Thoughts on Revamping our Industry
In the last post, I introduced the need to revamp our industry and step up professionalism. I proposed the first two pillars: Profit and focusing on backup and maintenance first.
In this installment I address education, certification, and core values.
These are the natural elements of a profession. Think about any profession (teaching, accounting, legal, financial, etc.) and you'll find that the industry became professional when it adopted standards for continuous education, certification of experts, and adoption of some core values.
The background for all of these is the transition from amateur to professional. All industries attract new members from among interested amateurs. The road to professionalism starts with experience. But at some point, informal training and then formal education are needed to make the big steps in knowledge.
Certifications follow from education and provide acknowledgement that certain standards have been met. The more evolved the profession is, the more standardization there is on the focus of this certification. And while our industry is typified by change, we need to acknowledge that other industries also deal with constant change. I always joke with my tax accountant that every change in tax law should simply be titled, "The Tax Professionals Full Employment Act."
The specific elements of our areas of knowledge will change over time. Ultimately, the definition of an industry is determined by values and standards that guide the industry. The only real moral difference between people who make a living from ransomware and those who make a living selling office apps is the underlying core values about appropriate behavior in the market. And when an industry evolves into a profession, it has to have a public discussion about values.
Here, then, are the next two pillars.
The Third Pillar: Education
Education and certification are central to professionalism and continual renewal.
We all start out knowing nothing. And we all become masters of a few things. And, if we're lucky, we become excellent at several things and good at many things. No one can be a master of all knowledge. For almost any technology, there are many layers of knowledge. There's the one paragraph description, the 1,000 word discussion, the 350 page book, and the library filled with books.
One of the not-so-secret dirty little secrets in our profession is that people over-use Google to pretend they know more than they do. At some level, this is the very definition of an amateur trying to work their way into "semi-pro" status. Amateurs know just enough to figure stuff out. They are slower than professionals. Their solutions are less elegant. Sometimes they break more than they fix. But, ultimately, they figure it out and figure out how to do it better the next time.
All professions grow because hobbyists become amateurs, and amateurs (apprentices) grow to become professionals. Experience is one big piece of this transition. But education and certification are another. Anyone can stop growing at any point and simply stay where they are (amateur, apprentice, or professional). But for the true professional, "staying where you are" means sliding backward. The technology and business processes keep evolving. Without continual training, you cannot keep up.
At some point, there is a real limit to what an amateur can achieve. And you cannot be a master of all things. So when you choose something to get good at, you need to dig in and educate yourself. That might include books, classes, or even formal schooling (a collection of classes).
Think about how we naturally learn technology. Take firewalls for example. You can dig in and "figure out" a lot about setting up a firewall. But you will never get beyond the "figuring out" level without some real education on TCP/IP, ports, protocols, routing, and so forth. And there are multiple levels of education in each of these.
There is a fairly obvious period of being aware of your amateur status. At some point, you decide to either be amateur, semi-pro, or dig in and really become good with firewalls. Or at least one brand of firewall. But even if you decide to specialize in Fortinet or Sonicwall, formal education includes a great deal of generalizable knowledge. At some point, you learn a great deal about routing, filtering, and traffic management that goes beyond the brand of a specific product.
Some people tend to dismiss education and certification. Their argument sounds something like this: Anyone can spend a bunch of money, go to a "bootcamp," and get all their certifications in one weekend. Okay. There was a time when people did that.
But here's the reality: I've never met someone who passed seven or eight exams from Microsoft or Cisco who didn't also know a great deal about a variety of technology. Even if you cram for such exams, there is a moment in time when you knew the topic well enough to pass the exam. We all know that the real work of "knowing" something involves the daily application of what we've learned.
I've taken lots of Microsoft exams. Most of that information was never useful to me. But that arcane and archaic knowledge is still rattling around in my head. And I could apply that knowledge with just a little tune-up.
There are two kinds of education and certification in our industry - technical and business. Technical education is widely available. Vendors provide education on their own products and services. Some of it is free and some is for a price. Of course, Microsoft is the big example for most of us. If you are willing to dig around on their web sites and train yourself, you can get virtually all the knowledge they have to offer for free. Or, you can pay for officially-sanctioned training and get a good chunk of that data distilled into a day or a week.
There are also third-party training opportunities, but they are fewer. CompTIA probably has the most well-known training and exams. Third Tier and other independent organizations provide great training, but on a limited number of topics. Happily, almost all community colleges (and some high schools) provide a wide variety of technical training.
Business training is a little different. Vendors only train you on processes that promote their view of the world. You should be leery about adopting a business model based on the needs of your vendors. As brutal as it sounds, they only care about you to the extent that you use and sell their products and services.
Business-focused training is harder to come by. Many coaches and organizations provide training on the business side, but we have yet to see a really large organization offer business-focused training on a grand scale. Most of the coaches or communities you've heard of offer business-level training (myself included). But our industry could use some serious standards and increased consistency on this front.
As an industry that wishes to become a profession, we could advance a lot by agreeing on some standards for education and certification. At a minimum, we should focus a lot more on the training that's already available. If I had to propose a slogan for this campaign, it would be:
Google less. Read more.
In isolation, anyone can watch a YouTube video and see how to export a PST file. That's a far cry from understanding all the elements of migrating a client's entire operation to cloud services securely with zero downtime.
Read more. Google less.
The Fourth Pillar: Core Values / Statement of Ethics
Ethics and principles ultimately define an industry and build the path to the future.
Here and there throughout our industry, you might find a Code of Ethics or a statement of core values. But there are three common problems with such statements. 1) They tend to be very long, overly detailed, and therefore go unread. 2) They tend to be too vague and end up repeating a few meaningless phrases. 3) They tend to be hidden away.
At some level, we all have a vague sense that we share a set of values. I love to quote Bill and Ted's Excellent Adventure: "Be excellent to each other." And while we would all love to live in that world, it's just not real (yet). There are people in our industry who will undercut your quote, lie to prospects, and then bully them into paying a higher price even thought they promised a lower one.
I'm sorry to say that I have only appeared in court as an expert witness on three occasions, and ALL of them were to evaluate the appropriate behavior of other technology consultants. People in our industry do lie. They do steal intellectual property. They do take move from clients and not provide the services promised. Not you, of course. But you have to live with the fact that these people represent themselves just as you do - and clients have no measuring stick to compare the difference.
We need to adopt a handful of key values that we agree to be measured by, and which we can use to hold one another accountable. And while there's great value in something like Ray Dalio's Principles, a usable code of conduct needs to be brief in order to be effective.
Many dismiss the need for a common code of ethics, but our industry is surrounded by behavior that makes the need for such a code greater than ever. Money has an amazing power to increase the flexibility of some people's ethics. And, today more than ever, money is flowing through our industry in vast amounts.
When I first started consulting in the small business space, I felt like I had stumbled onto the wrong profession altogether. Again and again, I met prospects who had been ripped off by their previous IT consultant. Very often, hardware and software were registered in the consultant's name and not the clients. Eventually I discovered that this was done to take advantage of distributor spiffs, or because both hardware and software had been resold more than once, always sold as new.
The first time I ever met a Microsoft MVP, he casually mentioned that you can always "flip" an MSDN license and install something a client needs. There was a total disconnect between stealing in general and stealing software.
In another form of stealing, I witnessed time and time again that people took jobs they were not remotely qualified for, gave bad advice, and simply walked away when it all blew up. Many, many times I took over networks after someone had over-sold the client, did a half-assed job of setting things up, provided zero documentation, and then simply disappeared.
Some will make the argument, "I'm honest. I act with integrity. Why do I care whether the whole industry has a code of ethics?" Well . . . because you work in that industry.
We make fun of the entire car sales industry, but we're basically in the same boat. If the perception is that "all" MSPs sell security management and then let ransomware attack their clients, that reflects on you. You might have had a perfect zero-bytes-compromised year. But when regulators and legislators are going after your industry, the actions of other players IS affecting your reputation.
One piece of the ethics puzzle is to simply have a code of ethics. But the more important piece is to agree to hold each other accountable (and to be held accountable).
Think about what a company values statement does within your company: It allows everyone to ask whether proposed decisions or actions are consistent with our stated values. A professional code of ethics is a public statement that says that we hold ourselves to these standards, and we invite the public to hold us to them as well.
I propose a few thoughts here as a place to start the discussion around a Professional Code of Ethics for IT Service Providers. Note that this is short enough to print on a single sheet of paper. I welcome your feedback and comments, especially if I left out some very obvious element.
A Draft Professional Code of Ethics for IT Service Providers
As a professional IT service provider, we pledge to:
- Be competent. IT Service Providers will work to stay educated and capable in all areas for which they represent themselves to be competent. They will not knowingly claim competence that they do not possess.
- Be honest. In presenting themselves to prospects, and in all engagements with clients, IT Service Providers will provide honest information about products, services, pricing, and related matters. This includes the accurate representation of work performed and the products and services offered for sale.
- Be forthright with clients. This includes registering client hardware, software, and services in the client's name and not the IT Service Provider's. It also includes providing the client with a reasonably useful copy of their network documentation. Implicit in this requirement is the fact that the client has paid for all of these things and that ownership or licensing should be in the client's name/possession. This also includes disclosing any possible conflict of interest between the IT Service Provider and the client.
- Be legal in all activities. IT Service Providers will follow applicable laws with regard to business operations, sales, data protection, privacy, and all other manners.
- Be professional. IT Service Providers will sign contracts with clients that are reasonable in nature and not intended to give an unreasonable or undue advantage to the IT Service Provider. IT Service Providers will conduct all business with the highest standard of ethics.
- Be fair. IT Service Providers will treat everyone (clients, employees, suppliers, vendors, etc.) impartially without regard to ethnicity, age, gender, disability, sexual orientation, nationality, language, religious beliefs, or political beliefs.
- Be discreet. IT Service Providers will sign non-disclosure agreements with all clients and employees, and work earnestly to protect client confidentiality and intellectual property.
Ideally, a profession-wide code of ethics should become something we all post on our web sites and publicly agree to guide us.
-- -- --
Next time: Ransomware and How We Handle It
-- -- --
Here are links to the entire series: