Blameless Postmortems

Hope you had a wonderful Thanksgiving or a wonderful weekend for my non-US friends. So I was thinking about blameless postmortems the other day and how it relates to emotional intelligence. At the end of the day, you want everyone in the room to feel psychological safety. If an engineer leaked a key out into a public repo, but quickly notified the security team, the quick notification should be rewarded and we shouldn't be adding any more shame or guilt than they already have. Afterwards in a postmortem we can figure out how to help and enable others so we can avoid this in the future. Consider the engineer that didn't report such an incident due to fear of reprisal. Security (among other things) grows in large part to how safe people feel:

• Safe to report a possible phishing incident.

• Safe to report something peculiar.

• Safe to admit that a security control is going to make their job painful.

• Safe to know you are on their side and not just out to get them!

That's it for now. Sorry for the late email, had Turkey coma!

Here are some postmortem links I found useful: https://speaking.mattstratton.com/jLwszn https://medium.com/hootsuite-engineering/5-whys-how-we-conduct-blameless-post-mortems-after-something-goes-wrong-a47687baeacc https://www.slideshare.net/danmil30/how-to-run-a-5-whys-with-humans-not-robots/6-This_Emotional_Experience_Can_Not If you liked this email, forward it to a friend! I'd appreciate it.