Advertising company culture

April 14th, 2012

I wrote recently about Twitter advertising that job applicants should like to drink beer. I still think this advert was poorly judged, but after some reflection I wonder if I reacted too hastily. One of the reasons that Twitter’s advert stood out to me was that few job adverts bother to say anything about the company culture. It seems to me like maybe Twitter is on to something here.

Culture varies a lot between companies, and getting the right cultural fit between employee and employer is a big part of making the relationship a successful and long-lasting one. So why do we so often leave culture until the last stage of the interview, usually in the “so, do you have any questions for us?” phase? Why are we content that organisational culture is so often judged by simple stereotypes: “They are a start-up! They can’t be bureaucratic!”

I suspect one reason is that the people writing the job descriptions and running the interviews lack the skill to effectively communicate about non-technical aspects of the job. Sure, we all know words like “dynamic” and “entrepreneurial”, but these are hackneyed to the point of being useless, like the proverbial “good team player” that every applicant describes themselves as. Another sticking point might be the difficulty of communicating about the culture on behalf of the whole company. I can describe the technical aspects of a role pretty objectively, but in describing the subjective aspects there’s a much higher chance that I’ll say the wrong thing and get myself in trouble.

Another issue, and I suspect a significant one, is that any statement about culture necessarily dissuades some people. This is simple information theory: if a description doesn’t put some people off, then it isn’t conveying any information. Descriptions that appeal to everyone will (unless they are simply and objectively disprovable) be slapped on every job advert. Although companies are usually interested in finding people who are a good fit, in markets where qualified employees are in short supply (as in software at the moment), there’s a great deal of resistance to cutting down the field of prospective candidates in any way.

A better way to go about this might be to identify some qualities for comparison that are deliberately divisive. These would form axes where neither extreme was right or wrong. If we can come up with some kind of de facto standardisation of this, then companies need not lose out by being honest—indeed over the longer term they would lose out more by pretending to be something they aren’t. Eventually, it might reach the point where companies look like they have something to hide if they don’t publish these details.

In Cultures and Organisations: Software for the Mind, Geert Hofstede identifies a number of statistically significant variations between organisation cultures, which I’ll loosely summarise:

  • Process-oriented vs. results-oriented: In a process-oriented culture people follow their job description, while in a results-oriented culture they do what’s necessary for the end result. If this sounds like the former is obviously “wrong”, consider safety-critical work where performing to a consistent standard is more desirable than performing better with occasional lapses.
  • Employee-oriented vs. job-oriented: In an employee-oriented culture the company takes more interest in an employee’s life outside work, including any personal problems that may affect their work. On the negative side, some people find this overbearing.
  • Parochial vs. professional: In the former model, employees identify more strongly with the organisation they are a part of, while in the latter case their strongest identity is with their type of job.
  • Open systems vs. closed systems: Open companies are very open to outsiders joining the company, and new people quickly feel “at home”. Closed companies are less open to outsiders, but once people become accepted by the team they can enjoy stronger and more stable relationships.
  • Loose control vs. tight control: Looser companies have fewer rules (explicit and implicit) about standard of dress, behaviour etc., and tend to have less punctual meetings and more irreverent talk about the company.
  • Pragmatic vs. normative: Pragmatic cultures respond to the needs of the market, while normative cultures tend to follow rules or structures that are viewed as unchangeable.

In my experience, software companies tend to cluster at the same general places on each of these axes, so perhaps these aren’t the ideal ways of judging. Even so, there’s some room for information to be conveyed: just because I like an organisation that’s pragmatic and results-oriented doesn’t mean that I want an organisation that’s jammed right up against the far extremes on these axes. Choosing between a company that’s 60% pragmatic versus one that is 75% pragmatic may feel like small potatoes, but the consequences of employment decisions play out over many years, so I think we can afford to be picky.

A surprising requirement for having a job at Twitter

April 3rd, 2012

I got one of the standard emails from a recruiter saying I had been “referred” for a job at Twitter (they were apparently “very excited” about me). Now, I figure these things are about as real as the Reader’s Digest prize draw, and I’m not in the market for a job anyway, but curiosity got the better of me and I had a quick look at the jobs they were offering. I got a bit of a surprise:

Do you see it? In the same block as the requirements for technical skills, they request that you enjoy beer.

It’s pretty clear what’s going on here. It’s not really a job requirement, but they were brainstorming ways to make the company appear cool and sociable and whatever, and this seemed like a fun way to do it. It sets the company apart, because nobody else writes about drinking alcohol on their job description.

Unfortunately, there’s a very good reason for that. I hate to go all knee-jerk politically correct HR on you, but you just can’t do this kind of thing. At a stroke, you’ve ruled out Muslims, recovered alcoholics, Methodists, pregnant women, people who just don’t like to drink, and all sorts of other classes of people I’ve not thought of here. Sure, it’s only in the “pluses” section. Yes, nearly everybody in this category will understand that it’s just light-hearted fun, and that it won’t really be used to distinguish candidates. That doesn’t matter. You can’t afford to make people of any sort of minority feel unwelcome in your organisation.

Realistically, every company has a non-neutral culture, and for every culture there are going to be some people who feel they don’t fit into that. Completely neutralising this kind of culture is impossible and to a large extent undesirable—the best you can do is to maximise diversity while preserving the positive aspects of what makes your culture unique. But job advertisements are a special sort of communication: they are very public indeed, and they are often the first chance you get to communicate your message to prospective candidates who know nothing else about you. Inviting someone out for a drink after you’ve got to know them is a completely different proposition from broadcasting the desirability of drinking.

How not to do online security

March 30th, 2012

I’ve been having trouble with the online access to one of my bank accounts. Due to a combination of disorganisation and poor memory (it’s not one of my commonly used accounts), I’ve had to reset the password several times. It’s always a frustrating experience, but on the most recent occasion they hit me with something entirely new: they wanted me to “change your mother’s maiden name”.

My response was probably more sarcastic than it really deserved, especially given that it turned out not to be quite as silly as it sounded: I merely had to change the answer I gave to the question “What is your mother’s maiden name?” It didn’t matter what my answer was so long as I could remember it and produce it on demand.

This situation is wrong on several levels. First of all, it’s pretty terrible from a usability perspective. Remembering that I should reply “sausages” when asked for my mother’s maiden name is not particularly hard (at least if only one of my bank accounts suffers from this peculiarity, and I log in often enough that I remember this), but it’s an ugly wart on the user experience and leaves the impression of a bank that is pretty half-arsed.

At a deeper level, this is wrong because it’s symptomatic of poor application architecture. At some point during the software development, somebody must have looked at a database diagram like this:

Somebody else must have known that, under certain circumstances, the security question would have to be changed. Unfortunately, these two people weren’t the same person, and don’t appear to have talked to each other. The architecture clearly doesn’t support the ability to change the security question. Sure, this kind of bug happens all the time—except that security, more than anything else, deserves the kind of architectural attention that’s obviously missing here.
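To make the architectural point concrete, here is an added example (constructed for this post, not the bank’s schema or anything the author published): a schema in which the question is baked into a column name, beside one in which the question is data stored per customer, so a reset can replace question and answer together. Table and function names are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3
# Constructed "before" schema as the post implies it: the question is baked into
# the column name, so a reset can only change the answer, never the question.
#   CREATE TABLE customer (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
#                          mothers_maiden_name TEXT NOT NULL);
# Constructed alternative below: the question is data stored per customer, so a
# reset replaces question and answer together; answers are salted and hashed.
SCHEMA = """
CREATE TABLE customer (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL);
CREATE TABLE security_question (
    customer_id INTEGER PRIMARY KEY REFERENCES customer(id),
    question    TEXT NOT NULL,
    salt        BLOB NOT NULL,
    answer_hash BLOB NOT NULL
);
"""

def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Fold case and collapse whitespace so "O'Brien " and "o'brien" agree.
    normalised = " ".join(answer.casefold().split())
    return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, 100_000)

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def set_security_question(conn, username: str, question: str, answer: str) -> None:
    """Create the customer if needed, then set or replace question and answer."""
    conn.execute("INSERT OR IGNORE INTO customer (username) VALUES (?)", (username,))
    (cust_id,) = conn.execute("SELECT id FROM customer WHERE username = ?", (username,)).fetchone()
    salt = os.urandom(16)
    conn.execute("INSERT OR REPLACE INTO security_question VALUES (?, ?, ?, ?)",
                 (cust_id, question, salt, _hash_answer(answer, salt)))
    conn.commit()

def current_question(conn, username: str):
    row = conn.execute("SELECT q.question FROM security_question q JOIN customer c "
                       "ON c.id = q.customer_id WHERE c.username = ?", (username,)).fetchone()
    return row[0] if row else None

def verify_answer(conn, username: str, answer: str) -> bool:
    row = conn.execute("SELECT q.salt, q.answer_hash FROM security_question q JOIN customer c "
                       "ON c.id = q.customer_id WHERE c.username = ?", (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[1], _hash_answer(answer, row[0]))
```

Because the question text lives in a row rather than a column name, “changing your mother’s maiden name” becomes an ordinary update that also changes the question the customer is asked.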

But there’s an even more fundamental reason why this situation is wrong. The bank appears to be confused about the very purpose of using the mother’s maiden name (or any other personal information) as a credential.

Time was when finding out someone’s mother’s maiden name was seriously difficult, unless you happened to know it. Marriage certificates are public record, but (and I’m guessing here) they aren’t indexed in the right way to make it a tractable problem to look up the maiden name from the married name. In the days of paper files, it didn’t matter if something was O(n) provided that n was large.

Nowadays, it no longer works this way. The population of married people is large by human standards, but small enough to be searched in seconds by a computer, even if the search method is inefficient. I don’t know how marriage records are exposed, but it’s reasonable to suppose that a sufficiently motivated attacker can get the data set. Even if not, plenty of people have enough information on their Facebook or LinkedIn profile to infer a mother’s maiden name.

Personal information still has a role to play in security, but not in the same way. People tend to think of password cracking as trying lots of attempts to guess one person’s password, but an alternative is to take one obvious password and try it against a number of people. Money is money, and you don’t care much whose account you rob. For a given common password, a large enough bank is almost certain to have somebody who uses that password.

Against this kind of attack, the trusty old mother’s maiden name comes in handy. If it only takes 2 minutes of snooping on Facebook to find the information you need, then this doesn’t stop you attacking one particular person’s account. But if you want to try ten thousand accounts to find the one whose password is “5au5age5”, then you’re out of luck.
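The two attack shapes described above, many guesses against one account versus one guess against many accounts, look quite different in a login-failure log. As an added example (not from the post), the following parses constructed log lines in an assumed format and labels each source address by the shape of its failures inside a sliding time window; the thresholds and field names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-login records in an assumed format "<ISO time> FAIL user=<account> ip=<addr>".
# 198.51.100.7 tries one guess against many accounts (the post's "one obvious password,
# many people"); 203.0.113.9 hammers a single account; 192.0.2.44 is a forgetful user.
SAMPLE_LOG = """\
2012-03-30T09:00:01 FAIL user=alice ip=198.51.100.7
2012-03-30T09:00:02 FAIL user=bob ip=198.51.100.7
2012-03-30T09:00:03 FAIL user=carol ip=198.51.100.7
2012-03-30T09:00:04 FAIL user=dave ip=198.51.100.7
2012-03-30T09:00:05 FAIL user=erin ip=198.51.100.7
2012-03-30T09:01:00 FAIL user=alice ip=203.0.113.9
2012-03-30T09:01:01 FAIL user=alice ip=203.0.113.9
2012-03-30T09:01:02 FAIL user=alice ip=203.0.113.9
2012-03-30T09:01:03 FAIL user=alice ip=203.0.113.9
2012-03-30T09:01:04 FAIL user=alice ip=203.0.113.9
2012-03-30T09:05:00 FAIL user=grace ip=192.0.2.44
2012-03-30T09:40:00 FAIL user=grace ip=192.0.2.44
"""
LINE_RE = re.compile(r"^(\S+) FAIL user=(\S+) ip=(\S+)$")

def parse_failures(text):
    """Yield (timestamp, user, ip) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def classify_sources(text, window=timedelta(minutes=10), min_accounts=5, min_attempts=5):
    """Map source IP -> "spray" (many accounts, few tries each) or "brute_force"
    (many tries on one account), judged over a sliding time window; quiet IPs omitted."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(text):
        by_ip[ip].append((ts, user))
    verdicts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            # Slide the window start forward so events[start:end+1] spans <= window.
            while ts - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_accounts:
                verdicts[ip] = "spray"
            elif end - start + 1 >= min_attempts and len(users) == 1:
                verdicts[ip] = "brute_force"
    return verdicts
```

A per-account lockout catches only the second shape; the first is invisible unless failures are also counted per source across accounts, which is the gap the security question is covering in the post’s argument.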

A crucial point here is that this kind of security benefits only marginally by changing the secret answer. By hypothesis, the secret answer is pretty easy to get hold of anyway. The great strength of personal information is that you don’t forget it; if this wasn’t an important part of the design then everyone could just make their password twice as long and get exponentially greater security. But passwords are already pretty much at the limit of what human beings can cope with, and personal information is a low-cost way to extend security against an important class of attacks.