Opinion: Corporate Compliance Isn't Training

I spend a lot of time mentoring on client sites, and many of the clients are large organizations. Often these organizations require me to attend "training" on a regular basis, to satisfy their corporate compliance goals.

I don't mind doing this at all, even though the course on conflicts of interest, or handling private or sensitive data, at company A is invariably almost word for word the equivalent course that I do at company B, and company C.

The ones that I really don't like though, are the ones where corporate IT security is spelled out as if it's obvious, and yet I know that what they're pushing doesn't meet any of the current guidelines that have come out of serious research into the topics. The NIST guidelines on passwords (SP 800-63B) would be a good place to start.

Training should involve learning something.

The vast majority of staff at these organizations wouldn't learn anything from these "courses", and invariably the questions that they need to get, say, 80% correct on are so mind-numbingly obvious that I see many staff not even paying attention while the videos play, then quickly answering the questions at the end to keep their managers happy.

But my biggest issue is that for many companies, almost all the corporate training budget is now going to these "courses". My take on this is that the cost of delivering this material should be in a "corporate compliance" budget, not in anything that pretends to be a "training" budget.


Basic Photo Viewer in Windows 10 – Where have you been?

I teach SQL Server, BI, Azure, and AI classes on a fairly regular basis, and one thing I love to do is to show attendees images (or photos) of where the application of the technology has gone very right or very wrong. Ever since I installed Windows 10, though, that became much harder.

The Photos app that's installed with Windows 10 must have someone who loves it, but that's not me. There seems to be no way to just have it automatically maximize the images, so I'm always showing them, then having to resize them.

What I wanted is an app where I can double-click an image, and it would display it for me, maximized to whatever screen real estate I had available. The old Windows Photo Viewer did that to a reasonable extent, but the new Photos app in Windows 10 just seemed to have no way to do that simple task. I've seen a lot of articles by people desperate to reinstall the old Windows Photo Viewer. Microsoft has been making that harder and harder, and even though you can get it working, it doesn't integrate with other things very well.

So the other day, I figured I'd just have to write an app that did what I wanted but thought I'd check the Windows Store first, and I'm glad I did. There's an awesome app called Basic Photo Viewer, and for those that hate paying for apps, even better, it's free. It has an option to upgrade to Pro but there's nothing in that for me at present.

It worked so well, I was wondering where it had been all my life. Well at least since Windows 10.

I set it as my default program for viewing images in Windows, and when I double-click an image file now, I see this:

There's a nice clean image. If I click the mouse up near the top of the screen, the menu bar appears. The top left has this:


And the top right has this:

There were a few settings that I changed. I chose to hide all pro features (otherwise, oddly, it lets you set things you can't use), and I chose to have a clean screen by using this option:

The app can also do things like display a slide show by showing all files in a particular folder with a configurable delay, etc. but for me, I just wanted a simple program that displays an image as well as it can, when I double-click the image.

I can't believe I put up with the other app for so long, and didn't go looking for a better one.

Highly recommended!


Opinion: Having staff stumble around is false economy

One thing that I see time and again on customer sites is staff who really don't know what they're doing in trying to solve a problem, or when they are trying to implement a new solution, yet their company just continues to pay them to stumble around while getting almost nowhere.

I'm not talking about someone who's taking longer to achieve something than an expert. I'm talking about staff who are really out of their depth.

Paying someone to do that rather than getting them help or training, so that they know what they're doing, is simply false economy. Implementing poorly designed solutions is even worse.

An even better option would be to pay someone to sit with them and mentor them while they are doing the work. I have a real preference for this as it allows the mentor to just fill in the knowledge gaps, and after all, it's the staff who will be there later when the solution needs to be looked after.

The real trick for a manager though, is to work out how to detect when this is happening. I see three problems in this area:

  • Often the staff involved will not be keen to highlight their own deficiencies
  • Some staff like to just poke around on a problem or idea as that might be "fun"
  • Often the manager won't have the technical knowledge required to be able to detect the skills shortage and might be blind-sided by the staff

And yes, I understand that at many companies, the training budget is a separate bucket to the payroll. But surely someone must be responsible for the overall profitability (or cost avoidance) at the organization.

I'd love to hear your thoughts.


Opinion: Design the Business Model, not just the App

I posted the other day about how the pricing of apps has become silly. Most apps are priced so low that there really isn't much income but worse, most don't have a business model for the authors.

I'm sure that many smartphone app developers just think they can offer an app and get a bunch of money in quickly. They don't seem to have thought about what happens beyond that point.

But for both them and the users of the apps, there needs to be an actual business model. 

So many apps require ongoing back-end servers to function, yet they have no recurring funding model within the apps. Users will expect the app to keep working across operating system upgrades to their phones, even though upgrades to the apps will be required for them to still work well. Finally, ongoing bug fixes and security patches need to be funded somehow.

So many vendors ask you for $3 at purchase, yet have no ongoing income to fund back-end services and upgrade coding. They are typically depending on one of two things:

  • There will be a constant stream of new people buying their app so they'll have a good flow of income
  • They'll sell upgrades to the apps

Selling upgrades might work where functionality is added but will be a much harder sell when it's just fixing compatibility issues with later OS versions. Users will see that What I've noted lately though, is that a number of them are starting to realize they really have no ongoing business model at all. Here's an example:

I love the FlightRadar24 app on the iPhone. It was cheap to buy and it just kept working, even though they didn't get any further income from me. Recently though, they offered an upgrade to a new version, but the subtle change was that for the upgrade fee, they'd convert your existing permanent license to a three-month subscription for the new version. They're now trying to move existing permanent licensees to a subscription model.

Now they might be really clever and have planned to do all this in the first place, but I suspect that it's more likely they've realized they need ongoing income.

Image by RawPixel

If you're going to design an app, you need to also design the business model. It's much harder to fix that later.

An MVP (minimum viable product) needs to be viable.

Opinion: Just how cheap should applications be?

In a recent post, I talked about my use of SnagIt and how I think people should be prepared to pay a little for applications. I'm endlessly puzzled by people I see stumbling around using free alternatives that don't do the job, when there are good options available.

I had some interesting feedback from that post, and it got me thinking further about how much we should be prepared to pay for applications. Why is there an expectation that most apps that we use will be free?

The smartphone market is the one that seems most distorted on this. I've seen sophisticated applications that would have sold for hundreds of dollars years ago, being sold for $9. And what do the reviews say?

Great application but so expensive.

The perception is that that application should have been $3 instead. How dare they charge $9 when most apps are $2 or $3.

How did we get to this point? And the current app stores are making it worse.

I was talking to a friend in Brisbane recently. He mentioned that he had built an app and put it into an app store. It was being sold for $1.99. When it was being used, it connected back to his servers that he was paying for. After the first month, he'd sold 300 copies and things were looking up. At the end of the second month, there were over 10,000 users connected to his servers but here's the rub:

He'd still only sold 500 copies.

So what on earth had happened? Turns out that someone had reverse engineered his $1.99 app, added advertising into it, and put it back in the app store as a different app, offered for free.

That's just beyond ridiculous, at least if we want there to be apps for us to buy.

I'd love to hear your thoughts.


Opinion: Shout out to TechSmith for Snagit

I don't normally do blog posts to just promote products from companies, but two weeks ago I was asked about tools that I use on a daily basis and that I really wouldn't want to do without. Normally with a question like that, I have to think for a while. But this one's easy: It's SnagIt from TechSmith.

It's the one tool that I use in nearly every part of my work. I use it all day long. If I didn't have it, it would harm my productivity in a significant way.

I was using it at a client site the other day, and the client commented on how easily I could do things using it, compared to the way that he did screen captures, etc.

I'm always amazed at how people at various companies will go to extraordinary lengths to avoid paying small amounts for tools that change their productivity. I see people trying to use free snipping tools, etc., and it's all so clumsy.

Don't be that person.

Be prepared to pay a small amount for tools that can change your personal productivity.

Note: TechSmith now gives me a free license for this tool, but I was buying it long, long before they did so, and I would continue to do so if they stopped providing me with one.

Like with anything you've used over a long time, you can have a love-hate relationship at times. And there have been some very recent updates to the 2018 version where I've had performance issues, but I've just installed the 2019 version and everything seems to be sunshine and unicorns again performance-wise.

Is there anything I wish was better? Yes. A few versions back, they changed how the capture part works, and it's now slower for me to use, in terms of the UI. It takes an extra screen click to achieve what I want. It's hard to describe how little things like that make it feel like you're working slower. I really wish I could just hit PrintScreen, drag and click to capture, and have it already in my clipboard, without needing to go into the editing screen. I don't think there's any way to do that now. When I'm taking a lot of screen captures for recording a step-by-step process, that would speed things up. But we're talking about pretty minor stuff.

If you haven't tried this tool, just download it and try it. I suspect you won't want to ever then give it up.


Opinion: Why penguins don't explode and the need for basic research

When government funding is tight, it gets harder and harder to get grants to perform fundamental research. The government always wants to see outcomes, and this means that the grants committees need to show outcomes. In turn, this often leads to research funding bodies doing one of three things:

  • Only funding research that's nearly complete
  • Only funding well-known researchers with a track record of outcomes
  • Only funding research in areas that are already showing promise

Now while at first glance that might sound like a reasonable way to proceed, it's not.

If you only fund research that's nearly complete, you are more likely to get an outcome, but what you are funding is development, not research.

If you are only funding researchers with a track record of outcomes, and in areas already showing promise, you will struggle to get great outcomes.

The best outcomes in science have always come out of left-field. As an example, you might assume that MRIs were developed by medical technologists. However, the work on those came from work by chemists and physicists, based on earlier work by other physicists and an astronomer. None of these people were working on medical technology at the time.

As for fundamental research, one of the best thesis titles I ever saw was "Why Penguins Don't Explode".

Famous image from the wonderful Monty Python's Flying Circus

Now before you scoff at anyone proposing a topic like that, it was accepted knowledge for a long time that penguins must only dive down about 20 or 30 metres. But this guy tracked them and found they dived up to 500 metres. He was fascinated by how anything living can dive down 500 metres and not implode, and conversely, how does it come screaming up to the top of the water and not explode. Penguins also don't get the bends.

So how does that work?

We need people noticing these things and researching them. We might have to fund a thousand of these projects to get anything concrete back. But whole new industries can come from the handful that get an outcome.

BTW: I went looking for the final thesis but can't find it at present. My guess is that the academic fraternity made him "tone down" the title of the work.


Opinion: Passwords are a completely broken concept

For a long time, passwords have troubled me conceptually. I now believe that, as a concept, they are beyond broken. As an industry, we need to do better.

I might well need to deal with more identities, passwords, multi-factor authentication options, etc. than the average consumer, but I know it's beyond me to get this right, at least in the way that vendors, financial institutions, and service providers expect me to.

Let's look at the "simple" requirements that we now ask people to comply with:

  • Use a complex password
  • Don't write it down or record it anywhere
  • Change it regularly
  • Use different passwords for every site that you deal with

Is that even humanly possible?

Is requiring someone to do something that almost no human could do, even legal?

I'd love to see it tested.

Then let's compound this with completely different complexity rules for almost every site. You can't have any sort of mental pattern of how to do this either. Some sites won't allow special characters, some won't allow more than a small number of characters, some want only alphabetic characters, some want numbers only, some want alphabetic characters and numbers mixed, some want upper and lower case combinations, etc. etc. etc.

Password Managers

And yes, I hear some say, everyone just needs to use a password manager. But while they can help, are they all really safe? What do you know about who wrote them? Is putting all your credentials into a single spot really a brilliant idea?

Password Rules

Many of the ridiculous rules that we confront users with on a daily basis are justified on the basis of "security", but how does a user challenge the validity of the requirements?

For example, forced password expiry has been shown time and again (by detailed research) to actually reduce security overall; NIST SP 800-63B now says not to require periodic changes unless there is evidence that the password has been compromised. Yet how many organizations still force people to do this?
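To make the contrast concrete, here is an added example (not the author's code, and not any vendor's policy engine) showing what a password check looks like when it follows NIST SP 800-63B rather than the legacy composition rules above. SP 800-63B asks verifiers to require at least 8 characters, accept at least 64, accept all printable characters and spaces, reject values that appear on lists of compromised or commonly used passwords, and not to impose composition rules or periodic expiry. The blocklist below is a constructed stand-in for a real compromised-password dataset.

```python
"""
Added example: a legacy composition-rule check beside an SP 800-63B style check.
Not the author's code. BLOCKLIST is a constructed stand-in for a real
compromised-password corpus.
"""
import unicodedata

MIN_LENGTH = 8    # SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64   # SP 800-63B: at least 64 characters must be accepted; this is that floor

# Constructed stand-in; a real deployment checks against a large breached-
# password corpus (often via a k-anonymity range query) rather than a literal set.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1", "p@ssw0rd"}


def legacy_check(password: str) -> list:
    """The kind of composition policy the post complains about.
    Returns a list of rule violations; an empty list means accepted."""
    problems = []
    if not 8 <= len(password) <= 16:
        problems.append("must be 8-16 characters")
    if not any(c.isupper() for c in password):
        problems.append("needs an uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("needs a lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if not any(c in "!@#$%^&*" for c in password):
        problems.append("needs one of !@#$%^&*")
    return problems


def nist_style_check(password: str, blocklist=BLOCKLIST) -> list:
    """SP 800-63B style check: length plus a compromised-password blocklist.
    No composition rules. Expiry is not a property of the password at all,
    so it does not appear here; rotation is forced only on evidence of
    compromise. Returns a list of violations; an empty list means accepted."""
    # 800-63B: normalize Unicode (NFKC or NFD) before comparing or hashing.
    pw = unicodedata.normalize("NFKC", password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # Case-insensitive matching is this example's choice, not a NIST requirement;
    # real breached-password lists are usually compared on the exact string.
    if pw.lower() in blocklist:
        problems.append("appears on the compromised/common password list")
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "penguins never explode at depth"]:
        print(repr(candidate))
        print("  legacy :", legacy_check(candidate) or "accepted")
        print("  800-63B:", nist_style_check(candidate) or "accepted")
```

Run it and the two policies disagree in both directions: "P@ssw0rd" satisfies every composition rule yet is on the blocklist, while a long lower-case passphrase fails four legacy rules and passes the 800-63B check. That is the point of the research the post refers to: the rules users are forced through are not the rules that actually predict a weak password.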

We need to do better

As an industry, we should be ashamed of what we've created.

Opinion: Start and finish meetings on time – don't wait for stragglers

It's bad enough today that 90% of all online meetings seem to start with endless "can you all hear me?", "can you see this?", "I can hear you but I can't see it", "John's trying to connect but can't", etc. etc.

But the one that annoys me most is:

Let's give it a few more minutes for stragglers to connect in

Why exactly?

This often happened with in-person meetings too but it seems even more prevalent now with online meetings. In both cases, it's inappropriate.

What this actually says is "I know you all connected in at the time we said the meeting would start, but I don't care enough about your time to keep to the agreed schedule. I'm more concerned about the people who didn't connect at the right time."

I used to coach youth baseball teams, softball teams, and soccer teams. I felt the same way with those. Most parents made sure their kids were there on time. A few didn't. But why should I waste the time of those that did, for those that didn't?

People who are late will understand that they're late and they might have missed something. But guess what? They'll also be more inclined to get there on time next time. (Or at least most will).

A similar issue happens when meetings drag on without a conclusion at the agreed time.

Don't do this either

If you didn't schedule enough time, learn to schedule more. If you didn't manage the meeting properly, learn to manage it better next time. But respect the time and other commitments of attendees.

Also, try whenever you can to avoid the meeting in the first place, if there's a better way to resolve whatever needs to be discussed.

Finally, if your meetings are endlessly starting late because of connection issues, fix them too.


Opinion: Don't chastise people for not doing a bot's work

I spend a lot of time consulting across a variety of companies. Often I'm there doing what we consider "mentoring" and that means I'm there on and off for longer periods. Because of that, I often have to do the same compliance "training" that their own employees do.

The first thing I'd comment on is that unfortunately this sort of compliance ends up being counted against the company's training budgets. Let's be clear:

That's not training

Most of the staff in the organizations see it as falling somewhere between an annoyance and a joke. The company makes the staff do these "courses" to keep the company out of trouble, not so that the staff actually learn anything. Worse, it's often so the company can blame the staff when they do the wrong thing. The company doesn't really believe that its staff fail to understand conflicts of interest or email policies. They just want to be able to avoid staff later saying that they didn't know they were doing the wrong thing.

One set of annoying courses forces staff to follow security policies like frequent password resets, etc. "to keep the company secure". Yet time and again, cyber security research has shown that forcing frequent password resets actually reduces security. (See the current NIST guidelines, SP 800-63B, for details on passwords. Here's an article as an introduction.) So the company is actually forcing people to take actions that reduce the company's security.

But the ones that annoy me the most are the ones where staff are asked to do things that the company's systems should be doing instead of the staff. Here's a hint:

If you need to run a course to tell people not to follow links in emails where the link address doesn't match the displayed URL, why not get an email system that does that check instead? If it's easy to teach people to do it, then teach a machine to do it instead.
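That particular check is easy to express in code. The following is an added example written for this page (not the author's code, and not taken from any mail product): it walks the anchors in an HTML message body and flags every link whose visible text presents itself as a URL but whose href points at a different host. The message body is constructed sample input, using documentation-style host names.

```python
"""
Added example: flag e-mail links whose displayed URL and actual href disagree.
Not the author's code. SAMPLE_EMAIL_HTML is constructed input, not a real message.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body; hosts are made-up documentation/test names.
SAMPLE_EMAIL_HTML = """
<p>Your account needs attention.</p>
<p>Sign in at
<a href="http://login.example-bank.com.evil.test/x">https://www.example-bank.com/login</a></p>
<p>Help is at <a href="https://www.example-bank.com/help">www.example-bank.com/help</a></p>
<p>Or <a href="https://track.example-mailer.test/r/123">click here</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element that has an href."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())   # collapse whitespace
            self.links.append((self._href, visible))
            self._href = None


def host_of(url_like: str):
    """Lowercase host of a URL, or None if no host can be parsed.
    Scheme-less text such as 'www.example.test/path' is given http:// first."""
    candidate = url_like if "://" in url_like else "http://" + url_like
    return (urlparse(candidate).hostname or "").lower() or None


def looks_like_url(text: str) -> bool:
    """Does the visible link text present itself as a web address?
    Heuristic chosen for this example: has a scheme or starts with 'www.'."""
    t = text.lower()
    return "://" in t or t.startswith("www.")


def find_mismatched_links(html: str) -> list:
    """Return (href, visible_text) pairs where the visible text is a URL whose
    host differs from the host the href actually points at. Plain text such as
    'click here' makes no claim about the target, so it is not a mismatch."""
    collector = _LinkCollector()
    collector.feed(html)
    mismatches = []
    for href, text in collector.links:
        if looks_like_url(text) and host_of(href) != host_of(text):
            mismatches.append((href, text))
    return mismatches


if __name__ == "__main__":
    for href, text in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"MISMATCH: shows {text!r} but goes to {href!r}")
```

On the sample body only the first link is reported: its text shows the bank's login page while the href lands on a look-alike host. A gateway filter would go further than this example does, for instance comparing registrable domains via the public suffix list rather than whole hosts, and catching internationalised look-alike hosts, but the core rule is exactly the one the course asks humans to apply by eye.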

Don't blame people for doing something wrong that a system or a bot should be doing in the first place!