Appraisal Season Never Ends for Security

Feb. 16, 2012

I recently got a rather amusing forwarded e-mail from a friend who is a senior security guru in a large IT company. He had just received the news he had to prepare for the annual corporate appraisal season, and wanted to share the corporate e-mail with me. I had to look again. Appraisal season? Yep, it said season — not an event or a document, but an entire season. Welcome to Corporate America in the 21st century.

When I was a young Air Force enlistee many years ago, I received an annual performance review (shortened for us as an acronym: APR). The APR was a document you received once a year, as the title implied. It was the responsibility of your supervisor to fill it out. Your boss typed it up on a one-page, two-sided form using an IBM Selectric III typewriter. It was then reviewed by an administrative specialist for spelling, grammar and format, and was sent up the chain of command for two more levels of endorsements. It was then signed and filed, and you got “Copy C.”

My buddy’s e-mail from his corporate overlords contained a far more intimidating process. It started with a month of self-assessment. It began by requiring him to fill out an onerous, 10-page online form where he was charged with evaluating his own performance, citing his strengths, weaknesses and areas for improvement. In order to be able to accurately fill out the forms and get the proper endorsements, there are also three hour-long training sessions that are mandatory during the first month of the process…er, season. In addition, he had to seek out peers to also comment on his performance. He was then required to schedule a meeting with his boss to review these efforts. After the meeting, his boss is then required to fill out a similarly staggering amount of information about his performance while commenting on the self-assessment and integrating the comments and observations from his peers. This segment requires another month of effort.

After this monstrous two-month data call, there is now another month dedicated to correlating all these data and ratings into another online document. In addition, some new data needs to be generated to create a personal improvement plan, followed by a separate corporate development plan that will supposedly guide him into promotion opportunities. Total time: four months. If this sounds like an incredible amount of tedious effort, it is.

Who came up with all this? Certainly not his corporate HR department — no, that’s too much work for them. They bought a “program” from a vendor that claims to provide the best rating system available (apparently, the bigger and more time-consuming the process, the better). The computer-managed program tracks all the data input into the rating system, and automatically generates deadlines, reminders and exception reporting.

Consider work appraisal in a simpler time. Og is leading some members of his tribe out to hunt mastodon; Urp manages to fall asleep on his rock waiting for the mastodon to crest the hill, and the hunt is a bust after the animal slips past. Before the hunting party returns to camp to eat another meal of grass, Og sidles up to Urp and explains that Urp is going to be relegated to remain fireside, stirring the grass soup during the next hunting party. That’s simple, effective feedback.

I cannot fathom how a four-month “appraisal season” with several training sessions, numerous meetings, and dozens of pages of text makes this process any more effective or valuable, either for the ratee or the organization. I’m sure someone has been awarded their doctorate in the subject, and I suspect they now own the software company that sells the complex time-sink to my buddy’s company.

As security professionals, we have a pretty brutal self-appraisal system that doesn’t usually align with the ones implemented by our leaders or the HR department — it comes from the threats that besiege our organizations. Every security professional I have known felt personally affronted by attacks and especially breaches of their defensive controls. Our vocation provides its own rewards, but especially punishes the crushing realities of being bested by our often anonymous and faceless opponents.

Our unique perspective enables us to look at the corporate appraisal system with a mixture of annoyance and amusement. Most of us get our feedback almost daily as we tackle the challenges of facing mounting threats to our organizational resources. This isn’t a career for the faint-hearted or the indecisive. No one can appraise us any more critically than we appraise ourselves. It is the reason for the season, and the season is always now.

John McCumber is a security and risk professional, and author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, e-mail [email protected].

About the Author

John McCumber

John McCumber is a security and risk professional, and author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, e-mail [email protected].