Inspire, develop, and guide a winning organization.
Create visible workflows to achieve well-architected software.
Understand and use meaningful data to measure success.
Integrate and automate quality, security, and compliance into daily work.
Understand the unique values and behaviors of a successful organization.
Explore our extensive library of experience reports.
An on-demand learning experience from the people who brought you The Phoenix Project, Team Topologies, Accelerate, and more.
Learn how making work visible, value stream management, and flow metrics can affect change in your organization.
Clarify team interactions for fast flow using simple sense-making approaches and tools.
Multiple award-winning CTO, researcher, and bestselling author Gene Kim hosts enterprise technology and business leaders.
In the first part of this two-part episode of The Idealcast, Gene Kim speaks with Dr. Ron Westrum, Emeritus Professor of Sociology at Eastern Michigan University.
In the first episode of Season 2 of The Idealcast, Gene Kim speaks with Admiral John Richardson, who served as Chief of Naval Operations for four years.
Weekly discussion around “Deming’s Journey to Profound Knowledge” with author John Willis.
VIRTUAL — Helping leaders succeed and organizations thrive (formerly DevOps Enterprise Summit).
Venue: Fontainebleau — Helping leaders succeed and organizations thrive (formerly DevOps Enterprise Summit).
DevOps best practices, case studies, organizational change, ways of working, and the latest thinking affecting business and technology leadership.
Is slowify a real word?
Could right fit help talent discover more meaning and satisfaction at work and help companies find lost productivity?
The values and philosophies that frame the processes, procedures, and practices of DevOps.
This post presents the four key metrics to measure software delivery performance.
October 6, 2022
This post has been adapted from the 2022 DevOps Enterprise Forum guidance paper Responding to Novel Security Vulnerabilities by Randy Shoup, Tapabrata Pal, Michael Nygard, Chris Hill, and Dominica DeGrandis.
In our last post, we looked at the organizational response to novel vulnerabilities. Now let’s turn to the human response.
All technology organizations experience regular interactions between social and technical elements that operate within a constantly changing environment. But when it comes to security incidents and vulnerabilities, it’s not about constantly changing environments. Instead, it’s about immediate threats, threats that can hold your production environments hostage or can expose personally identifiable information which can be used to commit identity theft and erode your customers’ trust. Under these intense circumstances, a person’s ability to remain calm and confident (versus fearful and pessimistic) differentiates successful organizational performance from unsuccessful organizational performance.
The sense of pressure and possible failure that people feel in the heat of a challenging vulnerability impacts their coping mechanisms and sense of safety. But how is it that some people can press on while others retreat or drop out? Often, this comes down to fear. Will my boss fire me if I make a mistake? they might wonder. Will this somehow end or affect my career in the long run?
In the workplace, the fear of losing your job is very real. For example, when Target experienced a breach in 2013, it ended the tenure of the CIO. Even though the response after the breach was satisfactory, the senior executive was still held accountable for the event itself.
Knowing that previous security breaches have been career ending increases the fear response of the individuals involved, spiking adrenaline and creating an overabundance of cortisol in the body. If left unchecked, this type of repetitive acute stress can lead to chronic stress, resulting in depression, exhaustion, and burnout. This phenomenon, where a high-stress situation worsens performance, is known as choking under pressure and is a perfect example of the powerful grip that fear has on our behavior. But fear responses are not unpredictable. We can use the Kübler-Ross Change Curve as a model from which to gain insights into why people press on versus drop out.
The Kübler-Ross Change Curve is an extension of the original five stages of grief that Dr. Elisabeth Kübler-Ross coined in 1969. Today, the Kübler-Ross Change Curve holds true for work environments and is traditionally used to measure response to change. Consequently, the Kübler-Ross Change Curve applies to security incident responses, which are different in nature from longer-term, planned transitions and transformations. Because novel security vulnerabilities such as Log4Shell are unpredictable, security experts need to be ready for anything at any time.
When employees are regularly subjected to alarming high-stakes events, a good night’s sleep (if adrenaline doesn’t keep them from sleeping) or a weekend off might not be enough to restore the energy necessary to show up and carry on in a potentially chaotic and uncomfortable environment.
Repeated high-stakes events reduce your company’s ability to rely on essential expertise. Likely your most-needed people are the people who are the closest emotionally to the incident itself. Those individuals’ emotional responses to the incident will follow stages similar to the Kübler-Ross Change Curve.
Source: https://www.ekrfoundation.org/5-stages-of-grief/change-curve/
The Kübler-Ross Change Curve helps those in the workplace anticipate how they and their coworkers will react physiologically when high-stress situations occur. The vertical axis reflects how morale and confidence are impacted by mental turmoil. The horizontal axis reflects the impact that time has on people as they move sequentially through each stage. This awareness helps those affected to self-regulate more readily once they recognize how each stage impacts them, both in the short and long term.
While the original Five Stages of Grief end in acceptance, the Kübler-Ross Change Curve has evolved to include experiment, decision, and integration as an approach that ultimately leads to success. By utilizing the Kübler-Ross Change Curve, we can explore ways to reduce mental turmoil (such as meditation, exercise, self-care, etc.) that are appropriate for the emotional state a person is in.
There’s an unfair expectation that people are able to manage their individual curves quickly. But this depends on how much privileged information people have and how early they start their curve. Consider a scenario in which senior executives know of an upcoming merger that will cause some team members to lose their jobs. The executives may know six months ahead of everyone else about the merger, allowing them to adjust to the change long before the staff finds out via a two-week notice. The staff is still in the shock stage while the senior executives have already moved to the integrated stage. This is exacerbated by staff who have already established equilibrium with their personal cognitive load budgets, for which a novel incident (and a new start to a curve) has to borrow energy from things like physical well-being, family time, or creative time.
When leaders provide a healthy environment in which employees are well-informed and feel safe (versus operating out of fear), people are better able to shift from frustration to improved decision making (via experimentation) with reduced time spent in depressed states. And that dynamic can reduce the risk of hefty talent replacement costs. Instead of people waiting on the cusp of a triggering event to update their résumé and walk off to another opportunity, they can persevere with more resilience. If people know about the Kübler-Ross Change Curve stages and learn to self-regulate, they can maintain confidence and morale with the stamina to press forward through challenging events.
Up next in our novel vulnerabilities series, we’ll take a look at preparing for and preventing novel vulnerabilities.
Trusted by technology leaders worldwide. Since publishing The Phoenix Project in 2013, and launching DevOps Enterprise Summit in 2014, we’ve been assembling guidance from industry experts and top practitioners.
In their upcoming book, Unbundling the Enterprise: APIs, Optionality, and the Science of Happy…
Welcome to the final installment of IT Revolution’s series based on the book Investments…
As a business leader, you know that artificial intelligence (AI) is no longer just…
Welcome to the twelfth installment of IT Revolution’s series based on the book Investments…
