Monday, March 27, 2006

Talent market

Recently, I read an article from the McKinsey Quarterly March issue on "Making a market in talent" by Lowell Bryan, Claudia Joyce, and Leigh Weiss. It is especially relevant to the EO grade, which is suffering from the symptom identified in the paper. The solution offered, which could be a suitable model for an improved posting policy, is helpful for improving the career development of EO as well as professionalizing them as experts in resource and system management. But I think its implementation requires great courage, a quality wanting in civil servants.

A common phenomenon mentioned by the authors is that many organizations spend a lot of effort selecting and recruiting high-caliber individuals wherever they are found, but pay too little attention to allocating their internal talent resources effectively. Many frustrated managers search in vain for the right person for a particular job, knowing that one is somewhere in the organization. And many talented people get stuck in a corner, never finding the right experiences and challenges to grow. They may finally leave the organization for greener pastures.

Organizations typically allocate people through personal connections and transactions between individual bosses and individual employees or within small groups. Managers find it difficult to know who among the ranks is the best person for an available position; ditto for talented people who want to know what opportunities exist around and whom they may like to work with. This predicament is a common one because most organizations focus their efforts on helping managers move up the line-management hierarchy and become better general managers. They usually spend less time developing the people who have the talent required for specific expertise in professional areas. The rewards of line management motivate talented people to seek line opportunities over professional ones.

This approach is built from a paternalistic, hierarchical mind-set. Senior managers or human resources departments are expected to create opportunities for the most talented people through formal job rotations. The fact is that such traditional hierarchical models, which "push" resources to where organizations deem them to be needed most, are proving much less efficient in deploying and developing talent.

Taking the approach used in law firms, many professional-services groups and academia, where there are informal talent marketplaces for senior people to find the best junior employees and the best junior employees to choose the most attractive assignments, the authors propose that a formal talent market should be established in large organizations.

To facilitate exchanges, a formal talent marketplace needs "market makers": usually central human resources staff in the case of managers, or staff assigned to help a formal network executive in the case of specialized professional talent. The process begins when all open opportunities are posted on an internal website for a minimum of one or two weeks, with a description summarizing the job requirements. It should also specify the job's location, job band and title, the important characteristics of the person who will fill the role, its educational and experience requirements, and other factors.

The manager of the new position screens applications and chooses a subset of the group to interview. An HR professional helps with the screening and ensures that the manager has a balanced group of candidates. In the end, the manager informs all of them of the decision.

The method, if adopted for EO, represents a significant change from the traditional, top-down, non-transparent process to one that is interactive and transparent, that effectively places the matched person in the right job, and that will earn employee loyalty. The authors draw up a table demonstrating the transition of the change as follows.



Self-directed, talented people benefit considerably from such a market: the more talented they are, the greater the demand for their services and the better their opportunities will be. Highly talented people are less likely to be blocked by less talented bosses taking credit for their work. Better opportunities also ensure that job experiences challenge these employees, who in the process develop more quickly. At the same time, senior people who are pursuing important opportunities will have a greater pool of talent to draw upon, with a more diverse range of skills to tap. People who acquire reputations for developing talent will have a greater likelihood of attracting more and better job applicants, while "people eaters" will have trouble. But the real beneficiary is the organization, which wins by getting far better matches between its job opportunities and its most talented people and by gaining far greater transparency into shortages and excess supplies of talent.

Projecting the approach to the EO grade, we should ask those waiting for a posting what is their state of mind. Some desire certain jobs, but they are either too afraid to ask, or asked but to no avail. We should also ask those supervisors waiting for a post in the office to be filled. They may wish to have a good subordinate, but are at the mercy of the grade management. A talent marketplace may be the solution.

Thursday, March 23, 2006

IPCC incident 2

The press report below is a good reference summing up the responses of various sectors on the IPCC incident. It is the usual way the Hong Kong press handles such materials, i.e. putting everything in the wok and producing a dish of chop-suey without analyzing and assessing the practicability and feasibility of the views.

One thing may be true, that despite the guidelines on IT security and the requirement of IT security audit, all of them could land on the soft belly of the bureaucracy and vanish. There could be an interdepartmental working group (a very familiar move for any crisis), detailed instructions, consultancy, but the deed is usually considered done after these preceding measures. The most important part, compliance, could just be ignored. IT security awareness could just be the awareness of following the rules superficially and engaging in surveys and audits. The awareness of the actual security of data is still far away. I think general education as well as the development of IT management professionals is the solution.

There are also views on strengthening the power of the enforcement agencies on monitoring, and also revising the PDPO to give more power to PCO on restricting the "illegal" flow of personal data. This is a dangerous sword with two sharp edges. Public opinion is always swinging. Whenever there is an incident of data leakage, we ask for more control; but when there is a data embargo on any scandal, we ask for less control. A balance is hard to find. For the present case, some clever persons may use it for empire building.

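Hong Kong Economic Journal (《信報財經新聞》), 20 March 2006
The leak of the personal data of complainants and of those complained against held by the Independent Police Complaints Council (IPCC), together with the appearance on the Internet of customers' personal data from certain commercial organisations, has exposed the improper handling of network information security by the Government and private organisations, as well as the inadequacy of the law enforcement agencies and the privacy legislation, and has sounded the alarm on information security for all sectors in Hong Kong. When the incident first came to light, the media and the public kept asking how the information that had flowed onto the Internet could be deleted. The answer is of course simple, and there is only one: it cannot be done. At present, apart from pursuing responsibility, all sectors should concentrate their efforts on studying how to prevent similar incidents from happening again.

This IPCC data leak is almost a perfect negative example. The work the IPCC commissioned from the service provider should have been an ordinary data format conversion. The first mistake made in the whole process was that real data should not have been given to the contractor; simulated data should have been used instead. Even if it was necessary to provide real data for reference, the data should not have been allowed to leave the organisation's premises. Moreover, the IPCC appears not to have adequately instructed the service provider about the confidentiality of the database. The service provider also made multiple mistakes. First, they should have been alert to any files involving personal data: they should not have casually subcontracted the work further or allowed staff to take the work home, nor should they have made unnecessary copies of the files, still less placed them on a server connected to the public Internet. As for the talk of uploading requiring a password while downloading did not, that is hindsight; it should never have come to that in the first place. Finally, failing to delete the data after the work was completed compounded the error.

However, there are internationally recognised standards for the proper handling of information security, such as BS7799 and ISO27001. The Office of the Government Chief Information Officer, which is responsible for coordinating government information technology, is close to the details of these technologies and security measures but has no authority or responsibility to carry out reviews and audits of government departments. People in the industry are also well aware that some government departments, after being audited by outside consultants, do not necessarily follow the consultants' recommendations.

Therefore, the Government needs to set up an interdepartmental working group immediately, coordinated by the Office of the Government Chief Information Officer or even led at a higher level, to require all government departments and subvented organisations to comply, to comprehensively re-examine and audit the performance of each department and organisation, and to draw up and implement all improvement measures. The work should be completed within six months or a reasonable period and announced to the public, so as to restore public confidence in the way government bodies handle citizens' privacy and, at the same time, to set an example for private organisations. In addition, the IT industry should work with the Government to draw up an information security code for outsourcing work in the industry, promote it to public and private organisations and enterprises inside and outside the industry, and ask them to adopt and follow it.

Furthermore, up to now the Police, the Office of the Privacy Commissioner and the IPCC have still not told the public that they have allocated sufficient resources for online monitoring. Even with reports that the data files continue to be distributed online through BT and other means, the law enforcement agencies have not said they will crack down hard, nor have they proactively searched online for data that may have leaked from any public or private organisation in order to prevent further harm to the public. By contrast, the authorities have been able to mount high-profile, round-the-clock monitoring operations against illegal online downloading of audio and video, which infringes private property rights. Yet the IPCC data leak alone involves more than 20,000 victims, and its impact on citizens and society is more pressing; but the Government has not adopted the same monitoring measures it uses against piracy, which raises doubts about the criteria for allocating enforcement resources.

The incident also fully reflects the inadequacies of the existing Personal Data (Privacy) Ordinance. Although affected citizens have the right to seek compensation through civil action, given the special and sensitive nature of the IPCC the vast majority of victims will not be willing to "step forward" and reveal their identity. Hong Kong law does not allow class actions either, and even the Privacy Commissioner cannot bring a criminal prosecution directly, because the law only allows him to ask the justice department to decide whether to prosecute after he has first issued an enforcement notice requiring the data user to make improvements and that has failed to produce results. In other words, apart from serving as a basis for some guidelines, the existing law's actual capacity for legal redress is as good as none. A review of the privacy ordinance therefore brooks no delay.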

Tuesday, March 14, 2006

IPCC incident

This is a very unfortunate incident, especially when it happened in IPCC, which is a department almost exclusively staffed by EO. Please see the latest press report below. Barring any intentional malicious act by persons with proper authorization for data access, which is something no IT security system could prevent, the data leakage seems to stem from negligence, or ignorance of or indifference to data security. Basically, this has nothing to do with IT. If you need to contract out the counting of money, or the re-indexing of many personnel files, would you let the contractor take them away to sort them out? Electronic data are of equal importance.

I think many colleagues have had similar experience from the recent exercise of the eLeave project. Many departments contracted out the project, which involved the conversion of personal bio-data as well as old leave records. These small IT projects belong to HR managers and are mostly handled by EO. I understand that all conversion work was conducted within the premises of the departments using office PCs and LAN. Grateful if colleagues would share their experience. Are there any eLeave systems using OGCIO's hosting service, which has just been contracted out as well?

This case is a strong illustration that IT management has become an essential management field, which is closely integrated into everyday management work. In all smaller departments or offices, managers (aka EO) are the de facto persons responsible for the management of IT systems, which are part of all office systems. For large IT systems, the management aspect is so complex that professionals in resource and system management (aka EO) are required. It is so obvious that the EO grade needs to be prepared, at a very early stage, for the provision of such professional managerial service.

There is some IT training for EO, mainly on the use of office tools like MS Office, network admin, database admin, system development, etc. While all these are useful for IT awareness, I think more advanced topics on IT management are required. Word/Excel/LAN admin are actually clerical work. While managers need to know what they are, there is no need for intensive training. It is like training EO to type or to index files. Instead, we should make reference to the topics taught in university IT management courses, like IT security, IT project management, data privacy law, contract management, etc.

The most essential move, which is the responsibility of grade management, is to promote IT management as a professional stream of EO work. Strategic steps should be in place to identify, develop and properly create a career for IT management professionals within the grade. There is no need to worry about the fast-developing technology, which can be obtained from the market. Just like any other management stream, managers need to keep abreast of the general development in their field. Such general information is readily available from newspapers and journals. When managers are in posts with good recognition and prospects, they will seek out such general information as part of the job and equip themselves properly.


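[Ming Pao] An expert panel of the IPCC found after a thorough investigation that the personal data of about 20,000 citizens who had complained against the police, including names, addresses and identity card numbers, had in fact begun leaking as early as 2004 and had circulated on the Internet for as long as 3 years. The investigation panel attributed responsibility to the outsourced contractor, saying that the IPCC had at the time handed a CD containing the database to the contractor for "conversion", and that the contractor, for convenience, uploaded the data to a server, resulting in the leak.

IPCC Chairman Wong Fook-hum (黃福鑫) announced the findings of the investigation yesterday. Wong said the leak of the complaint data arose because, in 2004, the police Complaints Against Police Office passed the complaint data to the IPCC on CD, but the IPCC's computer system was then running Windows 98, which differed from the Complaints Against Police Office's system, so an outside contractor was needed for format conversion. The contractor, for convenience, placed the data on an FTP server but did not set a download password.

In handling the personal data, the IPCC also did not consult the Office of the Privacy Commissioner. The IPCC admitted that the data had leaked and circulated online for as long as 3 years, involving cases from 1996 to 2004, of which 7 complaints are still under investigation; the council believes the investigations will not be affected by this incident.

In addition, the IPCC is extremely concerned about misuse of the leaked data, stressing that using the data without the consent of the persons concerned is a breach of the law and may lead to a warning and prosecution. The IPCC has appointed computer professionals to trace the records of those who accessed and downloaded the data over the past 3 years.

As to whether the incident involved human negligence, Wong said he believed there would be a "public verdict". The Executive Officer responsible for handling the data has voluntarily applied for leave since Saturday. As the incident occurred in 2004, Wong admitted that he had not yet become chairman at the time; what cannot be denied is that the incident poses a severe test of the IPCC's credibility.

Wong said the IPCC will set up a subcommittee to contact affected citizens who seek help and to provide assistance. In addition, it will immediately carry out a series of measures, including upgrading the computer system and tightening the rules on access rights to complaint data.

Roy Ko (古煒德), manager of the Hong Kong Computer Emergency Response Team Coordination Centre, said the contractor bears considerable responsibility for the incident. He said the contractor need only have designed a conversion program for the IPCC, and the IPCC could then have carried out the conversion itself, without letting anyone else touch important data. He suspected that the contractor might not have had sufficient experience; in addition, the IPCC should have considered the contractor's reliability when selecting it.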

Monday, March 13, 2006

Frankenstein and Sisyphus

There is another sci-fi movie mentioned in Mark Rowlands' book. It is an old movie on Frankenstein, which was re-made many times. The author draws reference to Frankenstein's monster to the philosophy of the meaning of life.

There are many different lines of argument in the book on the topic, revolving around the absurdity of the views of ourselves from the inside and the outside; views that are incompatible with each other. Frankenstein's monster, from the outside, had a second-hand body, pieced together from body parts found elsewhere, and from those, he had some innate abilities such as playing the flute. He was placed in a hostile and uncaring environment because of his look on the outside, while on the inside he was by no means a violent creature.

While the monster was assembled from larger body parts, the atoms and molecules from which we are constructed have also been around much longer than we have, and are put together according to some physical design principles. The monster had a disturbed designer, Dr Frankenstein, but we are also put together according to a design template provided by the genes of our parents. We could find ourselves, just like the monster, being created by forces and people over which we have no control, and of which we have little real understanding. And then, when we have been produced, we find ourselves just like the monster, cast adrift in an alternately forgiving and hostile world, an environment over which we have little control. Our parents, our teachers, our co-workers, our friends, our partners, slap us around. We are a product of these people, or metaphorically, stitched together by them.

As for our life, the author refers to the Myth of Sisyphus by Albert Camus (卡繆 1913-1960). It has nothing to do with Frankenstein's monster. Sisyphus is a character from Greek mythology. The gods had condemned Sisyphus to ceaselessly rolling a stone to the top of a mountain, whence the stone would fall back of its own weight and Sisyphus would roll it uphill again. It was thought that there should be no more dreadful punishment than such never-ending labour.

Camus discussed the real horror of this punishment. The way the myth was usually perceived emphasized the hardship of the labour. The stone was typically described as massive like this sketch. But what if the gods did not create the stone as large as that; or what if Sisyphus was a very strong man capable of moving a large stone with ease? Did that make the punishment easy to bear? Not quite: the punishment was actually the performance of a repetitive and boring task day after day. But again, what if Sisyphus had a taste and desire for rolling stones; that he loved the sense of achievement when the stone reached the top of the mountain, and that he would happily do it again the next day to enjoy the success, and every day thereafter? Would that make the punishment lose its punitive power? The gods were clever. The punishment for Sisyphus was actually the futility of the work, not its difficulty nor boredom. The true horror of the punishment was that the task aimed at nothing, and that it was empty.

When we go to work every day, or school, or care about family, or anything that pleases us, we have a purpose. These things may or may not be difficult, and we may enjoy doing them; but we need to do them anyway. In a few decades, our descendants will continue with all we do, and their descendants as well. From the inside, we find the significance and purpose of what we do. But the outside view is that there is no significance in our actions because we are only producing others who can perform the same action. In a way, it is Sisyphus' task.

In a sense, we are all like Frankenstein's monster. We cannot make sense of ourselves and we cannot reconcile the significance, meaning and purpose that we find on the inside with the gaze of eternity on the outside. The problem of the meaning of life is still recognised by the philosophers.

Monday, March 6, 2006

Philosopher at the end of the universe

Just finished reading the book The Philosopher at the End of the Universe by Mark Rowlands. The feature of the book is that it uses many sci-fi movies to elaborate on the various theories of philosophy, making the dry subjects much more interesting to read. The author said that the book is equivalent to a university year one course on philosophy. I did not study philosophy in college. So comments from those who know better are welcome. The theories discussed include the meaning of life, reality, identity, free will and morality. Each topic has one or two chapters and relates to a movie. I think I need to put down notes on them separately.

One of the topics I like is on reality. The author refers this to the movies Matrix trilogy where the perceived reality was actually a virtual world projected by a computer with intelligence to the minds of captive men. It is not simply a case of virtual reality. A normal human in the movie spent the entire life in the world falsely created for him and never knew anything else, so to him it was the real world. There was a paradox in that Keanu Reeves was Mr Anderson in the virtual world, but he was also Neo who fought kung fu in the virtual world. In the last episode, we saw Agent Smith transformed into a person in the "real" world. This called into question which is the real and which is the virtual world.

The concept was not created by the Wachowski brothers. I recall seeing several movies deploying the same concept. There is eXistenZ, where players entered a virtual reality game. There is also The Thirteenth Floor, where a laboratory residing there worked on virtual reality so real that a murder was committed inside the virtual world; it then turned out that the laboratory was actually a virtual reality created by another group of supreme scientists.

The concept of reality, or the lack of it, dated back to 300 BC from the Greek philosopher Pyrrho, who said that it was impossible for humans to know things in their own nature. We also know well the story of Chuang Tzu at about the same time (300 BC) on the dream of the butterfly (莊子齊物論:莊周夢蝶), where he questioned whether the butterfly was the dream of Chuang Tzu, or Chuang Tzu was the dream of the butterfly.

The thought was made famous by Rene Descartes of the seventeenth century (笛卡兒 1596-1650). He proposed that it is possible what we call the world does not really exist; that it is merely a dream. Descartes hypothesized that the world could be ruled by an evil demon who is very powerful and decides to deceive all mankind for fun. All we perceive through our senses are only what the evil demon makes us believe. In fact, nothing of what we believe is true. Indeed there is no world as such, as every feature of the world is supplied by the demon in trickery. Descartes was arguing for the theory of scepticism, which is a view that we cannot have any real knowledge. We may think there is a world around us, but we really don't know it at all; we merely believe it very strongly.

However, this is not the goal of Descartes' argument. Having proposed the possibility that we could be tricked in all our senses, he went on to state that there is only one thing we could be absolutely sure of: our existence, so that we are able to be sceptical; thus the famous expression Cogito, ergo sum, or in English, I think, therefore I am. The author specifically clarified that "it does not mean anything silly like we exist only as long as we think". The main point is: we can think of the possibility that the world is not real, but we cannot think that we do not exist, the reason being we must exist to do the thinking. Or, doubting our existence automatically guarantees our existence, because otherwise we could not be around to do the doubting. No matter how much the evil demon tries to deceive us, unless we exist he cannot be deceiving us. The conclusion drawn by Descartes is one on dualism, that the body and the soul are two different entities.

But the dust has not settled and there are problems with the claim that I think, therefore I am. The nineteenth century philosopher Friedrich Nietzsche (尼采 1844-1900) identified the problem. He proposed that the existence of self could just be a collection of thoughts, and some of the thoughts were thoughts to the effect that these thoughts belong to a certain person. But there need be no person at all. All that is needed is the thought that all these thoughts belong to the same person. Nietzsche argued that all we can really be certain of is that there are thoughts; we cannot be certain of the existence of the person to whom the thoughts belong. This point was made earlier by another philosopher, David Hume (休謨 1711-1776), that when we look in on ourselves, all we find are various mental states, i.e. thoughts, beliefs, desires, feelings, emotions, but we do not come across any self or person who has these mental states. So there is still a possibility that our self and the world we sense do not really exist. We are just made to believe by the evil demon of Descartes, or we are actually in the Matrix.

The author quoted a scene where Neo met the turbaned boy engaging in spoon-bending action. Boy: Try not to bend the spoon, for that is impossible. Instead, try to realize the truth. Neo: What is that? Boy: That there is no spoon. Then instead of bending the spoon, you see that what is really bending is yourself.

Spoon-bending with the mind is a phenomenon reported many times in our world. So are we living in a real world and can we realize the truth? Philosophers stop short of providing an answer.

Friday, March 3, 2006

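Flower Show 2006

This year's flower show is being held at Victoria Park from 3 to 12 March. A friend of mine is an exhibitor; the day before the opening, he and I toured the show and took photos. The weather that day was good; although it was a little cold, it was sunny, which made for ideal conditions for photography. The photos have been uploaded; if you are interested in having a look, please click the photo below.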