Monday 16 May 2011

What CEOs Do, and How They Can Do it Better

Why did you come in late on Tuesday? Did you really need an hour and a half for lunch on Wednesday? Why wasn't that report done by Thursday? For most of us, justifying our schedules is an expected part of the job.
But what employee hasn't looked at the closed door of the corner office and wondered what the boss is doing all day? For all of the minute-to-minute monitoring of employee performance from the time of Henry Ford onward, it's amazing how little any of us really know about how CEOs of major companies spend their time.
"Fundamentally, it's because no one knows what a CEO should do," says Harvard Business School professor Raffaella Sadun. "Most of the time it's difficult to codify the qualities of a good manager."
Despite that difficulty, however, it's self-evident that the way a CEO chooses to spend his or her time has much more of an effect on a company's success or failure than whether a middle manager spends a half hour more at lunch. With that in mind, Sadun and three colleagues (Oriana Bandiera and Andrea Prat of the London School of Economics, and Luigi Guiso of the European University Institute) set out to get to the bottom of CEO time management by following nearly 100 top managers in Italy, as reported in a recent paper with the deceptively simple title "What Do CEOs Do?"
"We had no way of knowing what we were going to find," says Sadun. "We went in with the curiosity of trying to understand the life of a CEO."
But what they did discover should help CEOs learn to be more effective with their time, and provide boards with a new tool to help assess the effectiveness of their chief executives.

Under a microscope

Of course, it's not so easy to codify all of the many actions a CEO could take during the course of a day—attending meetings, reviewing a marketing campaign, schmoozing clients on the golf course. So Sadun and her colleagues instead divided up activities with a much simpler measure of looking at the people with whom a CEO spent time.
After all, the boss is in a unique position within a firm not only to spend time with employees, but also with the outside world, making connections and gathering information. However, not all of the time the boss spends with outsiders might help the firm, especially if a CEO's and a company's interests are not aligned.
"CEOs should be working with both constituencies, insiders and outsiders," says Sadun. "However, if there are governance issues, there might be the possibility that the CEO is in the outside world more for his or her personal benefit than for the benefit of the firm."
In order to test whether this was true, the researchers enlisted 94 CEOs of major Italian corporations who agreed to put their lives under the microscope for a period of a week at a time. The CEO's personal assistant was asked to record every activity the boss engaged in that lasted at least 15 minutes.
Tabulating the data, the researchers discovered that the vast majority of a CEO's time, some 85 percent, was spent working with other people through meetings, phone calls, and public appearances, while only 15 percent was spent working alone. Of the time spent with others, chief execs spent on average 42 percent with only "insiders" (employees or directors of the CEO's firm); 25 percent with insiders and outsiders together; and 16 percent with only outsiders. (Exact numbers varied dramatically among the sample, with some CEOs spending more than 20 hours a week outside the office, while others spent almost none.)
Next, the researchers crunched a number of factors measuring company performance—for example, profits per employee—in order to see which CEOs were more productively using their time.

Better on the inside

Their first finding, which might seem unsurprising, was that the top managers who spent more time at work were more productive than those who spent less time at work. In fact, Sadun and company found, for every 1 percent increase in hours worked, there was a 2.14 percent increase in productivity. "That's never been shown before, so that was reassuring," Sadun says.
Likewise, time spent with insiders was strongly correlated with productivity increases. For every 1 percent gain in time spent with at least one insider, productivity advanced 1.23 percent. Less reassuring, however, was that the time CEOs spent with outsiders had no measurable correlation with firm performance.
In a final measure of CEOs' performance, the researchers rated firms based on the quality of governance, measuring a variety of factors such as the size of the board, the presence of at least one woman on the board, ownership, whether the company was based in another country, and if so, the general level of governance in that country. Again they found a clear correlation: in companies with stronger governance, CEOs spent more time with insiders and less time with outsiders, and at the same time were more productive.
"There are some industries where a CEO really needs to be outside, so we don't need to be proscriptive, but if you were taking these results literally it would tell you that since a CEO's time is constrained, he should be mindful of the time spent with his own employees," says Sadun.
In extrapolating from the data, Sadun cautions that the sample size used in the study was relatively small (though exponentially bigger than any past research on the topic), and that the results of the study (especially when it comes to the link between CEO time use and firm performance) should for the moment be interpreted as suggestive correlations rather than firm causality statements. Even so, encouraged by the results of the initial study, the group is planning to continue along this line of research by expanding the data collection in other countries (India, China, and the US) in order to increase the sample as well as to take cultural differences into account.
Sadun says that the group has received nothing but positive feedback from the anonymous CEOs who participated in the study. In keeping with the adage that "it's lonely at the top," many of the managers studied had little idea of how they could make their time more productive. Sadun hopes that the information will be equally helpful for boards in evaluating the performance of their CEOs.
"It's a way to monitor where the efforts of the CEO are going, and to get them understanding that perhaps spending too much time on the outside might not be as beneficial as they might think," she says.
If nothing else, next time employees ask the question "What is the boss doing with all of his time?" at least they'll have an answer.

About the author

Michael Blanding is a freelance writer who lives in Boston.

Reader Comments:

  1. The CEO should be focused on keeping enough financial fuel in the corporate tank. The COO should be focused on productivity. The authors stated "Most of the time it's difficult to codify the qualities of a good manager." The CEO should function as a leader creating opportunities and not a manager solving problems. I have to wonder if the authors were using the best metrics to measure the actions of the CEOs involved.
    Anonymous

  2. The most important thing a CEO needs to spend his or her time on (once the organization is headed in the right direction and performing effectively) is to envision where the organization needs to be five-ten years out and start planning how to get there. This isn't a time-management issue. It's a matter of focusing on the major aspects of the job.
    Robert Liley
    Founder and Principal
    The Signal Group

  3. In my opinion, the function of the CEO is to make effective, efficient and optimal strategic decisions and plans for the company. In order to make such important decisions and plans, CEOs need a lot of time to think and analyze, but not just sit in front of the desk.
    Great CEOs never stop working, since we are thinking all day long.
    Xiaomeng Shan
    MPH candidate
    Preventive Medicine Department at Stony Brook University

  4. I 100% agree with the authors. This year I am heading an association as Chairman, which has made me spend most of my time outside my office and working with the outside world, industry, government and bureaucracy. I have hardly any time for my company and this has been so for the last 6 months. I find myself completely cut out of my own organization and even my own people have started complaining that I am not giving them time. I am feeling that I am losing contact with my people and this article has opened my eyes that working with the outside world is not productive at all and not even worth it. From my own experience, I would strongly advocate that CEOs should spend 90% of their time with their own team and the remaining 10% with outside business so as to keep updated on what is going on around.
    Anonymous

  5. This is a very interesting study and tackles a challenging subject. I believe there is no one answer for all questions and also we can't apply one measure to all CEOs who have different backgrounds, styles and work that differ across industries. However, results can be evidence of how effective the CEO is, and that can be measured not only by figures or how much time s/he spends in and out but, more importantly, by the cultivated work environment and the organization's eagerness to improve, excel and happily evolve. Success and efficiency then become self-evident.
    abdullah Bin Zarah
    Executive Director
    Sultan Humanitarian City

  6. In my opinion, an effective CEO must understand the offer from their organisation and its market place. A successful CEO must have the vision of where the organisation is going and how stakeholders can be involved to grow the organisation. Once I was given a very good analogy - the CEO is like the captain of the Titanic. Whilst he has the best engineers in his engine room; best entertainers, chefs, crew to look after the customers; best ship in the world; the captain did not spot the iceberg and sank it.
    Should the CEO be looking inwards or outwards? I will let you be the judge.
    Anonymous

  7. Why do we need CEOs? Every discussion on leadership has always assumed that the CEO position is a given... but no one has ever examined or talked about why these "creatures" are even necessary for an organization to function. If no one knows what a CEO does, then the question that begs to be asked is why do we need CEOs?
    Anonymous

  8. I have been at CXO level for many years with large and small / start-up companies. Improved revenues by 300% for 3 years and improved the bottom line all through my 33-plus years of experience.
    I am based in India and have sold to and supported customers from across the world.
    Based on my experience, I would summarize as below:
    Spend 1/3 of your time each on today [operational], tomorrow [current year and up to the next 3 years] and the day after tomorrow [beyond 3 years].
    Activities for today are obviously spent with your internal team and supply chain and delivery chain partners.
    Activities for tomorrow and the day after tomorrow are spent essentially with outsiders - who are essentially future supply chain, internal chain and delivery chain partners.
    Ganesh Srinivasan
    Management Consultant
    Self Employed

  9. We have to be mindful of the fact that the CEO is the face of the organisation. He is supposed to be visionary, ensuring the company is on its strategic direction. Businesses are built not by sitting down behind the desk but by creating a network of relationships within the ecosystem in which the company operates. That can only happen by spending more time outside.
    Muhammad Jibrin
    Managing Director/ceo
    SunTrust Savings & Loans Ltd

  10. I beg to disagree with comment #4. I don't think it is possible for a CEO to spend 90% of the time with his/her team and only the rest of it with the outside world. It very much depends upon the nature of the work and many times is not at all feasible. I definitely second the contention that the amount of time spent with the team improves productivity, but it also depends upon the quality of the time, and many times healthy interactions with the outside world can help a CEO bring new perspectives to his/her discussions. What I feel is that the first and foremost duty of a CEO is to set a mission and then a vision for an organization while taking into consideration all the stakeholders, the value system, and the culture evolved thus far.
    Aditya Agarwal
    PGDM (MBA) Participant
    IIM, Indore

  11. One aspect of evaluation of CEO time, is what is the mandate given to him? If a CEO is appointed with a mandate to reinvigorate the team then he needs to spend more time with insiders. But if the CEO has a mandate of expanding the business -both existing and new - then the CEO is required to spend more time with outsiders. Similarly, in Family Businesses, professional CEOs are responsible for operations while Family will continue to take care of outside relationships which are built over time.
    RaviParsi
    Senior Faculty Member
    Federation of Universities

  12. I had a similar experience some 5 years back when I came to this position. When we assume a new position we tend to move around, neglecting all our INSIDE jobs which are going to develop the organization and ourselves. I made the same mistake and at one point in time I found myself drowning in other activities rather than envisioning the future growth or sustainability of the organization. The order of preferences had changed. In fact my team had almost forgotten me and they had become lazy also. A self-analysis and a chat with my mentor made me rethink what I had been doing and what I actually should have done. It took me almost two years to come back to normal and be poised for growth. This article is an actual fact and all CEOs must read it and rethink their strategies.
    D.RAVI
    Director - Marketing
    TECHNY CHEMY

  13. The number of CEOs spending vast amounts of time tending to growing their personal wealth in investments and private companies is increasing alarmingly. The annual general meetings of companies should transform from a 2-3 hour ceremony to 1-2 days of deep interactions with the CEO and his team. Proper governance has to be set up to review all internal systems.
    Anonymous

  14. It's a very important research initiative. All praise to the authors. Any company striving to make its mark has to have a serious Vision and Mission. The organization's purpose or reason for being is the vision, and the CEO will have the main responsibility to propel it. This may not be measurable in the short term but is the DNA of the company and hence of fundamental importance. And the Mission part, what the organization does and how, is the measurable part, requiring the CEO to lead and guide his workforce. What percentage of time a CEO spends out of the office, what percentage with his own managers and staff, and what percentage with insiders and outsiders together will be, in my opinion, governed by the vision and mission details of the company. It may be a good idea to link the data with vision and mission and see the outcome.
    Dr. G S Singh
    Hon. Professor
    Guru Nanak Dev University

  15. In my opinion, this is useful research for provoking further discussion along these lines with larger samples. Most new CEOs, especially ones appointed from outside the company, are typically ill prepared to initially make effective allocations. Those who survive their first year usually do so because they are astute observers, questioners, analysts and have a deep understanding of appropriate general management Key Success Factors. The survivors typically shape direction, collaboration and supporting operational & cultural factors to get effective near term results as well as commitment to initiatives to ensure continued profitable growth.
    This type of research, to be increasingly useful, will need to identify and categorize the types of companies researched by stage in the life cycle of both the company and the CEOs tenure as well as identifying relevant business tsunami situations.
    Perhaps it could also delve into the kinds of indicators the more perceptive and experienced CEOs use in shaping their calendars. Certainly, the quality and scope of operational and contextual information available internally to the CEO will shape how and when they personally proceed to gather information first hand. The quality of their management team is another. When the incumbent management team is stellar, and when it is generally incompetent, are situations that place significantly different requirements on how the CEO's calendar might shape up, especially if the CEO is new to the industry and the job.
    Let me share a few other observations that may be useful in categorizing situations for CEOs in the process of shaping their calendars.
    I work with over a hundred CEOs, directly and indirectly, and in the US, they just about all changed their calendars dramatically in November 2008 as the financial liquidity tsunami began drying up, and most companies cut expenditure dramatically.
    My business dealings are principally with technology companies and healthcare firms. Critical external issues for CEOs in these two industries are very different. Today US healthcare CEOs face special calendar-shaping challenges in light of the uncertainties associated with extensive new regulations for the near-term future, which are also being aggressively challenged in the courts and by a political party determined to upend various aspects of them. 1993, when Hillarycare seemed a significant possibility, was a somewhat similar time for US health care.
    Dealing with less severe externalities, successful CEOs shape their time management substantially differently when they are running multi billion dollar publicly held enterprises and when they are running hundred million dollar revenue privately held companies. An early stage venture backed company has very different time allocation issues for the CEO than when they are entrepreneurially bootstrapping a company.
    Lastly, Michael Porter and another author recently wrote about beginning to create Corporate Social Value for a company. Launching this kind of initiative could easily be very time consuming for a CEO, especially to ensure it delivers on its promises. In the first place, in my experience, most board members don't really understand how critical such an initiative might be to "ensure profitability" in many increasingly regulated industries, as well as industries threatened with potential regulation because of the negative image of "business" in this country at this time. (Just look at some of the responses this article attracted.) In my experience, CEOs of major corporations who launch initiatives of this sort without board support use up a lot of the kind of "board capital" that can later reduce the time required in selling other initiatives. This low board capital situation can also provide the opportunity to conduct a new job search, out of urgent necessity.
    I look forward to following your continuing research in this important area.
    Bob Kelley
    CEO
    ABL Organization

  16. Interesting comments and true. As the CEO, to think you need to fuel your thinking with the status of reality, and know what to believe and how to filter what is being given to you as CEO. When the CEO spends more time outside his "ship", who is he leading? Or should he send scouts and only appear out there strategically? It is clear that improvements come from time spent with the team, to make them focus on strategies and to give them direction to targets.
    Anonymous

  17. What the CEO does depends on the STAGE OF GROWTH of the business that he is heading. In the early stage of a business the CEO spends a lot of time on the operational aspects of the business, while during the expansion and mature stages, the time spent outside the business increases dramatically as the CEO endeavours to capture all available market opportunities.
    However, whatever the stage of business, two activities, both outside, that always fall in the lap of the CEO are: 1. Networking; and 2. Fund raising.
    What percentage of the CEO's time these take would depend on the stage of growth and the state of the internal organisation of the business.
    Pankaj Sahai
    Author
    Smooth Ride To Venture Capital

  18. Most individuals at that level tend to occupy their minds with other issues outside the business environment, thinking of either their retirement plan or the next phase of their lives; as such they relate more with the outside world in trying to fill the empty space or vacuum created by cravings and needs which are personal and beyond what the company can do for them. It is my considered opinion that the outcome of this research substantiates the fact that CEOs thrive predominantly on the sweat of their immediate subordinates alongside other employees who are the foot soldiers of the company. I would say that very closely linked to this research outcome are CEOs from developing democracies. They tend to be more involved with outside politics under the guise of getting the government or public policies to favour their operations, very often at the expense of the very business and the employees under their auspices. "More of outside politics than the boardroom politics".
    Lemun Nuhu YAtu
    Business Development Executive
    Ansi-Global Links

  19. International Corporate Consultant - focus Leadership/Sales Excellence
    Working with CEOs for some time, I have noticed a direct correlation between the organisation's performance and the lack of thinking time expended by the CEO. Ditto with the CEO spending too much time doing or monitoring other employees' roles. It is clear that this becomes a perpetual loop and usually ends in exit by the CEO. As mentioned above, it is not usually a measurement of where the doing or thinking is being undertaken but if and how.
    Anonymous

  20. In my view the CEO has to focus more on the opportunities available to them and the ways they should take these opportunities to compete; for that they have to take the strategic decisions.
    vaishali
    assistant professor
    H K P

  21. All organisations are different and at different stages within their markets and development; therefore the demands on a CEO will differ. The one key task that is common, however, is to galvanise a clear direction for the company and to create the culture that will deliver it. Where this can go wrong is when CEOs are provided massive salaries, with only short-term financial targets to hit such as increasing shareholder value, which is usually done by lowering expenses in the short term, i.e. cutting staff.
    Anonymous

  22. We need more detail here. Alex Haslam's recent edited text talks of 'in-group' and 'out-group' leaders and their respective characteristics. What qualifies as an insider and/or outsider in the current work? In my work I am seeing increasing numbers of external appointments to senior positions, but all drawn from the same outside organisation. They seem to spend their days talking to one another, while actively avoiding talking to insiders who know the organisation and the parts of it that are working very well. This choice, in Haslam's terms is a recipe for, at best, mediocre performance.
    Anonymous

  23. The job of a CEO is to teach. He needs to share his passion and vision with each and every stakeholder he meets. The rest falls into place.
    Govind Gadiyar

  24. I agree CEOs should be spending more quality time with insiders, particularly with those who are not performing as well within the organisation. In any case, for internal meetings there should be a set time limit, as I have seen meetings drag on for considerable time without producing an effective conclusion, thereby resulting in (considerable) valuable time loss for the CEO, for which the CEO alone is responsible. CEO external meetings should be for updating oneself with industry trends, detecting opportunities and sometimes managing much-needed funds to meet the immediate requirements of the organisation due to possible cash flow issues.
    R.Viswanathan
    SVP
    Genus

  25. What about Executive Directors or CEOs who are employed through a Government Agency or Ministry, and have some measure of responsibility to respond to the line Minister? To what degree can he/she operate independently and seek to move the organization forward and maintain the executive flavor of the position? There needs to be a distinction between those in the private sector, as against those in the public domain.
    Mervyn Extavour
    Director
    Accreditation Council of T&T

  26. Time invested with current and future customers provides the insight a CEO requires to focus the company's resources (financial, human & capital). Time allocated for riding side-saddle with the salesmen and living the life of a customer will also contribute to a better understanding of what is required to point the company in the right direction and confirm its competitive advantage.
    Al R Ireton
    Chm/CEO
    Manchester Partners Ltd

  27. It is very easy for a CEO to become trapped in the corporate headquarters office. Rather than spend time with and listen to employees who are far away from customers and from where the product or service is delivered, CEOs need to be in the presence of customers on a regular basis: not only to thank them for their business but to find out what they like/don't like about the product or service and about trends in their business. CEOs need to spend time with front-line employees to thank them and support them. They are the face of the company! If a CEO practices MBWA they won't need to be the next "Undercover Boss". Academics tend to make leading a company more complex and scientific than it is...
    Mike MacDonald

  28. The comments above are relevant from the respective standpoint of their writers. The Situational theory of leadership is best suited in this context.
    A CEO has to (a) visualize and (b) actualize. The former would involve a better understanding and pulse of the external environment and would necessitate time spent "externally". The latter involves helping subordinates set up the guide map (time spent internally) and then delegation.
    Brig S Agarwal, SM**
    President, Services Selection Board
    Govt of India

  29. This is a very interesting study. I wonder what we will find if the study is done with say CEOs of Fortune 500, China's Top 500, India's Top 500 and cluster the respondents by industry. May be we can gain some insights that aspiring leaders can learn from given the dynamics of each industry as well as the culture of the countries. Any attempt to understand our leaders is a move towards improving our lives.
    Anonymous

  30. It's indeed an interesting topic, and a rare insight into a CEO's functions. To me, the time allocation will depend on what an organization sets out to achieve and at what life cycle stage the firm is engaged in. A CEO has to balance his time within and outside as he is the face of the organization. He can choose to spend less time with insiders if he is a CEO who evolved within the industry or rather within the firm; the balance of his time can be effectively used with outsiders to improve the market image and productivity. Therefore the effectiveness of a CEO and improved productivity will depend on the time that he spends with the public at large to know the pulse better without compromising time with insiders.
    Ravindran Kanningat
    Faculty - Business Studies
    Edgewater College

  31. I wonder if the authors took the degree of delegation and style of working into account. That might make a difference in the research.
    karma lhagyel
    manager

  32. The most critical role of a CEO is to create simplicity around all strategic efforts.
    If a business strategy is to be viewed as mission critical, it has to be simplified enough for everyone to understand, talk about, and execute, or - with no pun intended - it simply won't work.
    Stephen Melanson
    President
    Melanson Consulting

  33. What about all the time which a CEO spends which is not of a 15-minute duration?
    A 30-second phone call can be far more valuable than a 30-minute meeting, whether inside or outside the organization.
    It is quality of time invested that matters, not so much for how long, or where it is invested.
    This study ignores such factors, and is too broad brush and simplistic to be of much value, in my opinion.
    Plus, simply having an Admin Asst record the time in a log says nothing about what really transpired in the time blocks.
    So to then try to equate that against company performance is irrelevant.
    Frank Feather
    CEO, Geo-Strategies

  34. How a CEO spends his or her time is substantially a function of the kind of company, the stage in which it is, and the burning questions of the day.
    For example, the CEO of a PR firm would have vastly different activities than the CEO of a high-volume tier 1 manufacturer in the automotive space. Similarly the CEO of a mature company looking for acquisitions will not be spending the same amount of time on activities on which the CEO of a growing company does.
    Also, the sample of CEOs itself might have substantial diversity in cognitive and other skills. What's good for one CEO might not be good for another. The study doesn't identify this and taking group averages and using standard statistical techniques in heterogeneous samples could be of little value and potentially misleading.
    I also didn't see any corrections for the organizational structure, depth of management team, etc. either. One could argue that the presence of a COO could have a significant impact on the internal/external allocations.
    Having said that, this is still an interesting study and continued research in this area could provide valuable insight into drivers of value and productivity.
    Pavan Muzumdar
    Pieris Capital

  35. This is very interesting, but I wonder what REAL results you would get if the CEO didn't know they were being tracked?
    Anonymous

  36. I work in an organization where the CEO/Founder's pet project is sinking the company. Millions of dollars of resources and cash (as well as the CEO/Founder's own $$) are poured into a product which, while innovative and need-meeting (in the big picture), has yet to create the market in which it needs to sell. His control over the department seems to stifle any innovation beyond his idea (which he began working on 5 years ago), and he's been hesitant to embrace elements of strategy which would lead to opening up the market for the product (i.e. Social Media). He hired a "yes" man to run the department who is the "nice guy" that the CEO is not, who takes any constructive criticism of things/processes he's created completely personally - so much so that innovators and leaders on his team no longer want to go to him with ideas that would increase the bottom line. I.e.: a colleague of mine made a contact with someone who could have increased the product/license sales 1000%, but the dept. leader would have had to provide an example of the product--something he had provided to another lead 12-15 months ago, which went nowhere. Based on the first experience the CEO said let's not do this any more, therefore the dept. leader chose not to take the risk. The Company as a whole looks at the dept. in question with disdain and jealousy (think Joseph & the Technicolor Dreamcoat), though in this case the dept. is in danger of making the company "bleed out." Yes, I put this anonymously, but I feel a lot better just typing it out. A.N.
    Annie Nonnimus
    Pawn/Flunkie

  37. Before my time in the business consulting arena I was a CEO of a manufacturing company. It is lonely at the top . . . I read the article and all of the comments with great interest. The truth is that many of the claims in the article are surprising and must certainly apply to the situation of each company and CEO at the time. However, the time frame and method of study is clearly too short and simplified to be meaningful.
    For instance the CEOs that were spending lots of outside time may have been setting in motion strategies and arrangements which may take months or years to be fruitful, whereas the CEOs spending much time inside may have spent time outside a few months or years earlier which created the profits / productivity being measured during the collection of the data.
    I like the idea of this study, but time and how it is spent is in question and the flaw is that company performance is more of a motion picture than it is a snapshot.
    Dennis Thurman
    CEO
    Biz-Align Strategies and Consulting

  38. I am a strong advocate of the distinguishing leadership qualities identified by Jim Collins in his book "Good to Great" - "disciplined people", "first who, ...then what". So, the researchers' approach to study "with whom" the CEO spends his/her time resonated with me.
    I would have liked to have seen a deeper probing into the "what" after the study identified the major categories of "who". Some of the troubling findings for me - 1) of the time spent with outsiders, CEOs spent most of that time with consultants; where is the contact and engagement with customers? 2) of the time spent with insiders, the time spent with people involved with Strategy was the second lowest category. I concur with Ganesh (comment #8) - two-thirds of the CEO's time should be spent on near-term and long-term strategic planning and implementation.
    Mary Dillman

  39. My personal framework for time allocation:
    1. Future: 40% time steering the organization to future opportunities, mentoring future leadership
    2. Present: 30% time in tactical, day to day biz decisions to improve current performance
    3. Past: 10% time in analysis and review
    Invest 20% time in self-reflection, planning and thinking.
    Rahul Pandit
    President & COO
    The Lemon Tree Hotel Company

  40. Actually bodies which operate outside the organisation usually try to have negotiations with top level management and that's why CEOs spend more time with them. This problem can be solved by Delegation of Authority to middle level management or Managers, so that they can handle the different issues with outside parties. Then only the CEO will be able to spend more time with the people inside the organisation. The task is more closely headed by PR Departments but important issues related to government could not be handled by them.
    Anonymous

  41. Very Interesting white paper. Congrats to Sadun and team.
    I manage a very small proprietary limited firm. I feel there is a fundamental difference in how a CEO spends his/her managerial time in proprietary limited vs. public limited. For the simple reason that in proprietary limited, the boss has more ownership and is seen as more responsible. Whereas, when a public limited CEO's interests might not align with his company's interests, his managerial time is spent more outside the company than inside.
    Janaki
    Janaki Pendyala
    CEO
    NetAdwise Solutions

  42. Very interesting study. More work along these lines will help.
    If many more cases are studied, I wonder if different patterns will emerge for different sizes and stages of organizations. I can easily see how a CEO can help small or start up firms become more productive.
    Very large organizations, or very mature organizations - will inputs from the CEO matter quite as much?
    Productivity is often a function of expertise and skills. Large established firms have a wealth of internal expertise, often well beyond that of the CEO. They also have the resources to integrate these deep skills in productive ways. There the CEO can probably help more in terms of leadership development, and of course this is valuable.
    Anonymous

  43. How a CEO expends his/her time is a very contradictory subject. In Brazil, where it has the best CEOs in the World, there is a very interesting reason. Here we used to have an unsure or fluctuating economy, changing the rules of the game frequently. Our politics were and still are very corrupted, which leads the legislation to a predisposition to overcharge the companies with laws and rules very difficult to follow, making the CEO's brain swallow in order to find solutions and new ways where many could feel desperate. In fact, the most difficult experiences support and keep the leader refreshed with thousands of ideas that come from every direction, even outside the company. For this reason I think that the authors of this study should apply or extend the time of the feedback from the companies and CEOs' reports since it can vary enormously during a longer period of time.
    Ronald
    CEO
    BrazilStateRoyalProperties

  44. While my position as the Head of an Independent Middle School appears to have little in common with a CEO, I know that the more time I spend with my teachers engaged in dialog about how their work connects to my/the school's vision, the more productive they are and the more sustainable the positive energy becomes. This article is a great reminder of that fact.
    Todd
    Head of Middle School
    The Pennington School

  45. Strong governance is a must so that the agency problem is minimised and striving to achieve planned results becomes the focus and credo of the company. Today's competitive environment means that an organisation can only thrive through continuous transformation. A CEO together with his Board should therefore share the passion and capacity for visionary strategy and strategic implementation. An inadequate Board will impair the effort. As the champion of change and sustainable growth the CEO should be continually engaged with driving both operational and change issues with his staff, listening to customers, collaborating with existing and potential business partners. The cycle of change will inform the extent to which the internal and learning perspectives have to be leveraged to in turn create a new dimension for existing and new customers that sustainably grows the bottom line. It is therefore quite conceivable that an internal emphasis supported by activities with outsiders results in higher productivity. Activities with outsiders are vital and cannot be excluded from the equation. The research requires to go deeper.
    Stephen Wandera
    Managing Director
    British-American Insurance Co. (Kenya) Ltd

  46. Were any of the CEOs under the microscope from Professional Service Firms (PSFs) ?
    Don Miskell
    Managing Director
    Boffa Miskell

  47. Your research is intriguing, recording what CEOs actually do is insightful, and the early findings of this work as presented in the article are very interesting. Better yet, look at the breadth and depth of comments this article has stimulated; to me that is most interesting (and telling). This work has great promise.
    When you start a CEO assignment, the only resources you have are Time and Influence... and one or two shots of limited positional power, that's it. The uses of these resources, the direction, intellectual and emotional content, the methods of applying them to the many centers of demand for these resources in a business vary almost exponentially based on the type of business, the stage of the business, the way it is financed, the types of stakeholders, the strengths and weaknesses of the CEO. This is not to say the CEO job is not worth studying, it is to say that you can generalize yourself out of getting useful information. Research is good, especially research that focuses on what really happens to people doing this job as opposed to how others think they are doing the job. We are talking about CEO behavior, doing stuff, making decisions about what to do, so need to appreciate the autodidactic nature of the CEO experience.
    Put 15 active CEOs at a conference table, give each a piece of paper and a pencil then give them two minutes to write an eight word (or less) job description for themselves AS CEO, with no help from others. Then have each CEO share their newly minted summary with the group and get ready for laughter and loud conversation. I've led this simple activity many times and am still surprised, along with the participants, about how different their summarized job descriptions are. Yet it confirms my own experience (23 years as a CEO of four different companies), because were I a participant in an eight word contest I would have written different things at different times, and laughed along with others at parts of my own list. Of course, the CEOs themselves don't always interpret their world or actions clearly, hence your research. You can observe (more objectively) and help interpret, good science.
    My hope is you can you sift through this continuing research to produce strong findings. In doing so I suggest staying with the granularity, measure success in business and community terms. See if there is support in the research that will illuminate methods to give a CEO a menu from which he/she can choose and consider how to best augment what is for most of us a singular autodidactic journey... the life of a successful CEO, using his/her time and influence as successful leader of a commercial community.
    So, again, look at the comments you've stimulated with this article. If you look at the CEO journey as an autodidactic experience, and if you can help CEOs (or their boards or investors or their stakeholders) find ways to help, encourage, judge the actions of a successful CEO, well then you have something.
    Nice work and thanks for the article. You clearly have struck a chord.
    Sincerely,
    Walt Sutton Ex CEO (23 Years, Four Business) CEO Advisor (15 years) Author "Leap of Strength"
    Walt Sutton
    Ex CEO, Author, CEO Advisor
    W. G. Sutton International Ltd.

  48. Good efforts! But the research is extrinsic and on intrinsic side. Definitely it (time spent) has impact on productivity but much less than the qualitative approach. Need not to mention that you would find the noticeable difference with countries having different Political/ Cultural setup.
    NIPUN PHARLIA
    ASST MANAGER
    NTPC

  49. Productivity (one aspect of growth) is not the best criterion to testify the CEO's approach towards company. Productivity may keep you moving but can't make you the leader in market. CEO should possess the quality of a leader not of a manager, he should generate motivation by creating more opportunities that is only possible by spending time on outside relations and influences. A best leader needs to have good mix of time spent on productivity and creation of new opportunities. This mix of time should be forecasted on the basis of company's current position. If the company is market leader then CEO needs to focus on sustainability (productivity) and if the company is growing at constant rate then CEO must focus on new opportunity creation to be the market leader.
    Abhishek Kumar
    Sr. Solutions Integrator
    Ericsson

  50. A mentor told me that the job of CEO is to ensure that anyone that works with the entity from clients to suppliers to employees, shareholders et al grow and advance and are better off as a result of their effort.
    Adding to that, the job is to lead from your core, set the pace, communicate the values and vision and direction, be the CBO (Chief Brand Officer) in the marketplace, drive continuous improvement and ensure that there are sufficient resources, apportioned to the most beneficial and aligned activities.
    Brad
    CEO
    Marich

  51. The CEO must see the forecoming of his enterprise actions. So it is the brand progress in the market that really matters; the time is always short so expend it where it really makes the difference, and this is simple to say but very hard to implement.
    Paulo Wilson Rodrigues
    Founder
    EEL - USP

  52. Under the microscope scanning by subordinates for CEOs it appears positive thinking towards the organisation. However to the opportunities and responsibilities given by CEO is with positive attitude.
    Anonymous

  53. This question as to what exactly it is I do and how I can do it better, is best crystallized by how I go about earning what I am worth. By following the deeds I do to accomplish my earning and by learning to change, hopefully I can increase my earning power by changing the top and bottom line results of the organization that I have de facto control and final executive decision making authority.
    Now, having said that, it is a proven fact absolute power corrupts absolutely; I have an executive chairman and a board of directors to hold my feet to the fire, and whose policy it is for me to express in the actions and culture of the people talent within and without the organization, and this goes for branding of the goods and services we provide.
    Personally speaking, I see myself as the moral compass of the entire team; my actions and choices reflect my value system and global perspective of my universe, and this resonates through the people I affect directly and indirectly. Hence it is incumbent for me to be relevant and effective in delivering revenue, stymying waste, demonstrating employment of board directives and mandates, deliver to our shareholders who I ultimately work for that I am creating a higher value return on their equity in our organization within the risk reward parameters of the industry, keep ourselves compliant to existent laws and remain a legal moral captain of this organization. Thank you Adrian Matadeen Group Managing Director Fatz Express Packaging Services Limited www.fatzgroup.com
    Adrian Matadeen
    Group Managing Director
    www.fatzgroup.com

  54. I am afraid the authors of this study, while noting that their findings are not prescriptive, have nevertheless suggested an interpretation that is inconclusive at best, and potentially harmful at worst. As other commenters have also noted, I hold quite strongly the belief that what a CEO does is dictated primarily by a set of factors that are unique to the present challenges of the organization s/he leads, the industry it operates in, her / his personal working and delegation style, personality, and the strengths and composition of his top team. If the suggestion is being made that linkages be drawn between company performance, CEO's personal integrity, and the time spent outside the organization, it would be entirely unfair to many organizations and individuals who lead them. When managing the environment is more critical and more complex than managing the people and internal processes, the CEOs would of course need to spend more time with outsiders. For testing predictability of a potential CEO's performance, or indeed, potential integrity pitfalls, I would think that Boards should look elsewhere, beyond data on the extent to which the CEO candidate spends time with insiders or outsiders.
    Anonymous

  55. Thanks a lot for tackling such a great topic. In my opinion, a good CEO must balance his/her time between strategic development and implementation, liaising with his BOD for growth policies and more importantly interacting with his staff with a view of maximizing their potential. Research should also be a big priority for the CEO.
    Joseph K Batume
    CEO
    BatGroup - Uganda

  56. I believe the CEO must see beyond what the inner organization sees. He is like the eagle taking care of his organization below and looking straight against the challenging path ahead. He should guide his organization to its rightful destination. So a one eye outward and one eye within will be the balancing trick to win the game.
    To understand your challenger and yourself will help you evaluate the outcome.
    Sairam Sekar
    Project Engineer
    Wipro

Thursday 12 May 2011

The Ten Worst Things to Put on Your Resume



According to a 2010 Accountemps survey, 28% of executives say the resume is where most job seekers make mistakes in the application process. But what exactly constitutes a mistake?
We talked with career coaches and resume writers to find ten gaffes that will guarantee that your resume never makes it past round one.


1. Unnecessary Details About Your Life
There are a few personal details you should include on a resume: full name and contact information, including email, phone number and address. But beyond that, personal details should be kept to a minimum. If the prospective employer wants to know more than the minimum, they will ask you or figure it out for themselves.
"Your age, race, political affiliation, anything about your family members, and home ownership status should all be left off your resume," says Ann Baehr, a certified professional resume writer and president of New York-based Best Resumes. "What's confusing is that [a lot of personal information is] included on international CVs. In the U.S., including [personal data] is a no-no because it leaves the job-seeker open to discrimination."
The exception to the rule: If you're looking to work for an organization closely tied to a cause, you may consider including your race, political party, or religious beliefs.
"Personal data may suggest a bias, unless what you want to do next is directly tied to one of those categories, because it shows aligned interest," says Roy Cohen, a New York City career coach and author of The Wall Street Professional's Survival Guide. So, unless you're looking to work for a religious, political, or social organization, you're better off keeping personal philosophies to yourself.


2. Your Work Responsibilities as a Lifeguard When You Were 16...
"Don't include information that will not advance you in your work goals," says Rena Nisonoff, president of The Last Word, a resume-writing and job-coaching company in Boston. "Anything extraneous should be left off your resume." That includes hobbies and irrelevant jobs you held many years ago.
Unless you're an undergraduate student or a freshly minted professional, limit your work history to professional experience you've had in the past 10 to 15 years (or greater, if it was a C-level position).


3. A Headshot
In some industries, being asked for and including a headshot is commonplace, but unless you're a model, actor, or Miss America, the general rule of thumb is that photos should be left out.
"To many [hiring managers], including a headshot feels hokey," says Cohen. It can give off the wrong impression, and isn't a job-seeking tactic that's customarily received well.
Furthermore, it's illegal for employers to discriminate against job candidates based on appearance, so attaching a headshot can put employers in an awkward position, says Nisonoff. Unless it's specifically requested, and it's relevant to the job at hand, keep your appearance out of it.


4. Salary Expectations
Most job candidates feel uneasy discussing salary requirements. For good reason: Giving a number that's too high or too low can cost you the job. You should keep it out of your application materials entirely, unless the hiring manager asks for it.
"If they specifically ask for it, you should give them a range," says Nisonoff, but even still, that information should be reserved for the cover letter and not put on the resume. If you have the option, save that discussion for a later stage of the interviewing process, ideally once the interviewer brings it up.


5. Lies
This should really go without saying, but career coaches and resume writers alike report that the line between embellishment and fabrication is often crossed by job applicants -- and that they've seen it cost their clients jobs.
One of the most common areas in which people fudge the facts is the timeline of their work history.
"A client of mine who worked for a Wall Street firm had moved around quite a bit," says Cohen. The client, who was a registered representative, intentionally excluded a former employer from his resume, and covered it up by altering the dates of employment at other firms. "Registered representatives leave a FINRA trail, and when his resume was checked against his FINRA trail, [the company] saw he had left off a firm and they pulled the offer," Cohen explains.
Whether it's using false information to cover a blemish or to exaggerate success, there's no room to lie on your resume. No matter how minuscule the chance is that you'll be caught, you should always represent yourself as accurately as possible.


6. Things That Were Once Labeled "Confidential"
In many jobs, you will handle proprietary information. Having inside information from your positions at previous employers might make you feel important -- but if you use that information to pad your resume, chances are it will raise a red flag.
"Confidential information should never be shared, it shows poor judgment," says Cohen.
If you're sharing the names of your clients, in-house financial dealings, or anything else that might be for your eyes only, it can backfire in two ways. The prospective employer will know that you can't be trusted with sensitive information; and your current (or former) employer might find out what you have been sharing and it could be grounds for dismissal or even a lawsuit.


7. If You Were Fired From a Job -- and What You Were Fired For
Your resume should put you in a positive light. Including that you were let go for poor performance, stealing from the company, or any other fault of your own will have the exact opposite effect.
"Leave out information about a situation that positions you negatively, such as 'I got fired' or 'I mishandled funds,'" says Cohen. "Anything that suggests you used poor judgment in your current or former job."
Following this advice does not violate the rule about lying (No. 5). If you're asked to explain why you left a job, you need to bite the bullet and be straightforward, but until then, make sure you're putting your best foot forward.


8. Overly Verbose Statements
There is a pretty fine line between selling yourself and overselling yourself. Too many resumes overstate the importance of job responsibilities.
"Job seekers with limited experience [try] to put themselves in a 'management' light," says Baehr, using phrases like "'Spearheaded high-profile projects through supervision of others, leading by example.'" Keep your flair for the dramatic to a minimum, so resume readers can get a picture of what your real responsibilities were with your past or current company.


9. "References Available Upon Request" and Your Objective
The age-old "references available upon request" has become archaic. You should have solid references lined up from the get-go, so when the hiring manager asks for them, you're ready to share them.
"It's not really an option," says Baehr. "If they want your references, they're going to get them."
Also nix the objective statement. It's not really necessary to explain your career goals unless you are a recent graduate or are switching careers. If necessary, work your objective into a summary of your qualifications, says Cohen.
"It explains what you want, which may not be readily apparent from the resume," he says, "and it also tells a story to explain why you want to make the career change."


10. TMI
Too much information is almost never a good idea. It's particularly bad when it's put in front of hiring managers who are busy, tired, and quite frankly, probably not going to read your resume word-for-word. If you put too much information in your resume, recruiters will likely not read it at all or just scan it quickly.
"Far too much detail is damaging because it won't get read," says Cohen. "It suggests that you get lost in seeing the forest for the trees and also suggests an attachment to information. It's a burden to the reader, and these days, readers of resumes don't want to be burdened."

Friday 6 May 2011

How to Select a Great Domain Name for Your Company

Here's what to look for in a good domain name.
  1. A good domain name is relatively short. A short name -- if you can get it -- is important for several reasons. It is easy to fit into logos, makes a better brand, is more easily recognizable, and is harder to misspell. Some companies have 50-character domain names spelling out their whole company name. That's unwise. Long domain names don't fit in forms, on billboards, or in Google PPC ads. Keep them relatively short.
  2. A good domain name is memorable. You remember generic names, such as Art.com and Garden.com. But you also remember more unique names such as Amazon.com, Google.com, and FogDog.com. Putting together strange combinations of words is fun and can be very productive. It helps if it rhymes like FogDog, or repeats sounds such as Google, or is sing-songy like WilsonWeb. Say your prospective domain name out loud to listen to its sounds. See if your tongue gets twisted around any syllables. Whatever your domain name, it should stick in the mind.
  3. A good domain name isn't easily confused with others. In their desperation to find a domain name, some grasped at hyphenated names and put "the" in front of a word, as in TheStandard.com. The problem is confusion. Trademark laws are designed to prevent customer confusion. If the holder of a similar domain name is first to trademark his combination, it could threaten your domain name, or at least your ability to use it as a brand. Be sure to check with the US Patent and Trademark database (www.uspto.gov/main/trademarks.htm) or the trademark database for your country. Another consideration is how you'll need to say your domain name over the phone. If you always have to say "spelled ding-hyphen-doodle.com" you'll soon wish you'd left out the hyphens. Do your best to find a name that can't be confused.
  4. A good domain name is hard to misspell. If people can misspell something, they will. The longer and more complex your domain name, the harder it is for your customers to type it in correctly. Many of them can't type well to start with, so to type in a long name may lose you lots of business. At the low price of domain names, it may pay you to purchase the misspellings of a domain name, too. This way you'll get the traffic intended for your site and discourage poachers from buying up the variants. Poachers can be driven off by lawsuits if you have trademark protection, but you don't want that hassle.
  5. A good domain name relates to your business name or core business. It's best if your domain name can be guessed from your company name. But in your search for a domain name, don't give up if you can't find the domain for your exact business name. Find functional names, names that describe your uniqueness, names that express an emotion or attitude.
  6. A good domain name sounds solid to your target audience. If possible, get a .com domain or the domain that has the most respect in your country. You can get a .biz or .info, or .cc, .ws, .tv, and .to. (The latter are the country top level domains of the small nations of Cocos (Keeling) Islands, (Western) Samoa, Tuvalu, and Tonga, respectively). The problem is that the general public, in the US anyway, is accustomed to .com, or maybe .net (though .net and .org aren't nearly as well regarded). Offbeat domain names sound ... offbeat and suspect. Your main domain should be the one that people expect it to be. In the US, that's probably .com. In France it would be .fr. If you want to appeal to an international audience, .com is probably best. Having said that, I think it's wise to buy up other common domain name endings. They're cheap. If you become successful you'll wish you had kept them away from poachers. This helps your main domain name stay unique.

Getting the Creative Process Going

Several tools can help you in the process of coming up with a company name or a domain name -- most of them owned by domain registrars to attract business. Some of the best are no longer available online, but here are a few:
DomainFellow.com (www.domainfellow.com) lets you start with a keyword and then adds up to 1,000 popular prefixes or suffixes to that word. For each combination you can see which domains are available and which have been taken.
MakeWords.com (www.makewords.com) lets you select the length and language of a possible domain name, plus a prefix and suffix. Then it generates possible matches and tells you if they are available.
NameBoy (www.nameboy.com) is one of the oldest and best. You enter a primary and a secondary word to work with, select the type of site you have, and whether or not you want to turn on the hyphenation and rhyming features, then let 'r rip! It works like one of those children's books that allows you to play with multiple head, body, and leg combinations.
DomainNameSoup.com (www.domainnamesoup.com) allows you to mix and match words with domain names. Tools allow you to experiment with various combinations of hyphens, prepending and appending words, changing letters of a domain name, searching for typos, trying multiple choices, looking for synonyms, jumbling word combinations, etc. For the results they'll tell you what's available and what's not.
Be aware! The above services don't necessarily have the best or lowest cost domain registrar services. For that I recommend GoDaddy (www.wilsonweb.com/afd/godaddy.htm), the one I currently use.

Domain Names as Branding

Don't forget that your domain name automatically becomes your brand-name, whether you intend it or not. It will forever after affect how your company is perceived.
The time you take to select your name is time well spent. The money you spend for marketing or branding consultants to help you get the very best name is a good investment, too.

Wednesday 4 May 2011

How to Use Network Behavior Analysis Tools

Network behavior analysis tools can help tune operations as well as improve security. Here are five tips for getting the job done.
What's happening on the enterprise network—or more to the point, what's occurring on the network that should not be—is a major concern of security executives. If someone is trying to hack in, or a virus or worm is spreading, or a denial-of-service attack is underway, there might be evidence of these types of activities before they become a major problem.
Network behavior analysis (NBA) technology helps organizations detect and stop suspicious activity on corporate networks in a timely manner—possibly preventing, or at least limiting, serious damage from attacks. NBA is designed to give security managers a level of network visibility they need in order to make sure security threats are quickly identified and remedied.
The products analyze network traffic through data gathered from devices such as IP traffic flow systems, or via packet analysis. They use a combination of signature and anomaly detection to alert security and network managers of any activity that appears to be out of the norm, providing a view of the network that lets managers analyze activity and respond before there's damage to systems and data.
"A key benefit of NBA systems is the [network] visibility that they provide," says Lawrence Orans, research director at Gartner, who leads the firm's NBA coverage. Orans says this visibility helps in two areas: network operations (for example, troubleshooting and performance) and security (i.e. malware monitoring and detecting unwanted applications).
NBA can be used to detect behavior that might be missed by other security technologies such as intrusion prevention systems (IPS), firewalls and security information and event management (SIEM) systems, according to Gartner. Those technologies might not identify threats that they are not specifically configured to look for. Gartner says NBA is suitable as a complementary technology to intrusion detection and prevention software, which is effective for addressing network attacks that can be positively identified.
Vendors addressing the network behavior analysis market include many of the broader, established network and security companies as well as niche players that specialize in the technology. Those that focus specifically on NBA are Arbor Networks, Lancope, Mazu Networks and Q1 Labs. Companies including Cisco Systems, Internet Security Systems (part of IBM), NetFort Technologies, Sourcefire and Securify (to be acquired by Secure Computing) also offer products with some type of NBA capabilities.
Among the common functionality and features of behavior analysis systems are the use of network flow data to identify suspicious behavior on the network and where it's coming from; mitigation to stop malicious activity and fix network problems; and reports on all network configurations and user behavior.
Orans says some NBA vendors are enhancing their products by adding identity capabilities. "Specifically, some vendors have added the ability to map a user [identification] to an IP address," he says. "This provides the benefit of quickly identifying a user who is responsible for anomalous or malicious traffic." So, instead of being notified that a particular IP address is exhibiting anomalous behavior, a manager can know exactly which user in the organization is conducting the anomalous behavior.
"This is especially valuable for forensic analysis," Orans says. "If you are using an NBA system to analyze a breach that occurred in the past—maybe three months ago—then it is often difficult to map the IP address, which is assigned dynamically, to a user. It's difficult unless your NBA system can do it for you."
Before deploying NBA, security managers need to figure out which system is a good fit for their network and how best to use the technology. Here are five tips on evaluating, purchasing and implementing NBA offerings.
1. Before putting in NBA, first deploy intrusion prevention technology.
"NBA systems are best for organizations that have already implemented IPS systems" and are looking for more visibility into their network and network traffic, Orans says. "NBA is not something that you do before IPS or instead of IPS. It is done afterward because it provides visibility."
After successfully deploying IPS and firewalls with appropriate processes for tuning, analysis and remediation, consider adding behavior analysis to identify network events and behavior that are undetectable using other techniques, Orans says. He notes that the size of an organization does matter when it comes to NBA.
"NBA is for large enterprises, it's not for SMBs," Orans says. "The expertise and experience level needed to tune an NBA solution and interpret its results is beyond most SMB network and security professionals."
2. Conduct a thorough analysis prior to selecting a vendor's offering.
It might sound obvious, but NBA systems can cause more harm than good if they're not carefully selected based on the needs of the organization, existing network components, level of in-house expertise, etc.
When evaluating NBA systems, make sure they meet the organization's requirements for analysis and reporting, and can be integrated with existing networks. Also, consider how easy or difficult the system is to calibrate and use.
"Think of all the devices you need to collect flows from," says John Kindervag, senior analyst, security and risk management, at Forrester Research in Cambridge, Mass. "Will they all support sending flows? Will enabling flows on the device negatively impact its performance?"
Depository Trust & Clearing Corporation (DTCC), a New York-based firm that provides clearing, settlement and information services for a variety of financial instruments including equities, corporate and municipal bonds, and government and mortgage-backed securities, evaluated several NBA vendors and reviewed market research on the technology within its security department, before selecting a product from Mazu Networks, says Neil Wasserman, vice president, Core and Smart Network Services at DTCC.
"We installed a Mazu demo and ran it through a rigorous evaluation," Wasserman says. "The product met our requirements—and the rest is history."
3. Test before broad rollout.
Experts say it's important to thoroughly test an NBA system before moving ahead with a full-scale implementation. That way, security managers can see what kind of actual reporting they will get on network activity.
"The only way to properly evaluate the tools [is] to install them in your live production network," Kindervag says. "Any other evaluation methodology, lab, etc., will not provide true results."
AirTran Airways, Orlando, Fla., a low-fare airline designed for business travelers, had vendor Lancope conduct an onsite proof-of-concept trial of its StealthWatch product before the system was rolled out broadly, says Michelle Stewart, manager of information security at AirTran. The proof-of-concept "had no impact [on] our production environment and demonstrated the effectiveness of the reporting."
During the implementation, AirTran worked closely with a Lancope engineer and deployed the system according to Lancope best practices, Stewart says.
AirTran's security team uses StealthWatch for network monitoring, reporting and forensics. The network team uses the system to troubleshoot behavior-related network issues, Stewart says. Managers can examine granular data about network behavior by zone, node and user, and collect historical data to view trends.
4. Tune NBA systems to cut down on false positives.
Experts say it's important to take the time to effectively tune NBA systems to gather relevant network data and help reduce false positives.
If an organization fails to fine-tune NBA systems adequately, it might have to contend with a lot of false-positive readings that overburden the network and security managers who need to examine all the alerts.
"We did this tuning exercise immediately upon implementation, and it proved extremely valuable," Stewart says. "After segregating our network geographically and logically into zones, we examined the behavior within our high-risk zones for volume and type of traffic. In several cases, the port/protocol information we were given from our application vendors was found to be incomplete, but by using StealthWatch we were able to properly fingerprint the application behavior."
After tuning the zone behavior policies appropriate to the high-risk zones, "our alarm count was much more manageable and useful," Stewart says. "This information also allows us to properly plan WAN bandwidth growth, as we can determine how much legitimate network traffic is required for business."
5. Use NBA data to help determine network usage patterns.
Stewart says it was important that AirTran managers spend as much time as necessary reviewing the behavior data gathered to appropriately classify zones, zone policies and services.
"We discovered a great deal about ports, protocols and chattiness of third-party applications during this exercise," Stewart says. "Our zones include geographic segregation, allowing both security and networking to quickly review and treat WAN location issues. We defined server zones by behavior, allowing more granular control over alerting."
Also, in using NBA systems, it's important to create focused views and logical groupings within the tool that make sense, says Wasserman. "Strive for ease of use and an easy understanding of common sense nomenclature and device or host groupings," he says. "Limit the number of flows that need to be queried or viewed" in order to get useful network information on a more timely basis.
That way, NBA can provide not only greater network visibility, but an effective way to deal with trouble when it arises.
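As an added example (not part of the article and not any NBA vendor's code), the zone behavior policies and baseline fingerprinting Stewart describes, and the dynamic-IP-to-user mapping Orans describes for forensics, implemented over constructed flow records and a constructed DHCP lease log. Zone names, networks, usernames and the vendor-documented service list are all assumptions.

```python
"""Zone behaviour policies, baseline-driven tuning and IP-to-user mapping over
flow records. Added example; all zones, leases and flows are constructed."""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical zones: the geographic/logical segmentation described in the article.
ZONES = {
    "cardholder-db": ip_network("10.10.0.0/24"),
    "corp-users": ip_network("10.20.0.0/16"),
}
# Services the application vendor documented for the high-risk zone
# (constructed, and deliberately incomplete, as in the article).
VENDOR_POLICY = {"cardholder-db": {("tcp", 1433)}}

# Constructed DHCP lease log: (lease_start, lease_end, ip, username).
# The same address is handed to two different users on the same day.
LEASES = [
    (datetime(2011, 2, 1, 8, 0), datetime(2011, 2, 1, 18, 0), "10.20.5.7", "alice"),
    (datetime(2011, 2, 1, 18, 30), datetime(2011, 2, 2, 8, 0), "10.20.5.7", "bob"),
]

# Constructed flow records: (timestamp, src_ip, dst_ip, proto, dst_port, bytes).
BASELINE_FLOWS = [
    (datetime(2011, 2, 1, 9, 0), "10.20.5.7", "10.10.0.5", "tcp", 1433, 4000),
    # database mirroring between two servers inside the zone; not in the vendor doc
    (datetime(2011, 2, 1, 9, 1), "10.10.0.5", "10.10.0.6", "tcp", 5022, 90000),
    (datetime(2011, 2, 1, 9, 2), "10.20.9.2", "10.10.0.5", "tcp", 1433, 2500),
]
LIVE_FLOWS = BASELINE_FLOWS + [
    # an after-hours SSH session into the database zone from a user address
    (datetime(2011, 2, 1, 20, 0), "10.20.5.7", "10.10.0.5", "tcp", 22, 700),
]


def zone_of(ip):
    """Name of the zone containing `ip`, or "unzoned"."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unzoned"


def user_for(ip, when, leases=LEASES):
    """Resolve a dynamically assigned address to the user who held it at `when`."""
    for start, end, lease_ip, user in leases:
        if lease_ip == ip and start <= when < end:
            return user
    return None  # no lease covers that moment: keep the IP, do not guess


def learn_services(flows, zone):
    """Tuning step: fingerprint the services a zone actually receives traffic on."""
    return {(proto, port) for _, _, dst, proto, port, _ in flows if zone_of(dst) == zone}


def tuned_policy(baseline_flows, zones=ZONES):
    """Build zone policies from observed baseline behaviour rather than vendor docs."""
    return {zone: learn_services(baseline_flows, zone) for zone in zones}


def evaluate(flows, policy, leases=LEASES):
    """Alarm on flows into a policed zone on a service its policy does not list,
    with the source resolved to whoever held that address at the time."""
    alarms = []
    for ts, src, dst, proto, port, _nbytes in flows:
        zone = zone_of(dst)
        if zone in policy and (proto, port) not in policy[zone]:
            alarms.append({"time": ts, "zone": zone, "src": src,
                           "user": user_for(src, ts, leases), "service": f"{proto}/{port}"})
    return alarms


def alarm_counts():
    """Alarm volume before and after tuning; returns (untuned, tuned, remaining alarms)."""
    untuned = evaluate(LIVE_FLOWS, VENDOR_POLICY)
    remaining = evaluate(LIVE_FLOWS, tuned_policy(BASELINE_FLOWS))
    return len(untuned), len(remaining), remaining


if __name__ == "__main__":
    before, after, left = alarm_counts()
    print(f"alarms with vendor policy: {before}, after tuning: {after}")
    for a in left:
        print(f"{a['time']} {a['zone']} {a['service']} from {a['src']} ({a['user']})")
```

With the vendor-supplied policy the undocumented mirroring traffic alarms on every flow; after the baseline fingerprinting only the after-hours SSH flow remains, attributed to the user who actually held the address at 20:00 rather than the one who had it that morning.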



Firewall audit tools: features and functions

Why would anyone need firewall audit software? If you're already juggling hundreds of rules on multiple firewalls, here's what these tools can do for you.

Firewall audit tools automate the otherwise all-but-impossible task of analyzing complex and bloated rule sets to verify and demonstrate enterprise access controls and configuration change-management processes.
Although the market has been driven by compliance—it was essentially created by PCI DSS—these tools can also allow organizations to improve network performance, reduce downtime, improve security and reassign staff from shooting down firewall issues and analyzing configurations to taking on tasks that help grow the business.
The problems are familiar to organizations of all sizes—from those with just one or two overtaxed and inefficient firewalls, to large, distributed enterprises with scores or hundreds of firewalls administered by many business units, often all following different policies that may have been written before the units' acquisitions.

Not long ago, 200-300 rules was considered excessive. Now, it's not unusual for firewalls to have many hundreds or even thousands of rules, many of which were rendered obsolete when IT operations added new rules to meet business requests but neglected to remove any old ones. Analyzing configurations for a few firewalls, let alone hundreds, has grown beyond the capacity of human computation.

Firewall Audit Tools: Key Benefits and Use Cases

Business efficiency and security may be the goals, but regulatory requirements frequently open up the budget. The firewall audit market, pegged by Forrester Research at $25 million to $30 million in 2009, is fueled by PCI DSS requirements to review firewall and router configurations every six months. These controls also typically come under scrutiny during internal, partner and other regulatory audits.
Enterprises exhaust countless man-hours analyzing firewall and router configurations to produce audit reports, only to realize that they do not have a firm grasp on their network access controls and the change-management processes that enable them.
"How do you demonstrate that a 2,000-rule set is robust and secure?" says a security officer for a telecommunications company, which uses SkyBox Security's SkyBox Assure solution. "It's impossible to do manually."
These automated tools run complex algorithms that evaluate the actual rules against corporate policies and best practices to identify gaps, verify changes and produce audit reports. They enable organizations to verify and document the entire configuration-management lifecycle to demonstrate to auditors that practice follows policy, and that changes were completed as authorized and grant the intended access.
"There's nothing more embarrassing or devastating to an organization than when you tell an auditor, 'This is how we do it,' and when they look, there is no semblance of what you said," says Jeff Sherwood, principal security strategist for H&R Block, a Secure Passage customer. "Now we can come out of the gate and say, 'This is what we do and here is proof we do it.'"
While compliance automation may be sufficient justification for their implementation, firewall audit tools also offer tangible business benefits that go beyond surviving the audit ordeal.
Performance and Optimization: This is a prime function of all these tools. Firewall performance degrades because excessive rules eat up CPU cycles, and critical access rules are situated too far down in the hierarchy because when additions were made, the focus was on speed of implementation, rather than on optimizing the configuration. Firewall audit tools clean up redundant rules and requests for service that have already been enabled, and flag rules that apply to objects that are no longer in use or even in existence.

Optimizing firewalls and network devices can improve performance problems that companies might otherwise have had to throw new hardware at. Benefits will be even more noticeable as traffic increases.
Business Continuity: Performance and optimization issues can seriously slow or even bring down critical business processes. This costs the business not only revenue, but also the man-hours it must spend to deal with the problems.
"Before, our team was heavily weighted—30 percent of their time—to firefighting, toward fault analysis and fault fixing," says Colin Miles, corporate network manager for U.K.-based Virgin Media, a Tufin Technologies user with a network infrastructure that includes more than 100 firewall pairs. "Since Tufin was implemented, that's turned to proactive capability, rule-based efficiency and optimization of the network, driving toward people savings."
Security: Complex configurations make security analysis very difficult. Obsolete or misconfigured rules can be exploited to give attackers access to sensitive data. Firewall administrators under pressure to fulfill business requests are likely to err on the side of granting too much access rather than too little. Firewall audit tools improve security by determining optimal rules and detecting unused and misconfigured rules.
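The kind of rule-set analysis the Performance and Security paragraphs attribute to these tools, as an added example (not any vendor's engine, and not code from the article): first-match coverage checks that separate redundant rules from shadowed ones, flags for unused rules and for rules referencing retired objects, and a check for heavily hit rules that can safely move up the hierarchy. The rule set, hit counts and object names are constructed.

```python
"""Rule-set audit: shadowed, redundant, unused and stale-object rules, plus safe
promotion candidates. Added example; the rule set and hit counts are constructed."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    rid: int
    action: str          # "allow" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    proto: str           # "tcp", "udp" or "any"
    ports: tuple         # inclusive destination port range (low, high)
    hits: int            # matches counted over the review period
    objects: tuple = ()  # named address/service objects the rule references


def covers(outer, inner):
    """True when every packet matching `inner` also matches `outer`."""
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    return (proto_ok
            and ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1])


def overlaps(a, b):
    """True when some packet could match both rules."""
    proto_ok = "any" in (a.proto, b.proto) or a.proto == b.proto
    return (proto_ok
            and ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])


def audit(rules, retired_objects):
    """Findings as (rule id, kind, detail). Under first-match semantics a rule fully
    covered by an earlier one can never fire: 'redundant' when the actions agree
    (cost only), 'shadowed' when they differ (the intended effect is lost)."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.rid, kind, f"fully covered by rule {earlier.rid}"))
                break
        else:
            if rule.hits == 0:
                findings.append((rule.rid, "unused", "no hits in the review period"))
        stale = [o for o in rule.objects if o in retired_objects]
        if stale:
            findings.append((rule.rid, "stale-object", "references " + ", ".join(stale)))
    return findings


def promotable(rules):
    """Rule ids hit more than everything above them that overlap none of it:
    moving such a rule to the top changes lookup cost but not behaviour."""
    out = []
    for i, rule in enumerate(rules):
        above = rules[:i]
        if (above and rule.hits > max(r.hits for r in above)
                and not any(overlaps(r, rule) for r in above)):
            out.append(rule.rid)
    return out


# Constructed rule set, in evaluation order.
RULES = [
    Rule(1, "allow", "10.0.0.0/8", "10.50.0.0/24", "tcp", (443, 443), 120),
    Rule(2, "deny", "10.1.2.0/24", "10.50.0.0/24", "tcp", (443, 443), 0),   # meant to block a subnet
    Rule(3, "allow", "10.1.0.0/16", "10.50.0.0/24", "tcp", (443, 443), 0),  # duplicate of rule 1's intent
    Rule(4, "allow", "10.2.0.0/16", "10.60.0.0/24", "tcp", (1433, 1433), 0, ("sql-legacy",)),
    Rule(5, "allow", "0.0.0.0/0", "10.70.0.0/24", "tcp", (80, 80), 9000),   # busiest rule, buried
    Rule(6, "deny", "0.0.0.0/0", "0.0.0.0/0", "any", (0, 65535), 300),
]
RETIRED_OBJECTS = {"sql-legacy"}  # decommissioned server object (constructed)

if __name__ == "__main__":
    for rid, kind, detail in audit(RULES, RETIRED_OBJECTS):
        print(f"rule {rid}: {kind} ({detail})")
    print("safe to move to the top:", promotable(RULES))
```

Rule 2 is the security finding: the deny the administrator intended is silently defeated by the broader allow above it, which no hit counter will ever reveal because the rule simply never matches.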
Firewall Upgrade and Migration: Upgrading firewalls and consolidating onto fewer platforms create excellent opportunities for organizations to use an audit tool. It's a good time to cost-justify configuration cleanup and firewall optimization, rather than carrying over the old infrastructure's issues. Since these products support multiple firewall platforms, they are well-suited for consolidation, streamlining the configurations on each and translating them onto the new platform. Virgin Media, for example, consolidated from numerous legacy platforms brought over through corporate acquisition to Check Point firewalls for its dynamic environments and Cisco for more static conditions.
Change Management: Change-management policies and processes can fall short when requests are made out-of-band, which happens when either someone fails to follow procedure or there's an urgent need to enable or restore service for critical business processes. Several vendors have complementary workflow products that automatically document all configuration changes and reconcile them with ticketing systems.

Firewall audit dos and don'ts

Firewall audit products are maturing, but the product class is still a relatively young, small market, defined by compliance requirements. You have a fairly limited choice of vendors, including Tufin Software Technologies, AlgoSec, Secure Passage and Athena Security, which all come with firewall audit pedigrees, and RedSeal Systems and Skybox Security, which are primarily vendors of risk-mitigation tools, and so go beyond firewall audit to feature sophisticated risk-assessment and risk-management capabilities.
Take the time to define your requirements, narrow down your choices and put candidates to the test.

DO look at platform and device coverage. These products generally support all the major firewall vendors and some others, as well as major network devices, so you should be covered. Take both present and future needs into account. For example, you may run a single platform across the organization now, but future acquisitions may run on other vendors' infrastructures. These tools should be able to help whether you plan to migrate onto a single platform or continue to manage several while still realizing the efficiencies they promise. See if the vendor has a software development kit that can allow it to integrate with unsupported platforms.
Check that coverage for network devices is included. There are a couple of considerations here. First, it may be important to you to clean up and optimize access control lists on your routers, and second, routers are increasingly featuring more built-in security capabilities.
DON'T overlook scalability. Those vendors that focus largely on enterprise deployments claim they can scale up to thousands of devices. Determine what that actually means in terms of management and the ability to perform under stress.
"In addition, the magnitude of environment brings huge demands on technology and methods that can be used," says the telecommunications company security officer. "What in a smaller company can be rock solid may not be applicable in a big environment. You need to be cautious about the limitation of technology."
Choose with growth in mind. Even if a product scales to your current requirements, how well-suited is it to meet greater demands as the business grows, services are added, acquisitions are integrated and traffic increases?
DON'T buy more than you need. Some of these products are aimed at complex, heterogeneous environments with hundreds of firewalls and network devices. Measure the tool's capabilities and cost against your environment. If your firewall environment is relatively simple and static and your traffic is fairly predictable, choose a less-expensive product that you can apply initially for your optimization project and periodically to keep your firewalls under control.
DO put these products to the test once you narrow your choices to those that claim to meet most of your requirements.
"Pick two or three of your favorites and bake them off in real-world situations," says John Kindervag, senior analyst at Forrester Research. "The nice thing about firewall-auditing products is that you can test them on a live production environment because they are passive tools."
Kindervag recommends testing how well they do at finding unused rules, optimizing configurations and so on, then comparing reports.
"Run the results by your firewall guru or bring in one who can say, 'Yes, that's a good rule change,'" he says.
You can also determine whether they actually scale and deliver analysis at the speeds they claim and what kind of hardware they'd require.
DO determine your reporting requirements and evaluate the products' capabilities accordingly. Audit reports should come first and foremost for most organizations. Evaluate the quality of summary reports—are they sufficient to prove that your control policies are, in fact, carried out?
Also, make sure that you can produce satisfactory reports on demand in response to specific auditor queries. Some products offer regulation-specific reports, usually for PCI DSS, which may be useful.
Since these are management tools, you'll want to see useful operational reporting that quickly lets you see what has been done and what needs to be addressed. Make sure the reports deliver the information you want at the level of detail you need. For example, rule usage can change over time. A rule that was optimally placed at first may become a bottleneck as it's hit with more and more traffic, and may need to be moved up in the hierarchy.

Finally, high-level reports can demonstrate overall improvements in efficiency and security, as well as highlight which business units may be lax in properly managing their networks.
DO consider workflow integration. Most vendors offer complementary workflow products to integrate their core capabilities with change-management workflow tools, such as ticketing systems. This may not be important if your organization has a well-defined process and supporting tools, either homegrown or commercial. But some companies find this capability useful in automating their change-management programs.
DON'T give short shrift to hardware, especially if you are running one of these products in a virtual environment in which resource-sharing may be an issue.
Make sure you have enough CPU and memory muscle to support the product under live conditions, and make provisions for growth as traffic increases.
Alternatively, you could go with one of the three appliance-based solutions Tufin offers in addition to its software.
DO review and refine your policies and procedures before buying and deploying a firewall audit product.
Enterprise IT governance and information security is built on well-defined policies and processes. Technological tools reduce error, improve efficiency and automate analysis that frustrates manual efforts, but you won't get their full benefit if you are simply throwing technology at a problem. Every organization is different, but here are some basic guidelines:
  • Examine corporate practices and procedures across business groups and departments. Make sure they can be applied across the organization while allowing for acceptable deviations to meet specialized needs.
  • Create a process that is documented at each step and holds each stakeholder accountable.
  • Where possible, express requests in terms of business need, rather than in narrow IT terms.
  • Have a team that evaluates requests in terms of adherence to corporate policy.
  • Conduct both business- and technology-based risk assessments. Implementation should be dependent on passing the risk assessment.
  • Test implementation for final sign-off by both IT and the business owner.
  • Document.
  • Rinse and repeat.

Penetration tests: 10 tips for a successful program

Penetration tests need to accomplish business goals, not just check for random holes. Here's how to get the most value for your efforts.

Why are you performing penetration tests? Whether you're using an internal team, outside experts or a combination of the two, are you simply satisfying regulatory or audit requirements, or do you actually expect to improve enterprise security?
We asked penetration testing experts for guidance on how to improve your program to get the most benefit for your time, money and effort. If you turn to outside expertise, their advice will show you what to expect and demand from consultants. The following 10 tips will show you how to understand the goal and focus of your testing; develop effective testing strategies; make effective use of your personnel; and make the most effective use of pen test results to remediate issues, improve processes and continuously improve enterprise security posture.

Penetration Test Tip 1: Define Your Goals

Penetration testing—really, all information security activity—is about protecting the business. You are taking on the role of attacker to find the vulnerabilities and exploiting them to determine the risks to the business and making recommendations to improve security based on your findings. Attackers are trying to steal your data—their techniques are a means to an end. So too, penetration testing: It's not about the cool technical things you can do to exploit a vulnerability; it's about discovering where the business risk is greatest. "If you can't express things in terms of my business, you're not providing me value," said Ed Skoudis, founder and senior security consultant at InGuardians. "Don't tell me you've exploited a vulnerability and gotten shell on that box without telling me what that means for my business."
With that understanding, from a more tactical perspective, penetration testing is a good way to determine how well your security policies, controls and technologies are actually working. Your company is investing a lot of money in products, patching systems, securing endpoints etc. As a pen tester, you are mimicking an attacker, trying to bypass or neutralize security controls.
"You're trying to give the company a good assessment if their money is being well spent," said Alberto Solino, founder and director of security consulting services of Core Security.
The goal should not be to simply get a check box for pen testing to meet compliance requirements, such as PCI DSS. Pen tests should be aimed at more than discovering vulnerabilities (vulnerability scanning should be part of a pen testing program but is not a substitute). Unless the testing is part of a sustained program for discovering, exploiting and correcting security weaknesses, your money and effort will have gained you at best that check mark, and at worst, a failed audit by a sharp assessor.

Penetration Test Tip 2: Follow the data

Organizations have limited budget and limited resources for pen testing, regardless of whether you are conducting internal tests, hiring outside consultants or using a combination of both. You can't conduct penetration tests across your entire IT infrastructure, spanning hundreds or thousands of devices, yet pen testers will often be told to try to compromise devices across an extensive range of IP addresses. The result is likely to be the most cursory of testing regimens, yielding little or no value. You can't even expect to conduct vulnerability scans and remediate flaws across a very large number of devices in a reasonable amount of time and at reasonable cost. "In many cases customers have thousands of IP addresses they want us to pen test," said Omar Khawaja, Global Products Manager, Verizon Security Solutions. "We could run vulnerability tests and see what's most vulnerable, but they may not be the most important to your organization."
Step back and ask, "What am I trying to protect?" What critical data is at risk: credit card data, patient information, personally identifiable customer information, business plans, intellectual property? Where does the information reside? Do you even know every database, every file repository and every log store that contains sensitive data? You may not know, but chances are an attacker will find it.
So, the first critical step in narrowing the scope of pen testing is data discovery: determining which sensitive data is at risk and where it is. Then the task is to play the role of attacker and figure out how to get at the prize. (Read Red team versus blue team for more ideas on this approach.)
"The idea is to mimic what a real attacker will do during a time frame agreed to with the customer," said Core Security's Solino, "not to find all the possible problems."

Penetration Test Tip 3: Talk to the Business Owners

Work with the business people. They know what is at risk—what data is critical, what applications create and interface with that data. They will know at least the more obvious places in which the data resides. They will tell you which applications must be kept up and running.
You'll learn much of what you need to know about the threat level associated with particular applications, the value of the data and the assets that are important in the risk equation.
An important part of this process is to work with people who understand the business logic of the application. Knowing what the application is supposed to do and how it's supposed to work will help you find its weaknesses and exploit them.
"Define the scope that includes critical information assets and business transaction processing," said InGuardians' Skoudis. "Brainstorm with the pen test team and management together."
Skoudis also suggests asking for management to give their worst case scenario, "what's the worst thing that could happen if someone hacks you?" The exercise helps scope the project by determining where "the real crown jewels" are.

Penetration Test Tip 4: Test Against the Risk

The value of the data/applications should determine the type of testing to be conducted. For low-risk assets, periodic vulnerability scanning is a cost-effective use of resources. Medium risk might call for a combination of vulnerability scans and manual vulnerability investigation. For high-risk assets, conduct exploitative penetration testing. For example, the security director for a large university said they started performing pen testing to meet PCI DSS requirements. Once that program was in place, it became the model for testing a potential attacker's ability to penetrate their systems. The university classifies data as public, internal, sensitive and highly sensitive.
"For information that's highly sensitive, we perform pen testing under much the same guidelines as PCI," he said. "We back off from there, based on some specific criteria and some subjective judgment that goes into what level of pen testing, if any, will be done for a system."
So, for example, on the lower end of the risk spectrum the university will test a random sample of systems and/or applications, depending on criteria for a particular category and time and budget constraints. With tens of thousands of devices on a campus network, even a low-level scan of all of them would be infeasible.
"You can test on a business system that has a clear owner and systems administrator," he said. "But when you have 3,000 Wiis attached to the network, you don't want to scan those and figure out who they belong to."

Penetration Test Tip 5: Develop attacker profiles

Your pen testers need to think like and act like real attackers. But attackers don't fit into one neat category. Build profiles of potential attackers. External attackers may have little or no knowledge of your company, perhaps just some IP addresses. They may be former employees or work for partners or service providers and have considerable knowledge of the inside of your network. An insider may be a systems administrator or DBA with privileged access and authorization who knows where critical data resides.
Motive is a factor in developing profiles. Is the attacker after credit card numbers and PII that can be turned into cash? Intellectual property to sell to a competitor or gain a business advantage? The attacker may be politically/ideologically or competitively motivated to bring your Web application down. He may be an angry ex-employee who wants to "get back at the company."
Work with business owners to help fashion these profiles and learn what types of potential attackers they are most concerned about.
The profile narrows the focus of the pen testing, and tests will vary based on each of these multiple profiles.
"We get a snapshot of what a particular attacker can do against a target, and we don't mix results," said Core Security's Solino. "For every profile, we get the result of the pen test and do another profile."

Penetration Test Tip 6: The More Intelligence the Better

Information gathering is as much a part of the process as the actual exploit—identify devices, operating systems, applications, databases, etc. The more you know about a target and its connected systems, the better chance you have of breaking in.
Each step may yield valuable information that will allow you to attack another asset and eventually reach the target database, file share, etc. The information also lets you narrow the search for exploitable vulnerabilities. This reconnaissance is typically performed using automated scanning and mapping tools, but social engineering methods, such as posing as a help desk person or a contractor on the phone, can gather valuable information as well.
"We're increasingly starting to do social engineering," said Verizon's Khawaja. "It's essentially reconnaissance—performed with the permission of the customer—to let us find everything in the environment that could assist us in breaking in."
Multi-stage penetration testing typically is a repeated cycle of reconnaissance, vulnerability assessment and exploitation, each step giving you the information to penetrate deeper into the network.

Penetration Test Tip 7: Consider All Attack Vectors

Attackers can and will exploit different aspects of your IT infrastructure, individually or, frequently, in combination to get the data they are seeking. Thorough pen tests will leverage any and all of these potential attack vectors, based on the attacker's end goal, rather than the vulnerability of each.
"A few years ago we would do network penetration testing, and application pen testing and wireless pen testing, and then we stepped back and said, 'That makes absolutely no sense,'" said Solino. "The bad guy doesn't say, 'I can only break into a system using the network.'"
Successful pen tests, like real attacks, may leverage any number of paths that include a number of steps till you hit pay dirt. A print server may not seem particularly interesting, but it may use the same admin login credentials as a database containing credit card information.
"Pen testers find flaws and exploit them, then pivot from that machine to another machine, to yet another," said InGuardians' Skoudis.
An attack on a Web application might fail in terms of exploitation, but yield information that helps exploit other assets on the network. Or an attacker might obtain information about employees who have no elevated privileges but do have access to the internal network, which then serves as a springboard.
So a critical resource may not be directly assailable, but it can still be compromised through other systems.
For example, said Khawaja, Verizon pen testers were unable to directly compromise a Web server that had access to a sensitive database. If the testers focused narrowly on testing the Web application on that server, the conclusion would be that the data was safe. But by taking a data-centric approach, they discovered that the Web server was connected to a second Web server, which had a critical vulnerability that an attacker could exploit to gain access to the first Web server and, hence, the database. (Read more about Web application attacks in How to evaluate and use Web application security scanners.)
"We care about anything that isn't cordoned off from the network segment we are targeting," he said. "Are there any network controls to prevent an attacker from jumping from a vulnerable low-value system to a more critical system?"
That being said, there are valid cases for vector-specific testing. For example, a company may be particularly concerned about wireless security because it knows it has been somewhat lax in this area, or because it has recently installed or upgraded WLAN infrastructure. But even if you are confident that a particular vector is safe—for example, if the wireless network is isolated from the credit card database—don't be too sure. Attack paths can be complex and byzantine.

Penetration Test Tip 8: Define the Rules of Engagement

Pen testing simulates attack behavior, but it is not an attack. Whether you are conducting in-house testing or contracting with a consultant, you need to establish parameters that define what can and cannot be done, and when, and who needs to know.
The latter depends on whether you are conducting white box or black box testing. In the former case, there's probably an acknowledgement that the security program of the company (or a particular department or business unit) needs a lot of work, and the pen testing is an open process known to all involved.
Black box testing, on the other hand, is more clandestine and is conducted more like a real attack, strictly on a need-to-know basis. Here you are determining how good the company's people are at their jobs, and how effective the processes and systems supporting them are.
"Whether it's the operations center, or the investigative response team or physical security guards, everyone has to pretend it's just another day at the office," said Verizon's Khawaja.
Typically, companies will perform white box testing first to learn the security issues that have to be addressed. Subsequently, black box testing will help determine if the initial findings have been effectively remediated. Sometimes, for example, a CSO will want to know not only how vulnerable critical systems are, but how good their personnel are at detecting and responding to an attack.
In either case, certain key people need to be involved to avoid problems that might impact the business or undermine the testing. At least one person in the target environment who is involved in the change control process should be in the loop, said InGuardians' Skoudis. For example, the rules of engagement may permit the pen testers to install software on the target devices to do more in-depth pivoting; that one person has to be involved so that the testers are not shut down by someone dropping their IP address into a router ACL or invoking a firewall rule against them.
In both white box and black box scenarios, Skoudis recommends daily briefings with the test stakeholders to let them know what the testers are doing. For example, the rules of engagement may allow the pen testers to exploit vulnerabilities, but the briefing can be used to give folks a heads up that they are about to do it.
"It builds bridges," he said. "It shows the pen testers are not a distant, evil group that is out to 'catch me.' Rather, it's all about transparency and openness."
The rules of engagement also may set limits on what may and may not be exploited, such as client machines, or techniques that may or may not be used, such as social engineering.

Penetration Test Tip 9: Report Findings and Measure Progress

The goal of penetration testing is to improve your security posture, so if you are conducting internal tests, your report should provide useful, actionable and specific information.
"The goal is to help improve security, for management to make decisions to improve business and help the operations team improve security," said InGuardians' Skoudis.
You should provide an executive summary, but the heart of your reporting should be detailed descriptions of the vulnerabilities you found, how you exploited them and what assets would be at risk if a real attack took place. Detail every step used to penetrate, each vulnerability that had to be exploited and, perhaps most important, all the attack paths.
"The beauty of identifying the attack path is that it allows you to solve specific problems by breaking the path," said Core Security's Solino.
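The attack-path and "break the path" ideas from Tips 7 and 9, as an added example that is not from the article or any of the vendors quoted: the pivots a test found are modelled as a small graph (all hosts and pivot descriptions are constructed), every path from the entry point to the critical asset is listed, and the smallest sets of fixes that sever all of them are computed.

```python
# Added example (not from the article): model the pivots a pen test found as a
# graph, list every attack path to the critical asset, then find the smallest
# sets of fixes that sever all of them ("break the path"). Data is constructed.
from collections import defaultdict
from itertools import combinations

# Constructed pivots: (from, to, how the tester got across)
PIVOTS = [
    ("internet", "web2", "unpatched RCE on web server 2"),
    ("web2", "web1", "web1 trusts web2 on the management VLAN"),
    ("web1", "db", "web app service account can query db"),
    ("internet", "wifi-guest", "guest wireless reachable from the car park"),
    ("wifi-guest", "print-srv", "no segmentation between guest and office VLAN"),
    ("print-srv", "db", "print server admin password reused on db"),
]

def find_attack_paths(pivots, entry, target):
    """Return every simple path (list of hosts) from entry to target."""
    graph = defaultdict(list)
    for src, dst, _ in pivots:
        graph[src].append(dst)
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(list(path))
            return
        for nxt in graph[node]:
            if nxt not in path:          # simple paths only, no cycles
                walk(nxt, path + [nxt])

    walk(entry, [entry])
    return paths

def blocking_edges(pivots, entry, target, max_fixes=2):
    """Smallest sets of pivots (by description) whose removal leaves no path.
    Brute force, which is fine at report scale: a handful of hosts and pivots."""
    for k in range(1, max_fixes + 1):
        cuts = []
        for combo in combinations(range(len(pivots)), k):
            remaining = [p for i, p in enumerate(pivots) if i not in combo]
            if not find_attack_paths(remaining, entry, target):
                cuts.append(tuple(pivots[i][2] for i in combo))
        if cuts:
            return cuts          # all minimal fix sets of this size
    return []
```

With the constructed data, `find_attack_paths(PIVOTS, "internet", "db")` returns two independent paths, so no single fix breaks both and `blocking_edges` returns the pairs (one fix per path) that do.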
Be very specific about recommendations. If architectural changes are required, include diagrams. Explain how to verify that a fix is in place (use this command, or that tool to measure). In cases where multiple systems are involved, explain how to mass deploy a fix, using GPOs if possible.
Make sure that each recommended remediation carries a caveat that the solution must be thoroughly tested before it is implemented in a production environment. Enterprise IT infrastructure can be very complex.
"This is a huge issue," said Skoudis. "You don't know all the subtleties. You don't want to break production."
Penetration testing should not be a one-time exercise, and successive results should be compared. If you are performing internal testing, put together deltas to measure how your people are addressing issues. If the problems from the last test—or the last two—remain unaddressed, you may have a problem. Perhaps the software patching program isn't working as it should, or developers are not being properly trained to write secure code.
"What we're looking for are trends," said the university security director. "It's just like you would treat an audit report. If you have repeat findings, it indicates you might have a more serious problem."
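The delta and trend comparison described above, as an added example that is not from the article: three successive reports (constructed findings, hosts and categories) are compared to classify each finding as new, fixed or repeat, and findings that have survived two or more consecutive tests are grouped by root-cause category so that a patching problem shows up as distinct from a developer-training problem.

```python
# Added example (not from the article): compare successive pen test reports,
# classify each finding as new, fixed or repeat, and flag the findings that
# have survived two or more consecutive tests. All report data is constructed.
from collections import Counter

# Constructed findings, oldest report first: (host, finding, root-cause category)
REPORTS = [
    [("web1", "outdated OpenSSL build", "patching"),
     ("web2", "SQL injection in /search", "code"),
     ("print-srv", "default admin password", "config")],
    [("web1", "outdated OpenSSL build", "patching"),
     ("web2", "SQL injection in /search", "code"),
     ("web2", "reflected XSS in /login", "code"),
     ("db", "weak password policy", "config")],
    [("web1", "outdated OpenSSL build", "patching"),
     ("web2", "SQL injection in /search", "code"),
     ("web2", "reflected XSS in /login", "code"),
     ("app1", "missing kernel patches", "patching")],
]

def delta(previous, current):
    """Findings new in current, fixed since previous, and repeated in both."""
    prev = {(h, f) for h, f, _ in previous}
    cur = {(h, f) for h, f, _ in current}
    return {
        "new": sorted(cur - prev),
        "fixed": sorted(prev - cur),
        "repeat": sorted(cur & prev),
    }

def consecutive_repeats(reports):
    """Consecutive tests (ending with the latest) each open finding has appeared in."""
    streak = {}
    for report in reports:
        keys = {(h, f) for h, f, _ in report}
        # rebuilding from scratch drops anything fixed in this report
        streak = {k: streak.get(k, 0) + 1 for k in keys}
    return streak

def chronic_by_category(reports, min_streak=2):
    """Count chronic findings per category: many 'patching' repeats point at the
    patch program, many 'code' repeats point at secure-coding training."""
    latest = {(h, f): c for h, f, c in reports[-1]}
    streak = consecutive_repeats(reports)
    return Counter(latest[k] for k, n in streak.items() if n >= min_streak)
```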

Penetration Test Tip 10: Decide Who Your Pen Testers Are

The decision to use in-house staff for pen testing depends on the size of your organization, the value of the information you are trying to protect and where you want to put your internal resources. A company may have a dedicated pen testing team or a group within the security team. An internal team is in a better position to conduct regular testing. If your organization is large and distributed, create mechanisms, and promote an environment, in which information can be shared.
"If you have an internal community that can share information, make sure they have a strong knowledge base backed up by mature knowledge management systems," said Verizon's Khawaja. "You want to make sure that what happened in your Belgian unit doesn't happen in Brazil."
Even if you do some in-house testing, there are good reasons for hiring consultants to perform at least some of the work. Some regulations require external companies to perform pen tests; consider that insiders may have too much information about the target systems, as well as a vested interest in the outcome. So, beyond compliance requirements, it's a good idea to bring a fresh view from the outside periodically.
For the same reasons, if you do hire outside testing consultants, rotate among vendors every few years, just as you would with auditors.
"Bringing in outside people gives an added degree of confidence in the results," said the university security director. "There's no perception of conflict of interest."
For your internal team, look for the right blend of knowledge and curiosity.
A good training candidate, said Core's Solino, has a strong knowledge of networking and application protocols as a foundation. Mostly, he looks for curiosity and a hacker mentality.
"It's IT knowledge and that attitude, a specific mindset that denies something is secure and says, 'Go for it!'"
"This is an art," said Skoudis. "Although there are tools and methodologies, you have to be creative in finding problems in target systems and applications."