By chance (conferences, public announces from authorities) and by design (I have been working or studying these two subjects for some time), over the last two weeks I published articles on two main issues: managing of resources, and security.
Conveniently, this week-end comes half-way through the month, and today and tomorrow I would like to share few forward-looking thoughts based on experience and observation.
As it is my tradition for week-end articles, I will try to keep both short, and to inject some “pointers” from my experience, should somebody be curious about the pre-conditions that seeded both the experience and the observation.
First, a shared introduction (500 words).
On Thursday I attended an interesting conference organized by ISSA and hosted by Deloitte here in Brussels, with a presentation from Microsoft of their U-Prove initiative/platform, followed by a discussion from Deloitte about what they observe on the market for “identity-related” projects.
If it does mean nothing to you: when you surf on the web, sometimes you are on the web, and your identity is checked by the website that you visit, but increasingly you see “use your Facebook login”- i.e. Facebook is “vouching” for you, giving you access to the services of somebody else, because that somebody else trusts that Facebook has the ability to check your identity.
At the same time, for your convenience and to reduce costs, also when you use your computer at work applications often work through your browser- and sometimes you do not really know if you are working inside the company, or using an external service provided by somebody else.
In both cases, you need “trust”, and you inherit “rights” once your “identity” is acknowledged.
On a broader sense, this applies also outside the working or browsing environment, and, by using more and more Internet-based services, we share into the unknown information about who we are, what we do- and “meta-information”, i.e. information about the information that we search, like, with which frequency, under which name, and so on.
The “under which name” sounds funny- but only if you use Internet just to read newspapers that do not require registration: otherwise, most people have multiple identities online, including to “mask” their real identity from stalkers etc, or to try to keep a residual privacy.
But beside the “identity”, there is also the issue of “profiling”- beyond what your supermarket does whenever you pay with plastic instead than cash, with or without you loyalty card.
And, of course, the strictly related issue of “rights”- Internet is a global environment, but how do you marry the global network with a local legal framework, i.e. the 1990s “think globally, act locally” transposed to the Internet?
I promise that I will keep both articles to few pages- this blog is anyway sharing online drafts for future publications, so there will be time to expand (or amend).
If you have any feed-back, twitter me: @robertolofaro.
PRINCE: PRofiling IN a Controlled Environment
No, I am neither referring to aristocracy nor to project management- but the concept is shared with both.
But I couldn’t resist, on a week-end, the temptation to refer to “Il Principe” written from Machiavelli, and to PRINCE2, the project management methodology.
Anyway: in both cases, the key issue is the same- you have a reference framework (a person and what that person represents, or a purpose and a temporary organization assembled to produce specific results).
Why my twist on “profiling”? Because it is something that used to be “technical”, but “profile” is a concept that now is familiar to whoever goes online, not only the usual early adopters (thanks mainly to Facebook- not being the first sometimes pays off, as you can walk on the shoulders of giants- and leap forward).
And when I say “technical”, I mean for experts, not necessarily computer experts: psychologists, criminologists, suppliers to know which services you buy, etc.
Profiling is embedded in human nature- it is what helps us to adopt concept such as “multicultural”, and allow us to quickly interact with people that we do not know.
Translating a terminology from another field, in person-to-person interaction we never operate on a “zero-based” budget, i.e. starting afresh with each person that we meet: we assess the new “relationship budget” based on our prior experience.
Before discussing profiling as an activity, and why I think that it is a nice industry, but at least few decades behind reality, a first reference, a scholarly review of professional profiling, from law enforcement to HR management to social science- stating why profiling does not work and it is a massive waste of resources.
I believe that a sense of humour is an important element in managing change (and in keeping long-term personal and business relationships), as it allows to avoid head-in-the-sand attitudes.
Therefore, few visual references on profiling (admittedly- my sense of humour could be different from yours):
- Profiling fooled: “The Serpent” / “School for Scoundrels” (the original one, not the remake)
- Deterrence based on profiling: “Deterrence” / “Doctor Strangelove”
- Profiling gone awry: “Good night and good luck” / “The Green Man” (yes, I know- so Curzon Soho)
There are tons of books about real-life decision-making mistakes based on profiling, but I suggest just three:
- “A short history of financial euphoria” (just over 100 pages)
- “A legacy of ashes” (sorry- over 700)
- IEEE Spectrum, on the 170+ USD million attempt on the FBI Virtual Case File system”
Before coming to Brussels, 360 degree view was something that I linked to mathematics and flight-plans.
In my experience from both sides of the table in selecting personnel, at most the research was on checking character and references with previous contacts- and creating incidents to test was done only in controlled environments, e.g. to prepare on “live activities” for moments when you would need to know how people would react.
The emphasis, is, of course, intentional: creating “profile testing” events in an open environment is a potentially damaging waste of resources, as you can neither know nor measure how the environment could react, potentially generating an undesired feed-back (“butterfly effect”).
But it still makes sense in a controlled environment, and I would like to share my “progression”.
First, a digression on profiling.
I will skip the old history- politics, book/technology selling, ghost-writing in high-school, volunteer support in the IT laboratory in the university (to design tools based on profiling the behaviour of the typical student).
Because, if you read again the list, you will see that each one of those experiences was based on the voluntary participation by all the parties involved- i.e. a controlled environment that you voluntarily joined, assuming to know the rules.
My first experience in a semi-controlled environment was in the Army, during my compulsory service.
Out of boredom for being confined to the infirmary, I volunteered my experience in using a typewriting machine and doing bureaucratic tasks (I was called “the perfect bureaucrat” – I always embed in the job :D).
Eventually, as at 20 by choice I had grown an off-regulation beard, and people assumed that I was much older- an officer called me “Architetto”, architect, before I said my real age 😀
I already wrote the logic online: basically, to keep being an individual by using the perception on the side-effects that the beard has on my skin- pretending that cutting the beard would be not possible.
Thanks to my appearance, role (on scheduling work, suggesting time off, and other bureaucratic tasks), and… patience, I had everyday quite a few coming to plead their case, negotiate a change in service, snoop on opportunities for more relaxing services, or just complain/confess.
Moreover: once a month there were about 20 new recruits: and I had to interview them, check their papers, studies, work experience, and so on.
I call it “semi-controlled”: the environment was well-defined, but the attendance wasn’t: almost none of the recruits would have been there, if it weren’t a legal requirement.
I quickly developed the ability to profile vs the job from the reaction to a phrase, how they talked, etc (two “socio-economic tribes”- with an unusual level of high school diplomas and university students/graduates, at a time when about just 5% of the Italian population had an university degree).
After the Army, I ended up on the other side- I was the profiled and “tested” one, but, in this case, in a controlled environment, and based on “profiling” tests during our training period (training on methodology and mainframe software development).
The first “on-the-job” test was from my branch manager, who dumped on my table the request to prepare a budget for the first fixed-price project in the company, and a large one as well
While my coursemates where idling by, waiting for the project to start, I was crunching and assembling numbers, using as a reference material that I had received on how to structure the budget.
In the next project, I was given half a day to read the documentation on a General Ledger project (my colleagues had been dispatched first, and had been given a full week), studying more when off-duty, but starting then to receive, beside programming tasks, budget controlling and QA/QC tasks of increasing difficulty.
And so on. As I recognized later, those tasks were a profiling activity for another series of tasks, e.g. sometimes, when I started living alone, I was at home around midnight after taking a airplane, with a taxi waiting for me at 5am… to catch another airplane, with maybe (it was before e-mail and mobiles) half an hour before the meeting to prepare a brainstorming session.
That’s the beauty of profiling: also if you already did it before, you need experience on the same type of profiling to notice it.
But those were all “stress tests” in a controlled environment.
When I had to help to select some critical people, usually the “test” was done after discussing with the usual sources, using a mix of formal and informal meetings (both are required, as you have to use different activities and environments to extract information or to check information).
When we could not give a positive or negative answer, we identified “test” activities that enabled assessing not a generic, theoretical profile, but a profile vs our purpose.
Whenever I was asked to profile people, teams, companies, I always kept in mind the boundaries of the profiling activity.
And always shared with my customer/employer what I was taught by auditors and former auditing managers to do: you have a framework of reference (in my case, the purpose), and you have either a clear case, or you can qualify your answer; you are the analyst, not the decision-maker.
As described in the article linked above, unfortunately most of the “profiling” industry works on pre-conceptions and as if they were operating in a controlled environment, as it was before the Internet and low-cost travel, using standard profiles that match maybe the experience/training/coaching of those doing the tests, but do not necessarily match the profiles of those that they are trying to investigate or hire.
What I observed in open-ended reviews is fascinating: the reviewers behave as if they had full control of the environment, also when they generate situations in travels, social networks, and in other open environments.
In the end, beside running against costs, it becomes a matter of generating a result, not observing it.
As a matter of professional pride (i.e. generating a self-fulfilling prophecy based on pre-conceptions not supported by reality): a XIX century attitude using XXI century technology.
Personally- I still rather use my method: it is based on reality, not assumptions, and allows a constant monitoring, to identify any corrective action required (Six Sigma is not just for cars!)