Back to some business – mentoring a student at the verge of work life

Recently I have signed up with the alumni organisation of “my” university to participate in their mentoring program for students at the verge of work life. Mentoring – I have done that before and my former mentee is now a good friend of mine.

Let me reflect about what mentoring is and what an effective approach may look like.


What is mentoring?

In the Internet I found this definition of the Alberta Learning Information Service ALIS that resonates with me:

«Mentors are experienced, trusted advisors or counsellors who have successful careers and proven track records. Mentors are not usually paid for their services.

As a mentor, your role will be to:

  • make a commitment to support and encourage your mentee
  • encourage your mentee to develop careers that reflect their skills, potential and goals
  • offer wisdom, knowledge, experience, constructive criticism, connections and resources
  • focus on the overall career directions like advancement and training rather than on day-to-day concerns of your mentee
  • set an example for the level of professional conduct and success your mentee hopes to achieve»

In alignment with this definition and with my previous mentoring experience I understand that…

  • The mentor accompanies the overall career development of his mentee in a one to one setup independent of the current work place. He acts as a sparring partner bringing in his long year experience, with the target to help the mentee find a career path that matches his/her strengths and interests. The relationship is based on mutual trust and confidentiality. The time horizon is longer term and can be several years.
  • Mentoring is different from coaching. I understand that a coach accompanies an employee at his/her work place – to perform efficiently and effectively according to his potential.


How would I conceive our mentoring process to be effective?

To mentor a student at the verge of work life, I think of these steps for the process to be satisfactory and effective. 

for blogwhite

  • Basis: Initiative is with Mentee / Mentor is a responsive sparring partner
    From the mentee, I expect that he/she will drive the relationship, invite for meetings and/or ask for support, when he is ready or needs it. As a mentor, I will be the responsive (reachable) and  supportive sparring partner bringing in my experience and network. The mentee has to solve his “problem” and he can count on my mentor support. As a mentor, I cannot impose my ideas, I just give suggestions, hopefully good suggestions based on my experience.
  • Align mentor and mentee / revise relation: Trust and commitment
    As a first step, we, the mentor and the mentee will get to know one another, exchange about our motivations and backgrounds and find alignment. The target is to build trust. Trust is indispensable for our mentor/mentee relationship. Without trust it is not possible to proceed and achieve results. Based on trust, we make the commitment to start our mentor/mentee relationship. This relationship is not expected to be short term, and hence it is also necessary to revise it from time to time to verify trust and commitment still exist.
  • Identify mentee strengths/interests/personality: Profile
    As a second step, the mentee will identify his profile, with my mentor support. The profile consists out of his strengths (capabilities/talents/knowledge), his personality (e.g. more a researcher or an entrepreneur) and his interests (what activities turn me on). Useful structures to identify the profile are provided by Tim Clark, Alexander Osterwald and Yves Pingeur: “Business Model You“, Campus Verlag, Frankfurt am Main 2012). They call it “key resources”.
  • Find targets: Value propositions
    Based on the profile or key resources, the next step is to find the activities that are of value for potential customers and that allow my mentee to make a living (earn money) and perhaps harness more personal benefits (such as satisfaction from living his mission or from doing what he likes to do). Tim Clark et alii recommend to find the “value propositions” using their structured “business canvas“.
  • Sell and apply: CVs, job selection > job
    Based on the profile and targets identified, we can act and apply for jobs. The profile will be phrased out in CVs (for media such as LinkedIn and for the “paper” CV that  might need adaption for individual applications. As a mentor, I also think of using my network and of coaching the interview process (letter of motivation, what the interviewer may ask/expect or ideas on how to react when being rejected). 
  • Digest lessons: Updated profiles, value propositions and CVs
    The experience gained during job applications will help us to loop back and update the profile and value proposition and the CVs (in the media (such as LinkedIn) and in the paper CV. Then more applications may follow – or it is also an alternative to look for options to open a business.
  • Hand over to work life: Business mentor
    Once, a job is found, I will have to retreat. I suggest to find a business mentor for similar support in the new work life. Well, in case our mentor/mentee relation was one of trust all the way through, I might have found another friend that would perhaps come back and ask for ideas and support from time to time.






Elucubrations: Service catalog – structuring the big picture for a security operations service

Assume this task: Write a service catalog for IT Security Operations

Assume that IT Security Operations has to write down their services for a large company. I like this task. I believe that writing down the services helps clarify the mission and targets, focus on deliverables asked for and ease collaboration with the related IT and business areas.

In this blog I describe my thoughts about structuring the big picture of the service catalog for IT Security Operations. My thoughts may be useful for similar endeavors.


Four questions that help structure the big picture of our service catalog

  • What is the most logical structure for IT security operations services?
  • Who is the main client and what is his mandate? Who are additional clients and stakeholders?
  • What does the service list look like?
  • What layout/details shall describe the services on the list?

To answer these questions requires talking to the subject matter experts within the IT Security Operations team and around it.


What is the most logical structure for IT security operations services?

The mission of Security Operations is: “We detect, defend and prevent attacks.” They are a “watch dog” for the enterprise IT infrastructure.

  • They detect attacks based on the knowledge about threats and vulnerabilities and based on analyzing logs as well as user/client reports of attacks perceived.
  • They defend attacks that have penetrated into the IT infrastructure. They stop incidents immediately and for major attacks they collaborate with other teams and with management.
  • They prevent attacks in future by feeding back their hands-on experience to security -, risk – or engineering teams and their management.

I like the mission “detect, defend, prevent” to give structure to the services. This is a process oriented view.

An alternative is the attack classification (e.g. by objectives such as privilege gain, denial of service (DDOS) or malware). I  rejected to use attack classification, because it is ambiguous (research has provided multiple  classifications) and rather reflects a client or market view (e.g. selling malware defense services and tools) which is less relevant for an internal service. I prefer the process view.

Conclusion: For our service catalog, structuring the services along the lines “detect, defend and prevent” or along the process is the best option.


Who is the main client and what is his mandate? Who are additional clients and stakeholders?

In the organization that I had in mind, IT security has been assigned to a cross-functional department (owning enterprise IT security). This IT Security Department has “outsourced” IT security operations to the IT department that owns incident and problem management. Hence the IT Security Department is the main client of IT Security Operations. I believe this is an efficient organizational set up for IT Security Operations, as they will  follow  the one incident/problem management process (IPM) that holds for all IT services often following the best practice library ITIL.

In addition to the IT Security Department, IT Security Operations has more clients/stakeholders such as Legal&Compliance, Business Risk Functions and Officers, Fraud Detection, Enduser or Server Operations, Application Development or Enterprise Architecture. The major stakeholders collaborate in a Security Committee.

Indirectly all employees and business clients as well as all departments benefit from IT Security Operations, as they can rely on the “watch dog” detecting, defending and preventing attacks. IT Security Operations is a link in the value chain delivering to the entities that are in more direct contact with the end clients.

Conclusion: The IT Security Department (owning IT security services) is the main client of IT Security Operations (responsible for security incident/problem management)… in the setup that I was confronted with.


What does the service list look like? 

Even if a service list already exists, I propose to change it, in case it does not fit the logical structure “detect, defend and prevent”.  A logical structure eases communication. Also service names have to be as short and concise as possible. To convince the stakeholders of the catalog, I always make a cross tabulation to show where the differences are  (while working the existing list into my proposal). This is a description of the process:

  • “Detect” encompasses (1) operating the security tools (needed for attack detection), (2) security event monitoring (normalizing a variety of logs), (3) running a security and advisory desk, and (4) security incident detection (analyzing the logs, taking into consideration attacks reported to the service desk by internal users and external clients, being aware of vulnerabilities found in vulnerability scans and benefiting from knowledge bases available from sources such as governmental or research authorities).
  • “Defend” is (1) incident response (taking immediate action to stop incidents) and (2) security problem management (initiating/participating in solving major problems).
  • “Prevent” is providing (1) a vulnerability scan service, (2) reporting security incidents (successful and unsuccessful attacks) and (3) consulting about security operations (based on hands-on experience with attacks, e.g. in  Security Committees, to project and system managers or to security architects).

Conclusion: The big picture is clear – mission (detect, defend, prevent attacks; responsibility for security incident and problem handling), main client (IT Security Department or owner of security), and the service list (to be illustrated as a pie chart along the lines “detect, defend, prevent”) . This will be the heart of the service overview chapter.


What layout shall describe the services on the list?

Based on the ITIL best practice and with some minor modifications, I chose this layout to describe the service items on the lists:

  • Service name: Describing the service as shortly and as clearly as possible. Example: “Security incident response” or “Security event monitoring”.
  • Service lifecycle status: Mostly operational.
  • Client/audience: Business or IT facing. Examples: IT Security or Legal&Compliance.
  • Service owner/manager: Responsible person from within IT Security Operations.
  • Service description: Short outline of the service and reason. Example: IT Security relies on measures being taken to stop incidents detected. Or: Legal&Compliance relies on logs available for compliance coverage.
  • Service deliverables: Breaking down the service into individual results. Example: Incident classes in scope such as DDOS, malware, phishing etc. Or: Logs available for compliance.
  • Limitation of the service: What is included. Example: Only handling security relevant incidents.
  • Service dependencies: Prerequisites for the service. Example: IPM process is operational. Or: Raw event logs are available for normalization and further analysis.
  • Cost recovering: Lump sum recovery or cost charging based on prices. Example: IT Security provides the budget, but projects pay for security operations consultancy.
  • Service changing/canceling: How can the service be modified or canceled. Example: IT Security Committee agrees about new incident classes to be included.
  • Service support: Contact points. Example: Dispatching group defined for ticketing process or one mailbox for clients to report observed/suspected attacks.
  • Hours of operation: Example: 7×24 or week days with on call availability.
  • Performance metrics: What are the handles to measure the quality of the deliverable. Example: Resolution time for incidents or false positives. Note that research (e.g. from Forrester or Gartner) is available that supports defining performance metrics for security.
  • Target service level: What service level is to be delivered (ITIL calls this “service level agreement”). Example: 99% of malware attacks stopped within 24 hours hours or no more than 10% false positives


Conclusion: Deliverables matter

I strongly believe that it is indispensable to focus the service catalog on deliverables. The clients/stakeholders want to know, what is in it for them: What matters for them are the results, not the tasks performed that describe “how” results are achieved. Focusing on deliverables leaves room for optimizing or innovating the process at the point where the process knowledge is – in IT Security Operations.



Consult & engage: Getting started with my own company

Do you feel like work after your retirement?

This is an email that I received from Thomas: “Do you feel like work after your retirement? I have a small task for you…. it is about optimizing the service desk in my company.” Oh yes, I do feel like work after my retirement. I have managed several service desks in my work life, I love to work with teams and find new ways of doing things. In addition I have known Thomas for more than twenty years. This is a wonderful opportunity.

We start the journey. With his teams, we develop a SWOT and we derive five actions in a two hour workshop, reviewing the process over a Gugi with coffee. I am confident that this service desk will end up being even more beneficial for the company of Thomas. And I will continue to engage to facilitate change, as much as I am asked for.

Have you read my mind? – I have always dreamt of founding my own company…

Thomas’ assignment came in well. I have always dreamt of founding my own company. At work I had loved to provide our research service as an enterprise within the enterprise – with our young team in Kraków. As a farewell for my retirement, the team gave me the book “Business Model You” by Tim Clark, Alexander Osterwalder and Yves Pigneur (campus 2012).

Yes, why not live my dream now?

Conceiving my company: What values do resonate with clients – and can I deliver?

This is the name of my new company: “consult & engage” (to conform to the legal requirements for registering a one man firm in Switzerland, the name has to be “Petra Peters Erb consult & engage”).

This is my value statement for consult & engage:

  • Find a facilitator for change and innovation
  • … leveraging my experience as a retired baby boomer,
  • … benefiting from my motivation to engage beyond consulting.

And this is where I can deliver:

  • Interests: Achieve results with teams of differing backgrounds. Have an open mind, discover new ground, analyze it, structure it, derive actions, engage to make things happen. (My blogs about traveling may illustrate my interest to discover, understand, structure and share).
  • Personality: Intrinsically self motivated and interested. I love to bring my “I” into teams and to support them achieving results.
  • Experience: Service management/operations (for IT and broader research service), sourcing and contract management, project management, agile management and development of international teams, business process management and managing/selling services as an enterprise in the enterprise.

(Basis: “Business Model Canvas” of Alexander Osterwalder  and “Business for You”, Tim Clark et alii).

Illustrating my value proposition with a motto

To illustrate my value proposition, I selected this elephant I came across in the Etosha Park, when traveling with my husband.


This elephant may illustrate walking firmly towards new horizons leaving marks. And, the elephant surprised me. When coming closer to the scrubs, he ran off fast towards his destination proving that elephants are not only firm and solid, but also agile.