Cyber Resilience Towards the Quantification of Cyber Security Threats

The World Economic Forum and its partners have developed and shared a way for organizations to calculate the impact of cyber security threats. The framework, called cyber value-at-risk comes at a time when cyberattacks are increasing in velocity and intensity, and when 90% of companies worldwide recognize they are insufficiently prepared to protect themselves against them.

Cyber Resilience workshop at the World Economic Forum meeting in Tianjin, China. September 2014.

Download the full report here: Partnering for Cyber Resilience Towards the Quantification of Cyber Threats

Cyber Resilience workshop at the World Economic Forum meeting in Tianjin, China. September 2014.

I feel honored to have been one of the participants in the development of this. The project is led by Elena Kvochko and team of the World Economic Forum in collaboration with Deliotte and other Forum partners.

Cyber Resilience workshop at the World Economic Forum meeting in Tianjin, China. September 2014.

The World Economic Forum announced this today at the annual meeting in Davos.

(Source: WEF Press Release: New Framework to Help Companies Calculate Risk of Cyberattacks)

HR Classification and Discretionary/Business Job Titles for Makers, Managers and Leaders in Technology

This article presents an organization system and policy for job titles of makermanager and leader roles in technology staffs.

Separate job titles for HR classification and discretionary/business use are used at many technology organizations, ranging from medium-sized, innovative and fast-moving companies to large, established and enterprise technology companies.1 This is a well-established practice that balances HR requirements with the rapid pace of innovation and change in job functions. They each serve a different purpose: HR classification titles are designed for use by information systems and discretionary/business titles are designed for use by humans.

HR Classification Job Titles are meant to be comparable in the entire organization (across different departments) and sometimes even comparable with other organizations. The purpose of these is to maintain standardization across the organization for HR purposes such as payroll, benefits and eligibility for things. The number of HR classification titles at each role level should be finite and small. They do not change unless there is a major change in the person’s job like a promotion or new functional role. They map to the employee’s internal level, status and eligibility for things in the company. They follow a standardized naming convention for logical classification.

Discretionary/Business Job Titles, on the other hand, are used to describe the job (or a key part of the job) in easy to understand language. A person’s discretionary/business title can change, if desired, with smaller changes in the role compared to what warrants a HR classification title change. These titles are named in human-friendly language (and do not need to be worded for logical classification like HR classification titles). Discretionary/business titles are usually the ones employees put on their email signatures, business cards, online forums and social media sites. The number of discretionary job titles at a job level is limited only by the requesters’ imagination.

Below are some examples of HR classification titles along with examples of some corresponding discretionary/business titles. Employees may propose their discretionary/business titles to their supervisors. Most of the titles below are for technology staff, but some non-technology titles are included for comparison.

HR Classification Job Titles Examples of Corresponding Discretionary/BUSINESS Job Titles
  • Engineer
  • Senior Engineer
  • iOS Software Developer
  • Software Engineer, Mobile Applications, Android
  • User Experience Engineer
  • Release Engineer
  • Product Engineer
  • Software Development Engineer in Test
  • Test Automation Engineer
  • Web Developer
  • Mobile Apps Developer
  • JavaScript Programmer
  • Code Ninja2
  • Software Artisan
  • Developer Advocate3
  • Video Software Developer

These are software engineers, also known as computer programmers and software developers. The key job requirement is that they write software code.

When appropriate, the prefix “Senior” may be applied to these titles except where noted.

  • Engineer
  • Senior Engineer
  • Systems Engineer
  • Systems Administrator
  • Unix Systems Engineer
  • Infrastructure Engineer
  • Network Engineer
  • Security Engineer
  • Windows Systems Administrator
  • Unix Guru4
  • Video Systems Engineer
  • Robotics Engineer
  • Hardware Engineer
  • Web & App Servers Administrator
  • Database Engineer
  • Database Administrator
  • Sysadmin
  • Email Administrator
These are systems, networks and other engineers. They implement, maintain and upgrade systems. While they are not required to write as much code as software engineers, they are likely to do some scripting to assist in their jobs.
When appropriate, the prefix “Senior” may be applied to these titles except where noted.
  • Analyst
  • Senior Analyst
  • Technical Analyst
  • Quality Assurance Analyst
  • Quality Assurance Tester5
  • Business Analyst
  • Product Analyst
  • Functional Analyst
  • Financial Analyst
  • Business Intelligence Analyst
  • Technology Support Analyst

Analysts are generally not required to write code, but some may.

When appropriate, the prefix “Senior” may be applied to these titles except where noted.

  • Designer
  • Senior Designer
  • Graphics Designer
  • Photo Designer
  • Art Illustrator
  • Graphics Artist
  • Visual Designer

When appropriate, the prefix “Senior” may be applied to these titles except where noted.

  • Manager
  • Senior Manager
  • Technology Manager
  • Engineering Manager
  • Software Development Manager
  • Manager of Quality Assurance for Mobile Apps
  • Manager of Engineering for Product X
  • Staff Software Engineer6
  • Lead Software Engineer7
  • Software Architect
  • Applications Architect
  • Systems Architect
  • Program Manager
When appropriate, the prefix “Senior” may be applied to these titles except where noted.
  • Director
  • Senior Director
  • Technology Director
  • Video Technology Director
  • Director of Engineering for Food & Dining Products
  • Director of Content Management Systems
  • Director of Quality for Products XY & Z
  • Distinguished Software Engineer8
  • Program Director
  • Director of Project Management
  • Director of Products XY & Z
When appropriate, the prefix “Senior” may be applied to these titles except where noted.
  • Vice President
  • Senior Vice President
  • Executive Vice President
  • President
  • CEO
  • Chairperson
  • Board Member
  • Chief Technology Officer
  • Chief Information Officer
  • Chief Scientist
  • Fellow
  • Chief Operating Officer
  • Chief Financial Officer
(any title)
  • Founder
  • Co-Founder
  • Emeritus

Often used in combination with other words, these can be used in a discretionary/business title, but obviously, only if they are true.

Discretionary Titles are official, significant and used inside and outside the organization. Therefore, like HR Classification Titles, they also need to be approved in advance.

Policy and Guidelines for Discretionary/Business Titles

  1. Assignment of discretionary/business titles (and changes to them) must be approved in advance by the same people who approve assignment of HR classification titles. Once assigned, it must be documented in the HR information system.
    • Typically this requires two people: 1. the immediate supervisor of the employee, and 2. an HR representative to comply with these guidelines. In case of doubt, dispute or disagreement it should go to a department head, staffing committee or similar body for confirmation.
    • The benefit of this process is the employee will feel good in knowing that the discretionary title is official, recognized and endorsed by the company.
  2. Please refer to the examples above see what types of discretionary/business titles are likely to be acceptable.
  3. Inappropriate, offensive or harmful language is disallowed. (E.g. “Code Nazi” and “Architect of Terror” are not ok.)
  4. It must not reflect poorly on the organization. (E.g. “Underutilized Engineer” and “Dissatisfied Manager” are not ok.)
  5. It must not make unauthorized use of trademarks, copyrighted material or anything else that is likely to run afoul of the law, policies or best practices. (E.g. “Facebook API Engineer” is not ok unless you work at Facebook.)
  6. It must reasonably relate to or represent the job, at least partly. It can’t be completely meaningless to the job. (“E.g. “Ninja” is likely not ok, but “Code Ninja” is likely to be ok, provided it is not someone else’s trademark.)
  7. The title must not exaggerate the scope, authority (decision making or staff), or level of influence of the role. (E.g. you must not call yourself just “Head of Software Development” unless you are the one and only head of all software development.)
  8. When the employee and their supervisor do not see the need for separate HR classification and discretionary/business titles, they can be the same. (E.g. Software Engineer).
  9. When required, sensible and appropriate, the discretionary and HR classification titles may be written together in combined form. (For example, on a resume or biography, the employee can write “Director & Distinguished Software Engineer”, “Staff Software Engineer (Manager-level position)”, “Vice President & Fellow”, etc.)
  10. When in doubt, consult with your department head or HR representative.
  1. For example, discretionary/business titles are used at Oracle. []
  2. Fun titles may be acceptable as long as they match the role []
  3. Assuming that the developer advocate needs to also be a software engineer []
  4. Another example of a fun title that matches the role []
  5. For testers who are not software development engineers. Those who are would have an HR classification title of software engineer []
  6. Staff Software Engineer is a people-manager level maker role. It is equivalent to an architect level, but unlike an architect who often reviews others’ code, a staff software engineer is generally an individual contributor. []
  7. Equivalent to Staff Software Engineer []
  8. The word distinguished is reserved for software engineers who are contributing value at the people-director level. At the VP level, the distinguished engineer becomes a Fellow. The bar for earning this title is exceptionally high and requires extraordinary achievements. E.g. inventing a programming language or software framework used by hundreds of people in multiple companies. Distinguished Engineers are typically well respected outside the organization. Prefixes such as Senior cannot be applied to the title Distinguished Engineer. []

Case for a Consistent, Comprehensible & Cost-Effective Vacation Policy

This article makes a case for having a vacation policy that is simple, sane and standard across the organization.

Some organizations have unnecessarily complicated vacation policies that require a lot of labor and time to implement, manage and support exceptions for. That is substandard because such vacation policies are costly for the organization, they distract from the organization’s other work and they make some employees feel unfairly treated.

Most companies would be better off with a simple vacation policy for all full-time employees.1 Here is a such a vacation policy. It can be described in one sentence as:

Every full-time employee gets 25 days (5 weeks) of paid time off per calendar year.

Detailed explanation and justification

To some managers in the United States, it may initially seem that 5 weeks is too much for entry level employees or workers at the early stages of their careers. 25 days is not too much, especially considering that these also include paid personal days off. Many organizations already give employees about 5 personal paid days off (in addition to their vacation days) to use for personal/family/religious/social events, the day before/after major holiday etc.

An example

So you could think of this policy as: Every FTE in the organization gets 20 days (4 weeks) of paid “regular” vacation, plus 5 more paid personal days off per each calendar year.

Here is one way the 5 weeks could be scheduled: 4 four weeks set aside for “regular” vacation would be meant to be used for typical vacations. As long as it is ok with the employee’s supervisor, it could be one 4-week long trip to another country, two 2-week long vacations, or even 20 separate Fridays taken off during a calendar year.

The 5 remaining days could be set aside as “personal days” would be meant to be used for other purposes like birthdays, anniversaries, personal/family/religious/social events, needing a day off at the last moment to run errands, take off the day before/after a company holiday.

This system actually makes no distinction between regular vacation and personal days off. The above is simply an example of how an employee (in consultation with their supervisor) decide to use the 25 vacation days.

Fair, consistent, and simple

Every FTE from the CEO to an entry-level engineer gets the same number of paid days off.

Vacation time is a necessary downtime for employees to relax, recharge and refresh. It should not be viewed as a perk. By giving senior-level executives more vacation days and making vacation seem like compensation sends the wrong message at multiple levels: Is the organization implying that senior-level people put in less time and effort? Is it implying that being away from work more is a valuable and desirable thing that employees should strive for?

Senior executives and entry-level employees alike get a two-day weekend. They get the same number of company holidays. They have the same sick-day policies. They should also have the same number of vacation days per year.

All prospective employees are informed of this consistent policy: 5 weeks vacation for all full-time employees, regardless of role, level and compensation. This eliminates distracting negotiations during the hiring process about vacation days. After which, existing employees can feel demoralized learning that some of their peers have more vacation days for no fair reason. Unlike compensation, vacation time is not private information. In a team that works closely together, people can often observe how much vacation their colleagues are taking if they choose to.

Speaking of sick-days, a detailed discussion of that is currently beyond the scope of this article and likely the subject of an article about employee health policy. Sick days should be separate from vacation.

Accrual, carry over, and Trading

Vacation days are not collectors items. Also, they do not have any cash value as per this policy. Employees should be encouraged to use all of their vacation days each calendar year. Taking vacation is good for the employees. It increases morale, productivity and innovation.2 So it is good for the company. Vacation days may not be carried over from one calendar year to the next, nor can they be transferred to other employees. They can definitely not be redeemed for cash.

In this system, vacation days do not accrue incrementally over the year, so employees can’t redeem any unused ones for money even if they leave the organization. You could think of it this way: They accrue all together at the end of the year. When an employee leaves the company, they are not expected to pay the company back for their vacation days used either.

As for when a new employee (or any employee) can take vacation, that should be discussed between the employee and their supervisor and needs to be signed off by the supervisor. Use trust and common sense. In almost all cases, it would not make sense to take a month-long vacation after just one day at the job.

As for the first calendar year of new employee’s joining, we can apply the following simple formula: The number of vacation days you get in your first calendar year is adjusted based on the number of weeks remaining in that year, using whole numbers rounded up. For example, if you join in the middle of the year with 26 weeks remaining (half the total number of weeks in the year), you get 13 days of vacation that first calendar year (half of 25 days, rounded up).

“Unlimited” vacation policies

These days, a few companies offer open-ended “unlimited” vacation policies, where there is no pre-set limit to the number of vacation days an employee can take, within reason.3 Realistically, these are not unlimited vacation policies, the same way credit cards with no pre-set spending limit don’t allow unlimited spending.

The data on these open-ended vacation policies is not yet conclusive, but initial data indicates that they have a number of potential drawbacks:

  1. They have been shown to result in employees taking less vacation time4
  2. They pressure employees to keep working during their “vacations”, which defeats the purpose and benefits of vacations.
  3. They put employees in uncomfortable situations with their employers. For example, when an employee gives 4-weeks notice to leave and wants to use the last one or two weeks for vacation. In such a situation, the employer is likely to feel taken advantage of under an “unlimited” vacation policy.

For these reasons, I recommend this 25 vacation days per calendar year policy over so called “unlimited”  policies.


A clear, consistent and complete vacation policy like this is likely to lower administrative costs, make employees happier and increase productivity. It is also likely to make the company more attractive to potential hires and improve retention.

  1. By full-time employee (FTE), I am referring to a person directly employed by the organization who is expected to work ~40 hour/week, typically on a Monday through Friday schedule. []
  2. The Case for Vacation: Why Science Says Breaks Are Good for Productivity: article in The Atlantic  []
  3. IBM’s un-vacation policy: All you need, all the time: article in The New York Times  []
  4. Companies Offer “Unlimited” Vacation Time Because They Know Perfectly Well People Won’t Use It (Slate)
    How One Company’s Unlimited Vacation Policy Totally Backfired (Inc.) []