Category Archives: HR leadership

Risk on the Moral High Road

If, as an HR leader, you’re going to take a stand on ethical grounds, you had better be ready for the backlash if you change your mind later on.

That seems to be a key lesson to emerge from the findings of research recently published in the Journal of Personality and Social Psychology.

For their study, Tamar Kreps, an assistant professor in the department of management at the University of Utah, and Kristin Laurin, an assistant professor in the department of psychology at the University of British Columbia, conducted a series of 15 online experiments that involved more than 5,500 participants between the ages of 18 and 77.

In each experiment, these individuals were provided information about political or corporate leaders who had changed their opinions on a particular subject. Some participants were told that the leaders staked out their original positions on moral grounds, while others were informed that these initial stances were based on a more pragmatic view, such as “it was good for the economy.”

Across the multiple studies Kreps and Laurin conducted, they found that participants saw leaders who changed their minds after taking a moral stand as being hypocritical. In most cases, these individuals also perceived these leaders as “less effective and worthy of their support than leaders whose initial stance was pragmatic,” according to a statement.

“Leaders may choose to take moral stances, believing that this will improve audiences’ perceptions. And it does, initially,” says Kreps.

“But all people, even leaders, have to change their minds sometimes. Our research shows that leaders who change their moral minds are seen as more hypocritical, and not as courageous or flexible, compared with those whose initial view was based on a pragmatic argument.”

That perception can be tough to shake, too. According to the authors, they “tried to test various factors we thought might weaken the effect” across several studies. For example, the authors asked participants how they would feel if the leader “did not rely on popular support and therefore would have no reason to pander” or “used the same moral value in the later view as in the earlier view.”

Still, no dice.

“None of those things made a difference,” says Kreps. “Initially moral mind-changers consistently seemed more hypocritical” to those taking part in the study.

While opining that moral beliefs tend to stay constant over time, Kreps cautions that leaders should take the ethical high road on a given issue only if they genuinely feel that way.

“Taking an inauthentic moral view to try to pander to a moralizing audience could backfire,” she says, “if a leader needs to change that view later on.”

Hurting for Talent in HR?

In the never-ending quest to boost HR’s profile in the C-suite, CHROs must first surround themselves with top-notch talent in their own departments, according to new research from Korn Ferry.

The problem, the same survey finds, is that serious talent gaps exist within the HR suite.

The Los Angeles-based advisory firm recently polled 189 chief human resource officers, finding that “as the HR function becomes more strategic and high-profile, HR professionals need to step up their game when it comes to business insights and achieving results,” according to a Korn Ferry statement.

More specifically, CHROs were asked to name the skills they find are most lacking as they search for human resources talent.

A mere 4 percent reported having no difficulty finding the necessary skills to round out their HR teams. Otherwise, respondents said:

  • Business acumen (41 percent)
  • Ability to turn strategy into action (28 percent)
  • Intellectual horsepower (10 percent)
  • Analytical skills (7 percent)
  • Diversified experience (6 percent)
  • Relational skills (3 percent)
  • Technical skills (1 percent)

Of course, the role of the HR function, and the CHRO, is much more complex than it was even five short years ago, says Joseph McCabe, vice chairman of Korn Ferry’s Global Human Resources Center of Expertise.

“Disruptors such as digitization and globalization are creating an environment of constant organizational change,” says McCabe. “HR leaders must understand the business challenges that occur as a result of these disruptions, including the impact on the business strategy, and be able to quickly adapt and act.”

The Korn Ferry poll allowed respondents the chance to do a bit of self-examination as well, asking CHROs what competencies were most important to helping them handle the ever-changing environment in which they operate.

By far, the most common response was “tolerance for ambiguity,” cited by 52 percent of the CHROs surveyed. Twenty percent pointed to the confidence to make bold, yet informed decisions as most critical, followed by the ability to sustain analytical thinking and motivate others (11 percent) and the ability to listen to and accommodate others’ methods (6 percent).

The study finds that a failure to cultivate both “hard” and “soft” skills could be costly for a CHRO, a reality that respondents seem to recognize. Indeed, when asked to name the top reason that a CHRO would get fired from an organization, the largest percentage (37) said “personality issues/inability to work well with or lead others,” with 34 percent reporting that an “inability to direct connect HR efforts to tangible business outcomes” would be the most likely cause for being let go.

“Today’s CHROs are judged both on what they do and how they get things done,” says McCabe. “While it’s critical that HR must act quickly to adapt to changing business strategy, it’s also important to align their team and other key leaders to foster engagement and a shared vision.”

Report: HR is ‘Behind the Curve’

New research from the Hackett Group finds that many HR departments are lagging when it comes to helping their organizations deal with talent shortages in key areas, and — due to a lack of resources — sufficient progress likely won’t be made anytime soon.

The report, The CHRO Agenda: An Urgent Need to Close Large Gaps in Talent and Technology Capabilities (registration required), is based on survey results from executives at 180 large U.S. and foreign companies, most with annual revenue of $1 billion or more. It finds that HR at many organizations lacks the ability to fully support key enterprise goals such as adapting talent-management strategies and processes to deal with changing business needs, address talent shortages in critical areas, manage change more effectively and develop agile executives fully capable of leading in a volatile business environment.

HR leaders at these companies don’t suffer from a lack of ambition: The report finds that they’re planning to address issues such as talent-related change and strengthening their organizations’ HR tech and information capabilities and organizational structure and processes. However, their departments are held back by limited resources, with the number of full-time equivalent HR employees expected to decline by 1.4 percent this year on top of a decline of 1.3 percent last year and budgets that are projected to decrease by an average of 1.6 percent, compared to a reduction of 0.3 percent in 2016.

“The consistent finding here is that most HR organizations are simply too busy fighting fires to get out in front on strategic issues,” says Harry Osle, Hackett’s global HR advisory leader. “In many cases, they are in reactive mode, with too much on their plates and an inability to say no to work that does not allow HR to become more strategic.”

HR must change this mindset if it’s ever going to deliver strategic value, he says. “To build a true leadership position within the organization, it is essential that HR find ways to more effectively manage and prioritize its service portfolio, adopt proactive demand management techniques from IT and make headway on transformation and improvement in key talent areas.”

Hackett finds that HR organizations are planning to “dramatically increase” their mainstream adoption efforts in several digital technology areas, including cloud applications and Software-as-a-Service, social media and collaboration technologies and advanced analytics.

Sad State of Parental Leave

Tuned into a pretty interesting, if not depressing, Facebook Live session on Wednesday. Seems the at-least-slow progress in paid parental leave we’ve been writing about here on HRE Daily and on our HREOnline website isn’t as promising as some think.

At least that’s according to the Society for Human Resource Management, which released during the session its National Study of Employers — a self-described “comprehensive look at employer practices, policies, programs and benefits that address the personal and family needs of employees.” (Here’s the press release for those of you who don’t have the time for an entire study right now.)

Ellen Galinsky, president and co-founder of the Families and Work Institute, talked during the session about the study’s key findings — namely that, despite reports from well-known companies (such as Netflix, Amazon, Microsoft, Johnson & Johnson and Ernst & Young — see our own posts linked above) announcing their expansions of paid-parental-leave benefits, the average amount of caregiving and parental leave provided by U.S. employers has not changed significantly since 2012.

Specifically, over the past 11 years, the number of organizations offering at least some replacement pay for women on maternity leave has increased from 46 percent to 58 percent. But the study also found that, among employers offering any replacement pay, the percentage offering full pay has continued to decline, from 17 percent in 2005 to 10 percent in 2016.

In fact, of all employers with 50 or more employees, only 6 percent offer full pay. In addition, daily flexibility, the kind needed for emergencies, has gone down actually, from 87 percent in 2012 to 81 percent in 2016, a statistic Galinsky called “critical.” She added:

“The fact that that kind of flexibility has gone down is a critical [and alarming] finding.”

According to Galinsky, HR has a major role in turning this around. As she put it during the session:

“Flexibility is now the norm. HR should be thinking this way. It used to be, ‘Should or shouldn’t we provide flexibility?’ Now it’s a given that we should.”

Unfortunately, she said, HR needs to do a better job of telling workers what is offered at their organizations. The study found only 23 percent of companies making a real effort to communicate the programs they have.

Here are some other key findings:

  • Small employers (50 to 99 employees) were more likely than large employers (1,000 or more employees) to offer all or most employees 1) traditional flextime, the ability to periodically change start and stop times (36 percent versus 17 percent), 2) control over when to take breaks (63 percent versus 47 percent) and 3) time off during the workday to attend to important family or personal needs without loss of pay (51 percent versus 33 percent).

  • Growth of workplace flexibility has been stable over the past four years. Out of 18 forms of flexibility studied, there were only four changes:

  1. An increase in employers that offer telework, allowing employees to work at least some of their paid hours at home on a regular basis (40 percent in 2016 versus 33 percent in 2012).
  2. An increase in employers that allow employees to return to work gradually after childbirth or adoption (81 percent in 2016 versus 73 percent in 2012).
  3. An increase in organizations that allow employees to receive special consideration after a career break for personal/family responsibilities (28 percent in 2016 versus 21 percent in 2012).
  4. A decrease in organizations that allow employees to take time off during the workday to attend to important family or personal needs without loss of pay (81 percent in 2016 versus 87 percent in 2012).

In Galinsky’s words:

“Whether high-profile companies offering paid [parental] leave are out of step with the majority of employers or leading the way remains to be seen. Given our findings that 78 percent of employers reported difficulty in recruiting employees for highly skilled jobs and 38 percent reported difficulty in recruiting for entry-level, hourly jobs, these high-profile companies could be leading the way in the strategic use of leave benefits.”

And, apparently, that’s not happening. Not yet anyway.

An Extreme Twist on Team-Building

Tired of the same old activities designed to create a spirit of trust and teamwork among your employees? Survival Systems USA has an extreme experience to offer that could literally teach your workers how to sink or swim together.

The Groton, Conn.-based safety and survival education provider has taught underwater egress training and water survival techniques since 1999, delivering instruction to, among others, employees of the Sikorsky Aircraft Corp., the New York Police Department and the National Guard, as the New York Times recently reported.

In imparting survival skills to those who might have to use them on the job, “we’ve seen residual effects along the way: improved morale, self-esteem, capabilities people didn’t know they had,” Survival Systems USA President Maria C. Hanna told the Times. Until recently, she said, “we’ve never stopped long enough to say, ‘You know, this is something that can appeal to a market in a different way, using the tools from aviation to help people develop themselves.’ ”

The company has begun putting those tools to work in hopes of attracting corporate customers searching for drastically different team- and morale-building exercises.

In November, for example, Survival Systems conducted a one-day aquatic survival training program for a group of three university students, four personal trainers and the owner of a paving company, according to the Times.

These individuals—who ostensibly had no work-related reasons to undergo such training—spent the first part of the six-hour program jumping from a 14-foot platform into an indoor pool. With life vests inflated, they were then given a matter of minutes to find a way to stay warm while floating. Another task required those taking part to work together to board an inflated life raft under the direction of one member of the group.

Program participants spent the next part of their Saturday strapped into Survival Systems’ Modular Egress Training Simulator, which the Times describes as “a plastic and metal craft that can be arranged to resemble the cockpit of almost any helicopter or small plane on the market.” Meanwhile, other pieces of equipment duplicated the downwash from rescue helicopters and generated rain, darkness, smoke, fire and winds of up to 120 miles-per-hour.

Once inside the simulator, these brave souls were submerged and flipped into a pool as part of an exercise that includes three rounds. First, participants must reach for the simulator’s window frame, unfasten their seatbelts, pull themselves out and swim to the surface. The second round adds a degree of difficulty to the task, by closing the aforementioned window. In the third scenario, individuals must pretend their window is stuck and escape by holding onto the simulator’s seats and making their way to an adjacent, open window.

An instructor remains nearby at all times, “ready to whisk [participants] to the surface if anything goes wrong,” the Times points out, adding that “though no one has drowned during the training, the primordial fear remains.”

The same article notes that the curriculum for this program is still being fine-tuned, and this particular group was offered the training for free, in exchange for their feedback. The experience, however, will soon retail at roughly $950 per person, a price that Survival Systems says is in line with that of its other one-day programs.

Greg Drab, owner of Advantage Personal Training, has sent multiple employees—including the four trainers taking part in the November session—through the program at no cost, but sees the $950 as a bargain.

“You get to see how people handle stressful situations,” Drab told the Times. “This unifies the team.”

Death to the HR Business Partner?

Someone recently shared this post on LinkedIn by Tom Rommens, who describes himself as “Passionate about HR.” I guess passion, then, would explain his headline: Would Somebody Please Kill the HR Business Partner?

His point, which I thought interesting enough to share, is that calling the HR leader of an organization a “business partner” doesn’t support the notion that “HR has become or will have to become part of the business itself. So,” he writes,

“we will have to kill the HR business partner … as a concept; please don’t hurt the actual people.”

Rommens mentions Dave Ulrich, Rensis Likert Professor of Business at the University of Michigan and a partner at The RBL Group in Provo, Utah, a good bit, primarily because he coined the term HR Business Partner in his long-running argument that HR professionals enable the business strategy through human resources. As Rommens puts it,

“I know it’s all semantics, but words do have their influence. I think it’s not accurate to call them partners. A partner is somebody who has a — positive, even interwoven — relationship with someone else but stands next to that other. Nobody calls the CEO a business partner; we don’t even consider the top IT guy to be one. [So why HR?]”

I reached out to Susan R. Meisinger, former president and CEO of the Society for Human Resource Management, HR speaker and consultant, and HRE’s HR Leadership columnist, for her take on this. Semantics, she says, is precisely what’s at issue. “Ah, another debate about semantics and HR,” she told me. She went on:

“It reminds me of the almost theological debate on whether the profession was ‘personnel’ or ‘human resources,’ followed by ‘people’ and/or ‘human capital.’ While I know that words can matter, I think sometimes there’s too much debate and focus on the words, rather than the concepts and information the words are trying to convey.

“In short, I don’t feel strongly about the debate — I do agree that the focus should be on HR’s role as an integral part of the business, without worrying about the label of ‘business partner.’ While [Ulrich] uses the term, he does it while describing a role that’s an integral part of the business. That’s where I’d rather see the focus.”

How strongly does Meisinger feel about the overuse of semantics arguments and buzz phrases in the HR profession? You be the judge. In her words:

“To the extent that it gives some HR professionals a greater sense of status — ‘I’m a partner in this endeavor, and my input/contribution is just as important’ — it might be helpful.

“But please, if they tell me they have to be a full ‘business partner’ to be sure they get ‘a seat at the table,’ I’ll go running and screaming into the night!”

Undervaluing the Human Element

If you’ve heard it from one CHRO, you’ve heard it from a hundred: Our people are our greatest asset.

A new Korn Ferry Institute study suggests that most CEOs also appreciate the hard-working employees within the organizations they lead—just maybe not quite as much as they value technology.

More specifically, the recent survey saw 63 percent of 800 business leaders from multimillion-dollar global organizations saying that technology will be their greatest source of competitive advantage in five years. In addition, 67 percent said they believe technology will create greater future value than human capital will within their firms, and 44 percent said the prevalence of robotics, automation and artificial intelligence figure to make people “largely irrelevant in the future of work.”

As if that wasn’t hard enough for employees to hear, consider that people didn’t crack the top five in terms of assets that CEOs predict will be most critical half a decade from now. Technology ranked No. 1, followed by research and development, products/services, brand and real estate (offices, factories and land, for example.)

“CEOs have a significant blind spot in the way they perceive people,” according to the Korn Ferry Institute study, “tending to undervalue human capital.”

These “distorted perceptions” demonstrate the extent to which the individual is being pushed to the periphery of tomorrow’s workplace—and the danger in failing to recognize the potential of employees to generate value, the report continues.

In placing a greater emphasis on technology and tangible assets, chief executives “may be demonstrating, in a big way, what experts call tangibility bias. Facing uncertainty, they are putting a priority in their thinking, planning and execution on the tangible—what they can see, touch and measure.”

In the report, Korn Ferry Search Vice Chairman, CEO and Board Services Alan Guarino cautions against taking that approach while overlooking human capital.

“Leaders are placing a high emphasis on technical skills, technological prowess and the ability to drive innovation in their new senior recruits—elements critical for modern organizations,” says Guarino. “However, the financial reality proven by this study—that the value of people outstrips that of machines by a considerable distance—must give CEOs pause for thought.”

The ability to lead and manage culture—“so-called ‘soft skills,’ ” says Guarino—will become “critical factors of success for companies in the future of work, as they seek to maximize their value through their people.”

Who knows the organization’s people better than the HR executive? And, if what Guarino says is true, one could look at this study’s findings as a tremendous opportunity for the HR leader to help the CEO see the tremendous worth of human capital, and to help make the organization’s workers an irreplaceable, invaluable part of tomorrow’s workforce.

New Honors for Six Leaders in HR

The National Academy of Human Resources inducted its latest class of fellows Thursday night in New York City, honoring five high-profile HR leaders and scholars at the organization’s annual meeting.

2016 fellows of the National Academy of HR, from left: Benito Cachinero-Sánchez, Mark Huselid, Mirian Graddick-Weir (distinguished fellow), Susan Schmitt, Boris Groysberg, Michael D’Ambrose.

The academy also elevated Mirian Graddick-Weir of Merck & Co. to the rank of distinguished fellow. First named a fellow in 2001, Graddick-Weir earned the latest honor for her record as “a true human-resources superstar,” said William J. Conaty, a former senior vice president of HR at General Electric who himself was named a distinguished fellow in 2007.

Graddick-Weir is executive vice president of human resources at the Kenilworth, N.J.-based pharmaceutical giant, which employs 68,000 people in 90 countries. In 2006, she joined the company from a similar role at AT&T, where she held several posts over a 20-year career. With other honors that include being named Human Resource Executive® magazine’s HR Executive of the Year in 2000, she also holds a Ph.D. in industrial/organizational psychology from Pennsylvania State University.

In thanking members of the academy, Graddick-Weir called on HR leaders to recognize their role not only in helping employees and employers thrive, but in helping society tackle social challenges. Some of those challenges, she noted, are especially evident in the United States this year as the nation prepares to choose a president.

As HR professionals, “we have an incredible opportunity to play a leading role” in helping people grow professionally and succeed economically, Graddick-Weir said. She hailed companies that have invested in education and training, and those that have committed to addressing pay inequities and unconscious bias in hiring and promotion.

“What an exciting time it is to be a chief human resources officer,” Graddick-Weir said. “We have an enormous opportunity to … shape the workplace of the future.”

Also honored at the event, held at the Waldorf Astoria New York, was the academy’s 2016 class of fellows:

  • Benito Cachinero-Sánchez, senior vice president for human resources at E.I. du Pont de Nemours & Co., a global chemical company based in Wilmington, Del. Before joining the firm in 2011, he held leading HR jobs at companies that include Lucent Technologies and Johnson & Johnson.
  • Michael D’Ambrose, senior vice president and CHRO of Archer Daniels Midland Co. He joined the Chicago-based agricultural giant in 2006 after top HR posts with First Data, Citibank and other companies.
  • Boris Groysberg, a professor at the Harvard Business School whose research focuses on management of human capital. He’s the author of three books, including Chasing Stars: The Myth of Talent and the Portability of Performance.
  • Mark Huselid, distinguished professor of workforce analytics at Northeastern University. His research focuses on the interplay of HR management systems, corporate strategy, workforce differentiation and firm performance. He is author or co-author of several books, including The Differentiated Workforce: Transforming Talent into Strategic Impact.
  • Susan Schmitt, senior vice president of human resources at Rockwell Automation. Before joining the Milwaukee, Wis.-based industrial-technology company nearly a decade ago, Schmitt held senior HR roles with Kellogg Co., the Federal Reserve Bank of Chicago and others.

Does Your Firm Support Well-Being?

Did you know employee engagement and employee well-being are two different things? I kind of did, but this research by Limeade and Quantum Workplace (pictured at left) made the differences about as clear as they could be, given the subject matter.

The report, released last week, defines the two thusly:

“Engagement [is] the strength of the emotional connection employees have with their work, team, company and higher purpose. … Well-being [is] a state of optimal health, happiness and purpose.”

OK, different, yes, but clearly very related. In fact, that’s one of the report’s key takeaways: that when employees feel they have higher well-being, they’re more likely to be engaged in their work.

The survey of 1,276 employees across 45 U.S. markets found, more specifically, that 88 percent of employees who cited feelings of “higher well-being” (i.e., access to healthy options, the flexibility and freedom to pursue them and find balance between work and life, and a sense of belonging and value to an organization) also said they feel engaged at work, versus 50 percent for those citing “lower well-being.”

Moreover, 83 percent of those in the “higher” category say they enjoy their work versus 41 percent in the “lower” one, and 84 percent in the higher category say they’re loyal to their teams, versus 54 percent in the lower camp.

So, is all this an intuitive no-brainer? Well, yes and no, according to Dr. Laura Hamill, Limeade’s chief people officer and managing director of the Limeade Institute. As she puts it,

“The connection between well-being and engagement may seem intuitive, but there has been little research that statistically relates the two. These findings confirm the relationship and can serve as the foundation of taking companies from good to great.

“[This] connection is great news. It means that helping disengaged employees isn’t out of an organization’s control [and can actually, by enhancing retention and productivity, lead to] better business results.”

(Here’s another link to the study’s microsite with a cool video for your viewing pleasure.)

Also key to an employee’s feeling of well-being is organizational support, defined in the report as “the resources and nudges an organization intentionally provides to encourage well-being improvement.” More specifically, it says, “this research indicates that organizations should provide the policies, visible manager and leadership support, role modeling, encouragement and norms to fully support [that] improvement.”

(One interesting note: The study found managers to be the primary source of that support, or nonsupport, over and above executive leaders. “Managers,” Hamill told me, “can be the biggest obstacles to well-being improvement because they don’t understand its connection to team success or they are nervous about how to talk with their employees about their well-being. Organizations should educate managers about the impact of well-being on employee engagement — and give them the tools and support to make it a priority.”)

The numbers certainly bear out the importance of this organizational/managerial support. Seventy-two percent of people who felt their employer cared about their well-being also reported having higher organizational support, whereas only 7 percent of employees with lower organizational support reported feeling higher well-being. In other words, as perceptions of organizational support diminish, so do perceptions of well-being. So why is this finding important? According to the report’s authors,

“You’ve heard it before: It’s more expensive to replace an employee than to retain one. A 2015 study [‘The impact of human resource practices on employee retention in the telecom sector,’ published in the International Journal of Economics and Financial Issues] states that costs associated with a person leaving unexpectedly are usually 2.5 times greater than that person’s salary.

“So why not invest those dollars back in the people who already work for you to help retain them? Employees who feel they have higher well-being and who feel they have higher organizational support are more likely to want to stay in an organization — compared to those [in the lower groups].”

In fact, researchers found, about 98 percent of those who feel they have higher well-being and higher organizational support answered favorably to the statement “I would like to be working at this organization one year from now.” That number dropped to about 79 percent for people who feel they have lower well-being and lower organizational support.

Even more impressive in terms of sheer numbers, 99 percent of employees with high well-being and high organizational support recommend their employer as a great place to work.

“Employee engagement is the holy grail for many companies aiming to attract and retain top talent,” says Jason Lauritsen, director of customer success at Quantum Workplace. “[This report] validates this goal … .”

‘HR Lady’s’ Security Breach

I’m imagining you, too, would stop your web browsing for one minute and read an article titled How we tricked your HR lady into giving us access to every customer’s credit card number. I obviously did.

The piece posted by network and security firm Netragard on its website lays out in pretty compelling detail all the steps the company went through to test one of its clients, unbeknownst to the client of course, for its level of vulnerability and/or security through a method it calls penetration testing. For the sake of the anonymity of the large retail corporation being tested, Netragard refers to it as Acme Corp.

What got my attention reading through the piece was just how clever and good hackers have to be, not to mention the companies offering their services to protect them from their covert ways.

Like many a hacker, no doubt, Netragard started out by identifying a job opportunity posted on LinkedIn, in this case for a senior security analyst. Here’s just a small portion of the company’s lengthy description of the ploy:

“Interestingly, the opportunity was not posted on Acme Corp.’s website. When Netragard reviewed the opportunity, it contained a link that redirected Netragard to a job-application portal that contained a resume-builder web form. This form was problematic because it worked against our intention to submit an infected resume to HR. We backtracked and began chatting on LinkedIn with the lady who posted the job opportunity. We told her that the form wasn’t loading for us but that we were interested in applying for the job. Then she asked us if we could email our resume to her directly, and of course we happily obliged.

“Our resume contained a strand of RADON 2.0. RADON is Netragard’s zeroday malware generator, designed specifically with customer well-being and integrity in mind. … Shortly after delivering our infected resume, RADON called home and had successfully infected the desktop belonging to the nice HR lady [who] we chatted with on LinkedIn. Our team covertly took control of her computer and began focusing on privilege escalation.

“RADON was running with the privileges of the HR employee that we infected. We quickly learned that those privileges were limited and would not allow our team to move laterally through the network. To elevate privileges, we impersonated the HR employee [who] we compromised and forwarded our infected resume to an IT security manager. The manager, trusting the source of the resume, opened the resume and was infected.

“In short time, RADON running on the IT security manager’s desktop called home. It was running with the privileges of the IT security manager who also happened to have domain administrative privileges. Our team ran procdump on his desktop to dump the memory of the LSASS process. This is important because the LSASS process contains copies of credentials that can be extracted from a dump. The procdump command is ‘safe’ because it is a Microsoft standard program and does not trigger security alerts. However, the process of extracting passwords from the dump often does trigger alerts. To avoid this, we transferred the dump to our test lab where we could safely run mimikatz to extract the credentials.”

You with me still? The good folks at Netragard then used those credentials to access all three of Acme Corp.’s domains and extract their respective password databases. They then exfiltrated those databases back to their lab and successfully cracked 93 percent of all the current and historical passwords for all employees at Acme Corp.

The total elapsed time between initial point of entry and password database exfiltration was 28 minutes. Let me repeat that: 28 minutes. That’s less than half an hour. And at that point, the company had reached what it calls “an irrevocable foothold” in Acme Corp.’s network. “With that accomplished,” its post says, “it was time to go after our main target,” the cardholder-data environment.

And this, mind you, was a company whose principals had told Netragard that they were highly confident they could withstand any attempted security breach or inadvertent lapse, and that no vendor (or hacker to their knowledge) had ever breached their corporate domain let alone their CDE.

Thank goodness Netragard was simply trying to protect them by revealing their weakness — a “nice lady” sitting in the HR department. Perhaps, on reading this post, you might want to set up some special communications with all the nice folks in your HR organization (?)

As Netragard’s post implores:

“… the differences between compliance and security are vast. In the past decade we’ve seen countless businesses suffer damaging compromises at the hands of malicious hackers. These hackers get in because they test with more talent, more tenacity and more aggression than nearly all of the penetration-testing vendors operating today. For this reason, we can’t stress enough how important it is that businesses select the right vendor and test at realistic threat levels.”

And self-promoting though it may be, I couldn’t resist including its sign-off:

“It is impossible to build effective defenses without first understanding how a real threat will align with your unique risks. At Netragard, we protect you from people like us.”
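For readers on the defending side: the quoted LSASS step relies on a signed Microsoft tool, so a detection has to key on what the tool is pointed at rather than on the binary being malicious. The sketch below is an added example, not code from Netragard or from this post; the event dictionaries are constructed samples that borrow Sysmon field names (process creation, ID 1, and process access, ID 10), and the hosts, paths and empty allowlist are assumptions.

```python
import re

# Constructed events shaped like Sysmon process-creation (ID 1) and
# process-access (ID 10) records; hosts and paths are invented.
SAMPLE_EVENTS = [
    {"id": 1, "host": "HR-PC-01", "Image": r"C:\Program Files\Office\WINWORD.EXE",
     "OriginalFileName": "WinWord.exe", "CommandLine": "WINWORD.EXE /n resume.docx"},
    {"id": 1, "host": "IT-PC-07", "Image": r"C:\Temp\procdump64.exe",
     "OriginalFileName": "procdump", "CommandLine": "procdump64.exe -ma lsass.exe out.dmp"},
    {"id": 1, "host": "IT-PC-07", "Image": r"C:\Users\Public\svchelper.exe",
     "OriginalFileName": "procdump", "CommandLine": "svchelper.exe -ma 612 a.bin"},
    {"id": 1, "host": "DEV-PC-03", "Image": r"C:\Tools\procdump.exe",
     "OriginalFileName": "procdump", "CommandLine": "procdump.exe -e myapp.exe"},
    {"id": 10, "host": "IT-PC-07", "SourceImage": r"C:\Users\Public\svchelper.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"id": 10, "host": "HR-PC-01", "SourceImage": r"C:\ProgramData\AV\agent.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]
LSASS_ARG = re.compile(r"\blsass(\.exe)?\b", re.I)
FULL_DUMP = re.compile(r"(?:^|\s)[-/]ma\b", re.I)
PROCESS_VM_READ = 0x0010   # access right needed to read another process's memory
EXPECTED_READERS = set()   # assumption: site-specific allowlist, lowercase image paths

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def is_procdump(ev):
    # OriginalFileName comes from the PE version resource, so it survives a rename.
    return (basename(ev["Image"]) in ("procdump.exe", "procdump64.exe")
            or ev.get("OriginalFileName", "").lower() == "procdump")

def classify(ev):
    """Return 'high', 'medium' or None for one event."""
    if ev["id"] == 1 and is_procdump(ev):
        if LSASS_ARG.search(ev["CommandLine"]):
            return "high"      # LSASS named on the command line
        if FULL_DUMP.search(ev["CommandLine"]):
            return "medium"    # full dump by PID: resolve the PID before closing
    elif ev["id"] == 10 and basename(ev["TargetImage"]) == "lsass.exe":
        readable = int(ev["GrantedAccess"], 16) & PROCESS_VM_READ
        if readable and ev["SourceImage"].lower() not in EXPECTED_READERS:
            return "high"      # memory-read handle opened on LSASS
    return None

def detect(events):
    return [(ev["host"], ev["id"], sev) for ev in events if (sev := classify(ev))]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

The process-access check is the one that holds up when the tool is renamed and the command line names only a PID, which is why the two event types are evaluated together.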