Marina Gorbis's Blog, page 1432

Designers and entrepreneurs have been experimenting with live prototyping — putting unfinished product ideas in the context of real markets and real customer situations — for years, and now bigger businesses have begun to catch on. Many executives, eager to avoid over-investing in the wrong ideas, are intrigued by this approach, but they’re leery of putting unpolished products and services out in the market. Might we tarnish our brand? Will customers trust us less once they’ve experienced the rough edges of our prototype? Might we expose our strategy to competitors?

The concern can be valid, but by answering a few questions, and playing with a few variables, you can usually find a way to conduct market experiments that does not put your relationship with customers at risk.

A good first step is to get a sense of your customer’s sensitivity to change and to “rough edges” in your offer. We find the following approaches useful to help executives understand the degree of caution they need when running market experiments in public:

Assess your brand history: Does your company have a record of experimenting in public? If so, how have consumers responded? Do your core customers value your inventiveness or your reliability? If you’re H&M, your customers expect you to be “out there.” If you’re Levi’s they might be fiercely loyal to your classics, and wonder why you’re shaking things up.
Assess competitive benchmarks: Identify the quality “floor” of your offer. Is quality essential in your market, or simply a nice-to-have. For a car or legal services, this floor will be very high, but for an entertainment service, it might be low.
Assess analogous industries: Looking at direct competitors can sometimes be misleading. Look across adjacent industries. If you’re in automotive, you might look at other highly regulated industries, like healthcare and finance, which manage to experiment considerably despite stringent regulatory environments.
Prototype prototyping: Most simply, this means talk to you customers about prototyping. Instead of simply launching the prototype, bring your concepts or prototypes out and talk about them with customers. Get them to imagine what it would be like to come across these prototypes without knowing that they aren’t “real” products. Would they be excited about trying new things? You might have a group of customers who are willing to experience some rough edges of an unfinished product to feel part of building something new.

Armed with an understanding of your baseline customer expectations it’s time to plan your experiment. The most effective way to reduce your risk is typically to invest more to achieve an acceptable level of quality. But you have to be sure that increased spending will improve quality, and that you’re not simply wasting money. Consider investing more per customer, rather than investing in the operations that deliver quality. For example, in evaluating an automated digital legal service, you might have actual lawyers working behind the scene to deliver the service to test the market need first. You can invest in algorithms and automation later.

Another effective de-risking approach is to contain the experiment to specific moments of the customer experience. Focusing initially only on those moments that highlight the biggest business risks can decrease development requirements and customers’ interaction time with your prototype. For snack products, one of these key moments is when a customer chooses the product, so you might produce high-fidelity packaging so that the concept stands out against the shelf of competitors, but fill the packages with Legos (which sound and feel a lot like a crispy snack through the package). At this point, you’re testing the brand promise, not the customer’s willingness to pay or how the taste fulfills on the brand promise, so you don’t need to provide a full end-to-end experience.

You can also contain your experiment by calibrating exposure. Testing with large audiences might yield greater statistical significance, but nuance can get lost. Perhaps more importantly, testing new ideas with smaller audiences means that you can be bolder. Some companies like Facebook and AirBnB use limited release to allow any employee to release their product changes — large and small — to the public. These companies measure the impact of shipped features on customer behavior. Changes that have desirable outcomes are released to bigger audiences. This approach is easier for software companies, but manufacturing innovations like 3D printing have provided ways to launch physical products at limited scale.

If, after following these approaches, you feel that your market may still be hostile to the experiment or that the prototype still doesn’t deliver the value proposition to the customer, be transparent about that fact. Let participants know that they are engaging with a prototype that may not launch. One way of doing this is to create a sub-brand that is clearly about introducing new and unfinished ideas. For example, Google Labs is an arm of Google that focuses on creating revolutionary new products. They have been able to release Google Glass to the public before it’s ready for mass market use. We find that customers are generally enthusiastic about giving input if they know what they’re getting themselves into.

To protect against potential inconvenience to the customer, you could offer the option to switch back to the original service or product if they lose patience with the prototype. For example, if you’re developing software you might ask customers to opt in to product updates for the services that they would consider purchasing to get a sense of genuine product interest. This approach yields valuable information about product appeal, and you’ll gain access to a community to tap for feedback as your product evolves. Meanwhile, when customers opt-out, take it as an opportunity to understand why via a survey or even a live conversation.

While running prototypes can seem scary in the moment, the risks are much lower than launching a flawed product or service. Think about the above levers to reduce risk and avoid cutting corners in a way that is detrimental to your experiment. Markets move fast, and more of your competition will be experimenting to improve their market position. It’s better to test and build than be left with an outdated business.

In the 1989 movie Dead Poet’s Society, Robin Williams, playing the iconoclastic English teacher John Keating, dismisses the notion that you can judge the perfection of a poem mathematically by plotting how artfully it employs meter, rhyme, and metaphor against how important the subject is. Rather than have his students think they could graph the relative merits of, say, a Shakespeare sonnet against a poem by Alan Ginsberg, he has them rip up their textbooks. Data can’t tell us anything about stories, he’s saying, as pages of Understanding Poetry, by Dr. J. Evans Pritchard, Ph.D., fly all over the room.

Businesspeople are often advised to turn their data into stories to make them more persuasive. And that is certainly good advice. But they are given precious few tools to help them do that. It turns out though, John Keating notwithstanding, that graphs can be remarkably useful in demonstrating the mechanics underpinning an effective story. One person who’d given this a lot of thought was novelist Kurt Vonnegut, a real-life literary iconoclast if there ever was one.

Harvard’s Nieman Foundation for Journalism recently shed a spotlight on Vonnegut’s story graphs in its publication Nieman Storyboard (a wonderful resource on the art of storytelling in itself). Vonnegut devoted his master’s thesis at the University of Chicago to studying the shapes of stories. The thesis was rejected (apparently, Vonnegut’s advisors were of the John Keating school of literary criticism). But his ideas are thriving online in various storytelling tutorials.  Nieman offers up Vonnegut’s original presentation, now on YouTube, in which he graphs some of the most basic story structures and explains how they work.

“There’s no reason why the simple shapes of stories can’t be fed into computers,” Vonnegut begins. First up is one he calls Man in a Hole. “It needn’t be a man, and he needn’t fall into a hole,” he adds, for the metaphorically challenged among us. “That’s just an easy way to remember it.”

In the tradition of J. Evans Pritchard, he starts by drawing the vertical Good Fortune/Ill Fortune (or G-I) axis, with “sickness and poverty” at the bottom and “wealth and boisterous good health” at the top.  At the midpoint, he draws his x axis – B (for beginning) to E (for electricity). He’s joking of course, but he also wants to underscore the point that this is an exercise in relativity, since it’s the shape of the curve that matters, not the specific data points.

Then he places his chalk on the y axis a bit above the midpoint (“Why start with a depressing person?” he quips), draws a sine wave dropping down toward the bottom and rising up again: Somebody gets into trouble and gets out of it. “People love that story,” he says. “They never get sick of it!”  (This is doubly obvious is when you draw the business parallel by substituting a term like business, strategy, revenue, IT, HR, or whatever for the word somebody).

He goes on to graph Boy Meets Girl, starting right at the midpoint of the y axis – “an average person on an average day, not expecting anything.”  He draws a double sine wave rising up and then down and then up again. “Something wonderful happens, Oh hell. Got it back again” In business terms, the classic turnaround story (IBM comes to my mind here, and more than once).

The next one is more complicated, he warns. Despite what he’s just said, he starts at the bottom and stays there—a wretched person, a little girl, no less, has lost her mother and her father has married again to a horrible woman. The curve hovers at the bottom. A fairy godmother arrives, bestowing much-needed resources (shoes, a dress, mascara). With each gift, the line goes up incrementally, like a bar graph. The girl goes to a dance. The clock strikes 12:00. The resources dry up. The line drops almost straight down, but not all the way back (she has those memories, and maybe some IP or a valuable customer base). The prince finds her, the shoe fits. Facebook buys your start-up, the curve shoots up as you achieve off-scale happiness.

It so happens, he says, that this Cinderella story is “the most popular story in our Western civilization. Every time it’s retold somebody makes another million dollars. You’re welcome to do it.” Well, sure…

Here are all three stories, conveniently plotted on a single graph:

But watch the video (it’s less than five minutes long), and two things become apparent. The first is certainly that so many successful business stories follow patterns embedded in Western civilization’s most primal literary conventions. It’s easy to see why marshalling data to tell one of these kinds of stories – rags turning into riches, mistakes rectified, challenges overcome, the right resources and the right contacts saving the day — would be so compelling. And there’s probably an argument here for reading more fiction, to give John Keating his due.

The second is that Vonnegut’s delivery matters as much as his ideas. His timing is perfect.  His language is concrete and unexpected. He’s showing you the simplicity that underlies apparent complexity – that’s what data are so good at doing. But he’s just as concerned with making sure you’re paying attention — since no one is persuaded by something they don’t remember.

Persuading with Data

An HBR Insight Center




Don’t Read Infographics When You’re Feeling Anxious
How to Tell a Story with Data
To Go from Big Data to Big Insight, Start with a Visual
How GE Uses Data Visualization to Tell Complex Stories

“It’s 9:00am, you’re across the table from a colleague who doesn’t like you or the changes you’re proposing, she’s pushing all your hot-buttons and resisting your efforts to get her to support the change. What’s your typical reaction?” I recently posed this question to a group of executives.

About two thirds of the executives admitted that their typical behavior is competitive: return the aggression and argue to win. The other third said they typically do the opposite:  retreat, recoup, and try again later. But either way, it was a default reflex – not a strategic response.

We all have default behaviors. And when we are in the moment, trying our best to perform well, how we handle these automatic reflexes can be the difference between success and failure. It’s these moments that add up to the larger tasks and projects that are our work. Moments in which behavior – what we think, feel, say, and do ­­– is the primary driver of performance.

I can remember a pivotal meeting after weeks of working with a team on a product idea.  After presenting it to a colleague, I found myself fielding unexpected negative feedback.  My default was to fight back, with facts. I’m an evidence-based manager, and this approach often works, and works well. But not this time. I hadn’t included this colleague in the process, and he was upset despite the facts. Unfortunately, my highly automated default behaviors were running the show. Had I paid more attention to his tone and body language, and been able to put a little mental distance between the “automatic-me” and the situation, I would more easily have seen what was happening.  I had experienced a failure of attention and self-control.

Automatic behaviors do have their place – they save time and effort. When you continually face the same type of meeting, with the same people, with the same objective, what has worked for you in the past may work again now.  So why not embrace these defaults? Wouldn’t our professional lives be easy if we could allow well-tuned default behaviors to take over at work, in the same way we can put our minds on auto-pilot while we drive there?

The problem with that approach is that the workplace is too dynamic. Situations rarely repeat. Human behavior is diverse, erratic, and often unpredictable.

As I experienced when arguing the facts with my upset colleague, and as I have seen over and over again with executives and management students, defaults are dangerous and too often lead to unproductive behaviors and outcomes.

We know this – and yet our defaults are devilishly hard to overcome.

Imagine you’re a judge, and you’re trying to decide whether a convicted felon should be given parole. What would be your default? One would hope that parole judges override their default behavior to think carefully before each ruling. In a study published in the prestigious Proceedings of the National Academy of Sciences, researchers found that a group of highly experienced parole judges did reason more carefully – particularly at the start of the day and after every food break, when on average they granted parole to 65% of the felons. However, as judicial sessions wore on, favorable parole judgments fell to an astonishing 0% prior to each food break.

Research like this shows just how much evading our defaults requires self-control, and how much our level of self-control varies throughout the day depending on a range of psychological and physiological factors like how well we slept, the time since our last meal, how hard we’ve already worked to control ourselves. And critically, like those parole judges, we are often not aware of these fluctuations in self-control as we wend our way through the workday. When self-control wanes, our ability to catch and override default behaviors also wanes. Our more planful selves can lose control, giving way to reflex behaviors triggered on the spot.

So what you can you do to avoid unconscious defaults and provide yourself more behavioral flexibility in the moments of truth that matter most?  Here are three suggestions that I have seen work well:

Know your defaults: Make a list of the frequent “moments of truth” that populate your workday: the meetings, conversations, negotiations, conflicts, and other situations when your behavioral performance is of paramount importance. These are typically challenging interpersonal situations in which how you react, what you say, and what you do can be commandeered by defaults. Take your list, bring each of these situations to mind, and then identify your defaults. You will find them, and likely culprits will be behaviors such as interrupting, becoming aggressive or passive, taking ownership of ideas, micromanaging, and jumping too quickly to negative judgments of others.
Anticipate and plan your overrides: Once you know your defaults, you can give yourself greater control by anticipating and planning ahead before these challenging moments of truth arise. Research shows that if you prepare and plan behaviors in advance and mentally rehearse them, you are 2-3 times likely to succeed in carrying out your plan. So in advance of your difficult end-of-day meeting, if careful listening is your goal — but frequent interruption is your default – rehearse a plan for better listening you’ll have a better chance of overriding your automatic reflexes.
Design your days: Because self-control varies across a day and a workweek, it makes sense to track it and even plan your schedule around it. Why schedule high-conflict conversations before lunch, at the end of the day, or at the end of a tough week when your self-control is likely to be low? If an easy day has unexpectedly become difficult, consider shuffling your afternoon. You may very well avoid letting slip a snide comment you’ve held back or sharing half-baked criticisms that you know deserve more thought.

Too many professionals who are high-performers in their area of work pass through the behavioral situations of their day on auto-pilot, with defaults running the show. By getting to know your defaults and practicing working around them, you can take greater control over your workday and lead yourself and others more productively, moment to moment.

Evolve or die. If it ain’t broke, break it. If you don’t like change, you are going to like obsolescence even less.

By now, the idea that organizations must adapt in order to maintain both relevance and market share in a rapidly changing world is so ingrained that it’s been reduced to pithy sayings. And there are many organizations — from Blockbuster to Kodak, print-only newspapers to pay-phone makers — that no doubt wish they’d followed the advice.

But is constant adaptation always the best policy? Our research indicates it isn’t. Indeed, any company considering an adaptation initiative should first ask itself five questions:

Do your customers really want you to change? The offerings from privately-held Berger Cookies in Baltimore have been the same for 179 years. The company’s continued success shows that people crave consistency. When you taste your favorite cookie, you don’t want to suddenly discover that the recipe has changed.
Will change alienate your base? Earlier this year, executives at Sirius Satellite Radio decided to capitalize on the renewed interest in singer-songwriter Billy Joel by creating a temporary channel dedicated to him and his music. But it replaced one that had played music of the 1930s and ‘40s, prompting those customers who enjoyed classics from the likes of Irving Berlin, Cole Porter and the Gershwins to cancel their subscriptions.
Will you confuse people? If you bounce from one strategy (say, low prices) to another (full service) and back again, people won’t know what you stand for. The recent failures of mass market retailers Sears and J.C. Penney are clear examples of the problem with inconsistency.
What is the cost? When remaking or radically changing your offerings, you must always weigh the risks against the rewards. This is a lesson Starbucks learned the hard way in the late 1990s. To expedite its expansion, the company made several tweaks: For example, it started shipping its coffee in flavor-locked packaging, which was more efficient but also eliminated most of the aroma; it also streamlined store design to gain economies of scale. But the result was “the watering down” and “commoditization” of the Starbucks experience, founder Howard Schultz later reflected. The company struggled, and its stock price fell, until Schultz came back and reversed those decisions.
Will the change make you vulnerable? When you add to, or alter, your offerings, you can open the door to competitors. For example, Cadillac decided to offer a smaller car, the Cimarron, in the early 1980s. The diluted management focus, coupled with the car’s poor sales, hurt the brand and allowed competitors — especially luxury imports — to gain market share.

It’s important to remember that some companies manage to have it both ways – adapting on the periphery to capture new opportunities while also maintaining their existing businesses. Brooks Brothers serves as a case in point. Instead of simply sticking to selling classic clothing, and waiting for outside catalysts (such as the popularity of the fashion in the television show Mad Men) to increase its popularity, the chain innovated around the edges by offering more fashionable accessories — shoes, belts, bags and the like — while leaving its core basically unchanged.

We like this model of adaptation because you haven’t lost much money, time, or management effort if the changes don’t move the sales and earnings needle. Even more important, they will not have damaged how your base sees you. If the changes are well received, you can expand and integrate them, and/or spin them out into a separate store, division or product line.

The point here is simple: Your customers will dictate when and how much to change. Keep asking them what they want (we recommend a formal or informal audit every six months) and keep watching their behavior, since they aren’t always able to articulate their desires. Then change as they do, or just a little bit faster.

If adults assume that their ability to discern trustworthiness, or the lack thereof, in strangers’ faces is a skill honed over a lifetime, they’re wrong. Children ages 5 and 6 made very nearly the same judgments about the trustworthiness of computer-generated faces as adults, and children ages 3 to 4 were off by just a few percentage points, says a team led by Emily J. Cogsdill of Harvard. People make inferences—right or wrong—about strangers’ characters within 50 milliseconds of viewing their faces, prior research has shown.

Some people have a way of making the complex clear.  They know who they are, why they do what they do, and where they want to go. Because they have internalized all this, they are able to sharply crystallize ideas and vision. They speak in simple, relatable terms. And they can get a lot accomplished.

Making your words understandable and inspirational isn’t about dumbing them down. Instead, it requires bringing in elements such as anecdote, mnemonic, metaphor, storytelling, and analogy in ways that connect the essence of a message with both logic and emotion. Almost everyone leading or creating has a vision, but the challenge is often expressing it in ways that relate and connect. Quick, think of some former Presidents of the United States and presidential candidates. Which ones are most memorable? Which ones are most likable? Which ones won?  The leaders who stick in your mind are likely the ones who humanize their message and deliver it in ways that connect with everyone at some level, in turn inspiring others to relate to them while better appreciating the mission at hand.

I have enormous respect for poets and writers who are able to touch our souls and enhance our understanding of concepts and ideas by writing simply and straightforwardly. Take, for example, Arthur Miller’s Death of a Salesman — the tale of a tragic hero, Willy Loman, whose fallibility lies in his lack of self-awareness. The play’s enduring power comes from its straightforward telling of the human story — our aspirations and disappointments and how we deal with them. There is something in it for almost everyone to relate to.

In his book The 5 Essentials: Using Your Inborn Resources to Create a Fulfilling Life, anthropologist-turned-entrepreneur Bob Deutsch describes the importance of what he calls “self-story”:

There is much to be learned from the lessons that fictional characters and their creators teach us… All of our lives have stretches filled with the rising and falling action of a well-plotted story… The best fiction writers capture the core of that.  Our most enduring stories and novels live in our hearts because they distill our essences.

I recently read an exceptionally thoughtful but accessible book on wine — The Essential Scratch and Sniff Guide to Becoming a Wine Expert, by Richard Betts.  Richard is one of fewer than 200 master wine sommeliers in the world, but instead of speaking of wine in professorial tones he conveys the simple message that nearly every wine’s attributes can be summed up by three things — fruit (red fruit or black), wood (oaky or not), and earth (soil, floral, or “funk”).  I’m a longtime wine enthusiast, and this was the first time I’d read a book on the subject that so simply distilled how to think through the smell and flavor of a wine. It made the subject much more accessible, understandable, and enjoyable by bringing structure and and common language to something elusive.  Betts’ book is now one of my favorite gift books, and a go-to reference alongside my Robert Parker wine guides.

In my day job as a venture capitalist, I also look for stories I can connect to — in this case the human stories behind the entrepreneurs who are looking for investors.  Often the more important questions to ask are things such as, How did this person grow up? What were their past successes and struggles? Why is it that they really want to pursue this big idea? What is their underlying purpose?  The answers to these types of questions are what often determine whether we will back an entrepreneur or not. It’s not the facts of the presentation that matter most, it’s the person and the way that person shares his or her story and how that fits with our fund’s objectives. Heart, guts, and the ability to connect are critical in the early stages of company creation and beyond. The durability or effectiveness of any leadership or partnership requires this ability to connect and share a story — people need to just feel it.

Last week, Amazon founder and CEO Jeff Bezos released his annual letter to shareholders. As is the case every year, it is a tour de force of ideas and initiatives about the customer experience (Amazon Prime), disruptive technology (Fire TV), fast-growing product initiatives (Amazon Web Services), and strategic consistency. (As he does every year, Bezos attached his first letter to shareholders from back in 1997 to underscore the company’s long-term commitments.)

Still, for all these big, cutting-edge innovations, it was a small, pre-existing idea, something that Amazon borrowed from one its subsidiaries, that generated the most public attention. Bezos’s letter unveiled his well-named Pay to Quit program, in which the company offers fulfillment-center employees one-time payments to leave Amazon. Each employee gets the offer once a year. The first time, it’s for $2,000. The offer increases by $1,000 each year after that up to a maximum of $5,000.

If Pay to Quit sounds familiar, there’s a reason. The idea was invented several years ago at Zappos, the online retailer based in Las Vegas that has become iconic for its zeal about customer service. Tony Hsieh and his colleagues call their program The Offer, and it’s made as new recruits experience the company’s deep-dive training program. The Offer, which applies to all new Zappos employees, not just front-line service people, started at $100, went to $500, then $1,000, and now stands at one-month’s salary. Amazon bought Zappos back in 2009, and now Jeff Bezos is shipping some of this upstart’s ideas into his behemoth organization.

So what to make of this pay-to-quit boomlet? Why are high-profile innovators like Tony Hsieh and Jeff Bezos making it easy, even attractive, for employees they worked hard to recruit to leave their companies and move on to the next thing?

The first (and most obvious) answer is that unhappy people make for unsuccessful companies. As Bezos notes in his letter, “In the long run, an employee staying somewhere they don’t want to be isn’t healthy for the employee or the company.” This is not, it should be stressed, an indictment of the organization or people who choose to leave. Great companies are great precisely because they stand for something special, different, distinctive. That means, almost by definition, that they are not for everybody. It takes a certain personality type to thrive in the extroverted, almost theatrical, culture of Zappos, or the driven, no-nonsense culture at Amazon. If there isn’t the right fit, it makes perfect sense to quit.

But the more valuable role of these offers may be their impact on the employees who choose to stay. Once a year at Amazon, front-line employees, whose jobs are anything but glamorous, get a chance to sit back, reflect, and choose whether to re-commit to the company and their colleagues. In a sense, Pay to Quit is an annual performance review of the company by its employees: Can I imagine not working in this department, with these people, for this company? It is they who are making the call, they who are choosing not to take the money and run — which creates a deeper sense of engagement and affiliation.

Who can forget the memorable scene in The Godfather, when Michael Corleone explains to his older brother, “It’s not personal, Sonny. It’s strictly business.” (The Corleone’s, of course, had different techniques for persuading colleagues to, ahem, leave the organization.)  The spirit of enterprise today, the energy that makes great companies tick, is precisely the opposite of that much-quoted piece of management wisdom.

Work is personal. That’s the driving force behind the truly great companies I’ve gotten to know, an unshakable sense that a company’s capacity to create economic value for its customers connects directly to its ability to create a sense of meaning and camaraderie for its people at every level of the organization.

And that, I’d argue, is the real takeaway of these programs for leaders in other companies, whether they choose to implement some version of them or not. With all the threats and challenges and competitors in the world, so many of the business leaders I meet focus on the age-old question: What keeps you up at night? What are the problems and worries that nag at you? But the much more powerful question, especially for people on the front-lines of business is: What gets you up in the morning? What keeps everyone more committed than ever, more engaged than ever, more excited than ever, even as the competitive environment gets tougher than ever?

Sure, the most successful innovators think differently from everyone else — Hsieh and Bezos personify that mindset. But the most successful companies care more than everyone else — about customers, about colleagues, about how the organization conducts itself in a world with endless opportunities to cut corners and compromise on values.  You can’t be special, distinctive, compelling in the marketplace unless you’ve built something special, distinctive, compelling in the workplace. Your strategy is your culture, your culture is your strategy.

Here are the questions that matter: How engaged are people at every level of the organization in the company and their work — how personally do they take things? How much money would it take to persuade them to leave the organization? And, in the spirit of The Godfather, what are you doing to make sure Pay to Quit is an offer they can refuse?

One week later, and the Heartbleed Bug news cycle is winding down without any known reports of catastrophic damage. A case of security wonks crying wolf? No, says cryptographer and security expert Bruce Schneier, who is known for measured, thoughtful responses to vulnerabilities and called this one “catastrophic.” HBR spoke with Schneier about what he considers the surprisingly effective response to Heartbleed, how difficult security is because of humans, and why he’s happy Heartbleed wasn’t discovered in the near future, when the Internet of Things will make it much more difficult to fix bugs.

You’re not known for hyperbole, but on your blog you called Heartbleed ‘catastrophic’ and said that on a scale of 1 to 10, it’s an 11. What makes it so bad?

Heartbleed is a vulnerability that affected an enormous number of servers on the Internet, and affected them in unpredictable but potentially disastrous ways. Turning the vulnerability into viable attack code was trivial — a few lines of scripting code is all you need — and could be executed without leaving a trace. Stealing the SSL key of a site is an enormous deal, and one that affects all of the site’s users. Fixing it was hard, and required multiple steps and coordination between people. In that way, the fix was both technical and procedural. Basically, it was so bad because there was so much uncertainty. We didn’t even know how to quantify the risk.

Has anything changed in your opinion about how bad it is?

Yes and no. One site suggested it may not be as easy to get private SSL keys as we thought, which would make it less dire. And the process of patching the vulnerability and regenerating keys and certificates is going smoother than anticipated. But we’re finding the vulnerability in unpatchable hardware systems, and we haven’t yet seen how criminals have taken advantage of this.

It appears that the introduction of this bug into the OpenSSL encryption system was an honest mistake. Can we afford to have honest mistakes when coding encryption?

Unfortunately, everything will always have the risk of mistakes. People are fallible, and everything we do involves people.

But we ought to come as close as we can to eliminating such mistakes. When websites say they are secure, what can we expect that to mean?

We can expect it to be more marketing than anything else. Secure isn’t an on-off binary property. It’s relative and situational. I feel secure in my home, even though it’s vulnerable. I feel secure on airplanes, even though they occasionally crash. Websites are no different.

Do people understand this risk the way they do those others? Are they aware of the hazards of being so ubiquitously connected?

People definitely don’t understand SSL and what it does and does not protect. But, in general, Internet security is pretty good. The Internet is surprisingly safe. We’re able to work and play on the Internet without many problems. Of course there’s a lot of cybercrime, but it’s minor.

The social Internet seems like the perfect medium to create overreaction and hysteria about a bug like this. Surprisingly it hasn’t happened. It has all felt rather orderly and measured. Why is that?

We in the security community are generally terrible about communicating information about vulnerabilities to the general public. Heartbleed has been an exception; the researchers did an excellent job explaining the problem and the fix. They had a slick and informative website. And they gave the vulnerability a cool name and a logo. That logo worked; all the news outlets used it, and it gave people a visual reminder of the story. It created broad awareness in a smart way.

In other words, it was branded.

Yes. There’s a risk that we’re going to be accused of “crying wolf.” If there isn’t blood on the streets or planes colliding in midair, people are going to wonder what all the fuss was about — like Y2K. If you slap logos on every vulnerability, people will ignore them and distrust your motives. But it’s like storms. The bad ones get names for a reason.

What else are we learning from Heartbleed?

We’ve learned how hard the human aspects of a security system are to coordinate. We’re learning that we don’t have the infrastructure necessary to quickly revoke millions of certificates and issue new ones. We’re learning that some of our critical open-source software is maintained by volunteers who have busy lives, and that often no one else is evaluating that software’s security. We’re learning how complicated the process of disclosing a vulnerability of this magnitude is. Some larger companies got advance warning so they could fix their sites. Those that didn’t get advanced warning are understandably annoyed, but if everyone gets advance warning then it isn’t advance warning anymore. We’re learning how difficult it is to build security involving people.

On a distributed system like the Internet, how can we ensure near-total eradication of vulnerable systems?

We can’t, but we can monitor progress. We can scan the entire Internet and compile a list of vulnerable sites in less than half an hour. Many groups are doing this, and we’re learning that most sites have patched and re-secured their systems. I worry less about them, and more about the embedded systems — like cable modems and routers — that don’t have a means of upgrading. With devices like those, fixing the vulnerability involves a trash can, a credit card, and a trip to the computer store.

Beyond cable modems and routers, there’s the Internet of Things. Should we be thinking about Heartbleed in the context of that phenomenon?

Yes. I recently wrote an essay that talked about the difficulty of securing all of the low-cost embedded computer systems that are going to become common in our lives over the next few years. These are devices that are made cheaply with very low margins, and the companies that make them don’t have the expertise to secure them. Heartbleed would have been much worse in a world of Internet enabled thermostats, refrigerators, cars, and everything else, and that’s the world we’re headed toward.

It sounds like we’re going to need some way to classify infrastructure as critical and non-critical. Or we’ll need to license the people who are allowed to tinker with critical code like OpenSSL? Are we moving toward a more deeply regulated environment? Should we be?

A lot of our critical computer infrastructure is in private hands, both corporate and community. There’s value in having regulations surrounding this code, but there are risks as well. Better is to build resilient systems that are better able to survive things like Heartbleed. And remember, this is a singular event. It’s not like this kind of thing has been happening every month, or even every year. This is the worst vulnerability the Internet has had to weather in a long time.

When you hear that OpenSSL, which is considered critical infrastructure, is being developed by four underfunded developers, are you surprised? Should we be shocked to know that this critical piece of security is an economically challenged, somewhat neglected coding project?

Yes, it was surprising. And again, this is where resilience is important. It’s going to be a long time before we are sophisticated enough to prevent these kind of vulnerabilities. We need to learn how to thrive despite them.

What attracts top talent? Is it great benefits, flexible hours, steep pay packages, or state-of-the-art training? New research suggests it’s something simpler – but more difficult to obtain.

Prestige.

The status of a firm is quite possibly the leading driver in attracting the best of the best, at least in investment banking, according to a paper recently accepted by the Strategic Management Journal. Matthew Bidwell, an assistant professor at Wharton, and his colleagues wanted to better understand how something not-so-concrete like reputation stacks up against more tangible enticements. And, in particular, they wanted to find out whether the ability to offer more money is really a competitive advantage. Investment banking in particular offered a good testing ground for these questions because there’s a clear hierarchy of firms, and because a firm’s place in that pecking order is readily quantifiable via surveys on websites like Vault.com.

The researchers found that business school graduates “who had won more awards or graduated with honors took jobs at higher status firms,” supporting their hypothesis that top talent flocks to firms with better reputations. And when they polled current MBA students applying to work at investment banks, “the extent to which firm reputation would help with future employability” was ranked as their most important decision-making factor.

Because of this, high salaries aren’t a competitive advantage, at least at first. “You get the best people, and you don’t have to pay as much as you should early on because they want the stamp of ‘Goldman Sachs,’” Bidwell told me. Employees also want to work with other top talent, which helps when it comes to building strong networks. “When people are thinking about jobs, it isn’t benefits, flex time, or pay,” said Bidwell. “It’s how it will position you for the next step of your career.”

But when Bidwell and his co-authors took a long view of how people choose and then manage their careers over time, a couple of interesting things started to happen. First, they found that the benefits of working for a high status firm don’t take hold until about five years in. And in general, people at top firms wind up seeing those benefits, via more money or better jobs elsewhere. Indeed, the researchers found that that “an employer whose status is ten units higher (e.g. Goldman Sachs vs. Vanguard) pays about 15 percent more for employees at the VP level.” There’s no significant pay difference for new MBAs — Goldman essentially gets better talent for the same price. “In the early stages of your career, positioning yourself for later is important,” Bidwell says. “Subsequently, it’s not – you’re good, and you want to see the benefits.”

Second, and perhaps more importantly, status and reputation start to become the very reason great people leave places like Goldman Sachs – by design. “There’s an increasing tension,” Bidwell told me. “These companies are attractive to join because they’re attractive to leave.” They effectively make a person’s next career step more valuable, and there’s never a shortage of new grads willing to step in to continue the cycle.

For investment banking, Bidwell says, this system works pretty well. “You bring in people young, you don’t pay them much, and you get a lot of value out of them. At the same time, you don’t want everyone to be managing director.” But he cautions that reputation as a hiring advantage might work very differently across other industries and organizations that actually want to retain great employees. And there’s also the sticky problem of how a company develops a high-status reputation in the first place: “The reason why status creates advantage is that it’s very hard to get.”

But in a lot of ways, Bidwell’s findings illuminate the need for strong alumni programs like McKinsey’s, and calls for what LinkedIn CEO Reid Hoffman calls the new employer-employee compact – in which employees invest in the company’s adaptability, and the company invests in employees’ employability. Indeed, a Knowledge@Wharton article about this research notes that firms might look for ways to help advance workers’ careers as a way of being more competitive in the labor market.

And while Bidwell notes that status-as-competitive-advantage might work well for other industries in which a firm’s status is clear, those companies pining for Facebook’s reputation might be at a loss, and not just because status is hard to obtain. Technology companies, in fact, may be the most prominent example of when reputation has a whole different meaning: status doesn’t necessarily flow from size, or novelty, or any other easy-to-predict variable. “Do you want to work for Google and Apple because they’re at the top of the tree,” Bidwell asks in Knowledge@Wharton. “Or is it actually better to go work for a really cool start-up?”

Even in investment banking, where the pecking order of prestige and the benefits of status are clear, young MBAs won’t accrue those benefits if they don’t remain with that elite company for at least five years. In an industry not known for happy employees or good work-life balance, that may be longer than most want to pay their dues.

Most companies will tell you they want to hire and retain “A players”, and why not? It’s hard to object to building a company around the best possible talent. But what is it about superstar talent that actually improves performance? A recent paper from the National Bureau of Economic Research examines this question by looking at academic departments, where productivity can be measured in terms of papers published and citations from other researchers. Superstars were defined as academics who ranked above the 90th percentile based on citation-weighted publications. The paper points to three different ways that superstars can improve an organization, and measures the magnitude of each in the context of academic evolutionary biology departments. The first, and most obvious, is the direct increase in output that a superstar can have. Hire someone who can get a lot of great work done quickly and your organization will by definition be producing more great work. But, perhaps surprisingly, this represents only a small fraction of the change that superstars have on output. The authors write:

On average, department-level output increases by 54% after the arrival of a star. A significant fraction of the star effect is indirect: after removing the direct contribution of the star, department level output still increases by 48%.

Some of that remaining increase stems from the fact that departments hiring superstars tend to be growing. Even so, output per researcher also increases substantially, well beyond the added output that the superstar adds herself. So if the superstar isn’t responsible for the organization’s increase in productivity directly, what is? The paper looked at two different explanations: that the superstar makes her colleagues more productive, and that she helps the organization recruit better talent going forward.

The researchers found that the superstar’s impact on recruiting was far and away the more significant driver of improved organizational productivity. Starting just one year after the superstar joins the department, the average quality of those who join the department at all levels increases significantly. As for the impact of a superstar on existing colleagues, the findings are more mixed. Incumbents who work on topics related to those the superstar focused on saw their output increase, but incumbents whose work was unrelated became slightly less productive. (This latter effect was too small to be statistically significant, and the authors posit that allocation of resources toward the areas the superstar works on could explain it.)

“Additional research is required to have confidence in generalizations, but there are reasons to suspect that the broad findings are not unique to academic science,” said Ajay Agrawal, professor of entrepreneurship at the University of Toronto and one of the paper’s authors. He pointed to the research on clustering, whereby the geographic concentration of talented individuals and firms in a sector increases the productivity of those participants, as consistent with the idea that talented workers can have measurable indirect effects on those around them.

Nonetheless, he suggested, the effect of superstars likely varies across and even within industries, and previous research has demonstrated that superstars do vary in how much they help their colleagues.

While generalizing these results to a particular industry or firm is unwise, the research nonetheless provides a framework for firms to think about hiring top talent. The direct benefits of a superstar can be substantial, but it’s also important to consider how the hire will effect other employees’ productivity. Not all superstars are equal in this regard, so look for someone who’s likely to up the game of those around her. Finally, it’s critical to consider the impact the hire might have on recruitment. In at least some cases, the biggest effect of hiring a superstar is who it allows you to hire next.