Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Findings From The Field - DevOps Enterprise London 2020

John Allspaw
June 23, 2020
Technology
11
9.3k

Findings From The Field - DevOps Enterprise London 2020

In the past two years, we have had the opportunity to observe and explore the real nitty-gritty of how organizations handle, perceive, value, and treat the incidents that they experience. While the size, type, and character of these companies vary wildly, we have observed some common patterns across them.

This talk will outline these patterns we've discovered and explored, some of which run counter to traditional beliefs in the industry, some of which pose dilemmas for businesses, and others that point to undiscovered competitive advantages that are being "left on the table."

These patterns include:
- A mismatch between leadership’s views on incidents and the lived experience that engineers have with them.
- Learning from incidents is given low organizational priority, and the quality and depth of the results reflect this.
- “Fixing” rather than “learning” - the main focus of post-incident activity is repair.
- Engineers learn from incidents in unconventional ways that are largely hidden from management (and therefore unsupported).

John Allspaw

June 23, 2020
Tweet

More Decks by John Allspaw

See All by John Allspaw
Connections and Intersections between Resilience Engineering and Security
jallspaw
1
97
Incident Analysis: How *Learning* is Different Than *Fixing*
jallspaw
3
4.6k
DevOpsDays NYC 2020: Can Resilience Engineering be sufficiently described in 5 minutes?
jallspaw
0
250
Resilience Engineering: How and What
jallspaw
2
4.4k
Taking Human Performance Seriously
jallspaw
1
770
Amplifying Sources of Resilience
jallspaw
1
380
“Problem Detection” (Klein, et. al., 2005) - Papers We Love (NYC)
jallspaw
0
170
In the Center of the Cyclone: Finding Sources of Resilience
jallspaw
0
99
Code For America Summit 2018
jallspaw
0
72

Other Decks in Technology

See All in Technology
Além do else! Categorizando Pokemóns com Pattern Matching no JavaScript
wmsbill
0
620
プロンプトエンジニアリングでがんばらない-Agentic Workflow へ-近藤憲児
kenjikondobai
2
540
ChatworkのSRE部って実は 半分くらいPlatform Engineering部かもしれない
saramune
0
160
Hands-on Gemini, the Google DeepMind LLM
meteatamel
1
110
自己改善からチームを動かす! 「セルフエンジニアリングマネージャー」のすゝめ
shoota
6
670
Google Cloud Next '24 Recap(Cloud Run/k8s)
mokocm
0
200
Tellus の衛星データを見てみよう #mf_fukuoka
kongmingstrap
0
190
[新卒向け研修資料] テスト文字列に「うんこ」と入れるな(2024年版)
infiniteloop_inc
4
15k
どうするコスト最適化のトレードオフ
tetsuyaooooo
1
520
LangSmith入門―トレース/評価/プロンプト管理などを担うLLMアプリ開発プラットフォーム
os1ma
3
150
本当のAWS基礎
toru_kubota
0
520
web-application-security
matsuihidetoshi
0
170

Featured

See All Featured
Reflections from 52 weeks, 52 projects
jeffersonlam
345
19k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
34
8.9k
The Language of Interfaces
destraynor
151
23k
What's new in Ruby 2.0
geeforr
337
31k
Designing Experiences People Love
moore
136
23k
jQuery: Nuts, Bolts and Bling
dougneiner
59
7.1k
4 Signs Your Business is Dying
shpigford
175
21k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
352
28k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
17
1.4k
Git: the NoSQL Database
bkeepers
PRO
422
63k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
YesSQL, Process and Tooling at Scale
rocio
164
13k

Transcript

  1. Findings From The Field Two Years of Studying Incidents Closely

    Adaptive Capacity Labs John Allspaw

  2. about me Consortium for Resilient Internet-Facing Business IT Adaptive Capacity

    Labs

  3. disclosure 1. these are only a few of the most

    common patterns 2. these are not judgements/comments on any single organization

  4. Bottom Line, Up Front: what we’ve observed across the industry

    1. The state of maturity in the industry on learning from incidents is low. 2. Significant gaps exist between technology leaders 㲗 hands-on practitioners on what it means to learn from incidents. 3. Learning from incidents is given low priority, resulting in a narrow focus on fixing. 4. Overconfidence in what shallow incident metrics mean and significant energy wasted on tabulating them.

  5. Technology Leaders 㲗 Hands-on Practitioners • what is actually learned

    • how learning actually takes place • what the incident actually means (for the past, for now, and for the future) a gap exists here

  6. “Blunt” End “Sharp” End Technology Leaders Hands-on Practitioners • summaries

    • simplifications • abstractions • statistics

  7. “Blunt” End “Sharp” End Technology Leaders Hands-on Practitioners • summaries

    • simplifications • abstractions • statistics

  8. Technology Leaders Hands-on Practitioners ! ! 24.53 Mean Time To

    Resolve 32.13 Mean Time To Oversimplify 14.45 Mean Time To Something 22 incidents in Q3 12 SEVERITY DEFCON events

  9. Technology Leaders • typically are far away from the “messy

    details” of incidents • frequently believe their presence and participation in incident response channels (chat, bridges, etc.) has a positive influence (it doesn’t) • typically believes incidents are adverse events in an otherwise “quiet” and healthy reality (they’re not) • typically fear how incidents reflect poorly on their performance more than they fear practitioners not learning effectively from them

  10. Technology Leaders • typically believe abstract incident metrics tell enough

    of a story for them to understand the state of the “system” (they don’t) • typically believe abstract incident metrics reflect more about their teams’ performance than it reflects the complexity those teams have to cope with • typically believe the above observations don’t apply to them

  11. (M)TTR/(M)TTD Frequency Severity Customer impact … shallow metrics no predictive

    value forward no explanatory value backward

  12. “but they help us ask deeper questions” You don’t need

    this chart to ask deeper questions about incidents. Just ask the questions. and record both the questions and answers so others can find them in the future

  13. Technology Leaders How can you tell the difference between… A

    difficult case handled well. A straightforward case handled poorly. ?

  14. Difficulty in handling the incident Consequences or impact of the

    incident Performance in handling the incident Technology Leaders incident metrics only signal these without these, you cannot understand what incidents mean in context

  15. incident metrics do not do what you think they do

    More on this topic: https://bit.ly/beyond-shallow-data

  16. Hands-on Practitioners • typically view post-incident activities to be a

    “check-the-box” chore • typically believe in a future world where automation will make incidents disappear • typically do not capture what makes an incident difficult, only what technical solution there was for it. • typically do not capture the post-incident writeup for readers beyond their local team

  17. Hands-on Practitioners • typically do not read post-incident review write-ups

    from other teams • typically fear what leadership thinks of incident metrics more than they fear misunderstanding the origins and sources of the incident • typically has to exercise significant restraint from immediately jumping to “fixes” before understanding an incident beyond a surface level • typically believe the above observations don’t apply to them

  18. Learning is not the same as fixing. More about this

    here: https://bit.ly/learning-not-fixing

  19. Ok! We get it! What are solutions, wiseguy?

  20. Technology Leaders Learning from incidents effectively requires skill and expertise

    that most do not have These are skills that can be learned and improved. Prioritize it when things are going well. It will accelerate the expertise in your org. More on this: https://www.learningfromincidents.io/

  21. Technology Leaders Focus less on incident metrics and more on

    signals that people are learning • analytics on how often incident write-up are being read • analytics on who is reading the write-ups • analytics on where incident write-ups are being linked from • support group incident review meetings being optional, and track attendance • track which write-ups that link to prior relevant incident write-ups More about this here: https://bit.ly/learning-markers

  22. Practitioners Don’t place all the burden on a group review

    meeting! Use this meeting to present and discuss analysis that has already been done. this is an important meeting — prepare for it like it’s expensive — because it is! • HiPPO (“highest paid person's opinion”) • Groupthink • Tangents • Redirections • Elephants in the room • “Down in the weeds” Too many potential pitfalls to bet everything on a single meeting…

  23. Practitioners Incident analysts should NOT be stakeholders • Your role

    is not to tell the One True Story™ of what happened. • Your role is not to dictate or suggest what to do. • Maintaining a non-stakeholder stance signals to others that you are willing too hear a minority viewpoint • Half of your job is to get people to genuinely look forward to and participate in the next incident analysis.

  24. Practitioners Separate generating action items from the group review meeting

    Action Items Generation Group Review Meeting “soak time”

  25. ACL Challenge Technology Leaders Practitioners For every incident that has

    a “red herring” episode…capture the red herring part of the story in detail in the write-up, especially on what made following the “rabbit hole” seem reasonable at the time. Start tracking how often post-incident write-ups are voluntarily read by people outside of the team(s) closest to the incident. Start tracking how often incident review meetings are voluntarily attended by people outside of the team(s) closest to the incident.

  26. Help I’m Looking For

  27. Thank You! Help I’m Looking For