report, this is up 10 percent from two years ago. “Many people tell me they’re looking for someone who has almost a customer service mindset,” Reed says.

Browning says she looks for candidates who can act almost like consultants – people who “can really coach non-IT people on how to articulate their needs.” She wants people who can reverse engineer a solution to a problem for someone, or even change the mindset of a person who says she needs A but would really do better using Z – even if Z hasn’t been created yet.

“In IT, it’s important to go to the non-IT people who don’t understand what technology can actually do,” Browning says. That’s where soft skills in an IT person come into play.
How to Identify a Candidate’s Soft Skills in the Interview?

This isn’t always easy. At the recent Microsoft Worldwide Partner Conference, Reed says he found that soft skills were a clear differentiator in tech candidates. But soft skills are hard to find.

Beyond asking potential tech hires about their hard skills and abilities, include questions that you’d ask people you’re hiring in any other part of the company. “IT should come out of behavioral interviewing,” Reed says.

In talking about past work experience, or suggesting hypothetical situations, follow up with questions such as the following:

“What was your approach to resolving that issue?”
“Talk to me about scenarios you’ve had previously where you’ve been put in this position.”
“How did you use your analytical skills to solve those problems?”

Reed says this is “a very different interview process for a lot of people in tech.” While you may ask a candidate to architect a tech infrastructure on a whiteboard, make sure to follow up with questions that will help you see how that person would work with a team or interact with customers. Spend as much time in the interview on both hard and soft skills, he says.
What About People Who Aren’t Actively Looking for a Job?

If you’re recruiting from a pool of people who aren’t active job seekers, you can also look at a possible candidate’s interests and activities outside of their work lives, says Pete Kazanjy. He’s the co-founder of TalentBin by Monster, a company that recruiters use to find what TalentBin calls “unfindable passive candidates” – people who companies want to hire but who aren’t actively looking to change jobs.

“Individuals signify this kind of information naturally by virtue of what they’re doing on the Web as opposed to a more artificial approach that’s associated with LinkedIn or posting a resume,” Kazanjy says.

For example, in addition to being part of an Oracle Database group on MeetUp.com, the person may also be involved in mentoring programs or active in Oracle forums helping other people solve problems. This indicates that he or she would be a good mentor within your company and open to problem-solving activities, he says.

At the same time, someone who picks fights on Twitter or blogs about hating his or her current coworkers may not be the right person to call in for an interview, Kazanjy says. “Those are the sort of things that may fall out in the interview process and reference checking.”



 

How to Survive 4 Cloud Horror Stories

For all its promise, the cloud still brings some peril (like sleepaway camp or that dirt-cheap fixer-upper on the outskirts of town). Here are four cloud horror stories – along with spoilers so you know how to make it out alive.

Horror stories don’t just happen at the movie theater. In a few cases, companies make a big play to use the wrong cloud application or experience widespread outages in their connection to cloud storage.

While vendors claim that cloud services are secure and reliable, that’s not always the case. A better way than relying on vendor promises? Make sure your migration plans, budgets, existing infrastructure, security and any ancillary services all match up before making the jump to the cloud.
What Happens When a Cloud Provider Declares Bankruptcy?

Late last year, a cloud storage company called Nirvanix shut down and gave customers only a few weeks to move data to a different provider. According to Charles King, an IT analyst, this meant companies with terabytes or even petabytes of data in the cloud had to act quickly. “A business should always have a strong sense of the assets it has stored in the cloud, but it needs to consider those points in terms of the time and cost of retrieving them,” King says.

In the case of Nirvanix, one client noted that, due to the company’s download bandwidth limitations, it would need 27 days, in a best-case scenario, to recover all data. “That was cutting things pretty close since they were given just 30 days’ notice to remove everything,” King says.
What If the Wide Area Network Is Faulty?

Before attempting to use cloud applications to run your business, you might want to check with your network engineers first.

John Eisele, the vice president of business development at The DDC Group, a business process outsourcing company, tells the story of a major networking snafu. A preexisting condition related to router configurations at a customer location became exacerbated once the company started using cloud apps. Slow, sometimes broken connections were the main problem, though there were some issues using a virtual network with an external VPN. Fortunately, the network engineers and WAN experts ran diagnostic tests. The culprit? Outdated router configurations.

“In the end, the customer’s end-users could successfully access the cloud-based applications quicker than they could before the migration (which should be the case with all cloud solutions),” Eisele says.

What If Your Cloud Service Provider Has No Disaster Recovery Plan?
Disaster recovery is far more than just having a good backup. There has to be a more thorough way to get a system back online. This can include restoring data, applications, server access, user accounts and much more.

Code Spaces, a company that let developers host their code on a cloud server, learned this the hard way. Last month, the company announced that its Amazon Web Services account had been breached. The hack wasn’t just a way to change passwords and block access, either. Code Spaces found that its Apache Subversion repositories and Elastic Block Store volumes had been deleted.

It gets worse: The company posted a message on its site saying that it wouldn’t be able to rebound from the attack and would be closing its doors. A spokesperson for Amazon told CIO.com the breach had nothing to do with the AWS services and that companies must follow the AWS security precautions.
What if You Forget About Compliance and Security?

Most companies know the cloud is a secure portal. In some cases, the disaster recovery techniques and backup processes are even more rigid than an on-premises approach. According to analyst Rob Enderle, though, that’s not quite the whole picture.

Enderle tells the story of two engineers at an enterprise-level pharmaceutical company who were tasked with analyzing the results of a drug trial that required an investment in hardware and software. The IT contacts told the engineers the budget would be around $100,000 and would take nine months to deploy. They decided not to wait. After finding a cloud provider and spending about $3,600 using their own credit cards, they rented the resources and finished the work. Then an executive found out.

“The engineers were terminated the following day for the massive violation of security policy,” Enderle says. “There was no way to determine where the data resided after the work was done but, generally, it was believed to be in Eastern Europe.”

How should your company respond to all of these horror stories? With due diligence. The experts all say cloud infrastructure is just an extension of your own data center and computing services. Somewhere, there’s a server and a storage array housed in another city – or another country. Research all of the variables, ask the right questions and be thorough about your strategic plan.


 



Horrible bosses are all too common — there’s even a movie about them. Here, three experts weigh in on how to spot a bad boss before you accept a position and offer tips on how to make sure you’re making the right employment choice.

Everyone suffers under a bad manager – morale sinks, productivity tanks, absences increase. Even those above a bad manager in the corporate hierarchy feel the impact; executives must dedicate time to resolving conflicts, and often end up assuming the role and responsibility for those who aren’t adequately doing their job, says Patty Azzarello, CEO of Azzarello Group, and a business advisor, author and executive.

But there are warning signs, red flags to look out for when searching for a job and while interviewing that can identify a bad boss or an untenable work environment before you accept a job.
Do Some Early Detective Work

Your first step should be researching the company online – but go beyond the obvious corporate Web site and Facebook profile, says Craig Bryant, founder and product manager for Kin HR, which provides human resources software solutions for small businesses.

“Before you even start the interview process, research the company online. Go to Glassdoor and other feedback sites to see what current and former employees have to say about the company,” Bryant says.

While the comments on sites like Glassdoor aren’t entirely objective, you can get a good sense of whether or not employees are happy with the company, their management hierarchy, whether or not there are advancement opportunities, says Johanna Aiken, human resources director at ecommerce solutions company Cleverbridge.

“Especially in the technology arena, it’s critical to use social media to your advantage,” Aiken says. “Use sites like Glassdoor, sure, but don’t discount LinkedIn. Use LinkedIn to do keyword searches and connection searches; reach out to current and former employees and ask if they’re happy with the company, do they like their job, that sort of thing. If they’ve left, ask why,” Aiken says.

What you’re looking for are patterns of behavior: Does every junior programmer leave that company only to reappear as a senior programmer at a different company? That could be indicative of a lack of advancement or promotion opportunities, says Kin HR’s Bryant.

In addition, find out as much as you can about the company culture and work environment, says Bryant. Finding a good fit is as much about character, culture and personality match as it is about hard skills, and it’s important to make sure you’ll mesh well with the company.

“When we hire, we’re looking for character and cultural fit, not just hard skills,” says Bryant. “We’re looking at who and what that person will eventually become at the company. Are you a freewheeling, work-anywhere night owl? You might not perform at your best for a company with strict nine-to-five hours and not a lot of flexibility, for instance,” he says.
Look to Your Future

Even more important than the immediate impact of starting a new job is the future potential, both for the company and for the employee, says Bryant. Starting as early as the interview process, candidates should focus on how the company will contribute to their professional growth and development and make sure that aligns with their career goals.

“During the interview process, candidates should probe for details on how the company will contribute to their professional growth,” says Bryant. “Not just the raw skill sets, but learn what you can expect in terms of continuing education, personal growth, travel. If you’re going to pour your passion and devote most of your waking hours to a company what will you get in return?” he says.

“You want to ask, specifically, how your own personal and professional objectives fit in with those of the company, and how that ties into your compensation, too,” says Bryant. “If you get a ‘deer in the headlights’ look in response, that’s a red flag and there most likely won’t be that much room for personal growth and advancement,” he says.

As an example, Azzarello Group’s Patty Azzarello describes an interview she had for a position that was described as “strategic.” “Everyone I interviewed with was saying they’d be thrilled to have me on board to drive this ‘strategic position’ and help grow the business in a certain direction,” Azzarello says. “But when I talked to the CEO, and I delved into the ‘strategic’ aspects of the role, he simply nodded and didn’t seem to be on the same page. He didn’t understand what I was talking about!” she says. Azzarello adds that it’s important to make sure your own expectations and objectives fit with those of the company, and that candidates are very clear about what’s important to them, both personally and professionally.

“Make sure you’re not the only one talking about these objectives, and the interviewing team isn’t just ‘nodding along’ to placate you,” she says. “That’s a huge red flag, and you’re not going to be happy or successful if you’re feeding them lines and they’re agreeing just to get you into the position,” Azzarello says.

Make sure you ask about performance reviews, mentoring programs and other on-the-job training and support relationships, adds Bryant. These are more important to your success and happiness than most candidates realize, and are often overlooked.

Observe and Interact With Your Potential Colleagues

Your powers of observation can be critical when scoping out a potential new job or career path, says Cleverbridge’s Johanna Aiken. Plan to arrive at the interview location early, and simply sit and observe, she says.

“I recommend arriving at least 10 minutes early; sit in the lobby and just observe, because you can gain a lot of insight just by watching the employees interacting with each other in a non-professional way,” Aiken says. “Take note of the general ‘vibe’ in the office. Do you see people coming and going frequently? How do they talk to each other? What’s their tone of voice? Their body language? How do the employees seem that differs from what the company claims is their culture?” she says. “If you see behavior or overhear conversations that make you uncomfortable, don’t ignore it. This is one of the best ways to gauge what the working environment will be like,” she says.

Azzarello suggests going out to lunch or for a cup of coffee with the interviewing team, if that’s possible, to get an inside look at how your potential supervisors and colleagues handle their ‘power,’ either real or perceived.

“If you can, go out to lunch and closely observe how they treat the waiter,” she says. “People who are otherwise smart and competent can turn into narcissistic, controlling jerks when in a position of power, and you need to gauge how they treat others who they perceive as being in a ‘lesser’ position. If you can’t go out to lunch, notice how they treat their assistants, their office staff, and people who walk into the office,” she says.

Kin HR’s Bryant suggests asking to spend some time with the people who could become your colleagues, too. “You can talk to — or at least request of the interviewing manager — to spend some time with the folks who are your peers at the job,” he says.

“Ask them what expectations they held coming into the job and whether or not those were met. Ask them if they have the tools and resources they need to do their job effectively. Ask what the biggest obstacles are to success, and why those aren’t removed,” Bryant says.

“If you’re looking for specifics about the person who’ll be your immediate supervisor, ask things like, ‘How does s/he communicate? What are her/his methods for holding people accountable? Can you describe a typical decision-making process? Do you feel like you have the support and freedom to do your job or are you micromanaged?’” says Azzarello.

But remember, Aiken cautions, to take some of this information with a grain of salt. Since the interviewing team will be selecting the folks you’ll have access to, you may not be getting the entire, unblemished picture.

“Now, you must remember that management is going to select the people you’ll be talking to, and they’re going to choose employees they feel will give the most positive view of the company,” she says. “So, just remember that there will be a bias,” she says.

‘At-Will’ Employment Goes Both Ways

If you do end up in a situation with a bad boss or a poor working environment, it can be helpful to know if your state supports the idea of “at will” employment, says Bryant.

While “at will” statutes empower employers to hire and fire as they see fit, employees can also benefit, especially in a booming tech industry market where employment’s plentiful, he says.

“If you’re in an at-will employment state, you’re not bound or beholden to the company to stay, or even to give two weeks’ notice if you decide to leave,” Bryant says. “Especially in IT, it’s a bustling economy and you can walk away; with a low unemployment rate, it can be much more productive to find another situation than to stick it out under a bad boss or in a bad work environment,” he says.

“Always remember to ‘run to’ a job for the ‘right’ reasons,” says Cleverbridge’s Aiken. “Even if you’re currently in a bad situation, make sure you’re taking a job opportunity because it’s the right thing for you, not just because you hate your current situation,” she says.

That said, it can happen that sticking it out under a bad boss or in an otherwise less-than-ideal job situation is worth it if it opens doors and clears the way for even greater professional and personal growth and advancement, says Azzarello.

“From my own experience, I worked under a boss who was a walking red flag,” she says. “But that position and the experience I gained opened up so many more opportunities for me later — jobs with global scope, with increasing external responsibilities, rapid advancement. So, you should always gauge the pros and cons and decide what’s the best for you and for your future,” Azzarello says.

