Collaboratively building a service catalog

As our AppSec team matures, we’re defining our processes and expectations. One of the next things for us to try out is a Service Catalog, where we list what sorts of services we can offer to other teams. Having one is a tool to allow us to plan our work, get better at the work we’ve decided to focus on, and be better partners to engineering. But what should such a catalog look like?

Collecting potential offerings

  1. reviewed the last ten or so requests that came to our team through our various intake portals, and classified the request types, where the work happened, and what the output looked like.
  2. put together a form for my reports to continue tracking incoming requests while I was out for a week (yay taking time away!)
  3. hosted a whiteboarding session to collect all the different services team members wanted to offer.

We then took that pile and voted on it in two ways: items that had a deep security impact, and items we thought we were set up to succeed at. We picked the top 6 and moved them on to the next phase.

Can we handle this?

Wanting to provide a service is one thing. Handling the incoming load is another thing entirely. Luckily, GoFundMe is a pretty transparent company, and I was able to get my hands on the full set of projects Engineering hopes to work on this year, along with what area of focus they’re in (Keep The Lights On, tech debt, new business, etc). For a back-of-the-napkin sketch of commitment load, for each of our offerings we sketched out

  1. How much work it would take us to get into a “refined” spot
  2. How much time we thought we’d spend per instance once in that refined spot
  3. How much coverage we wanted humans to be doing (combination of “most risky 10%” and “automation should handle 30% of this workload for us”)
  4. Which types of projects we thought the offering applied to

I did some spreadsheet magic to generate how much time per sprint we’d end up spending on each of the offerings. In this discussion, we realized one offering was something we wanted to improve our capacity around, but didn’t want to officially offer, since needing it would indicate we had failed to catch something earlier in the lifecycle. Turns out we can handle it, even if we’re wildly successful!

Fitting into the flow

Then it’s a matter of finding the ideal time to offer our services for each of these projects. So we’re setting up automations to detect when a project moves from one phase of our Product Lifecycle to another, so we can proactively reach out.

I’ll also need to shop the catalog around to our partners to be sure we’re offering things that make sense to them and that they see the value in.

Being explicit

We’re now working on being clearer about what each of these offerings means, how to request each one, etc. So far, I think the following are the important bits of information:

  • What it is, and which part of the Product Lifecycle it aligns with
  • What an output looks like and where it lives
  • What to expect (from a human; from AI)
  • How to set yourself up for success
  • Specifics to add to our backlog

Metrics

From all this, we can

  • occasionally track how much time we’re spending on these items
  • measure hit rate of how many projects we covered
  • be intentional about what we’re automating
  • track coverage of security touchpoints across projects and add that to our overall risk assessment

August Joy: Finalizing the Disaster Zine!

Back when I was mildly pregnant in 2021, I figured I would need something to work on while I was on parental leave. While I’ve transitioned my career (and am currently looking for work again), I never really reached resolution about all I had learned in crisis response that hadn’t yet been applied across the field. It’s arguably part of why I left — the field had stagnated and wasn’t adapting to new technologies and practices, and one can only bash their head against that wall for so long. But I knew I had things to teach, and that there are still folks who wanted to learn about it. So I decided to use whatever time I had to put together some guidance, to wrap things up. Did I want to finish the mixed-mode system paper I’d worked on back in my academic days? No, that would be too cumbersome to get published now that I don’t have any affiliations.


Sniff test and teaming up with the formal sector

This is a draft for the zine, worked on with John Crowley. Reminder that we have a Kickstarter up for not quite a month still.

Determining if they’re collaborative

The vast majority of people in the formal sector when I was doing crisis response in 2010-2018 actually wanted to help the frontline population, and had a deep breadth of education and experience in doing so. One of the things about the formal sector is that they’re NOT starting from square one for each crisis. They are also stymied by bureaucracies. Those same bureaucracies also hold them accountable. It’s a mixed bag.

Under Trump, they’ll be changing a lot. See more in the Trends article. This piece is to get a rough sniff test on whether or not someone in the formal sector is trustworthy and whether or not they can actually effect change to assist your efforts.

  • You’ll want to be aware that most folks in the field come from a social work background, and most folks in the command center come from a command and control background. This doesn’t exclude either set from being worth collaborating with, but it will influence their approaches.
  • They should be focused on listening and responding, not telling you what to do or just listening without saying anything.
  • You will spot them speaking to people of different backgrounds at the same time – you’ll see them facilitating a discussion between someone deployed via the military and someone whose house just got blown down.
  • When you embark upon conversation, they’re focused on the actual problem and how to deliver support whether or not you collaborate, rather than getting territorial.

If they’re worth collaborating with

Once you figure out someone CAN be collaborated with, you’ll want to determine if they have enough sway in their org to actually get some things done with you. Start small and work your way up.

  • If they know who to ask and when their next checkpoint with that person is, they are probably effective.
  • If they can deliver on concrete things (including preventing an interruption to your work), it’s a good sign.
  • If they’re just hanging out to be seen or to gather intel, ask them to move on, assertively if need be.
  • If they overpromise and then hype up their role in what’s happening, you’re probably dealing with a problematic person and you should cut ties ASAP, even if they can nominally deliver.

The actual collaboration mechanisms

  • Have multiple people behind one role title and group email/phone number to coordinate with the formal sector. Do not give out a single person’s point of contact or it will be unsustainable for them.
  • They cannot come join you on Discord or wherever because of IT rules about what can and can’t be installed on their devices, so you’ll need to find a way to talk to each other.
  • One-on-one conversations are more likely to get traction for actual collaboration.
  • They may also invite you to their meetings for information sharing, but it’s not the time or place to try to course correct how they operate.
  • If you end up sharing their space with them (you’re invited to their phone calls or meetings), expect things to flow very differently from what you’ve seen in your own community and try to follow their lead.

What to collaborate on after they pass the sniff test

  • Ask what usually goes wrong or what complications you’re about to face.
  • Tell them about pain points to elicit feedback.
  • If you need to talk about risks you’re taking or rules you’re breaking, have answers ready about how you’re mitigating those risks.
  • If you need a large number of “simple” things like blankets, you can usually arrange a pickup point from them to then bring to your distro center to get out into your community.
  • If you have a solid distro system going, offer it as a way to do last mile logistics for their supplies. You may need to integrate with their reporting system, but it may be worth it. They won’t have logistics, access, or intelligence (PII) to do last mile.