Human Capital: Our Most Important Asset

I have recently been reading about a selection of topics surrounding employees, skills and how we hire, onboard and engage with our staff. This has brought me on to the concept of ‘human capital’ which is:

Human capital is a measure of the “knowledge, skills, competencies and attributes embodied in individuals that facilitate the creation of personal, social and economic well-being”
(Organisation for Economic Co-operation and Development).

In my role as a Managing Consultant, I’m often involved in the hiring process, from writing job specifications to technical screenings, and over the last year I have been one of two final interviewers for almost all our Security Engineering hires. When driving this process to find and hire great people, I sometimes find it hard to articulate the non-technical knowledge, skills and competencies I’m looking for in a candidate. That is where I think human capital can help: in defining key indicators and metrics for candidates and existing employees.

Quoting the CIPD: “business has yet to come to an agreed way of valuing and reporting on the value of a workforce’s knowledge.” While searching for a simple (yet well thought out) collection of metrics to look for and define, I came across this paper (PDF), which introduced me to KSAOs (knowledge, skills, abilities and other characteristics). In the following weeks I hope to do some further research and trial integrating this into the job specifications and interviewing guidelines I have written.

I thought I would add this interesting checklist from SF Magazine which aims to get you up and running with human capital strategy ASAP:


Seek Security Platforms that Integrate

It’s an established problem that many organisations have too many security tools deployed. Each one requires expertise, integration points and patches, and in many cases they can even extend your attack surface. I recently read this article by Rick Howard from Paloalto Networks* and it calls attention to the fact that platforms which don’t integrate [easily] are likely to fail the test of enterprise deployments and will not be extensible in the long term, minimising the value they bring to the business.

[…] most network defenders. For their entire careers, they have been trained that vendor-in-depth and best-in-breed are golden principles in cybersecurity. When all else fails, follow the golden principles. […] 

Ironically, these same network defenders have missed the point advocated by Geer’s monopoly paper. In it, the authors advocate several actions designed to limit the attack surface of the Microsoft operating system platform:

  • Publish interface specifications to major functional components of its code, both Windows and Office.
  • Foster development of alternative sources of functionality through an approach comparable to the highly successful “plug and play” technology for hardware components.
  • Work with consortia of hardware and software vendors to define specifications and interfaces for future developments in a way similar to the Internet Society’s RFC process to define new protocols for the internet.

[…] you will find that adopting a security platform that integrates with other vendors is exactly the same solution.

Source: https://researchcenter.paloaltonetworks.com/2018/03/cso-security-platform-monopoly/ 

Rick’s conclusion is valuable and, in my experience, a path only some vendors are taking in this space.

Publishing open APIs and carefully documenting how to extend and integrate the software with other vendors should be the baseline and not a ‘gold standard’. 

*Note that I don’t endorse Paloalto Networks, I just found this article informative and inline with my own beliefs. 
