Category Archives: Work

How I think about retrospectives

Posted on by
Reply

I believe in self-improving systems, and retrospectives are a core way of reflecting and then changing behavior accordingly. There’s a lot out there on what a retrospective is, formats to use, and other techniques, so I’ll just highlight my facilitation thoughts on them here. This is influenced by the CAST handbook and my own facilitation background.

Must be blame-free / a psychologically safe space

People will not open up and be actually present and interrogative if they don’t feel safe. It is your responsibility when setting up, facilitating, and debriefing to make sure the system is what is being critiqued, not the humans within it. The humans made the best possible choice they could given the circumstances they were in, so let’s change the circumstances in the future. Make this explicit early and often. As Charity says on the sticker on my megaphone, “communicate positive intent.”

A picture of a megaphone focused on a sticker in Lisa Frank obnoxiously bright styling, "communicate positive intent." Additional stickers that are visible are the Priceless Baroot, the edge of a pleading taco emoji, and one that seems to ready "...necessarily a crime."

Must be scoped well

If people don’t know what they’re talking about, they won’t talk about the same thing, and getting to concrete outcomes will become nearly impossible. Focus on a specific project, timeline, or outcome. Communicate this early and often.

Should encourage creative thinking

Whatever format you pick should be mildly novel (not so novel that it disrupts how people approach things, but novel enough to edge them out of their comfort zone). Use a different prompt set or a different tool, but rarely both at the same time. Ask more of people to engage and challenge them into someplace new.

Needs to lead to concrete, actionable tweaks

If you don’t arrive at experiments that will change how you’re behaving, you have wasted everyone’s time. I like to set aside about 1/4 of the time of the retro to listing, refining, and then selecting one or two these experiments. I ask the following questions:

  • What will change if we take this action?
  • What would prevent us from making the change?
  • How will we know if we’re successful or not?
  • When should we check back?
  • What is our next step, and who is responsible for it?

I only pick up 1-3 concrete steps to take after each retro. I track them just like any project, and I report back on them before the next retro to show that the time and vulnerability is worth it.

One goal should be building trust with the team

A core part of the system is team trust, and in improving the system, we should be focused on building that part of it. By being blame free, enacting suggestions, and pushing people to engage more, we build that trust. If something about the retro process is eroding trust, pause and reassess your approach.

Historical income

Posted on by
Reply

So I found some of my old tax documents and figured I’d map what the income trajectory has been like for me since I started working at 16. I often held 2-3 jobs at a time before moving into a nonprofit career, before deciding I was tired of the constant stress of paying rent and moved to the private sector.

Chart of income over time, boxed out for what was going on in life at certain points. Boiled-down summary follows in blog post.


Moving to full time work with an undergrad degree 3-4x’d my income.
Moving from jobs to a career tripled it.
Moving to the private sector doubled that again.
Leveling up to senior increased by about 50%.

The job hunt

Posted on by
Reply

So I’ve just signed to start in mid-December as the manager of the AppSec team at a well-known platform. I’m REALLY excited for this for many reasons I’ll get into after I’ve actually started and it feels real. I’m really excited to be able to talk about this part of my life again.

I’ll do a separate post about how I structured my consulting because that’s it own fun setup, but I wanted to take a moment here to talk about how grueling the job hunt is right now and to offer some scaffolding, because being intentional about things is how I stay sane when in a chaotic situation.

This is long because I have a lot to say on keeping track, experiments in approach, and what actually worked this time.

Resources mentioned in here:

  1. Job hunt tracking spreadsheet
  2. Sankey HTML file and associated page/image
  3. Financial burn-down spreadsheet
Continue reading

Dimming my own light

Posted on by
2

I’ve always enjoyed being under the influence. Whether alcohol or more illicit things, I usually have a good time, even when the times aren’t particularly good.

This is absolutely not a “drugs are bad” post. I still enjoy drugs (including alcohol), in the right context. More research is being done on the usefulness of drugs ranging from run-of-the-mill THC to ketamine to hallucinogens. No, this post is about why I used a specific drug to dim my own light (by which I mean “exercising my mind and expecting great things from other people exercising theirs”), where it got me to, and where I’m at now.

Continue reading

Distributed playbook

Posted on by
Reply

While I was at Truss, I helped move us from a dozen people in the Bay Area to nearly a hundred across 20 states. Through monthly meetings to run experiments in improving our practices, we came up with the Distributed Playbook. It’s since changed format enough that I missed the original version, so I’ve ported it over from Github to a page on this blog. It, along with the onboarding guide, are two of the things of which I’m most proud from my time at Truss. Hope they can help you out, too!

Onboarding documentation the most important documentation

Posted on by
Reply

Originally posted on the Truss blog

Most of us rely on documentation in one way or another. In this blog post, we attempt to make the following points:

  1. Most documentation should be treated as if it is onboarding someone to an organization, project, process, etc.
  2. Involving multiple people of different practice areas increases the quality and context of the documentation.
  3. Documentation can help a growing/large organization stay in sync with itself.
  4. Truss’s onboarding documentation is great and you should check it out.

Onboarding documentation is the most important documentation

“Documentation” is the media object (text, video, images, etc) which explains how to do something. Docs can take the form of descriptive policy, READMEs, How-Tos, welcoming, etc. 

Documentation is nearly always worth having, but if you only have time to get one piece of documentation in place, it should be made on the assumption it’s being used to onboard someone to the project, organization, process, etc to which it relates. A person rarely looks at the whole project, organization, process, etc as a whole as that is overwhelming. They instead look for signposts that provide context and support in understanding the system they’re about to interact with. 

When I got started at Truss long long ago in 2017, we had an onboarding manager checklist but no real guidance for the new Trussel outside of that human contact. Ari, who at the time was doing onboarding (and is now an engineer), is an incredibly high-touch, welcoming human. However, if she or another person helping with the process had a more pressing thing to be doing (which was often the case at a suddenly and rapidly growing consultancy), a new Trussel would stall out and be left in a sea of tasks, new tools, and new people, with a sense of “what even do I do?” And when one doesn’t have a clear path forward, one can feel useless, which is not a good feeling when you’re just getting started somewhere and want to prove your worth.

This was because we had documentation about how things worked, but not from the perspective of the person being onboarded to the organization. If we were to get this in place, a new Trussel would feel more welcomed and solid in their footing.

Luckily(?) I compulsively document things. So as I learned about bits and pieces of the organization, I wrote down in one place what others should also expect as they came in. Oh, we do have a document about PTO? Link it up and give a quick summary. We don’t have one on role definition? Could I help make one? I tried to set it up so when something was unclear or incorrect in the docs, a new person would feel safe enough to ask questions and empowered enough to edit the docs when they learned the answer. This generated a surprisingly long document which was complete enough, but also incredibly overwhelming.

Pouring the firehose into drinkable cups

Documentation takes a bunch of different people of different practices to make it good. Sharing the load also makes creating and maintaining the docs a lighter lift and a shared source of truth and object worth maintaining together.

Our document was way too burdensome, so we called on our design content strategists James and Kaleigh, who suggested it be reformatted into phases of onboarding time. Delivery Manager Amy tried this format out first on her project, and then I expanded it into the MilMove project. When it stuck well enough, we did a card sorting exercise for who wanted to know about which parts of our operations, and when it made sense to learn about them. We also started linking out to external documents when a section got too long or convoluted. This allows people to focus on the big picture, and dive in deeper when something is relevant to them. Then we took our honking document and rearranged it and edited it down to a mere 28 pages.

Just as people had started asking to have new policy or reference docs put into the emerging guide, everyone also helped edit for clarity. It became a thing for more folk to reference and make use of. And just as Nelz, Jeri, Andrew (all engineers), and Mallory (designer) have held my hand in multiple ways to migrate the Guide from a Google Doc to GitHub Pages, many other folk have also refined the Guide to make it what it is. Including our general counsel Burstein writing the best damn disclaimer you ever did see and otherwise making sure we’re not just witty but also reasonable legally.

We have all done this in the spirit of being a warm, welcoming place for new Trussels. All those folk named here (and those I have forgotten 💔) have demonstrated our values in order to make it an easier transition for others to also represent those values.

If you are working on onboarding documents, call in help! Ask tenured folk to verify knowledge is represented, newer folk that it’s clear, content specialists to review structure, etc. 

Being able to document something requires understanding it

Growing and large organizations are often accused of “the left hand not knowing what the right is doing.” This has to do with the functions of the different hands not being clear to the other. Enter (you guessed it): onboarding documentation! By describing how different components of a system work, the system itself has opportunities to become more aligned.

One thing that came up time and time again as we worked on the Trussels’ Guide were points of inconsistency or lack of clarity around internal workings. As we grew from 14 to 90 Trussels during the development of the Guide, our processes were also scaling. We became more robust and more formal. But importantly, we always did so with an eye to being comprehensible to an incoming Trussel. Docs shouldn’t only be intelligible in the context of the whole — each should stand on its own in a meaningful way. While most Trussels can’t (and shouldn’t have to) know about every tiny detail of how the business operates, they should be able to look up the details and/or who to ask if they start to care.

As an aside, there’s also this great piece about how you can’t fix a product (or a process) by having good words. The thing you’re describing has to be good, too.

Documenting can surface where things are out of alignment and provide a route to bringing them back into sync with each other. This is important for your organization, project, or process to be functional within the context of itself and the larger systems of which it is part.

A quick how-to

What’s worth documenting? I start documenting when roughly three people ask me the same sort of question. Rather than respond to each separately, I 

  1. try to write it down with the first’s help, 
  2. talk through it with the second, and 
  3. ask the third to try to self-serve with the document created. 

This allows emergent areas of interest, guided by our new Trussels, to determine some of the aspects of the business we next define more clearly. 

We’re proud of how we do things at Truss and want to share them

So now we are ready, dear reader, to show you how we work at Truss and, as importantly, how we talk about how we work. And so I introduce to you the Trussels’ Guide to Truss. In it are the ways we are kind to each other, how the business functions, some of the decisions we’ve made, and how we embed assumptions into our work.

We hope you’ll have a look, take what works for you, leave what doesn’t, and continue to engage in the conversation of how to build great businesses together. Also, if this seems like the place for you, we’re hiring!

A playbook for distributed teams

Posted on by
Reply

Originally posted on the Truss blog

There are a lot of articles coming out these days about how to be an effective distributed employee. But there is much less around on how to be a good distributed team. Truss hired our first distributed employees back in January of 2018, and we’re now at 55% outside our “home state” of California (and many of us are spread across CA). We’re now 75 folk, and there are usually 5 of us in “the office.” As Isaac recently said, “it’s like a coworking space that only Trussels have access to.”

We’ve had to learn a few things in order to keep the organization functioning and aligned with our values. We’ve now codified the steadiest of these lessons in a distributed playbook on GitHub.

A quick note on language, and why we chose “distributed” over “remote.”

“Remote” suggests that there is a central place to which a node is remote. Because we wanted to emphasize that we are all on equal footing, we instead chose “distributed” – there is no “center.” We have collections of Trussels in NYC, Atlanta, Chicago, Sacramento, LA, and SF; as well as individual Trussels in many other locations.

What the playbook holds

We think healthy distributed team interaction falls into four buckets: facilitating interaction, properly resourcing people, bonding with each other, and seeing each other in person on occasion. This includes other things like taking stack, having a place for banter, having offsites, and having ways to connect about not-work. Things we’ve talked about in previous blog posts and will continue to post about (and now will collect into this playbook as we do).

A quick note on internal references in the playbook

We talk in the playbook about TDRs – Truss Decision Records. We pulled these from ADRs (Architectural Decision Records) which we use in our code repos to document why we made certain choices. We do the same for our organization now, and anyone can propose a new decision. We should probably do another blog post on that at some point.

We want your help!

We’re still learning about distributed team interactions—we all are—and we’d love your feedback and contributions to the playbook so we can all learn with each other.

Facilitating distributed All Hands meetings

Posted on by
Reply

Originally posted on the Truss blog

All hands meetings are important – they are a way to spread a message, a way for a team to get to know each other, and a way to move a decision making process forward. They are easy to do wrong—to hear something everyone already knows a thousand times over, to be unclear, or to be a jumbled mess without enough time to accomplish a goal. I’ve run the numbers of how much we pay for an all hands meeting (something I can do with internal salary transparency), and the cost is nothing to laugh at. So why do we have these meetings so often (at Truss, once a week), and how can we make sure we’re getting the most of them?

We see facilitation as the way to get the most out of a meeting like this. I’ll arbitrarily define “meeting facilitation” here as the act of deciding what you want to get out of a gathering, planning for, and then constructing and maintaining a space and flow to optimize for achieving that goal with a group of people. This is different from presentations—which are also useful—as a presentation is about the clear delivering of a message by one or a small group of people to another set of people. It is possible to facilitate a set of presentations, especially if there is Q&A at the end.

Facilitating distributed meetings

As we’ve talked about before, facilitation changes when you have a distributed group. And so as Truss noses up past 70 (and still growing) we’re hitting new facilitation challenges. As our client base grows, and our internal operations change, and fewer Trussels know each other well, what do we want out of our all hands meetings (that we call “Practitioners’,” or “Prac” for short), and how can we be sure we’re achieving those goals?

Skill share

We know we don’t have all the answers at Truss, and so we wanted to have the conversation about how to further improve our practices with a broader group of people. Four Trussels (Sara, MacRae, Isaac, and Willow) were joined by Emily of honeycomb.io, Pam of One Medical, Aaron of CivicActions, Liz of Public Lab, and Mike of an undisclosed media company to skill share. The all hands we facilitate run from groups of a handful to in the 70s. Some of us rotate facilitators, some of us hold that honor for a prolonged period. Some of us are fully remote, some of us are clumped into rooms in different locations.

While you can get into the details by watching the video or reading the notes, our main categories of interest fell into engagement & participation, meeting purpose, and who is remote versus who is in person. We had a few main takeaways that we’ll be cross-pollinating across our organizations.

Facilitation Guild

Having a group of similarly dedicated folk within your organization can help up everyone’s game. Try out experiments together, lean on each other for support, and perform course corrections by having allies to check in with. We try out new things on our project teams and then share them back to the guild, helping the whole organization benefit from gains (and avoid and/or reproduce discovered failures!)

Collaborative decision making

While some of us (including Truss) still use all hands primarily as a way to disseminate information, Aaron of CivicActions and Liz of Public Lab told stories of making decisions as organizations during all hands meetings. This makes my robot heart sing with joy, and the Truss facilitation guild will be looking for ways to start doing this in our projects.

“Hand” in chat

As a group grows larger, it becomes more difficult to track who wants to say something, and in what order. We use the video conferencing software’s chat to raise a hand through text—literally typing “hand”—in order to signal we want to say something. Not only does it help the facilitator keep stack, it also gives time to folks who want to consider what they want to say before they say it

Banter / Side channel

Banter is a great way to keep everyone engaged—I may not want to take up everyone’s attention with the perfect gif in reaction to something that’s just been said, but if I have somewhere to post it, I’m more likely to stay engaged as are the folk looking at and responding to the gif. Using a side channel (so not distracting from the “hand” channel above) means everyone wins.

What’s next?

Huge shout out to all the folk who joined for this facilitation skill share—I’m excited about a lot I get to do, and this was still the highlight of my month thus far. To be able to share skills across organizations is rarer than I’d like in the private sector, and that’s just silly. We all do better when we all do better. I hope we have more reason to collaborate with each other to grow and uplift the spaces we’re in. Is there something you want to learn or share about?

There is a growing body of work around working from home and working from anywhere… as well as the practices individuals take to stay sane and healthy while doing so. But we’re lacking a supporting body of work in how to help groups work together well in this new distributed environment. Truss is beginning to codify our learnings into a distributed playbook, which we’ll share when it’s good enough to face the tumult of the internet. When it’s out, we hope you’ll join us in making it better.

Upping Our Distributed Practices

Posted on by
Reply

Originally posted on the Truss blog

While there are lively debates about whether or not the Future is Distributed, at Truss we’re having a pretty solid time of it. Running online meetings is just the beginning of making sure your distributed team is included, and we’re continually working to improve our distributed practices.

We have a running doc of practices we want to try. Our goal is to fail at least occasionally — it means we’re actually reaching further than our grasp. Here are a handful that we’ve recently tried, and to what result.

  1. Persistent distributed video : quiet failure
  2. Being Humans Together : resounding success
  3. #in-out-status : success
  4. Synchronized cupcake delivery : failed, but worth a re-attempt

Persistent distributed video

One of the things we missed most in becoming fully distributed was the human bonding time we got with our rad coworkers while in the office together. One of our attempts at addressing this has been a standing video link which people can jump into and out of to “cowork” with each other. There’s sometimes some idle chitchat, and then often heads-down working.

It ended up not working for a few reasons:

  • being on it as the same time as other folk is rare;
  • we have a culture of scheduling time to talk about specific subjects rather than hoping it happens organically;
  • the standing video link quickly became “invisible.”

Result : quiet failure

Being Humans Together

Getting distributed folk in a video in a coordinated way to talk about Not Work is now a standing half-hour weekly timeslot. It is some Trussels’ favorite part of the week. We do a couple different formats:

  • if under 9 participants, each person gets 2 minutes to talk about anything at all they want to, so long as it’s not work.
  • if it’s more than 9 participants, a quick checkin happens on how people are feeling, and then breakout groups of 3-4 people each for a deeper dive.

We sometimes have a prompt (“what’s one story about you that you think really represents what you’re like?” or a show-and-tell.

Breakout functionality in video conferencing software has been amazingly useful. So far we’ve done these randomly, but at some point we might try self-selection into these “rooms.”

Result : resounding success

#in-out-status

Has this ever happened to you? You log in on the East Coast after a sick day, and you have no. idea. what is going on with different stories. Did someone delete that blocker, or has it been worked around? And it’s 3 hours before anyone else who might know what’s going on will be online.

We now have a Slack channel called #in-out-status where people give a brief summary of the status of what they were working on before they go out for the day. It’s evolved to be a place where we also flag when we’re in for the day, going to lunch, taking a sick day, etc.

Result : success

Synchronized Cupcake Delivery

The project I manage recently hit a big milestone in October. While it was more of a non-event than our June release, there was still some stress around it, and a celebration was warranted. I set up a 2-hour session — the first hour of which was to catch up with each other (similar to Being Humans Together, but less structured), and a second hour to wander around where each of us is, and post pictures back to the group. The pictures were to put everyone on equal footing, rather than prioritizing office Trussels.

Also, during the first hour, I had lined up (what I thought would be) synchronized treat delivery to people regardless of location, scheduling deliveries for the time of the zone of delivery (IE, deliveries marked for 11:30 PT, 13:30 CT, and 14:30 ET in the interface should all arrive at the same point in time).

It ends up this is not a use case for this particular delivery service.

While all the cupcakes (plus one cookie order and one bundt cake order for some destitute places of the world which don’t have cupcakes available for delivery) for people in my timezone arrived as expected, 2 folk received theirs at the time requested but in MY timezone (hours late), and 2 received theirs hours early (for conversion errors I don’t understand).

download.png

While it didn’t work out this time, everyone felt included and celebrated. Definitely worth trying again at some point.

Result : failed, but worth a re-attempt

When Things Go Wrong: Response and Recovery

Posted on by
Reply

Originally posted on the Truss blog

When building systems with threats in mind, it’s not enough to just plan, not enough to just raise the cost to a bad thing happening — we still have to have an idea of what we’ll do when the bad thing happens despite our best efforts.

Truss modernizes government and scales industry through digital infrastructure. Information which is sensitive to individuals and to the welfare of the organization flows through the pipes we set up. Whether hospital records, the move locations of a military family, or financial data, Truss takes the best care possible in setting up infrastructure which mitigates the likelihood of a breach. We also have a plan for such a breach, in case it happens anyway.

At RightsCon, I moderated the panel The Rules of Cyberwarfare: Connecting a Tradition of Just War, Attribution, and Modern Cyberoffensives with Tarah Wheeler, Tom Cross, and Ari Schwartz. The question was this: if “cyber”* is a fifth arena of war (the existing domains being land, air, water, and space) what is a just response to a cyberattack which follows the international expectation of deescalating?

The panel and audience knew that the responses which are happening now — the assumption of “hack back” against other state adversaries, the use of CFAA against people who might otherwise entertain the thought of being a patriotic hacker — we don’t agree with. The Computer Fraud and Abuse Act (CFAA) is what makes breaking those terms of service that are too long and dense to read fully a federal crime. That’s right, logging into your partner’s bank account after their death in order to pay the house’s electrical bill is a federal crime, and it’s the same law that’s used in most of the “hacker” cases you read about in the news. It’s also the number one reason the infosec professionals I know and love refuse to work with the government. The ACDC bill which allows “hacking back” is an exception to CFAA which means you can attack a computer that’s attacking you. Except of course it’s not that clear-cut.

Which brings in the questions that many folk in the audience had. What about attribution (the ability to know who is taking the action)? This is hard in digital space because it’s easy to attack something from behind someone else’s IP address. What about asymmetry (an imbalance between those in conflict with one another)? Is it ok if one country attacks the other in cyberspace when the other country is just beginning to get online? These are hard problems, but we can’t wait until they are solved to have conversations about responses. If you’re having a hard time moving on without those hard problems being “solved enough” first, you’re not alone – the audience also had a deeply difficult time with it.

But what would be acceptable? If there was a breach of military moving data, do you think it would be responded to differently than the malicious changing medical records? Do you think who the adversary is would matter? Does the immediate or the potential future impact on those involved matter more? Where is the line between war and espionage? We ended the panel with the a comparison to disaster response, so attendees would have a framing to continue the discussion.

Disaster response also focuses on preparedness (stockpiling water for the next Bay Area earthquake), response (digging our neighbors out of the rubble), and mitigation (enforcing building codes which make collapse in an earthquake less likely). We are terrible at recovery. When it’s time to rebuild, the money, attention, and volunteers have dried up. Huge swathes of Far Rockaway (2012) and New Orleans (2005) are still a wreck from hurricanes.

The same is true for online attacks — whether doxxing (the nonconsensual revealing of personal information) or DDoSing (a distributed denial of service attack is when many computers all pester your computer for a response, not allowing it to say anything). We spend so much attention on battening down the password hatches and doing incident response that most don’t think about what being whole again after an attack that might happen anyway looks like. And so much of infosec and government work is about trying to prevent the Bad Thing from ever happening. Plan A is to make a perfect system. But we must own up to Plan A rarely being the plan that works out. Don’t your contracts also have release clauses in them? Planning for worst case isn’t inviting calamity, it’s being pragmatic.

One of our engineers recently said, “I would rather throw away some work than have to be under a too-tight deadline later.” This was said as Plan A seemed less and less likely due to bureaucracy and too many moving parts. But Plans B and C were being procrastinated on by our government protective cover. Why? I see the cost of exploring options in government as high, with extremely limited resources to work with. This means all sorts of fragility and resources wasted putting out fires when Plan A didn’t work exactly as planned. A balance of ownership, accountability, and flexibility would have helped alleviate this difficult situation. Additionally, setting aside resources for recovering from inevitable failure helps the entire system be more robust.

While Truss doesn’t specialize in the actual recovery (there are firms and insurance providers who do focus on response and recovery plans), we know it’s a necessary part of a complete plan, and you should, too. Good luck out there today, and remember to keep in mind what you’ll do if it doesn’t all work out.

* Note that I have a deep visceral reaction to the word “cyber,” but it’s the word that has been thoroughly adopted in this discipline and so it has been used here for the sake of readability. The confusing image for this post is the inoculation to having to use the word.