Category Archives: Culture

  • -

Outdated And Unsecured – Your Application Is A Sitting Duck

Companies with revenues in the millions and even billions of dollars face the risk of running outdated software applications. Why do they continue to do so? Are the risks only restricted to outdated software? 

Applications built using the latest stack also risk being vulnerable when appropriate security measures and policies are not followed. Facebook was under scrutiny for storing millions of passwords unencrypted. According to Facebook, the passwords were not stolen. The incident did result in a loss of trust which further exasperated the situation at Facebook. Facebook was fortunate that the passwords were not hacked. There are many instances where encrypted and unencrypted information were stolen. Such was the case with LinkedInYahoo, and many others.

In this article we will focus primarily on the topic of outdated applications and how to approach them.

One major reason that organizations continue to run outdated applications is the cost involved and the return on investment (ROI). Companies see upgrading as not a worthwhile expenditure unless there is no other choice. The organization may be using agile and lean methodologies to build a software. However, they may not necessarily end up with a product that can stay agile and lean.

Stay Relevant

The decision to stay current is largely driven by the culture. An organization that is enthusiastic about the trends in the industry will try to analyze what is worth adopting and go for it. 

When responsive sites were becoming popular, it was an easy win for many. It was like upgrading the upholstery. There was definitely a cost involved but was much less for the new look and feel of the same legacy application.

So, how do you convince your management that your software needs to stay current? Your organization can either be motivated by the new capabilities or be threatened with the consequences of non-compliance, security breach etc. 

The threat factor usually does not work well. The news cycle has so many of those threat factors. The Equifax hackDoorDash breachCapital One breachTarget breach and many more fills our news on a regular basis. Many organizations do not understand their vulnerability. Even if they understand it, it is a complex problem to analyze and mitigate the risk.

If your application has reached a point where upgrading is a high-risk project, remember that not upgrading is of a much higher risk.

The application may be so important that you can’t risk disturbing it. Or it may not be important enough for you to care about it. Either way the risk still remains.

The risk with running outdated applications is that there are a lot of known and exploited vulnerabilities already in them.

How do you bring about change in an organization? Let’s look at a few things that you can focus on to bring attention to the problem.

Be More Specific

  • “There is a new security patch to install. When can we do it?” Vs. “A regular user can impersonate and perform admin functionalities. We have a patch. We need to apply it immediately.”
  • “The next version of software has a lot of good features.” Vs. “The next version of software will allow us to deliver content seamlessly across multiple channels.”
  • “Upgrading to the latest version is going to be a major effort.” Vs. “Upgrading to the latest version is going to take 6 months and cost $500,000.” 

A security alert notification that I received in January 2019 read, “Users with User.VIEW permission can update other user’s password.” The implication is if someone can view your profile information, they can also update your password. What risks are you facing? If you have an SSO with a third party identity manager and that is the only way users can access the affected system, your risk may be low. If not, you are taking a big risk by not applying the patch. A hacker can gain admin access by changing the admin password. 

Equifax security breach due to the failure to patch a vulnerable software resulted in millions of users information being stolen. How do you keep track of such security flaws in a 9 year old library with the flaw being reported only around the time of attack?  There are some vendors who continuously track vulnerabilities and can help generate reports for your application. This will only work on reported vulnerabilities. It is not effective on a Zero-day-Exploit like Equifax where the attack happened even before the vulnerability was publicly reported.

If your application is a moving target rather than a sitting duck, it could help reduce such attacks like that of Equifax. It should be a high priority to keep your application current.

Make It Clear

We all at some point or the other might have heard this. A lasting change comes from within. This applies to individuals, groups, and organizations.

When the drive is not from within the organization, all outside compliance requirements are not that effective. If a compliance requires that you take appropriate backups, a diligent organization will also make sure that the backups are useful. 

You cannot force your business leaders to upgrade if they see no value in it.

What are the advantages and disadvantages to upgrading? More importantly what are the direct and hidden costs. How do you mitigate the risks?

Are Your Clients Happy?

In certain scenarios a major client of yours may mandate that your product is built on current technologies. In this case, there is a financial consequence of losing the client if your product is built on older versions of software.

Do you have a competitor who is offering the state-of-the-art product that uses all the latest advancements in artificial intelligence, machine learning, and personalization and also costs less?

Why not experience new innovation?

You should have innovation labs where your team can explore some of the latest technologies and products.

Talk To Others

I have never heard from a vendor that their new product is very challenging.

Are there other clients who are willing to talk about their experience with the new version of the software? If you really want to hear the true story, try to reach out to other users directly without a sales and marketing pitch from vendors. Many market research papers such as Gartner and Forrester provide valuable insights. The concerns that they raise can be extremely valuable.


Often organizations continue to pay a high price for old technologies when the new subscription model could save them more. Identify the cost differences and the options available. 

You may not be able to tell this to your boss

In a very sensitive environment, a security breach due to outdated software can cost the leadership their jobs. Even if leadership can blame a breach on a systems engineer who did not apply a patch, it is the leadership where the buck should stop.

Build The Right Skills

Are you paying attention to the needs of your team? Are the skills that team has going to become obsolete? Should you invest in your team or risk losing the best? Look out for the soft signs from your teams and see if they are becoming disengaged and disillusioned working with outdated tools and products.

A disengaged team is not going to be able to identify the risks and take proactive steps to mitigate those risks.

One of the major challenges that many businesses face today is that they do not have the people with the right skills to either upgrade a software product to the latest or to analyze the impact of upgrading. 

It is important to build the necessary skills to either be able to do it yourself or at least know when you need help and what type of help.

Any organization that is able to afford a software team should invest in making sure that the team has the capabilities to do it all themselves.

It is perfectly fine to get outside help. But you should not be completely at the mercy of another organization to make you successful.

Upgrades of any major piece of software require preparation and planning. You should expect challenges especially if you have spent a significant amount of time building and customizing the application.


Being current does not mean you can stop monitoring your applications and networks for security threats. Being outdated means that you are risking being a sitting duck that is waiting to be breached. 

Do not stop here. It is time to reevaluate what you have and protect the data of those who have trusted you with it.

  • -

Are You Struck By The Glassdoor?

The blow from anonymous Glassdoor reviews can have serious and disproportionate consequences on small businesses. It may feel like being struck by a revolving glass door. Bad reviews make it hard to hire the best people. Many potential employees review a company before joining them. The same applies to clients who want to know whom they are doing business with. As for the big companies, the reviews may have some effect but not as consequential as to the small companies. This article illustrates our approach to organizational culture building.

Bad reviews deliver a double blow to small companies and a slight dent to big ones.

Some of the reviews are a result of missed opportunities within the company that failed to have the most important conversations with their employees. A few others are systematic failures in the system where many things go on without proper checks and balances. Some percentage is due to failure of organizations to promptly act on the reports by employees.

People who write scathing reviews want to send a message to the companies and future candidates. 

It may not be the most effective way to bring changes in a company. It may serve as a warning for the potential candidates who want to join the firm. A review intended to punish the company will barely have any impact on the leadership. The one who wrote such reviews will be dismissed as a disgruntled employee.

Is Anonymity a Gift?

Anonymity is critical when employees fear some kind of reprisal from the employer whether it be former, current, or future. It is easy these days to pull up someone’s name and see how they behave online. Anonymity has its benefits. However, anonymity does not mean we have the right to irresponsible comments and reviews.

Anonymity has its benefits, but it does not give us the right to irresponsible comments and reviews.

According to a Career Builder survey 70% of employers snoop on candidates. This brings up a very important issue. Every one of us has the utmost responsibility and accountability to everything we say and write whether it be anonymous or with our name attached to it. As candidates research potential employers, employers research their potential employees as well.

In case of any violations that require a legal remedy, affected parties should not hesitate to report to authorities. Do not stop at Glassdoor.

What Are The Common Complaints

I would like to discuss some of the common concerns in the Glassdoor reviews of Fortune magazine’s 100 Best Companies To Work For (2019) list. I will deliberately stay away from telling which specific company the review is about and focus more on the concern than a particular company. Many of these concerns relate to the top ten from the 100 Best Companies list.

Personal Concerns

  • No balance between work and life
  • Insufficient compensation 
  • No proper career path
  • Company specific skills that cannot help with transition
  • Annual pay raise is minimal
  • Not enough perks
  • No appreciation from leadership
  • No one listens

Some of the above concerns are relative. One may complain about no lunch and the other may complain about the quality of lunch. Some are serious concerns. It may not be possible to have a work-life balance without the support of the managers and employers. It is important to invest in people if employers expect a certain kind of commitment.

A sense of urgency cannot be expected from employees when the companies leadership is laid back.

Organizational Concerns

  • Promotion is by favoritism
  • Leaders hiring less qualified buddies from former companies
  • Bad managers are a major source of concern

Unqualified leadership do tag team and migrate from one organization to another organization. It should be a serious concern.

These are serious concerns. Organizations need to take these accusations very seriously and find ways to remedy them. It needs to start from the top. If CEOs encourage favoritism, they can’t expect those who work under them to do the right thing.

Leadership Concerns

  • Task managers with poor people skills
  • Leadership is detached from realities
  • No inspiration or motivational leadership
  • Inaccessible leadership
  • Unresponsive management
  • Incompetent leadership
  • Arrogant leadership
  • Lack of mentorship

Leadership is not determined by title but by qualities within oneself.

Leadership concerns are not just for the top level executives. Every single person is a leader in his/her own capacity within the organization. Appropriate training along with continuous education may help.


  • Shame based culture
  • Blame based culture
  • Highly political environment
  • Laid back culture where no one cares about anything
  • Racism, bias, and discrimination
  • Complaints about reverse-racism (a majority race complaining that the minority is racist)
  • Lack of diversity (ethnic, race, age, gender etc.)
  • Unable to express opinion without reprisal
  • Toxic culture
  • Competitive and not collaborative environment
  • Erosion of culture with growth

Culture is the core of all organizational issues. Culture breeds good as well as bad practices. Organizations should have zero tolerance to racism, bias, discrimination, reverse racism, politics etc. 

How Should Small Companies Respond

Small businesses may not have the luxury to have a peoples department. Some aspects of people management such as payroll and benefits are usually outsourced. What cannot be outsourced is relationship management. Many managers and leaders are not familiar with identifying and having crucial conversations. People are afraid and not comfortable bringing up concerns with the leadership. In some cultures all issues end in gossip that the management may never come to know.

Can your employees bring up a sensitive topic without fearing a reprisal? If not, there is a lot of work that needs to be done. 

It is very important to build a good relationship between employees. It may help to read books such as Crucial Conversations by Patterson et al., and promote a culture where it is comfortable to discuss critical issues without the fear of getting fired or losing a highly skilled employee.

Organizations cannot stay in business if their only goal becomes appeasement of employees in order to get great reviews. The goal should never be that of getting great reviews. 

The goal should always be to become the most cherished place where people love to come and work. 

Everyone is in the business to make money. You cannot make money with a group of unhappy and unmotivated people. It is better to shutdown the business than to insist on squeezing work out of people. Unhappy employees are not good for business. 

If employees are incompetent, do not pamper them. If the employees are competent, do not ignore them.

How Should Large Companies Respond

How should the large companies respond to anonymous reviews? Everything that is said about small companies apply to large companies as well. Large companies often have the capability to bring in the necessary leadership and training to help with building relationships. Large companies should continue to pay attention to what employees say online. Identify the common complaints and address them promptly. It is important to communicate and be transparent.

You can only sweep so much under the rug before it becomes obvious. Companies should have higher moral standards. 

Encourage people to have crucial conversations without the fear of reprisal. Reward employees for introducing positive change in the company. Help employees find a higher purpose in what they are doing.


Let’s acknowledge that we all are human beings. We all are learners for the rest of our lives. We need to treat each other as fellow human beings and not anything less. People often have to unlearn the bias and discrimination that they witnessed growing up. The very same people go on to work in various companies at various levels. Leaders have to lead by example and build a positive culture – a culture where it is appreciated to have the most important conversations.