It’s no secret that finding and keeping talent in the Information Security space continues to be challenging for organizations. 

 We must continue to think differently about how we recruit and retain talent, what resources we utilize, and how we engage in the community.

Why Developing your teams is critical to building a robust security program:

Things for consideration in building a training program:

Finding Talent:

For the Ohio Information Security Conference, ReynCon will present “Building a Cybersecurity Culture: It’s Time to Think Differently About Training.” Join us at Sinclair Conference Center at 10:45 am on 03/01/23

The United States' communication supply chain is a critical infrastructure that enables the country's economic and national security. However, it is also a vulnerable target for foreign adversaries looking to exploit weaknesses and gain access to sensitive information. In this article, we will discuss the importance of protecting the US communication supply chain and the steps that can be taken to do so.

One of the biggest threats to the US communication supply chain is the potential for foreign adversaries to introduce malicious hardware or software into the system. This can be done through various methods, such as compromising manufacturing processes or infiltrating supply chains. Once in place, these malicious components can be used to steal sensitive data, disrupt communications, or even gain control of critical infrastructure.

It is essential to take a multi-layered approach to Cybersecurity. Implementing network segmentation is one of the best ways to protect networks from foreign interference. This involves dividing a network into smaller segments, each with its own security controls. This makes it more difficult for attackers to access sensitive data and systems.

Another way is to be sure you have a good inventory of your network. What's operating on your network? Remember the CIS Controls and the two most important controls. Know your hardware and know your software. You can't mount any defense or response if you don't see what you have. 

TikTok, the popular social media app known for its short-form videos, has become a household name in recent years. While the app has been praised for its creativity and entertainment value, it has also raised concerns about its potential security risks. 

Another threat of TikTok is the potential for foreign interference. The app is owned by Chinese company ByteDance, which has been accused of censoring content and spreading disinformation. This has led to concerns about the app's ability to influence public opinion and political campaigns. How do you mount a defense against TikTok?

To protect the US communication supply chain, it is essential to implement strict security measures throughout the entire process, from the design and development phase to the final deployment. This includes conducting thorough background checks on suppliers and vendors and performing regular security assessments and penetration testing on all components of the system.

Another critical step is to increase the use of secure communication technologies, such as end-to-end encryption and security protocols. This can help protect against eavesdropping and other forms of cyber espionage. It's also important to have incident response plans in place so that organizations can quickly respond to any security breaches or disruptions.

The US government can also play a key role in protecting the communication supply chain by implementing regulations and standards for the industry. This includes setting guidelines for the design, development, and deployment of communication systems, as well as providing funding for research and development of secure technologies.

In addition, it is important to have international collaboration and information sharing in order to address the global challenges of the communication supply chain. The US government can work with other countries and international organizations to share information about threats and best practices and to coordinate efforts to protect critical infrastructure.

In conclusion, protecting the US communication supply chain is essential for ensuring the country's economic and national security. By implementing strict security measures, increasing the use of secure technologies, and working with the government and international partners, organizations can better defend against the threats of foreign adversaries and ensure the integrity of the communication supply chain.

I'll be speaking at the Ohio Information Security Conference in March and will go into more detail on how to protect and respond to these and future threats.

The Author: Shawn Waldman is the founder and CEO of Secure Cyber Defense in Moraine OH. Shawn has created one of the only local firms that 100% focuses on Cybersecurity and has built its own Security Operations Center. Shawn is a subject matter expert and thought leader on Cyber and speaks at conferences globally on the topic.

Connect, Strengthen, Champion, and a Partridge in a Pear Tree

We were torn between writing you an annual report or an end-of-the-year holiday newsletter. You know the type: That yearly three-page single spaced book full of family highlights that falls out of your best friend from high school’s glitter encrusted Christmas card.

Instead, we chose to give you a Top 12 List of 2022 in Review. You’re welcome!

January – We kicked off the year helping you get organized with a member-to-member benefit session with Organization Solutions. Our Peer Groups for Infrastructure/Cloud and Women for Technology began their new year’s programming together. We saw the birth of a workforce subcommittee in conjunction with Montgomery County Educational Service Center. We finished off the month hosting our annual CIO Forecast Panel.

February –February’s main event was the annual Digital Mixer held at Wright State University. Over 140 students and employees connected to explore career possibilities. Women 4 Technology had a fascinating conversation around The Great Resignation.

March – If it’s March, then it’s all about the Ohio Information Security Conference. Over 300 people  gathered at Sinclair Conference Center to share knowledge of the latest cybersecurity threats and strengthen their processes.

April –Executive Director, Melissa Cutcher, represented Technology First at a workshop to teach web development at the Innovation Hub in the downtown Dayton Arcade building. We were back in person for a Tech Forum addressing staffing challenges & labor shortages in the IT community with Cassie Barlow, Doug McCollough, Chad Bridgman, and Matt Coatney.

May – May saw the Peer Groups in full swing  championing data analytics and cybersecurity. We ventured down south to Mason for some Tech Thursday networking. Executive Director, Melissa Cutcher, participated in an OCEA panel discussion.

June – Women 4 Technology squeezed over 25 participants into Warped Wing’s Springboro location for a Meaningful Networking session. Members enjoyed a Dayton Dragons’ game courtesy of our annual partners altafiber and ATC. Executive Director, Melissa Cutcher, represented Technology First at a two-day workforce development retreat with Montgomery County Educational Service Center.

July – Given the success of the Springboro event, Women 4 Technology ventured down the road to Fretboard Brewing Company in Cincinnati to offer another Meaningful Networking session to our members.

August – Peer Groups for IT Leaders, Infrastructure/Cloud, Cybersecurity, and Data Analytics all met to learn new or different approaches, validate thoughts, and expand on their existing practices. Technology First partnered with The Circuit for a fun night of IT networking in Hamilton at Municipal Brew Works.

September – We enjoyed supporting some members participating in the COMSPARK conference. We also had a wonderful turnout at the annual Golf Outing benefitting the Technology First Scholarship Fund. You helped us raise almost $7000 to award qualified, regional college students!

October – We are happy a few members of the Board of Directors were able to witness Executive Director, Melissa Cutcher, receive the Jeanne Porter Career Achievement Award from Women in Business Networking at their annual gala. Congratulations, Melissa, so well-deserved! We stopped by SOCHE’s 55^th Anniversary lunch to congratulate them. This month provided members the opportunity to volunteer at the Girl Scouts of Western Ohio’s Cyber Challenge. AND we celebrated Technology First’s 25^th Anniversary! We were honored to receive a proclamation from the State of Ohio from Lt. Governor, Jon Husted.

November – More volunteer opportunities this month through the Dayton Metro Library’s Career Adventure Days and The Girl Scouts of Western Ohio’s STEM Career Fair. And, of course, we gathered with 400+ IT professionals from all over the state for our 16^th Annual Taste of IT conference at Sinclair Conference Center. We ended the day with the 9^th Annual Leadership Awards where we recognized 11 categories of exceptional IT talent from the Dayton region.

December – Since this month just started, here’s a preview instead of a review. We will close out 2022 with these Peer Group meetings: IT Leaders, Data Analytics, Cybersecurity, Infrastructure/Cloud, and Women 4 Technology. Please join us!

Thank you for connecting, strengthening, and championing the best-connected IT community in the Dayton region!

#UniteDaytonTech

One of the biggest mistakes that data teams often make is jumping straight to developing a solution and not spending enough time with the people who will be using them and understanding their true goals.

Sometimes these goals, and the challenges to reaching them, are easy to identify. This is usually true if a data scientist is already working in the problem space or is already integrated into the business processes.

However, many data scientists operate as an outside consultant who is brought in to help drive strategic goals. This can lead to misunderstanding the problem and creating a solution that doesn’t live up to stakeholder expectations.

Or worse — creating the wrong solution.

A data team’s first instinct is often to begin with understanding the data. However, they first need to understand the people involved in the problem and who want a solution to it.

We can have all the data in the world but if we do not know how users or stakeholders interact with it and understand it in their terms, we cannot possibly make a solution that is going to fully solve their problem.

But you’re in luck! There is a framework you can use to help overcome this risk before even seeing any data. This framework is design thinking - a growing trend within data science long used in product development. Empathizing with your stakeholders is the first step to better understanding the problem they are trying to solve.

A simple way to start gaining empathy is by conducting interviews with your stakeholders, leadership, and team leads. You’ll be surprised by what you will learn by spending an hour (or more) in one-on-one meetings.

Importantly, you’ll learn how they are doing the work today. You’ll also begin to learn the language, jargon, and methods that these people use and where they see the gap. Ultimately, you want to gather their ideas on how they would want to use a solution if they had a magic wand to make everything better.

You also want to understand how leadership is currently driving business goals and figure out how a solution could contribute to those outcomes. And if it doesn’t contribute to the business goals, is it something that the stakeholders really want or need?

Data science is a collaborative effort between you and those using your solution. Success starts by fostering a deep interest in the people for whom these solutions are built.

Ascend is a socially impactful technology company that provides data driven products and consulting services to help organizations solve complex community health problems.

For Taste of IT, as part of the Developer/Data Analytics track, Ascend Innovations will be presenting 'Keeping Humans in the Loop: Human-Centered Design in Data Science and Analytics'. Join us in Room 122 at 3:40p.m.

The ever-expanding digital footprint of modern organizations is causing business owners to rethink their security technology stack to address sophisticated new threats. To better manage cyber risk, businesses are evolving and reframing security practices in preparation for the changing cybersecurity landscape. Unfortunately, managing risk is getting more complex every day. Bad actors have adopted their own organizational structure complete with HR, recruiting, training, finance, operations, and development teams. And worse? They use the same tools that the IT community knows and loves.

Some of the go-to-market strategies for cyber criminals involve outsourcing, brokering software, and forming partnerships with other vendors. The web of cyber connectivity that has been woven is extraordinary and has evolved into a professional ecosystem that allows them to attack with impunity. As a result, stronger risk management practices are needed now more than ever. The National Institute of Standards and Technology (NIST), indicates that 93 percent of intentional breaches in 2021 were financially motivated, with only six percent of reported incidents attributed to espionage.

So how do organizations protect themselves against such an intricate ring of cybercrime on a global scale?

The Cost of Cyberattacks on a Global Scale

Globally, the average cost of a data breach increased by 10 percent in 2021, reaching $4.3 million, up from $3.8 million in 2020, according to a recent data breach report conducted by IBM and the Ponemon Institute. The U.S. has continually ranked at the top of the list for costs, increasing from $8.6 million in 2020 to $9 million in 2021. With the cost of breaches on the rise, it’s no surprise that spending on security technology is on the rise as well.

Worldwide spending on information security and risk management technology and services is expected to skyrocket in the next few years. According to a Venturebeat cybersecurity forecast, Gartner predicts end-user spending for the information security and risk management market will grow from $172 billion in 2022 to $267 billion in 2026, attaining a compound annual growth rate (CAGR) of 11 percent. Many businesses are seeking outside aid and partnering with IT consulting firms and cybersecurity experts to help them gain a better understanding of the solutions and services landscape.

Build a Defensible Cybersecurity Posture

A sound security strategy provides unified and reliable protection of your assets from potential threats. Today, every business is vulnerable to attack, not just major global brands, and the consequences of being unprepared can be catastrophic. That’s why along with the constant changes in the cybersecurity landscape, there has to be a continuous change in mindset.

The dialogue around security has evolved as shown below:

1. Organizations ask, “What if we are targeted?”
2. Organizations ask, “Are we ready for when they attack?”
3. Organizations are now asking, “Assuming we’ve already been compromised and don’t know it yet, how can we beef up our cybersecurity posture?”

As the digital footprint of organizations expands, centralized cybersecurity control becomes obsolete. If you’re not looking into encrypted network traffic, you won’t have security. This shift in mindset is the fundamental principle that drives the concept of zero trust.

Zero Trust: What and Why You Need It to Protect Your Business

Protecting the modern business requires a new approach to security, and many are turning to zero trust. A cloud-native zero-trust platform is built on a proxy-based architecture that sits between the user and the Internet to provide secure access with full SSL inspection at scale. The core concept of zero trust is simple: Assume everything is hostile and always verify. In a zero trust architecture, a resource’s network location isn’t the biggest factor in its security posture anymore. Your data, workflows, and services are protected by software-defined micro-segmentation, enabling you to keep them secure anywhere; in your data center or in distributed hybrid and multi-cloud environments.

All data must be protected everywhere—on-premises, in the cloud, in SaaS applications, as it travels on the network, etc. To provide the best possible security, organizations should have all their different layers of defense working together while leveraging the cloud, so that when an issue in any layer is uncovered, the rest of the layers will be informed for total protection.

The painful reality is that all organizations are under attack—whether opportunistic or targeted—and the cybersecurity landscape is continually changing while the attack surface increases and the perimeter dissolves. The new paradigm in security is simple: assume the bad guys are in the system and plan accordingly.

The above submission is compliments of ATC’s Tech Advisor series. Advanced Technology Consulting (ATC) specializes in digital transformation in four core areas; voice, network, cloud, and cybersecurity. In 2023, ATC will be a Technology First annual partner for five years running. For Taste of IT, ATC will be presenting on “SASE, The Edge, and Zero Trust” and exhibiting in booth #11.

You are probably aware that Technology First stands on three pillars: To Connect, Strengthen, and Champion our IT community. What you may wonder is how. 

We Connect by offering our members numerous opportunities every month to network with peers and industry leaders.

We Strengthen by transferring knowledge of industry trends and emerging technology through our two major conferences each year, ToIT and OISC and working in partnership with both IT consumers and IT providers every day.

And one way we Champion our technology community is through our volunteer work.

Last month, Technology First held our 9^th annual Golf Outing. The event raises money for the Technology First Scholarship fund. These scholarships are awarded every year to one or more deserving regional college students. So far, we have helped students from Cedarville University, Central State University, Clark State University, Miami University Middletown, Sinclair Community College, University of Dayton, Wilberforce University, Wright State University, Ohio State University and Xavier University. To be selected, students must be currently majoring in Information Technology-related curriculums, achieved distinguished academic success, and demonstrated authentic character and values, among other rigorous criteria. Here is what winning one of the scholarships means to a recipient:

“Thank you Technology First for your investment in my future as well as the futures of all the other students who received scholarships. The monies will be going directly to my tuition payments to help ease my student debt and make my studies a little lighter”.   ~ Caleb V.

Thank you to everyone who participated in this year’s golf outing. See a few photos from the event at the end of this post. Your generosity raised nearly $7,000. This brings our total donations for the past nine years to over $100,000! We could not provide this resource without both your support and the support of our sponsors; Horizon, Independents Fiber Network and aunalytics.

And that is not all Technology First does to help students discover their place in the IT industry. This month, we will host the Girl Scouts of Western Ohio (GSWO) for their annual Cyber Challenge. The purpose of the Challenge is to grow and shape the future of IT in the Dayton region by getting girls excited about careers in cybersecurity. The Cyber Challenge presents the girls with scenarios of cyber breaches. It is a unique event because the Challenge is designed by girls for girls.    

Then in November, Technology First will participate in the Career Adventure Day event hosted by the Dayton Metro Library. Partnering with organizations including DRMA, CareSource, SOCHE, Dayton Children’s, and many others, we will promote IT career-path opportunities to middle school students using interactive, engaging, hands-on activities.

It's no secret Technology First is all about promoting awareness that every business is a technology business. We exist to help shape the future of IT. It’s also no secret that you support those purposes too. We are always looking for volunteers to champion these efforts alongside us. You could serve as a committee member, event volunteer, Peer Resource Group leader, or any number of satisfying roles. Please email me at mcutcher@technologyfirst.org to learn more.

Let’s face it. Cybersecurity is hard. Between keeping the lights on and the mountain of IT projects, it is tough to stay in the know with current threats. It is common to see organizations attempting to throw software at the problem to stay informed and mitigate risk. However, this approach creates additional challenges. The software requires care and feeding and can produce large amounts of data that someone needs to review and act on. Before long, the software that was supposed to be the answer is just another piece of the enterprise that is getting little attention and presents risks since no one is updating it. While software solutions play a prominent role in understanding your threats and vulnerabilities, organizations should not discount the effectiveness of the basics.  

When working with organizations, the three main focus areas are People, Processes, and Technology. Organizations that invest in these three areas typically have an effective defense against cyber threats and are on their way to maturing their cybersecurity programs.

People:

People play a large part in an organization’s cybersecurity defenses. Your employees can be your best defense or your biggest weakness. Cybercriminals are looking for the path of least resistance; usually, people are the most straightforward way into an environment. Implementing a solid training program for your employees is a low-cost way to ensure cybersecurity is top of mind at every level. Look for ways to implement training regularly throughout the year and create a security culture. In addition, the training that employees receive on the job will often help them stay safe at home.

Process:

Processes within an organization ensure everyone is working with the same set of guidelines. Unfortunately, we often encounter organizations with little documentation on the simplest of tasks. Take user on/off-boarding, for example. How many user accounts are still enabled, with the same password in your environment, and the user has been gone over a year? None, you think, but the reality is we encounter this scenario all the time and not just for one or two accounts. A user moved on, and no one notified IT. Documenting processes like this ensures that essential IT functions do not slip through the cracks. This is just one example, but organizations should take a hard look at their internal policy and procedures and, at a minimum, have an Incident Response Plan, Disaster Recovery Plan, and Business Continuity Plan reviewed regularly and practiced yearly.  

Technology:

Technology in terms of cybersecurity is more than what is implemented to protect the environment. Don’t get me wrong, having a firewall implemented and configured correctly is critical, but the attack vector shifts if you are not regularly patching your systems. Organizations are typically good at pushing Microsoft patches; that’s easy. However, software updates and operating system upgrades are a different story. How many Windows 2008, 2003, or Windows 7 machines are running in your environment? Each machine presents a risk and attack vector. Every known vulnerability since the end of support is available to an attacker. Therefore, organizations should consider upgrades as soon as a system is implemented. I often encounter organizations that utilize software and hardware well past their intended end of life. At some point, IT Administrators simply do not want to touch them for fear of breaking something. 

In short, cybersecurity is more than any one piece of software or hardware. Organizations should take a layered approach to cybersecurity and think about solutions in terms of a program. Simply having good cyber hygiene goes a long way in limiting overall risk and attack footprint. By training your people, documenting your processes and procedures, and putting the right technology in place for your organization, you are well on your way to an effective cybersecurity program.  

If you are looking for a place to start, we can help.

Chad Robinson is the VP of Advisory and CISO at Secure Cyber Defense in Moraine, OH.  In his role, Chad works closely with organizations to develop and mature cybersecurity programs.

Artificial Intelligence (AI) is a growing part of our daily lives. We interact with Siri on our iPhones, we order Amazon products with Alexa and soon we’ll be trusting our cars to safely drive us to our destinations. Now we also have AI helping us write software code by interpreting and delivering solutions by predicting developers’ intention for code. The AI can offer robust code options, complete code snippets, classes, and methods. This is a much more robust contribution and collaboration than a suggested path. It helps you write complete code blocks.

How do we get an AI model that writes code for us? 

Artificial Intelligence is the result of repetitive Machine Learning (ML) using a large dataset. A facial recognition AI, for example, is the result of ML pouring over millions of images of human and animal faces. The success and failure to recognize a human face is tracked and shapes the next repetition of testing.

Similarly, to predict what a developer is going to need for his next line of code the AI would need ML from a large variety of software code. Comparing software code written in different programming languages would also improve the quality of the AI’s code recommendation. GitHub is arguably the largest data store for a variety of software code written in almost every programming language. GitHub has leveraged its vast inclusive content to create an exclusive AI code completion tool called CoPilot.

The controversy of using an AI code completion

Simple code recommendation tools, like Intellisense, have been part of developer toolkits for decades. A more complete AI-driven service as a software substitute has stirred emotional, ethical, and legal concerns.

Job Threat - Software development takes education and years of experience to become proficient. Some software developers could look at AI-written code as a threat to their job or that their expertise is being undervalued. When considering an AI tool to write software, be sure to consider the broader impact on morale and the unity of the development team. It may be a good fit for the team and another tool to use. It could also be a source of resentment and dissolve productivity in highly functional teams.

Exclusive Service Created from Inclusive Community Content - An AI-driven Service as a Software Substitute tool is leveraging available big data to give their AI enough training to be a reliable solution. In his paper ‘Copilot, Copying, Commons, Community, Culture’ Robert F.J. Seddon compares the four conceptions (i) of community written by Peter Dahos - ‘A Philosophy of Intellectual Property” (ii). Since GitHub is arguably the largest repository of publicly available software, it is a resource provided by an inclusive community. When the owner of that inclusive content leverages it into a commodity (a product) it becomes an exclusive resource immediately limiting access to the inclusive community.

Untested Legal Position on Intellectual Rights - If you use an AI-powered code completion tool that has a model built from a public, open-source software, how can this AI-created code be used for commercial solutions? Can this code be merged into an enterprise intellectual property?

In the July 2021 article ‘Analyzing the Legal Implications of GitHub Copilot’ (iii) the FOSSA team interviewed an Intellectual Property lawyer to get answers to these questions. In this article, the lawyer gave a great example of how Google provides sample content from millions of books it has indexed. It was ruled that Google was not infringing on the copyrighted material because a small sample of the material was made available. Comparing that to a code completion tool, it is not providing a complete body of work, only a small section of it.

But you should still be cautious using an AI to provide code completion. “I’d caution anyone using Copilot right now to help write code to pay close attention to the nature of Copilot’s suggestions,” Downing says. “To the extent you see a piece of suggested code that’s very clearly regurgitated from another source — perhaps it still has comments attached to it, for example — use your common sense and don’t use those kinds of suggestions.”

The Future Of AI
The development of AI tools is accelerating at an exponential rate. You can expect it to become more integrated with your personal and work activities. As more samples of big data become available, there are more opportunities to train an AI solution. One prediction I have for an AI tool: A solution that would interrogate an entire enterprise, examining internal file systems, code repositories and network topology then create workflow documentation, offering process improvement recommendations along the way.

Conclusion

I enjoy pair-programming with another developer but if that’s not an option I would consider an AI tool to get a feeling of collaboration during the development process. For some teams, it could be the support a developer needs to be productive.

As a developer, I don’t feel my job is at risk from AI-written code because there is high demand for skilled developers. I see it as a tool, similar to Intellisense, that would help me get the job done.

I know AI-written code raises moral concerns around inclusive vs. exclusive communities. The developer community needs to guard against abusive behavior from companies commoditizing on open and inclusive resources.

References

(i) Copilot, Copying, Commons, Community, Culture

by Robert F.J. Seddon, honorary fellow of University of Durham

https://www.fsf.org/licensing/copilot/copilot-copying-commons-community-culture

(ii) Drahos, Peter. A Philosophy of Intellectual Property. 1996, Dartmouth, pp. 67-70

https://www.researchgate.net/publication/304514536_A_Philosophy_of_Intellectual_Property

(iii) “Analyzing the Legal Implications of GitHub Copilot” - FOSSA 7/14/2021

• 
  

• As we near the end of the third quarter of 2022, it would not be an understatement to say the state of the software development industry remains red hot across the U.S. As I considered how to capture some of that momentum and provide some insight into something as large and complex as the state of software development I was reminded of an important article from the past. On August 20, 2011, Marc Andreesen published a piece in the Wall Street Journal that for many in the business and technology world would become a rallying cry, “Why Software is Eating the World”. In this article, he focused on what many were not as sure of then, as we are today, which is the impact software, software companies, and the start-up companies of that day would forever change the world in which we live and the businesses that many of us work for. (This article can still be found reprinted on his website, a16z.com) The insights still very much hold up today in 2022 which is why I will use it to frame up the current state of software development here in the Midwest as well as across most of the world. Here are just a few of the insights from that article that hold relevance for us in 2022.

  “We are in the middle of a dramatic and broad technological and economic shift in which software companies are poised to take over large swathes of the economy.”

  “Software is also eating much of the value chain of industries that are widely viewed as primarily existing in the physical world.”

  “Many people in the U.S. and around the world lack the education and skills required to participate in the great new companies coming out of the software revolution.”

  Is it hard to imagine that Apple, Amazon, and Alphabet are far from done taking over large swathes of the economy in 2022? While it is still early in the value shift from physical world to virtual we have plenty of samples of this evolution to reference in the last eleven years. FedEx, is now thought of more as a software network that happens to have trucks, planes and distribution hubs attached as an example. How many more physical value chains of industries do you experience weekly that are still in need of a little software revolution? ​Lastly, ​we can still see in ​today's ​news ​headlines that Mr. Andreesen’s concerns ​about the lack of education and skills required to participate in the evolving often software centric economy remains a pressing concern. While those headlines are often about security and privacy issues related to software, they also often highlight the challenges around education and skills gaps in many communities and often across a wide spectrum of people from the youngest to the oldest and the richest to the poorest.

  Here are some additional data points on just the education and skills area and why the last eleven years may have only been the first course in eating the world. This data also provides insight, that even bigger opportunities and challenges lay ahead for software and software development.

• • A shortage of experienced developers continues

In May of this year, the US Bureau of Labor Statistics showed that employer job postings for tech roles reached "a record high", led by new hiring in IT services and software development. Year over year through this same time there was a 52% increase in postings for tech roles with Full Stack Engineers among the most popular title.

Year over Year salary increases through the first half of 2022 remain on a growth fast track. Depending on what part of the US you are living, Hire.com and other sources report salary increases ranging from 7-14% year over year increase and on top of just as robust increases in 2021.

As of July, as many as 26% of the 20 million Americans who quit their jobs in the first five months of this year say they regret that decision according to many surveys. While the numbers for software development I would assume may be lower here given the white-hot salary numbers, it’s a trend to watch also in this space. Given the large, recent layoffs and hiring freezes within technology companies, could there be a Great Regret creeping into the software labor force?

I would like to end with this thought as we sit here in August of 2022. Software is a broad and reaching subject that we all should continue to seek to understand not only from the business perspective. Better understanding how the new generation of developers and technology companies are doing what they do, to what the broader consequences are for businesses and the economy all will remain important investments of our time. By better understanding these and other areas of this layer of the technology industry can we help ensure not only the health of our industry and that of our business community, but also to help ensure better participation for all that it will impact.

As many businesses approach budget season, the truth rears its ugly head again – the business needs 15 projects completed in the next year and the team has capacity for 8. So, you get together with business leaders, you prioritize, make half the room angry, and then because you’ve committed so much, your teams have little-to-no chance of actually delivering the projects you’ve outlined. This painful process repeats itself every year.

The good news is that this isn’t unique to your business. This pattern repeats itself across nearly every IT and development organization. The frustration mounts the same way in nearly every business leader. The math simply does not work – the work exceeds the capacity.

So, we try bonus structures and tightening down the screws but none of it works for long. And of course, we want to hold off on hiring so we need a different approach.

Fortunately, there are some things you can do, so let’s get started:

1. Master Motivation

Something like 60% of all corporate employees are disengaged. No org is immune. This statistic gets cited all the time and shows up in a number of articles. Here’s one that discusses a 38% engagement rate. It’s a pervasive and hidden issue, so let’s try to make it more tangible:

An engagement rate of 38% on a team of 25 people means that 9.5 people are fully engaged.

If the engagement rate increases just 8 points (46%), it means 11.5 people are fully engaged.

That’s the equivalent of hiring 2 people!

Author, Daniel Pink wrote an incredible book on engagement titled “Drive”, that’s a must-read for every leader responsible for engineering teams. Pink’s research showed that humans aren’t motivated by money nearly as much as by having Autonomy, Mastery, and Purpose in their work. When we create environments where people have autonomy, mastery, and purpose, we create environments that lead to engagement. How do we do this?

Autonomy

Leaders who excel at creating autonomy focus on two things: trust and courage. Trust in your team to let them make tech and product decisions in their local context, without significant oversight from you (or another leader). Then, the courage to stick through it and let them make a mistake. It’s like the first time you let your 16-year-old drive on the highway by themselves (a reality in my life right now). Autonomy takes trust and courage.

Mastery

Excelling at mastery requires investment. Financial investment helps, but this one is really about time. Investing time every quarter to allow teams to develop skills (in a SAFe environment, this might be during the IP sprint). Throughout the year, encourage people to take on some new tech and then encourage pairing with someone who already knows the tech. They’ll be slower at first, but as skills develop, you’ll have two people that are masters at the new tech and the org will be twice as fast.

Purpose

Why do people work for your organization? To make money for the business? Doubtful. Making money for the org just doesn’t motivate most people. To make money for themselves? Again, doubtful – you’re probably already paying your engineers more than the money required for happiness (that number is currently $95,000).

People’s deepest purpose is to help others. Purpose provides us with the good feeling of having made the world a better place.

There are two keys to driving purpose: Stories, and Frequency. We must share authentic, believable stories about how our work improves the world and then we must talk about them frequently. Stories are the currency of Purpose.

If you work at a bank, it’s tempting to talk about revenue, but it’s more motivating to talk about helping a family achieve the dream of owning a home by providing a mortgage for them.

If you work at a Consumer Goods company, it might be easy to talk about sales goals, but it’s more motivating to share stories of moms who struggled before using your product and now have a changed life because of it.

2. Become a Culture Curator

We all know that “culture eats strategy for breakfast” but if we look at the past 6 weeks and are honest with ourselves, how much effort have we put into culture? How much to strategy? We have to wonder if the focus on strategy is ruining the breakfast.

The number one job of every leader in a development organization is to create and curate a culture. Every word, every thought, every idea you have should propel the culture in a direction that helps to accomplish the goals of the organization. If the culture needs to be more entrepreneurial, then immersing yourself in the entrepreneurial culture of startup software companies and reflecting that in decisions you make must become a core part of the way you operate.

Leaders’ roles are to eat, sleep, and breathe the culture we’d like to see embodied in our organization. The more we do that, the more we’ll create that culture in our people and our companies.

3. Become a Servant-Leader

Scrum and Agile flipped the script on leadership and it makes the world a significantly better place. Leaders who serve their teams win their hearts, gain their trust, and build more committed teams. As a senior leader, this is what servant-leadership looks like:

●      Asking your teams what help looks like and then doing that for them.

●      Starting every meeting by asking for the room’s thoughts on what should be covered (instead of driving your own agenda)

●      Coaching an employee who shows that they need it and welcomes it.

It may take some time but mastering motivation, curating culture, and becoming a servant leader are very effective ways to increase development capacity. Along the way, you’ll become a better leader and create an even more high-performing organization.