Kanban for Infrastructure & Security Teams

I work at IGS Energy in Dublin, Ohio. My team and I are responsible for Information Security, Network Engineering, Systems Administration, Telecommunications and Technology Support. We work in a fast-paced environment with frequently changing priorities and deadlines. A few weeks ago, I set a goal to improve and streamline our project communication/collaboration.

We work in a department comprised of several agile development teams. From the moment I started at IGS, I was very impressed with the open and transparent communication involved with running an agile team. In the back of my mind, I always wondered if I could make that work for the Infrastructure & Security teams at IGS. Our team already held daily stand up meetings and worked very closely with the development groups. Could we take it a step further?

We ended up attempting to leverage agile for an Infrastructure-related project. The goal of the project was to replace the portion of our network that is leveraged by our end-users. Unfortunately, we struggled to leverage agile for this project. We found that the work didn’t always fit into standard delivery time slots and often had to be delivered continuously due to inconsistent maintenance windows, etc. We also found that we had to frequently change the schedule to allow us to occasionally focus on daily maintenance and keeping the lights on. Finally, we noticed that attempting iterative delivery of this specific infrastructure project was actually hindering the user experience and negatively impacting the goals of the project.

We ended up trying other methods of project delivery and communication. Everything from sending email status updates to holding individual project meetings. We even tried using Microsoft Teams to document status updates. These solutions were good but we wanted something great.

We really just needed a few things:

  • Open/transparent communication
  • Continuous delivery
  • Clearly articulated priorities

I ended up asking friends and colleagues for advice. I reached out to App Dev Managers, Business Analysts, Infrastructure Leaders and even our VP of IT. I ended up getting some great advice that lead me to the Kanban Methodology. I ended up doing some research and found that several Infrastructure & Operations teams had successfully implemented this form of project flow.

I ended up deciding that it’s worthwhile for us to test out Kanban and see if it works for us. At that point, we had to make a few decisions. Should we have a physical or virtual Kanban board? It made a lot of sense for us to use a virtual board but we still had to decide what product to use. Our organization already had subscriptions to Jira and Office 365 which both offered tools for virtual Kanban boards. However, a member of the team was already using Meistertask and after exploring the UI, we decided to give that a shot.

We ended up starting out with 5 categories:

  • Backlog – Tasks that haven’t been assigned. I was given some great advice to purge items from this category if they remain dormant for an extended period of time. If they’re dormant for that long, clearly they aren’t a priority. An extended backlog of tasks that are never prioritized could turn the board into a source of anxiety.
  • Hold/Blocked – Tasks that have been assigned but can’t be completed at this time. This could be as simple as a task being contingent on the completion of another task.
  • Work In Process (WIP) – Active tasks. Our goal is to limit the amount of WIP to items that can be focused on at that point in time.
  • Validate – Tasks that are being tested.
  • Complete – Completed tasks. It’s important that we take time to recognize these items and celebrate success.

After discussing this with the team, there were a few questions that ended up causing us to make a few adjustments to the process. For example, he team already receives a high volume of requests/tasks through ServiceNow. Should all of those flow through Kanban as well? We made the decision that only items that will take more than 3 business days will be added to the Kanban board.

The team also discussed who could actually create items for the Kanban board. It’s important that we had a clear sense of priorities and didn’t introduce too many cooks in the kitchen. We decided to add an extra category for “brainstorming”. This is an area that anyone on the team can add an item to. During our weekly project review meeting, we will discuss all open brainstorming tasks and decide whether or not they are added to the backlog.

We plan on communicating the status of our tasks during Daily Stand Up Meetings, Weekly Status Meetings, and a Monthly Retro. During our retro, we will review what went well, what we could have done better and what our next steps are. We will also hold retros for any unplanned downtime.

I’m looking forward to seeing how this works out. Have you implemented Kanban for an Infrastructure or Operations team? If so, let me know how it went!

Why I believe in i.c.stars

After finishing grad school in 2015, I had a strong urge to volunteer. I wanted to make an impact. Unfortunately, I didn’t quite know how to devote my time. Should I go to a soup kitchen? Meals on wheels? I reached out to Jen Bowden (Director of Community Investment at IGS) and she gave me some wonderful advice. She told me to find a problem that I was passionate about fixing.

The more and more I thought about it, I was frustrated by the unnecessary barrier that was preventing talented individuals from entering the IT workforce. I was fortunate enough to have an opportunity to invest time and money into receiving a formal education at Ohio University. My formal education served as a great way to demonstrate my work ethic and desire to learn. It ultimately got my foot in the door of a great company and helped kick-start my career. In my mind, there had to be a way to help less fortunate individuals demonstrate those same capabilities while gaining some practical experience. After all, I learned more about business working at our family-owned shoe store in High School than I did receiving a Minor in Business Administration.

Rather than sit back and complain, I decided to try and fix the problem from the inside. I started teaching classes at Franklin University. As much as I loved helping the students, it wasn’t enough. I wanted to do more to remove the barrier preventing talented individuals from entering the IT workforce.

Fast forward a few months and the aforementioned Director of Community Investment at IGS introduced me to Ryan Frederick. Ryan spoke to us about a program that had started in Chicago called i.c.stars. The program identifies, trains and jump-starts technology careers for low-income young adults who, although lacking access to education and employment, demonstrate extraordinary potential for success in the business world and for impact in their communities. Candidates that enroll in the i.c.stars immerse themselves in the program. They go through a 4 month training cycle and spend 60+ hours a week working on a real project for organizations.

The numbers from the original office in Chicago speak for themselves…

  • 300+ total alumni
  • 95% initial placement rate
  • $9,915 average annual earnings before the program
  • $57,240 average annual earnings 30 months after program completion

Honestly, even after seeing those statistics, I was skeptical. I didn’t think that i.c.stars could prepare individuals with little-to-no technical experience for a career as a Business Analyst, Project Manager, QA Analyst or Developer in 4 short months while also managing to deliver a working product. The team at IGS decided to serve as the first project sponsor for i.c.stars Columbus. We saw a partnership with i.c.stars as an opportunity to give back to our community and change lives for the better.

The i.c.stars group was split into several teams that worked to build IGS a dashboard to display information about our EDI transactions. I can definitively say after serving as the organization’s first project sponsor that I had no reason to be skeptical. I am still amazed by the growth that I witnessed during the initial 4 month program.

If you’re interested in learning more about i.c.stars, contact me and I will introduce you to some of their awesome team members. In fact, along with Josh Miller (Training Manager at i.c.stars), I’m establishing a Mentorship Committee at i.c.stars in an effort to help recruit candidates around Columbus to help mentor future classes. We’re looking for folks with experience in Software Development, Database Administration, Business Intelligence, Engineering, Project Management, Leadership, Information Security, IT Infrastructure, QA Testing or Technical Support. The time commitment to mentor could be as much or as little as someone is willing to contribute. If you’re interested in joining the committee and helping recruit mentors for the organization, please let me know. Also, click here if you’re able to spend some time serving as a mentor.

Protecting Yourself From WannaCry Ransomware

Over the last few weeks, I’ve had a few friends ask me for advice related to the recent WannaCry Ransomware attacks. For those of you not familiar with Ransomware, it is a type of a computer virus that restricts access to a system until a sum of money is paid to the attacker. WannaCry is a dangerous variant of Ransomware because it is designed to spread very quickly throughout corporate and private networks. At the height of the WannaCry Ransomware infection, it crippled organizations ranging from auto manufacturers to hospitals.

Unfortunately, this virus has affected consumers as well. People all over the world have lost access to their most prized digital assets including family photos and videos. My advice to the average consumer about Ransomware really boils down to three basic concepts. You need to take steps to make sure that you’re able to prevent, detect and respond to Ransomware. Fortunately, you can take the necessary steps without a ton of effort or financial investment.

Obviously, it would be ideal if you could just prevent Ransomware from infecting your computers. Preventing a computer virus starts with being vigilant. Most infections of WannaCry began with a simple phishing email. It’s very important that you exercise caution when opening emails from unknown senders. Also, be sure to look for the signs of a phishing attempt.

I’m sure at some point you’ve had to respond to an annoying message asking whether or not you want to install a software update. I’ll be the first to admit these tend to happen at the most inconvenient time. Most of the time you don’t even notice a difference after these updates are installed. However, these updates often contain important security fixes and should be installed on a regular basis. In fact, installing one of these updates for Microsoft Windows would have drastically reduced the likelihood that your computer would have been infected with the WannaCry Ransomware.

Another way of preventing a Ransomware attack is to leverage Antivirus. It’s important to note that installing Antivirus won’t guarantee that you’ll be protected from malware. However, it will likely protect you from a majority of potential Ransomware infections. Also, with effective and free Antivirus solutions from companies like Sophos, there’s no excuse not to have Antivirus installed on your PC/Mac.

Normally, you need to take special steps to ensure that you’re able to detect that your computer has a virus. The main difference with Ransomware is you’re almost always aware when it happens. This is because attackers typically display a large message on your computer screen indicating that your files have been locked along with instructions for payment. However, behavior-based Antivirus software can be effective in notifying you that it has detected a Ransomware infection before a majority of your files have been locked/encrypted.

It’s important to prepare yourself for the likelihood that all of your methods of detection and prevention will fail. Even if you have Antivirus installed and are extremely cautions when opening emails, you can still end up with a Ransomware infection. There are a few steps you can take to make sure that you’ll be able to recover from the attack. The most step is implementing automated cloud-based backups.

As I mentioned previously, even the best defenses can eventually fail. Despite the best efforts and intentions, you might discover that your most important files have been encrypted. This is why it’s important to have some form of automated cloud computer backups. By using a backup service like Carbonite, you will be able to recover your files from the backup provider without paying a ransom to the attacker that encrypted them. Also, cloud-based storage providers such as Dropbox provide easy mechanisms to recover your files in the event they become encrypted by Ransomware.

If you find out that one of your computers has been infected by Ransomware, do everything you can to avoid making the payment. Making the payment will likely just put a bigger target on your back and it will become that much more likely that you’ll be targeted again. If you find yourself in a situation where your files are encrypted without a backup, you can attempt to leverage a 3rd party tool to decrypt/unlock the data. However, there is no guarantee that a decryption tool will exist for the particular Ransomware variant that you have.

  • Just to summarize…
    • Exercise caution when opening emails from unknown senders
    • Make sure that you have automated cloud backups using a service such as Carbonite
    • Verify that an updated version of Antivirus is installed on your computers
    • Install security updates on a regular basis
    • Do everything you can to avoid making the Ransomware payment

3 Recommended Entry-level IT Certifications

I’ve spent a lot on a formal education at Ohio University. However, it seems to be my industry certifications from Microsoft and VMware that get noticed by recruiters and hiring managers. My certifications were obtained for just a few hundred dollars in examination fees. I was able to prepare for these exams using free materials from the vendor.

It’s always a great thing to have a respected vendor’s logo on your resume/LinkedIn profile. If you’re looking to kick-start your IT career, I highly recommend checking out the certifications that I’ve listed below. I selected each of them based on their low-exam cost and availability of free training materials.



My advice on starting a career in IT

I’ve had several people reach out to me over the last few months asking for advice on how to land their first job in IT. Several of these individuals do not have any formal IT education, training or experience. I decided to consolidate some of the advice that I’ve given on securing an IT job over the last few months into a blog post.

I was very fortunate to have had a 3rd grade teacher (Mr. Fouts) that exposed me to personal computers before they were personal. Mr. Fouts and another teacher set up a Wildcat! BBS server at our Elementary School. From the moment I first remotely connected the BBS system, I was hooked. I was also very lucky to have had an older Brother and two Grandfathers that encouraged my passion for technology. I don’t know when I decided on a career in IT but I also don’t recall ever considering anything else.

I graduated college in June 0f 2008. This was just a few months after the collapse of Bear Stearns. Even with a degree in Information and Telecommunication Systems, I really struggled to find a job. At one point, I had applied to over 100 positions and only been granted a handful of interviews. Finally, I accepted an internship at a local hospital where my primary focus was loading pre-configured images onto desktops/laptops.

The experience of struggling to find an entry-level position in IT helped shape my career in a positive way. I learned that obtaining an education isn’t enough and that I needed to obtain some relevant experience and marketable skills. I quickly found out you often have to make sacrifices to obtain the aforementioned skills and experience. This could mean taking a position with less pay in an effort to learn more about a piece of technology. I also learned the importance of discovering your passion within IT. In my case, I realized that I enjoyed IT Infrastructure and Information Security while serving as an Intern.

When my friends and family members ask me about obtaining positions in IT, I always ask them to be a little more specific. I eventually ask them what area of IT they want to focus on. If they actually have an answer, I try to validate what drove them to that conclusion. If they can’t answer that question, I instruct them to find an answer before going through the steps to seek an entry-level position. If not, they run the risk of committing to a field that they hate. I really recommend performing this task before committing to obtaining a degree (or at least in parallel while obtaining a degree).

How can you find out what area of IT you’re interested in without committing? I’d recommend attempting to find a job shadowing/internship opportunity. If you don’t know anyone who can help secure the internship or shadowing opportunity, start reaching out to individuals on LinkedIn. You’d be surprised how many people are willing to help. Plus, I can’t stress enough how important it is to build out your personal network at the early stages of your career. As my Father always told me…”It’s not just what you know but who you know.”

If you’re still convinced a specific part of IT is for you after completing Internships and/or Job Shadowing, then it’s time to focus on gaining additional experience/knowledge. This is the point in your career transition where you may want to consider obtaining a vendor certificate and/or formal education. You may be fortunate enough that your internship and/or job shadowing leads to a full-time position. If not, don’t get discouraged. Keep reaching out to your connections and applying to as many entry-level roles as you can find. As I mentioned earlier, I applied to almost 100 entry-level positions early in my career before finally being hired.

When it comes time to selecting your first entry-level position, I highly recommend starting at a small or medium sized business. This will allow you to gain a wider range of skills. For example, my first real role in IT was working on the Help Desk at a smaller organization. The small size of the team/company allowed me to begin working on the organization’s servers and networks within a few months. I can definitively state that I wouldn’t be where I am in my career without this first position.

Unfortunately, obtaining industry experience in a new field or area of expertise often requires taking a step back financially. This can be a tough pill to swallow but the experienced gained in an entry-level position is invaluable. I tend to tell people to imagine as if they’re being paid to go to school and learn about the specific area of technology.

In short, take the time to find the right fit. Don’t invest too much time or money into exploring a career path without validating that it’s the right role for you. Also, don’t underestimate the importance of building your personal network.


IT Career Advice For College Students

I recently completed my first term as an Adjunct Professor. It was important to me that I shared some “real-world” advice with the students before the start of their careers. So, I asked some of my colleagues at IGS if they had any words of wisdom to share with my students and I presented their answers on the first day of class. Here are a few of their responses…

  • You should always treat your customers (or people who need your help) as if you’re a customer of theirs; in other words, when you get asked to do something, it may seem insignificant to you compared to other things you’re doing, but your efforts may have downstream impacts that aren’t apparent to you. Your time might translate to something very significant to someone else.
  • Looking back, nothing was more instrumental to my success than an internship. Applying what you learn in class to real world problems takes your learning to the next level. In the three months of my internship, my skills grew at an exponential rate. I made lifelong friends, I learned about new technologies, and I learned how Information Technology can support and even drive the business.
  • “Do not sacrifice theoretical learning for implementation centric learning, and vice versa. They are both duals of each other, and not at odds with each other. If you sacrifice theory, it will deprive you of a much needed analytical framework to rigorously scrutinize the complexity of algorithms. If you sacrifice implementation, you might as well be a math major specializing in discrete math. Likewise, do not sacrifice depth for breadth or vice versa.”
  • Focus on people and learn your business/industry. The technology will come naturally.
  • Always tell the truth. The cover-up is worse than the crime.
  • If you focus on automating yourself out of a job, you’ll never have to look for employment.
  • You’re going to cause an outage. Learn from your mistakes and don’t repeat them.

My encounter with an IRS scammer

For those of you that don’t know, phishing is the activity of defrauding an online account holder of financial information by posing as a legitimate company. Last year, I almost fell for a phishing attempt by someone claiming to be an IRS employee.

I’ve held a variety of roles in Information Security and you’d think I would try to hide the fact that I almost fell for a phone-based scam. However, I think my story can help others so I’ve decided to share it on my blog. Also, it’s not like I’m the only IT Security professional to almost fall for a phishing attempt. Chris Hadnagy literally wrote the book on Social Engineering/Phishing and has been tricked by a an Amazon phish.


At the time I first was contacted by a fake IRS employee, I was in the middle of a legitimate dispute with the IRS over a tuition deduction from a few years prior. I working from home and randomly received a call from a number in Cincinnati from someone claiming to be an IRS employee. I knew that the IRS had an office in Cincinnati and despite the fact that all of my prior correspondence related to my aforementioned dispute had been written, I didn’t think it was out of the realm of possibility that someone from the IRS would call me.

The “employee” began the call by stating that I was going to be taken to court over unpaid taxes. The caller gave me a case number and knew enough about the inner workings of the IRS to sound legitimate. It didn’t make any sense to me why I would suddenly be taken to court when my last document submission was mailed several months before the stated deadline. This should have been my first clue that the call was not legitimate. Unfortunately, due to the fact I was actually worried about my legitimate issue with the IRS, my guard was down.

I was obviously distraught at this point. If my dispute went to court, I would possibly spend more on legal fees and accountants than I actually owed to the IRS. Even though I knew I did nothing wrong, the idea of a settlement went through my head while the caller discussed the issues. However, I wanted to make sure that my accountant was involved in the final decision.

The “employee” let me know that I could avoid court and the associated fees by simply settling over the phone. It was if they could read my mind. I let them know that I wanted to consult my accountant and a few family members with deeper knowledge of tax law before making a final decision. The caller started to get very impatient at this point.

I started to get more of a sense that this call was fake. I eventually asked the “employee” to provide me with a publicly posted phone number for their office. I wanted to call a validated phone number to confirm that I was speaking with an actual IRS employee. I felt that this was a completely reasonable request.

The scammer became enraged, they told me that if I hung up the phone that they would issue an arrest warrant. They demanded that I drive straight to the bank while leaving them on speaker phone. They wanted me to wire them money to a specific account. I was now 100% confident that I was being phished.

If this ever happens to you, this is the point where you should just hang up and report the incident. However, I decided to have a little fun. I decided to keep the scammer on the phone for around 30 minutes while I “drove” to the bank to wire them the money. In reality, I was just sitting at my desk listening to music and catching up on email. I asked them for the account number and routing number so I could “wire” them the money. Armed with that information, I placed the scammer on hold and called the Ohio Attorney General’s office. I filled out a form to inform the IRS as well.

After providing the Ohio Attorney General’s Office and IRS with the details, I hung up on the scammer. They called me back about a dozen times in rapid succession before moving on to their next attempted victim. I’m now almost certain this fraud attempt originated from India where dozens of people were arrested for operating entire call centers filled with fake IRS agents. A few weeks later, I received a letter from the IRS stating that my dispute had been resolved based on the documentation that I provided and I no longer owed any money.

Lessons Learned:

  • The IRS has an entire webpage devoted to validating communications received by their employees. The page also has information for reporting phishing attempts.
  • The IRS will never
    • Call to demand immediate payment, nor will they call about taxes owed without first having mailed a bill.
    • Demand that you pay taxes without giving you the opportunity to question or appeal the amount they say you owe.
    • Require you to use a specific payment method for your taxes, such as a prepaid debit card.
    • Ask for credit or debit card numbers over the phone.
    • Threaten to bring in local police or other law-enforcement groups to have you arrested for not paying.

My Thoughts On IT Certifications

A few days ago, a former colleague asked me about IT certifications. They’re at a bit of a career crossroads and wanted to know whether or not I thought obtaining a certificate was worth the investment of time and money. Given their circumstances, I told them that I thought it would be worthwhile for them to learn about a specific piece of technology and take an exam. However, I was sure to specify that obtaining an IT certification won’t necessarily guarantee that they’ll get that big promotion or secure their dream job.

It’s important to note that every hiring manager is different. As a hiring manager myself, I personally don’t hold a whole lot of stock in certifications. I’ve had coworkers with a half-dozen certifications that were very unreliable when it came to implementation and troubleshooting. I have also worked with some extremely talented individuals that don’t hold a single certification. There isn’t necessarily a correlation between a cert and success.

Don’t get me wrong, there are definitely benefits to obtaining IT certifications. In fact, some organizations won’t consider candidates without relevant certs. During my most recent job search, I ended up getting more questions about my certs from VMware and Microsoft than I did about my Master’s degree. I’m positive that those little vendor logos went a long way to get my resume past HR and to the hiring manager. However, that’s only half of the battle when attempting to secure a position.

Certifications aren’t ever going to be a silver bullet. At some point, you’ll need to rely on your reputation and industry experience to advance your career. That being said, certifications won’t hurt you. They can expose you to technology that you may not get a chance to interact with on a daily basis. Every circumstance is different but if you’re looking to gain exposure to a new area of technology or feeling a bit stale, obtaining a vendor certification is the way to go.


Lessons Learned During My First Term As An Adjunct Professor

This fall, I taught my first undergraduate course. The class was an overview of Network Engineering and covered everything from the OSI model to DNS best practices. Despite a few hurdles, the students all passed the course and I really got a sense that a majority of them learned a lot in the process. As someone who struggled academically high school, the successful completion of my first college course as an Adjunct Professor felt like quite an accomplishment. My confidence was through the roof until a student informed me that they decided against a career in Network Engineering after taking my course.

At first, I was crushed. This student received an A and was very engaged throughout the course. I assumed this meant that I failed my first attempt at teaching. I suddenly began second-guessing the lecture material and lab content. I eventually asked the student more about their decision and was pleasantly surprised by their answer.

It turns out, I actually did the student a service. They stated that they really learned a lot throughout the course. They gained enough information about Network Engineering to decide that it wasn’t something that they wanted to pursue. It didn’t have anything to do with the content of the lectures or the structure of the labs. They simply didn’t feel passionate about this aspect of technology.

Looking back, I’m really glad this student found out what they weren’t passionate about without endangering their career. I will keep this experience in mind as I teach additional courses. As I help students embark on their careers in IT, I will encourage them to seek internships or job shadowing opportunities. This will help them identify if they are truly following their passion or just attempting to earn a paycheck.

Overall, I loved my first experience as an Adjunct Professor and I can’t wait to teach future courses.