Hey, this is Jennifer Tribe and you’re listening to Frankly IT, episode 79.

Doing more with less is a recurring theme in IT. Whether you’re a small team looking to punch above your weight or a larger team looking to crank up productivity, finding ways to get manual tasks off your plate is critical. You will never have time for the really high value strategic stuff if you’re constantly stuck in the weeds with repetitive tasks.

Today I’m talking to Tiffany Ricks, founder and CEO of a cybersecurity company called Hacware. Tiffany is a serial entrepreneur who has owned several tech startups, and has built software for the likes of the US Air Force and L3 Technologies. Last year, she was named a Top 50 innovator by Dallas Innovates and was a finalist on the 2021 Innovator in Cybersecurity list from DMagazine. Along the way, she’s had to be resourceful and savvy about how she spends her time.

Which brings us to today’s topic: automating IT tasks with scripts. Finding ways to free up your time and your team’s time, and eliminating human error, by giving the work to machines. We dig into what to automate, how to find the right solution for automating, and ways to evaluate open-source tools.

Let’s go.

Listen here


Interview With Tiffany Ricks, CEO, Hacware

Tiffany Ricks, CEO, Hacware
Tiffany Ricks, Hacware

Jennifer: Welcome to the show, Tiffany.

Tiffany: Hi, thank you, Jennifer, for having me.

Jennifer: You are the founder and the head of a small software development team called Hacware. And I know this is a really small team. You said six people, four engineers, and yet you’re a very productive team. So tell us, what’s the secret to your team’s productivity?

Tiffany: Yeah, great question. We’re a small cybersecurity tech startup, and yep we’re a small team, so what makes us productive is we really have to focus on—it sounds cliche, but communication is key. And I like to say for us, we have to be sometimes brutally honest, because there’s a lot of times in the IT world, in the tech world we have these thoughts that we can get things done faster than we can. We can take on more than we can. And oftentimes that is not the case. So for us, open communication is good. It helps us to move faster.

Tiffany: But we also are a strong believer in automating a lot of tasks for us. And so with our small team, we’re able to provide our technology to companies throughout the United States and abroad. And it’s because we’re able to leverage automating various tasks. But you really have to be very communicative. You have to be able to give up control. And you also have to be willing to try new things to really have your small organization do great things with just a small amount of resources.

Jennifer: We’re going to dig into the automation piece today, but it sounds like there’s also another layer on top of that, as you said, communication and also being really realistic about what your capacity is and what you can commit to in any given time.

Tiffany: That’s key. That is key. I mean, that’s one of the things that we look at from the very beginning, like, can this person communicate with us effectively? Can they be honest about what they’ve done and what they can do? And can they be confident enough to communicate the hard things, like if things aren’t going well and they’re spinning their wheels and they can’t figure something out, can they tell us that something isn’t working? And can they tell the leadership? Can they tell the leadership that something isn’t working? So communication is key. For us, it’s about giving everyone the confidence to be able to speak their truth. And we really want to listen and learn from each other. So, like, that layer is very important.

Jennifer: That’s part of the leadership role, right. Is to make that safe space for people to be able to put up their hand and say, hey, I’m struggling with this. This is harder than I thought it would be or it’s not going the way I thought it would be. And I need some help or I need some ideas about how to do this differently.

Tiffany: That’s it. That’s the leadership. It’s the leadership. They set the tone and they’re the one that creates that environment where people feel comfortable enough to communicate. And oftentimes what I do with my team is the way I try to highlight and make them feel comfortable is every day we’re setting up parts of our meeting or our time that we communicate. We’re setting aside time for them to communicate those hard things. I want to hear those hard things. And when I do hear a hard thing, it’s all about how you respond. And I have to keep in mind the way I respond could dictate whether someone else will communicate something hard in the future. So it really starts with the leadership on creating this environment and this culture of communication and explaining why. Why are we doing these things? Why is productivity important? What’s the bigger vision here? And so I think that’s it’s all leadership’s role in making that space safe for people.

Jennifer: Now, you mentioned that Hacware does automate a lot of things that they do, so what are some of the things that your team automates right now?

Tiffany: We automate quite a few things. We look at delivery scripts. We push out a lot of updates to our software daily, so it’s delivery scripts. We’re managing our site availability, configuration management, performance metrics. When we talk about productivity, we use a product management tool. And if there’s a ticket that’s been open for some time, we automate sending a notification to the person that it’s assigned to asking them what’s the status on this? Is the status correct? And this will allow them to go into the tool and update the status on the ticket. So it’s not the leadership having to go in and micromanage and look after everyone. We try to use automation and scripting to see how we’re doing on certain things, making sure that our product is up to date on certain security scans. We’re looking to see what’s new and what’s available. Containerization. There’s a lot, we really have to leverage our scripting to improve our performance and free us up to do other things that we need to better provide our product to the masses.

Jennifer: As a new team, how did you decide that you would automate those things versus some of the other things in your business?

Tiffany: So it really comes down to three criteria that I use to evaluate if we should automate something. Is there something that I need to see that I can’t see or is there something that I keep asking for, that I need to see. And it’s just a repetitive thing. So let’s create a script that’s going to automatically pull this information so I can see it or someone can see this as often as they need it to be. So the first thing is increasing visibility of something.

Tiffany: The second thing is productivity. We’re always trying to look for ways to eliminate those repetitive, mundane tasks and so trying to think of things that we do repetitively that could potentially be put into some sort of script or bot that we can potentially use. And then the third thing is consistency. This is probably what I would weight the most important thing of why we would automate something is I want to provide consistency and I want this thing to be available all the time. And so that typically goes into outward-facing things. Like with product deployments or site availability things, that really is in line with what our customers see. And so we create scripts to create that consistency.

Tiffany: So we look at three things—visibility, productivity and consistency—to determine what we should automate. Then I take it a step further and I sort of take like an 80 20 rule on if we should move forward with automating this or continue with this manual process. So if it’s going to reduce 80 percent of our time doing certain things or is it 80 percent better than what we’re already doing?

Jennifer: So if you’re a brand new team or your team that doesn’t do a lot of scripting and automation right now, you’d sort of use these criteria to evaluate a number of processes and then you’d have this big list and then you’d use that that second factor about what’s the payoff versus the effort involved to decide which of them to do first. Is that right?

Tiffany: Yep, that’s it. I think it always starts with what’s the problem that we’re facing? Is this something that is a repetitive thing that we are doing daily? And does it fit within our top three criteria for automating it? Is this problem something that if we just increase the visibility of it, then we can better determine what the next steps could be. Let’s create a script where we can understand this problem and visually see it where we all can understand what’s the next steps. Or is this problem we’re not moving efficiently. And we need to get rid of this thing so we can do something else. Let’s create a script or find something that can help us automate that to improve our productivity.

Tiffany: Then the third thing is, if it’s not consistent or if it’s not available, could it cause us to lose trust with our clients or lose revenue, and then, yes, we need to try to figure out a way to automate that so that problem doesn’t prevent us from reaching our goals. So it really just starts from a problem, seeing how we can evaluate it based on our criteria. And then from there, yeah, determining what you said before, is this something that we really need to automate or can we continue to do this thing manually for some reason.

Jennifer: Once you’ve decided what you want to automate, there’s then the question of how you’re going to do it, and we could talk about whether you outsource scripting or whether you do it in-house. But there’s probably also a third option, which is maybe buy a piece of software like off the shelf software that sort of fills that gap. So how do you decide which of those options is right for your team?

Tiffany: You’re right, there’s three categories, but it really comes down to again, the 80 20 rule. So does this open source solution or this product meet 80 percent of our needs and 20 percent of the time, do we need to customize it? If this thing hits 80 percent of our needs and we don’t have to spend the time of building this thing up from the ground, then most likely we’re going to go with that solution. We’re going to go with the open source solution or the off the shelf thing.

Tiffany: The other thing we look at is now you have to treat open source and off the shelf the same way. You have to look in and do your research to determine, OK, if it does say that it meets 80 percent of our needs, now, we need to go and do our due diligence to see what the community is saying. And so we’ll review Reddit to see what others have said about the product or the script. We’ll most likely reach out to some other individuals in our network to see if they heard anything about it. If they have the code on some sort of open source forum, we’ll see when was it last updated. We really want to see when was the last time the software was updated or when did they last release this. If it was two years ago, I’m not sure if it’s really, from a security standpoint, going to be something we want to try. We may want to go ahead and build this thing in-house. So we sort of look at those factors. Does it meet 80 percent of our needs? What is the community saying? And then from a security standpoint, when was this thing last released and updated.

Jennifer: You mentioned, when was the software last updated as one sort of marker. Are there other flags that you should be looking for when you’re evaluating open source tools to figure out whether they’re secure and reliable enough for you?

Tiffany: Yes, we go to sources that we trust. So we’ll look on various Department of Defense sites like we’ll look OWASP. We will read blogs from trusted sources and then from there will determine if we want to pursue this software a little bit further. The other thing is that a lot of these open source tools, they have the capability to audit them, so you can run a little command to audit that component and then you can look and see how many of their vulnerabilities are considered high, low or critical. Then you have to evaluate based on the findings that you see, if this is something that you could potentially fix, again, that goes back to like the 20 percent, if it’s 20 percent things that don’t fit your requirements or your security comfort level, can you fix those things?

Jennifer: Tell us more about that audit function.

Tiffany: A lot of these open source scripts, they have a parameter on it to audit it. If it doesn’t, then I would be concerned. But a lot of modern open source products have an audit feature and you can see all of their high vulnerabilities, the critical vulnerabilities. And they’re typically in line with what you would find if you did a NIST scan and you were scanning these software components using the software that’s provided from the Department of Defense. So they use that same technology to audit it.

Tiffany: You can look at one module or one script and use the audit command on that and it’ll tell you its vulnerabilities. And the last time that it was patched and then you can take it a step further and it’ll link to their security page, where it’ll show you all of the known issues, all of the issues that have been resolved and when they were resolved. It’ll give you a deep dive on all of that.

Jennifer: From a Hacware perspective, where have you landed in the split between pulling in open source tools and scripting things yourself?

Tiffany: We love open source software and we contribute a lot to the open source community. We have a GitHub page where we provide scripts and monitoring tools for free because we’ve leveraged and we’ve used some of that same stuff to help us automate our internal processes. So I would say when we think about internal automation, it’s probably around 60 percent of our scripts are open source. And then we will build the 40 percent in-house. And then, yeah, we provide a lot of open source technology out there to give back to the community.

Jennifer: That’s awesome. We’ll put a link to your GitHub page in the show notes so people can check that out.

Tiffany: Awesome. Yeah. We use a lot of python scripting, power shell scripting. And been a great way for us to increase our productivity, visibility and staying consistent by meeting our customers needs.

Jennifer: Excellent, thank you so much for joining us today, Tiffany.

Tiffany: Thank you so much, Jennifer.

Listen here

Like what you hear? Listen and subscribe.