It was great to see everyone in person at our August all-hands meeting! In our second monthly newsletter, you’ll find updates on some of our major projects, and I wanted to pass along some thoughts from a booklet called The Human Side of Postmortems.

Cognitive Biases

I’ve attached a PDF of a (very) small book that I think is quite good, and I’d encourage everyone to read it. In particular, I wanted to highlight something I found interesting from chapter two about stress, and how stress can change the way we react to difficult situations.

According to the author, there are four elements that will produce a measurable stress response in the body:

  1. A situation that is interpreted as novel
  2. A situation that is interpreted as unpredictable
  3. A feeling of a lack of control over a situation
  4. A situation where one can be judged negatively by others 

Sound familiar? I think we would all agree that we have been operating in a high stress environment for the past several months. Stress has a negative effect on our ability to complete complex tasks—you can expect your performance to decrease and your reaction to additional stress to increase. Almost everything we do in Security qualifies as a complex task, and this is especially true during unpredictable events, like a security incident.

What does this mean for us? First, it’s a reminder to give all your colleagues (and yourself) a little flexibility and grace, since we’re all working in some stressful conditions. Second, understanding how stress affects our performance should encourage us to interact in a blame-free mindset. I believe that every member of the Security team—and every employee in Technology Services—wants to do their best work, so mistakes and failures should be seen as opportunities to learn and grow. As I mentioned in our all-hands meeting, improvements require experiments, experiments mean failure (and success!), and failures are potential for growth.

Next month we’ll talk about chapter three: cognitive biases!

Wins & Successes

Speaking of learning opportunities, the Duo outage that occurred on the first day of class certainly qualifies. Although the outage wasn’t our fault, it affected our students’ ability to access resources and had the potential to be an extremely high impact event. However, our Identity Security team was quick to respond and implement workarounds to mitigate the brunt of the impact, and we were operational again within 30 minutes. This outage affected most higher ed Duo customers in North America, and from what we’ve been able to determine we were one of the first universities to come back to an operational status! 🎉

Here are my takeaways from this experience:

  • Internal Communication. The Identity Security team communicated with the rest of the org constantly throughout the day as mitigations were put in place, and as we brought Duo back online for our services. This was critical to ensure that other groups outside Security (like the Help Desk) were kept in the loop.

  • Org-Level Partnerships. Because other groups were in the loop, they were able to provide a lot of cover for us, and explain to customers across campus what was happening. This helped free up the Identity Security team to continue working on the problem.

  • Planning. Business continuity scenarios had already been planned for situations like this, so we were ready to implement a technical work-around immediately. Having a plan in place beforehand meant that Identity Security didn’t need to make as many tough decisions under stress. 

Overall, this event was a great example of a successful response to a third-party outage.

Major Project Updates

Wrapping Up & Reminders

Please make sure you are using an email signature with your professional contact info, and that it matches the Technology Services brand guidelines. I’ve noticed lately how helpful it is when this information is available in messages from others across the university, and also how frustrating it can be when it's not included. Notably:

  • Your signature should not contain any additional information, such as quotes, images, or any non-standard font colors

  • You should only be using the official team name in your signature: “Technology Services—IT Security and Risk” (don’t use a specific team name like Identity Security)

The start of the fall semester went very well (despite the Duo outage), and I thank you all for your hard work and availability during this critical time. I encourage you to share your thoughts and suggestions with me at any time, and you are always welcome to schedule a meeting with me. I look forward to a productive September!

Adam Mikeal

Associate Vice President and Chief Information Security Officer