Psychological Safety and Resilience

I discuss how working in tech, especially security, can sometimes result in an experience similar to moral distress, explore the criticality of honesty when learning from failures, and suggest ideas for improving psychological safety so our teams can get better insights about our systems.

Moral distress

Moral distress occurs when people are prevented from taking the actions they feel are right due to some external constraints placed on them. Many academic works discuss moral distress (and the more severe moral injury) within the contexts of military service or healthcare. I found a significant amount of research on managing the traumatic psychological toll that can be caused by unresolved moral distress or moral injury in these fields. This caused me to wonder if any of the strategies used to respond to moral distress in these areas could apply to the experience of security, engineering, and technology operations people, especially those in critical sectors. I’ve been contemplating the effect on teams of people especially in situations when stated organizational priorities or values seem to conflict with organizational outcomes.

The two main questions I wonder:

  1. How can we move toward working environments free from this kind of distress?
  2. What is really being degraded (besides our mental and physical health) when we don’t have a psychologically safe working environment due to moral distress, a lack of inclusion, or other factors?

I know that I am far from the only security person to have encountered a disconnect between what might be stated to employees, customers, or investors about security, product quality, or resilience being a business priority and the support for people on the ground to act on security, product quality, or resilience as an operational priority. This phenomenon could be dismissed by some as “hypocritical leadership,” but these problems are often much more nuanced than that stark oversimplification would indicate. These issues may stem from long-held beliefs or practices ingrained in the culture, fractured lines of communication, or schisms that remain from unhealed organizational or interpersonal trauma. Whatever the sources, they exist. They take a toll on employees who are responsible for acting on these stated business priorities. They push ahead without the cultural support that would make their efforts significantly more effective as well as more rewarding.

Resilience and security, after all, are team sports. They cannot happen in a vacuum. When they haven’t been integrated into the overall operational culture, they are sometimes later forced into focus (suddenly and with no on-ramp for those affected) due to a data breach or other high-visibility compromise of confidentiality, integrity, or availability.

For every priority, the only way to meaningfully improve outcomes is by learning from our experiences.

Is catastrophe the only opportunity?

The medical and occupational safety sectors emphasize a need to assess near-miss incidents, or events that could have caused harm, degradation, or catastrophe but were prevented. This Occupational Safety and Health Administration (OSHA) reporting template keeps it crystal clear and to the point: “near misses are symptoms of undiscovered safety concerns.” In the same way OSHA encourages employers to track near-misses for the purpose of occupational safety, engineering, security, and technology operations teams should consider tracking events that aren’t quite incidents but that do highlight systemic weaknesses all the same.

Incident reports are universal in the world of technology operations, information security, and beyond. What about the prevalence of near-miss reports? As Ryan Kitchens of Netflix’s SRE team said in this SREcon talk, “[s]olely learning from failure isn’t a fundamental—it’s a limitation.”

Not only do we lose out on data by not addressing our near-misses, but we also lose critical opportunities to get together as a team and tell a story. The storytelling matters because it contributes to team cohesion. Coming together to tell a story (with all the characters present) requires us to embrace honesty and communication over pride or competition. If we assign critical business value to the storytelling itself–to the act of coming together regularly to tell the stories of our near-misses, incidents, and routine operations–then these open discussions and their artifacts will become incorporated into the operational culture.

Due diligence in any of these areas involves continuously pushing toward data-driven outcomes. Guess what we can’t have without psychological safety? Good data.

Reduce your incident count by reporting fewer incidents 😎

We cannot generate truly useful insights from our systems without honesty. If there is external pressure to reduce the number of incidents being reported, then engineers may hesitate to label a failure an incident. In this kind of environment, the incident count metric is rendered meaningless. Why track incidents at all?

Of course organizations want to have fewer incidents, however stating this as an end goal actually hurts our organizations. Indeed, it will lead to a reduction in incident count–not from actually reducing the number of incidents, but rather lessening how and how often they are reported.

- Ryan Kitchens, Characteristics of Next Level Incident Reports in Software

Why should teams be tracking and discussing incidents and near-misses? We shouldn’t be motivated to do it so that we can report a line going up or down. We should be doing it so that we can:

The value of reviewing our operations relies on our transparency and open communication.

Foster psychological safety

If honesty is the best policy, how can an organization encourage honesty in the working environment? It begins with fostering psychological safety, which the Agency for Healthcare Research and Quality (AHRQ) defines in its Creating Psychological Safety in Teams presentation as “the degree to which team members feel that their environment is supportive of asking for help, trying new ways of doing things, and learning from mistakes.” High-performing teams don’t become high-performing teams by adopting a culture of fear. They achieve great things through a culture that values learning from successes, failures, and near-misses. Leaders in organizations that sincerely wish to cultivate psychological safety need to ask some hard questions, such as:

According to social scientist Timothy Clark, there are 4 stages of psychological safety:

Drawn from this paper on executive servant leadership, leaders motivated to push toward a more psychologically safe environment can start by modeling servant leadership values for their teams.

Provide interpersonal support

Servant leaders are in a position to influence the culture in a direction of support for holistic team and organizational growth as opposed to competition among team members or across teams. This could translate into leaders socializing and encouraging continued learning via training opportunities. Servant leaders may need to model for their teams the importance of learning and to normalize the idea that no one is capable of knowing everything or answering every question. Interpersonal support could also include actions that safeguard the physical or mental health of teams. On the mental health side, some examples are providing safe spaces for people to be vulnerable and ensuring that achievements are recognized. Leaders may need to model vulnerability, too.

Build community

Servant leaders must possess the ability to build community internally as well as externally to the organization. This emphasis on the wellbeing of external stakeholders is of importance. I see this as customer focus, which translates into efforts to continuously elicit and incorporate feedback from those the organization is tasked with serving. There’s no reason why the same kind of continuous feedback loop couldn’t be used internally, too. The key here is applying empathy and a focus on the real world impact of our actions rather than on our own intentions, however good they may be. Servant leaders ensure that whatever changes are being implemented are minimally harmful to whoever might be impacted by them.

Be altruistic

Servant leaders aren’t selfish. Instead, they elevate the needs of others over their own self-interest. What makes these leaders so effective is that they are genuinely invested in the wellbeing of their teams and their communities. If you want things to get better, start by taking care of your people. Maintain open lines of communication, set clear expectations, and be reliably present. Stick up for your team.

Apply egalitarianism

Servant leaders do not operate under the assumption that their leadership status makes them any more important than any other member of the organization. Rather, they understand that both learning and influence are bidirectional. Servant leaders continuously learn from inclusive perspectives and apply this feedback and knowledge to drive organizational improvements.

Operate with moral integrity

Servant leaders inspire trust and promote honesty. They flatly refuse to leverage unethical tactics such as deceit or manipulation to drive desired organizational change.

Always toward continuous learning

I’d never claim to have all the answers, but I do know that no team can survive continuous moral distress or value mismatch forever. However you want to call this phenomenon when it happens at an organization, it’s unsustainable.

If security or quality or resilience is the stated business priority:

The adoption of servant leadership values such as community building and egalitarianism can be a first step toward repairing values-based schisms, developing psychological safety, and generating meaningful insights.

TLDR


Additional References & Further Research: