people – Page 2 – Alice, Eve and Bob

Who gets acknowledged?

Some of the less obvious folks who get a mention in my book, and why

After last week’s post, noting that my book was likely to be delayed, it turns out that it may be available sooner than I’d thought. Those of you in the US should be able to get hold of a copy first – possibly sooner than I do. The rest of the world should have availability soon after. While you’re all waiting for your copy, however, I thought it might be fun for me to reveal a little about the acknowledgements: specifically, some of the less obvious folks who get a mention, and why they get a mention.

So, without further ado, here’s a list of some of them:

David Braben – in September 1984, not long after my 14th birthday, the game Elite came out on the BBC micro. I was hooked, playing for as long and as often as I was allowed (which wasn’t as much as I would have liked, as we had no monitor, and I had to hook the BBC up to the family TV). I first had the game on cassette, and then convinced my parents that a (5.25″) floppy drive would be a good educational investment for me, thereby giving me the ability to play the extended (and much quicker loading) version of the game. Fast forward to now, and I’m still playing the game which, though it has changed and expanded in many ways, is still recognisably the same one that came out 37 years ago. David Braben was the initial author, and still runs the company (Frontier Developments) which creates, runs and supports the game. Elite excited me, back in the 80s, with what computers could do, leading me to look into wireframes, animation and graphics.
Richard D’Silva – Richard was the “head of computers” at the school I attended from 1984-1989. He encouraged me (and many others) to learn what computers could do, all the way up to learning Pascal and Assembly language to supplement the (excellent) BASIC available BBC Bs and BBC Masters which the school had (and, latterly, some RISC machines). There was a basic network, too, an “Econet”, and this brought me to initial research into security – mainly as a few of us tried (generally unsuccessfully) to access machines and accounts were weren’t supposed to.
William Gibson – Gibson wrote Neuromancer – and then many other novels (and short stories) – in the cyberpunk genre. His vision of engagement with technology – always flawed, often leading to disaster, has yielded some of the most exciting and memorable situations and characters in scifi (Molly, we love you!).
Nick Harkaway – I met Nick Cornwell (who writes as Nick Harkaway) at the university Jiu Jitsu club, but he became a firm friend beyond that. Always a little wacky, interested maybe more about the social impacts of technology than tech for tech’s sake (more my style then), he always had lots of interesting opinions to share. When he started writing, his wackiness and thoughtfulness around how technology shapes us informed his fiction (and non-fiction). If you haven’t read The Gone-Away World, order it now (and read it after you’ve finished my book!).
Anne McCaffrey – while I’m not an enormous fan of fantasy fiction (and why do scifi and fantasy always seem to be combined in the same section in bookshops?), Anne McCaffrey’s work was a staple in my teenage years. I devoured her DragonRiders of Pern series and also enjoyed her (scifi) Talents series as that emerged. One of the defining characteristics of her books was always strong female characters – a refreshing change for a genre which, at the time, seemed dominated by male protagonists. McCaffrey also got me writing fiction – at one point, my school report in English advised that “Michael has probably written enough science fiction for now”.
Mrs Macquarrie (Jenny) – Mrs Macquarrie was my Maths teacher from around 1978-1984. She was a redoubtable Scot, known to the wider world as wife of the eminent theologian John Macquarrie, but, in the universe of the boarding school I attended, she was the strict but fair teacher who not only gave me a good underpinning in Maths, but also provided a “computer club” at the weekends (for those of us who were boarding), with her ZX Spectrum.
Sid Meier – I’ve played most of the “Sid Meier’s Civilization” (sic) series of games over the past several decades(!) from the first, released in 1991. In my university years, there would be late night sessions with a bunch of us grouped around the monitor, eating snacks and drinking whatever we could afford. These days, having a game running on a different monitor can still be rewarding when there’s a boring meeting you have to attend…
Bishop Nick – this one is a trick, and shouldn’t really appear in this section, as Bishop Nick isn’t a person, but a local brewery. They brew some great beers, however, including “Heresy” and “Divine”. Strongly recommended if you’re in the Northeast Essex/West Suffolk area.
Melissa Scott – Scott’s work probably took the place of McCaffrey’s as my reading tastes matured. Night Sky Mine, Trouble and her Friends and The Jazz provided complex and nuanced futures, again with strong female protagonists. The queer undercurrents in her books – most if not all of her books have some connection with queer themes and cultures – were for me introduction to a different viewpoint on writing and sexuality in “popular” fiction, beyond the more obvious and “worthy” literary treatments with which I was already fairly familiar.
Neal Stephenson – Nick Harkaway/Cornwell (see above) introduced me to Snowcrash when it first came out, and I managed to get a UK trade paperback copy. Stephenson’s view of a cyberpunk future, different from Gibson’s and full of linguistic and cultural craziness, hooked me, and I’ve devoured all of his work since. You can’t lose with Snowcrash, but my other favourite of his is Cryptonomicon, a book which zig-zags between present day (well, early 2000s, probably) and the Second World War, embracing cryptography, religion, computing, gold, civil engineering and start-up culture. It’s on the list of books I suggest for anyone considering getting into security because the mindset shown by a couple of the characters really nails what it’s all about.

There are more people mentioned, but these are the ones most far removed either in time from or direct relevance to the writing of the book. I’ll leave those more directly involved, or just a little more random, for you to discover as you read.

Don’t forget: if you follow this blog, you’re in for a chance to win a free copy of the Trust in Computer Systems and the Cloud!

Recruiting is hard

It’s going to be easier to outsource this work to somebody who is more of an expert than I’ll ever be, would ever want to be, or could ever be.

We (Profian) are currently looking to recruit some software engineers. Now, I’ve been involved in hiring people before – on the interviewing side, at least – but actually doing the recruiting is a completely new experience for me. And it’s difficult. As the CEO of a start-up, however, it turns out that it’s pretty much down to me to manage the process, from identifying the right sort of person, to writing a job advert (see above), to finding places to place it, to short-listing candidates, interviewing them and then introducing them to the rest of the team. Not to mention agreeing a start date, “compensation package” (how much they get paid) and all that. Then there’s the process of on-boarding them (getting contracts sorted, getting them email addresses, etc.), and least some of which I’m pleased to say I have some help with.

The actual recruiting stuff is difficult, though. Recruitment consultants get a bad rap, and there are some dodgy ones, but I’m sure most of them are doing the best they can and are honest people. You might even be happy to introduce some of them to your family. Just a few. But, like so many other things about being start-up founder, it turns out that there comes a time when you have to say to yourself: “well, I could probably learn to do this – maybe not well, but with some degree of competence – but it’s just not worth my time. It’s going to be easier, and actually cheaper in the long run, to outsource this work to somebody who is, frankly, more of an expert than I’ll ever be, would ever want to be, or could ever be. And so I’ve found someone to work with.

What’s really interesting when you find somebody to help you with a new task is the time it takes to mesh your two worlds. I’m a software guy, a we’re looking for software people. I need to explain to the recruitment consultant not only what skills we’re looking for, but what phrases, when they appear on a LinkedIn page or CV[1], are actually red flags. In terms of phrases we’re looking for (or are nice to haves), I’d already mentioned “open source” to the recruitment consultant, but it was only on looking over some possible candidates that I realised that “FOSS” should be in there, too. A person whose current role is “Tech lead” is much more likely to be a fit than “Technical manager”. What’s the difference between a “cloud architect” and a “systems architect”? Is “Assembly” different to “WebAssembly” (yes! – oh, and the latter is sometimes shortened to “Wasm”).

There are, of course, recruitment consultants who specialise in particular technical fields, but what we’re doing (see the Enarx project) is so specialised and so new that I really don’t think that there are likely to be any specialist recruiters anywhere in the world (yet).

So, I feel lucky that I’ve managed to find someone who seems to get not only where we’re coming from as a company, but also the sorts of people we’re looking for. He wisely suggested that we spend some time going over some possible candidates so he could watch me identifying people who were a definite “no” – as useful for him as a definite “must interview”. Hopefully we’ll start to find some really strong candidates soon. If you think you might be one of them, please get in touch!

(Oh – and yes, I’ve invited him to meet my family.)

1 – that’s “resume” for our US friends.

3 things you need from a VC

A perspective from a first-time start-up founder.

As I discussed in a recent article (Announcing Profian), we recently received seed funding for our start-up from two Venture Capital firms: Project A Ventures and Illuminate Financial (thanks again, folks!). When you’re looking for start-up funding, in my experience, you’re focussed at the beginning on one thing, and one thing only, and that’s money. The clue’s in the phrase: raising a funding round is about, well, funding. So you might think that the answer to the question “what 3 things do you need from a VC” is “money, money and money”. However, you’d be wrong.

I found, at the beginning of the process, that this was absolutely our focus. This was our first time doing this, and we were desperate to get enough money to be able to start the company and get things moving. That didn’t change, but along the way, I received some very good advice about other areas we should be thinking about, and I really think it’s worth sharing this perspective from a first-time start-up founder.

1. Money

OK, so the first one is money, but it’s not money at any cost. You need to have enough funding to be able to see your way through to your next injection of cash (whether that’s an A Round, loans or just revenue), but a VC-led seed round isn’t the only way. There are angel investors (we had some in our seed round, in fact – thanks to them as well!), enterprise capital, crowd-funding, grants and other options. Even if you are going to do a standard VC-led seed round, you need to think about how much equity (your share of the business, as a founder) you’re will to give up, what further financial help your VCs will give you in the future, what timescales they’re looking at, and what sort of exit they’re looking for. For instance, if they want to sell the company as soon as possible and you want to spend 10 years building a multi-billion business, you need to consider whether they’re the right investors for you right now.

2. People

What is your relationship with your investors? What personal chemistry do you share? How well do you get on? Do you trust them? Are they people you can contact for advice when you have a tricky problem? What experience can they (or their partners) bring to the table when you encounter a situation which is new and you could use some guidance? I’m not suggesting that they should be the first person on your speed-dial list for every bump in the road, but you’re going to be spending a lot of time with these people over the next few years, and their views, expertise and advice are likely to be instrumental in the successful running (or unsuccessful running…) of your company. If the relationship breaks down, they can make life difficult for you (very difficult, if the board composition is such that they can control it). You want people who you trust, and preferably get on well with: these should be people you can turn to when things are tricky. They have experience which should help you navigate difficult situations – particularly ones which are new to you, but which they’ve seen many times before.

3. Network

VCs bring networks with them. They should have a portfolio of companies who they have funded in the past, and set of companies they didn’t end up investing in, but continue to be on good terms with, companies they’re considering investing in, and the customers and business partners of all of those companies. You want to be choosing investors who can put you in front of all of these people as possible partners and customers, experienced hands and even future investors, and you want them to be relevant. If you’re launching a consumer financial product, and all of your VCs’ networks are in institutional medical pharmaceuticals, then you should probably reconsider. Choose investors who can help you.

There’s another type of network: some VCs are what are called operational VCs, meaning that they provide specific services for their portfolio companies. Some of these may be free, others provided at discounted prices, and they may include everything from branding services, marketing, accounting, recruitment or the opportunity to embed one of their staff in your organisation for a while to fill a requirement while you find a permanent employee. Again, choose investors who can help you.

Conclusion

Without funding, your start-up will, eventually, fail, or it just won’t happen. You need money, and the venture capital market (it is a market) is one proven way to get it. It can be a hard slog to get the initial interest – we got very close to giving up – but once you do get that initial “bite”, try not to jump for the very first VC who shows a sign of giving you a termsheet. We decided not to follow up with a number of VCs for all of the reasons above (specifically – differing expectations on exit; no personal chemistry; no strong match with portfolio), and are happy with our decision. If you’re going to make your start-up business succeed, it deserves – and you deserves -the best fit: and that’s not just money.

10 ways to avoid becoming a start-up founder

It’s all rather like hard work, and so best avoided at pretty much all costs.

In last week’s article, I announced the start-up, Profian, for which we’ve just got funding, and of which I’m the co-founder and CEO. This week, I want to give you some tips so that you can avoid the same fate that befell me: becoming a founder, a role which is time-consuming and stressful. Just getting funding can take (did take, in our case) months of uncertainty and risk, and then, when (if) you get funding, there are the responsibilities towards your employees, your investors, government, the law and all the other pieces that whirl around your head (and into your inbox). It’s all rather like hard work, and so best avoided at pretty much all costs. Here’s my guide to doing that.

1. Avoid interesting work

Probably the biggest reason that I fell into the trap of starting a new company was that I couldn’t see myself doing anything other than working on Enarx, the open source project for which Profian is custodian, and on which we will be basing our products and services. I’d had other responsibilities in my previous job, but Enarx was what I cared about the most, and the idea of giving up working on it was unconscionable – I just had to do it. So started the quest to find a way to continue working on Enarx, and to do it full-time.

2. Don’t be passionate

It’s also probably best to avoid getting too excited about what you do. That way, you can give up after a while, and stop bothering your family and friends with your annoying obsession. Most importantly, investors are much less likely to give you money (not to mention customers much less likely to buy your products and services) if you’re basically luke-warm about the whole idea.

3. Work with dull people who you dislike

If you have the misfortune to enjoy spending time with your co-founder(s) and founding team, you’ll have less interest in working with them, not to mention working through complex and sometimes awkward topics such as how to split equity, who can absorb upfront expenses before funding comes through, when it’s appropriate for either or any of you to take some holiday (and for how long), and even more important questions like what colour your logo should be, and what font family best defines your brand. If you don’t like your team or co-founders, or find their company uninteresting, you are much more likely to give up on working with them, hence avoiding getting too far down the start-up road.

4. Ignore customer need

You may not have actual, paying customers early on (we don’t, yet), but at some point, you are probably going to need to get some. And one of the things that investors seem completely fixated on, in my experience, is how you’ll get revenue (very customers). The investors seem to think that you should listen to customers and gear what you’ll be producing to their (the customers’) needs and requirements. This suggests that your vision for the company should be diluted – nay, adulterated – by the market, as opposed to what you want, and what you think should be happening. In the very worst case, your investors may require you to talk to actual people from actual possible customers. If you can ignore their views, you’re much less likely to have to accept funding, and can give up much earlier.

5. Assume you know best

Related to our last point, if you know best, then you don’t need to take advice from anyone. Possible investors love providing their expertise and experience, and there’s a wealth of material in blogs, wikis, podcasts, news articles, LinkedIn posts and beyond which allow you to tap the collected wisdom of thousands of people who’ve trodden similar paths before you. The excuse you can give is that they can’t all be right, so rather than listening to the various advice you’re offered (for free!), reading, listening to and watching the various sources and then taking the time to sift through them all and work out what’s relevant and useful, you might as well assume that you know best (and always have done), and keep plugging away at what you’re already doing. This is almost guaranteed to remove any chance of funding (let alone anyone wanting to work with you).

6. Set your pitch deck in stone

Before I started on this journey, I’d heard about pitch decks: they’re what you show to possible investors to try to interest them in working with you. They should be short, punchy and lacking in extraneous information. I could have suggested long, waffly decks with random cat pictures and irrelevant market sector data, but I think that an even safer way of avoiding attracting interest for your start-up is to create a one-off pitch deck right at the beginning of the process and then never to change it. This is related to the previous point about knowing best, but the pitch deck is such an important tool in the journey towards creating your start-up that I felt it was worth its own section. As you learn more (well, assuming you do – see last point) and get more advice, the way you present your great idea for the company, if not the idea itself, will change. Having a pitch deck which reflects this new, improved thinking, will only aid you on your path, and as we’re trying to avoid such a dangerous move, you’ll want to have a single pitch deck, crafted at the beginning of your quest, and completely immune from improvements or changes of any kind.

7. Tell investors what you assume they want to hear

This one is a little counter-intuitive. You might assume that telling people what they want to hear is a sure-fire way to ensure that they give you money, and will therefore make you more likely to end up as a founder. But no! If you tell people what you think they want to hear, rather than what you actually believe, investors will either see through you (most of them have met many, many founders and heard many, many pitches – they’re not stupid) and reject you, or you’ll end up with a bunch of investors who actually think you’re doing something completely different to what you want to do, and things will fall apart as soon as it becomes clear that you’re not aligned. This is likely to be around the time that you’re getting into the nitty-gritty of your business plan or agreeing final terms, and is a pretty safe way of guaranteeing that everything will implode just in time to stop you having to becoming a founder.

8. Reject support from friends and family

I mentioned, right at the top of this article, that the journey to founding a start-up was long and stressful. Well, there’s a possibility that, from time to time, friends and family will want to discuss things with you, and offer you support to get through the hard times. Taking this sort of support significantly reduces that likelihood that you’ll burn-out before the process is complete, as they may help you to keep some perspective, provide emotional support and generally keep your mental health on an even keel. Crashing and burning because you’ve failed to accept support offered by people outside the process, who can see things in a different light, where the entire world isn’t bounded solely by just incorporating the company, getting through the funding round, hiring your first employees, filing initial tax returns, setting up bank accounts and the rest, is an easy way to avoid becoming a founder. As an extra bonus, failing to involve your close family (spouse, partner, etc.) in the decisions about financial risk, likely time pressures, etc., is a recipe for family break-up if ever I heard one.

9. Remember it’s all about you

Who knows best? You (see above). Who’s running this show? You, again. Who’s this all about? You. Other co-founders, employees, investors, customers (again, see above) are incidental to the main event, which is you, the “hero founder” who will carry the company through thick and thin, providing the vision and resources to succeed, no matter what. This is the attitude you need if you want to alienate everyone around you (including family and friends, see above), and cause all your possible allies to desert you. Working as a collaborative team is so trendy and 21st Century: who needs support and buy-in when you have the drive to make it all happen yourself? Well, the answer will be you, as you won’t have any funding, employees or customers – but that’s what we were trying to avoid in the first place, right?

10. Don’t take any time off

You can fail to do all of the above, ignoring my advice and setting yourself up for a collaborative, well-funded, supported, successful company and still fail with this one, simple trick: make your entire life – every waking moment, every dream, every action, every thought and every word – about the start-up. Find no time for anything else. Become unhealthily obsessed with the company to the exclusion of all other. And you will fail. Taking time off would help recharge your passion, give you insights into other people’s views, allow you to accept support from friends and family and give you a sense of perspective: all things we’re trying avoid in our quest not to become the founder of a start-up. Refusing to take time off might seem like a way to concentrate all your efforts on succeeding, but in the longer term, it’s the opposite.

Summary

I find that writing “how not to” articles is a useful and fun way to provide a different perspective on sometimes important topics. I can’t pretend that the road to start-up foundership has been easy, nor that I’ve avoided taking some of the advice above, but it’s certainly exciting and worthwhile. And I wish I’d seen this article, or one like it, before I started.

Next I’ll … have a sleep

Sometimes, it’s time to break the cycle.

I’ve had a crazy week and a half, and I have another crazy week or two coming. Last night (as so often, it seems) I didn’t get as much sleep as I would have liked – for various reasons, the main of which includes an anxious 9 year old basset hound – and I have a busy day. So many important things to do. And they’re all important, and I need to do all of them. Of course. That’s what I’ve been allowing my brain to tell me, anyway.

So far, I’ve had breakfast, brushed my teeth, shaved, put the washing out, seen two kids off to school, got dressed, and walked the dogs with my wife (who’s about to head off to spend a couple of days with family – she’s been busy, too). I could (should?) get right down to the work that I need to do today. That’s the work that I’ve not already looked at – emails, documents, spreadsheets. It’s just gone 8am, and I don’t officially start my work day till 10:00am (I allegedly finish at 6:00pm).

But I’m going to have a sleep – just an hour, probably no more. The mountain of work (as it seems) isn’t going to go away, but it’s not going to get appreciably worse. And if I don’t take a bit of time, it’ll feel worse, I’ll probably do a worse job of managing it, and I’ll feel worse. An hour, I know, will make all the difference.

The fact that I can do this is one of the benefits of working from home. I’m not going to say “temptations”, because I don’t see it as a bad thing. This is partly because I’m not sure it would be as much as an issue if it weren’t for the fact that I’m working from home in the first place. There’s no easy dividing line between work and home, and there’s no commute to force me to take some time out and do something else, either. I can (and do) start checking my email at 6:05am, and only stop at, well, far later than I should have done. To be claer, I’m not asking for sympathy, but trying to identify the problem, own up, and encourage other people to take it seriously, too.

Sometimes, it’s time to break the cycle, or just realise that a cycle is about to start. We don’t want to be grumpy (grumpier?) with our family, or quietly seethe at our colleagues or work acquaintances, or resent the people on social media who seem to have it all covered (they don’t, at least most of them). We need to take a break, and that’s what I’m about to do. I have work support, and I don’t need to do everything myself, right now. It’s time for a sleep. See you in a while. In fact, do tune it next week: there will be some exciting news.

Organisational suppleness

Growing the ability to react to the unexpected is a valuable skill.

“In preparing for battle I have always found that plans are useless but planning is indispensable.”
Dwight D. Eisenhower

Much of this blog is about security – cybersecurity – in one way or another, but on occasion I do try to take a broader view. Cybersecurity is often modelled or described in military terms, talking about “fighting battles”, “wars of attrition” and “arms races” with “attackers”. These can be useful metaphors (and it’s why I started this article with a quote from a general), but there is a broader set of responsibilities that many of us in the sector need to consider, which is the continued (and hopefully healthy) functioning of our businesses and organisations. In particular, I like to talk about risk and how it relates not just to security, but to how businesses work and plan. One theme that I’ve visited before is that known or planned degradation of a service is often significantly better than failure, or even planned closure (see Service degradation: actually a good thing). My argument is that there are many occasions where keeping a service or business function running, albeit at reduced capacity, or with reductions in known capabilities, allows for better continuity than just stopping it.

Keeping a service running requires work. You can’t just hope that everything is installed and will run as you expect: what happens when your administrator is ill, your fibre-optic cable gets severed by a back hoe, or a DDoS attack is directed at you? You need to plan and practice what to do in these situations. What I’d like to explore in this article goes somewhat beyond the expectation of that planning in three directions. Let’s call them scenario coverage, muscle memory and organisational suppleness.

Scenario coverage

The first, and most obvious of the three directions, is about understanding eventualities. The more scenarios that we model and practice, the more we reduce our risk, simply because we have reduced the number of unknown eventualities in the probability space. There is a actually a side benefit to modelling lost of scenarios, which is that the more situations you consider, the more will come to mind. Every situation involves sets of choices or probabilities – “after the door closes, will it lock or not?” or “if the coolant fails, will the system turn off or burst into flames?” – and the more scenarios you consider, the more questions will arise. This can be daunting – and it’s almost impossible to consider every eventuality – but the more options are covered, the better your opportunities to mitigate the various risks they present.

Muscle memory

Muscle memory is what comes with training and practice. Assuming that you are including your teams in the scenario planning

And I’m assuming here that the planning isn’t solely a paper exercise. Theoretical planning, while useful, only goes so far, for a couple of important reasons:

systems will always fails in unexpected ways
people will do unexpected things.

What the first of these means is that however much you assume that your back-up generator will kick in if there’s a power outage, until you test it, you can’t be sure that it will. The second of these relates to the fact that however much you tell people what to do, when it actually comes to the doing of it, they’re unlikely to as you expect. This is likely to be even worse if there’s been no training, and you’re just assuming that person X will know how to operate a fire extinguisher, or that team Y will, of course, exit the building in an orderly manner via exit Z (rather than find fourteen different exits, or not even leave the building at all).

For both of these reasons, getting people together to work through possible scenarios, and then, where possible, actually practising what to do, means that you have a higher assurance that when one of the situations you’ve considered does arrive, that they will know what to do, and act as you expect.

Organisational suppleness

While you cannot, as we’ve noted, plan for every eventuality or know exactly how an employee or team will react when things go wrong, there is another benefit to involving a broad group of people in your scenario planning and training. This is that their very involvement gives them practice in dealing with uncertainty, working out how they will react, and giving them experience in how those around them will act. While I may not know exactly what to do if the payroll system goes down an hour before it is due to run, if I have worked with colleagues on scenarios where the sales processing system fails, I’ve got a better chance of making some sensible choices about who to contact, initial steps to take and information to collect than if this is the first time I’ve ever seen anything like it. Likewise, we may not have modelled our response to a physical failure of one of our network links, but our shared experience of practising our response to a DDoS attack means that we have an idea of what to do.

And it is not just having an idea of what to do that is important, but also having gathered and practised the cognitive skills associated with investigating failures, collating data, sharing information and working with others to ameliorate the situation which allows a team or an organisation to respond better to new, maybe unexpected situations. We can think of this as suppleness, as it means that rather than just failing, or cracking, an organisation can react as a tree does to strong winds, or a gymnast does to a new exercise. Growing the ability to react to the unexpected is a valuable skill for an organisation, and knowing that it is supple allows its leaders to plan with more certainty and mitigate more risk.

Buying my own t-shirts, OR “what I miss about conferences”

I can buy my own t-shirts, but friendships need nurturing.

A typical work year would involve my attending maybe six to eight conferences in person and speaking at quite a few of them. A few years ago, I stopped raiding random booths at the exhibitions usually associated with these for t-shirts for the simple reason that I had too many of them. That’s not to say that I wouldn’t accept one here or there if it was particularly nice, or an open source project which I esteemed particularly, for instance. Or ones which I thought my kids would like – they’re not “cool”, but are at least useful for sleepwear, apparently. I also picked up a lot of pens, and enough notebooks to keep me going for a while.

And then, at the beginning of 2020, Covid hit, I left San Francisco, where I’d been attending meetings co-located with RSA North America (my employer at the time, Red Hat, made the somewhat prescient decision not to allow us to go to the main conference), and I’ve not attended any in-person conferences since.

There are some good things about this, the most obvious being less travel, though, of late, my family has been dropping an increasing number of not-so-subtle hints about how it would be good if I let them alone for a few days so they can eat food I don’t like (pizza and macaroni cheese, mainly) and watch films that I don’t enjoy (largely, but not exclusively, romcoms on Disney+). The downsides are manifold. Having to buy my own t-shirts and notebooks, obviously, though it turns out that I’d squirrelled away enough pens for the duration. It also turned out that the move to USB-C connectors hadn’t sufficiently hit the conference swag industry by the end of 2019 for me to have enough of those to keep me going, so I’ve had to purchase some of those. That’s the silly,minor stuff though – what about areas where there’s real impact?

Virtual conferences aren’t honestly too bad and the technology has definitely improved over the past few months. I’ve attended some very good sessions online (and given my share of sessions and panels, whose quality I won’t presume to judge), but I’ve realised that I’m much more likely to attend borderline-interesting talks not on my main list of “must-sees” (some of which turn out to be very valuable) if I’ve actually travelled to get to a venue. The same goes for attention. I’m much less likely to be checking email, writing emails and responding to chat messages in an in-person conference than a virtual one. It’s partly about the venue, moving between rooms, and not bothering to get my laptop out all the time – not to mention the politeness factor of giving your attention to the speaker(s) or panellists. When I’m sitting at my desk at home, none of these is relevant, and the pull of the laptop (which is open anyway, to watch the session) is generally irresistible.

Two areas which have really suffered, though, are the booth experience the “hall-way track”. I’ve had some very fruitful conversations both from dropping by booths (sometimes mainly for a t-shirt – see above) or from staffing a booth and meeting those who visit. I’ve yet to any virtual conferences where the booth experience has worked, particularly for small projects and organisations (many of the conferences I attend are open source-related). Online chat isn’t the same, and the serendipitous aspect of wandering past a booth and seeing something you’d like to talk about is pretty much entirely missing if you have to navigate a set of webpages of menu options with actual intent.

The hall-way track is meeting people outside the main sessions of a conference, either people you know already, or as conversations spill out of sessions that you’ve been attending. Knots of people asking questions of presenters or panellists can reveal shared interests, opposing but thought-provoking points of view or just similar approaches to a topic which can lead to valuable professional relationships and even long-term friendships. I’m not a particularly gregarious person – particularly if I’m tired and jetlagged – but I really enjoy catching up with colleagues and friends over a drink or a meal from time to time. While that’s often difficult given the distributed nature of the companies and industries I’ve been involved with, conferences have presented great opportunities to meet up, have a chinwag and discuss the latest tech trends, mergers and acquisitions and fashion failures of our fellow attendees. This is what I miss most: I can buy my own t-shirts, but friendships need nurturing. and I hope that we can safely start attending conferences again so that I can meet up with friends and share a drink. I just hope I’m not the one making the fashion mistakes (this time).

Eat, Sleep, Wake (nothing but…)

At least I’m not checking my email every minute of every hour of every day.

If your mind just filled in the ellipsis (the “…”) in the title of this article with “you”, then you may have been listening to the Bombay Bicycle Club, a British band. I’ve recently seen them live, and then were good – what’s more, it’s a great (and very catch) song. “You” is probably healthy. If, on the other hand, your mind filled in the ellipsis with “work”, then, well we – or rather, you – have a problem.

When I wake up in the morning, one of the first things I do – like many of you, my dear readers, I suspect – is reach for my mobile phone. One of the first things I do on unlocking it is check my email. Specifically, my work email. Like many of us, I find it convenient to keep my work email account on my personal phone. I enjoy the flexibility of not being tied to my desk throughout the working day, and fancy myself important enough that I feel that people may want to contact me during the day and expect a fairly quick reply. Equally, I live in the UK and work with people across CET (an hour earlier than me) to Eastern US time (5 hours after me), often correspond with people on Pacific US time (8 hours after me), and sometimes in other timezones, too. In order to be able to keep up with them, and not spend 12 hours or so at my desk, I choose to be able to check for incoming emails wherever I am – which is wherever my phone is. So I check email through the day – and to almost last thing at night.

This is not healthy. I know this – as do my family. It is also not required. I know this – as do my colleagues. In fact, my colleagues and my family all know that it’s neither healthy nor required. I also know that I have a mildly addictive personality, and that, if I allowed myself to do so, I would drown in my work, always checking email, always writing new documents, always reviewing other people’s work, always, always, always on my phone: eat, sleep, wake…

In order to stop myself doing this, I make myself do other things. These aren’t things I don’t want to do – it’s just that I would find excuses not to do them if I could. I run (slowly and badly, up to 5 kilometres) 2-3 times a week. I read (mainly, but not exclusively, science fiction). I game (Elite Dangerous, TitanFall 2 (when it’s not being DDoSed), Overwatch, Civilization (mainly V, Call to Power), and various games on my phone), I listen to, and occasionally watch, cricket. And recently, I’ve restarted a hobby from my early teenage years: I’m assembling a model airplane (badly, though not as badly as I did when I was younger). I force myself to take time to do these things. I’m careful to ensure that they don’t interfere with work calls, and that I have time to get “actual” work done. I keep block of time where I can concentrate on longer tasks, requiring bouts of concentration. But I know that my other work actually benefits when I force myself to take time out, because a few minutes away from the screen, at judicious points, allows me to step back and recharge a bit.

I know that I’m a little odd in having lots of activities – hobbies, I guess – that I enjoy (I’ve only listed a few above). Other people concentrate on one, and rather than interspersing blocks of non-work time into their day, have these blocks of time scheduled outside their core working hours. One friend I know cycles for hours at a time (his last Strava entry was a little over 100km (60 miles) and a little under 3 and a half hours) – an activity which would be difficult to fit in between meetings for most working routines. Others make the most of their commute (yes, some people do commute still) to listen to podcasts, for instance. What’s in common here is a commitment to the practice of not working.

I realise that being able to do this is a luxury not shared by all. I likewise realise that I work in an industry (IT) where there is an expectation that senior people will be available at short notice for many hours of the day – something we should resist. But finding ways of not working through the day is, for me, a really important part of my working – it makes me a more attentive, better worker. I hesitate to call this “work-life balance”, because, honestly, I’m not sure that it is a balance, and I need to keep tweaking it. But at least I’m not checking my email every minute of every hour of every day.

Recruiting on ability and potential

Let’s not just hire people who look and think and talk (and take exams) like us

This is one of those more open-ended posts, in that I don’t have any good answers, but I’ve got a bunch of questions. I’d love to have feedback, comments and thoughts if you have any.

This week, it turns out is “results week” in the UK. Here, there are two major sets of exams which most students take: GCSEs and A levels. The former generally are taken by 16 year olds, with around 8-12 in total, and the latter by 18 year olds, with 2-4 in total (3 being the strong median). A level results are one of the major criteria for entry into universities, and GCSE results typically determine what A levels students will take, and therefore have an impact on university course choice in the future. In normal years, A level results are release a week before the GCSE results, but (Covid having messed things up), A level results day is Tuesday, 2021-08-10, and GCSE results day is Thursday, 2021-08-12.

Both GCSEs and A levels are determined, in most cases, mainly by examination, with even subjects like PE (Physical Education), Dance and Food Technology having fairly large examination loads. This was not always the case, particularly for GCSEs, which, when they were launched in the mid 1980s, had much larger coursework components than now, aiming to provide opportunities to those who may have learned retained lots of information, but for whom examinations are not a good way of showing their expertise or acquired knowledge base.

At this point, I need to come out with an admission: exams suit me just fine. I’ve always been able to extricate information from my memory in these sorts of situations and put it down on paper, whether that’s in a school setting, university setting or professional setting (I took the CISSP examination ages ago). But this isn’t true for everybody. Exams are very artificial situations, and they just don’t work for many people. The same is true for other types of attempts to extract information out of people, such as classic coding tests. Now, I know that coding tests, when designed and applied well, can do a good job in finding out how people think, as well as what they know – in fact, that should be true for many well-designed examinations – but not only are they not always well administered, but the very context in which they are taken can severely disadvantage folks whose preferred mechanism of coding is more solitary and interactive than performative.

A family friend, currently applying for university places, expressed surprise the other day that some of the Computer Science courses for which he was applying didn’t require any previous experience of programming. I reflected that for some candidates, access to computing resources might be very limited, putting them at a disadvantage. I’ve made a similar argument when discussing how to improve diversity in security (see Is homogeneity bad for security?): we mustn’t make assumptions about people’s potential based on their previous ability to access resources which would allow that ability to be expressed and visible.

What does this have to do with recruitment, particularly? Everything. I’ve been involved in recruiting some folks recently, and the more I think about it, the more complex I realise the task is. Finding the right people – the people who will grow into roles, and become really strong players – is really tricky. I’m not just talking about finding candidates and encouraging them to apply (both difficult tasks in their own rights), but choosing from the candidates that do apply. I don’t want to just people who examine well (looking solely at their academic grades), people who perform well (who shine at coding exercises), people who interview well (those who are confident in face-to-face or video conference settings). I want to find people who have the ability to work in a team, grow the projects they’re working on, contribute creatively to what they’re doing. That may include people who fall apart in exams, who freeze during coding exercises, or whose social anxiety leads them to interview “badly”.

I’m not sure how to address these problems completely, but there are some things we can try. Here are my thoughts, and I’d love to hear more:

Look beyond exams, and rate experience equally with academic attainment
Accommodate different working styles
Be aware that the candidate may not share your preferred interaction style
Think “first language” and work with those whose native language is not yours
Look beyond the neurotypical

None of these is rocket science, and I hope that the recent changes in working habits brought around by the Covid pandemic have already started people thinking about these issues, but let’s work harder to find the right people – not just the people who look and think and talk (and take exams) just like us.

In praise of … the Community Manager

I am not – and could never be – a community manager

This is my first post in a while. Since Hanging up my Red Hat I’ve been busy doing … stuff. Stuff which I hope to be able to speak about soon. But in the meantime, I wanted to start blogging regularly again. Here’s my first post back, a celebration of an important role associated with open source projects: the community manager.

Open source communities don’t just happen. They require work. Sometimes the technical interest in an open source project is enough to attract a group of people to get involved, but after some time, things are going to get too big for those with a particular bent (documentation, coding, testing) to manage the interactions between the various participants, moderate awkward (or downright aggressive) communications, help encourage new members to contribute, raise the visibility of the project into new areas or market sectors and all the other pieces that go into keeping a project healthy.

Enter the Community Manager. The typical community manager is in that awkward position of having lots of responsibility, but no direct authority. Open source projects being what they are, few of them have empowered “officers”, and even when there are governance structures, they tend to operate by consent of those involved – by negotiated, rather than direct, authority. That said, by the point a community manager is appointed for a community manager, it’s likely that at least one commercial entity is sufficiently deep into the project to fund or part-fund the community manager position. This means that the community manager will hopefully have some support from at least one set of contributors, but will still need to build consensus across the rest of the community. There may also be tricky times, also, when the community manager will need to decide whether their loyalties lie with their employer or with the community. A wise employer should set expectations about how to deal with such situations before they arise!

What does the community manager need to do, then? The answer to this will depend on a number of issues, and there is likely to be a balance between these tasks, but here’s a list of some that come to mind[1].

marketing/outreach – this is about raising visibility of the project, either in areas where it is already known, or new markets/sectors, but there are lots of sub-tasks such as a branding, swag ordering (and distribution!), analyst and press relations.
event management – setting up meetups, hackathons, booths at larger events or, for really big projects, organising conferences.
community growth – spotting areas where the project could use more help (docs, testing, outreach, coding, diverse and inclusive representation, etc.) and finding ways to recruit contributors to help improve the project.
community lubrication – this is about finding ways to keep community members talking to each other, celebrate successes, mourn losses and generally keep conversations civil at least and enthusiastically friendly at best.
project strategy – there are times in a project when new pastures may beckon (a new piece of functionality might make the project exciting to the healthcare or the academic astronomy community for instance), and the community manager needs to recognise such opportunities, present them to the community, and help the community steer a path.
product management – in conjunction with project strategy, situations are likely to occur when a set of features or functionality are presented to the community which require decisions about their priority or the ability of the community to resource them. These may even create tensions between various parts of the community, including involved commercial interests. The community manager needs to help the community reason about how to make choices, and may even be called upon to lead the decision-making process.
partner management – as a project grows, partners (open source projects, academic institutions, charities, industry consortia, government departments or commercial organisations) may wish to be associated with the project. Managing expectations, understanding the benefits (or dangers) and relative value can be a complex and time-consuming task, and the community manager is likely to be the first person involved.
documentation management – while documentation is only one part of a project, it can often be overlooked by the core code contributors. It is, however, a vital resource when considering many of the tasks associated with the points above. Managing strategy, working with partners, creating press releases: all of these need good documentation, and while it’s unlikely that the community manager will need to write it (well, hopefully not all of it!), making sure that it’s there is likely to be their responsibility.
developer enablement – this is providing resources (including, but not restricted to, documentation) to help developers (particularly those new to the project) to get involved in the project. It is often considered a good idea to separate this set of tasks out, rather than expecting a separate role to that of a community manager, partly because it may require a deeper technical focus than is required for many of the other responsibilities associated with the role. This is probably sensible, but the community manager is likely to want to ensure that developer enablement is well-managed, as without new developers, almost any project will eventually calcify and die.
cat herding – programmers (who make up the core of any project) are notoriously difficult to manage. Working with them – particularly encouraging them to work to a specific set of goals – has been likened to herding cats. If you can’t herd cats, you’re likely to struggle as a community manager!

Nobody (well almost nobody) is going to be an expert in all of these sets of tasks, and many projects won’t need all of them at the same time. Two of the attributes of a well-established community manager are an awareness of the gaps in their expertise and a network of contacts who they can call on for advice or services to fill out those gaps.

I am not – and could never be – a community manager. I don’t have the skills (or the patience), and one of the joys of gaining experience and expertise in the world is realising when others do have skills that you lack, and being able to recognise and celebrate what they can bring to your world that you can’t. So thank you, community managers!

1 – as always, I welcome comments and suggestions for how to improve or extend this list.