Newsletter #3: Blameless Postmortems
I hope you had a wonderful Thanksgiving or a wonderful weekend for my non-US friends.
So, I was thinking about blameless postmortems the other day and how they relate to emotional intelligence. At the end of the day, you want everyone in the room to feel psychological safety. If an engineer leaked a key into a public repo but quickly notified the security team, that quick notification should be rewarded. We shouldn’t add to whatever shame or guilt they already feel.
Afterward, in a postmortem, we can figure out how to help and enable others so we can avoid the same mistake in the future. Consider the alternative: the engineer never reports the incident out of fear of reprisal, and the leaked key stays live.
Security, among other things, grows in large part according to how safe people feel to:
- report a possible phishing incident.
- report something peculiar.
- admit that a security control is going to make their job painful.
- know you are on their side and not just out to get them!
That’s it for now. Sorry for the late email; I had a turkey coma!
Here are some postmortem links I found useful:
View Blameless Postmortems: How to Actually Do Them on Notist.
This article was previously posted in the Newsletter.
If this article was helpful to you, consider subscribing to my weekly newsletter, where I share my latest commentary as a vCISO for high-growth startups.
Check out how we help startups accelerate and level up their security programs through vCISO (CISO As A Service) and DevSecOps As A Service.