Photo of Moldavanko courtesy of Kyiv Post
Introduction
We greet an old friend, the anti-design pattern Boss Gets Stuck.
A new person joins the Giganet team and the team faces a major crisis.
Giganet has a SaaS application for collecting work hours from gig workers using watches. The latest feature has a customizable contracts module and was key to their big win with LA County.
Alice cleans her fridge, and Mark, the tall, lanky bald man, guides Bob on his journey with Alice.
Pesya - matriarch of the hackers
Little old Pesya is the matriarch of the Silicon Valley hackers.
She was born in Moldavanka, the tough south-side Odessa neighborhood, which was, as Isaac Babel wrote, “crowded with suckling babies, drying rags and conjugal nights filled with big-city chic and soldierly tirelessness”.
Her family immigrated to America and they settled in another tough neighborhood, Chicago’s South Side.
Pesya was the youngest of 5 children, gifted in math and science. Her parents worked hard and pushed their children to academic excellence. Pesya earned a PhD in theoretical computer science from the University of Chicago. After graduating, she joined Google in 1999, where she fit right in.
When Google fired 12,000 people to focus on AI, Pesya was already in her mid 50s.
It was legend that she was the only employee who kept her original desk for 25 years, where she researched browser security.
She reported to Mark, the tall, lanky bald man.
Pesya didn’t mind being terminated. Her kids were on track. She had money in the bank, her 2 books on browser security were published by O’Reilly and sold nicely. She was on her own, doing what she enjoyed, an empty-nester divorcee who did not have to deal with an ex and children.
She divorced Bill after he left her for a younger, more svelte woman.
Pesya raised their 3 kids on her own. Her oldest son graduated CalTech in aerospace engineering, the middle daughter taught kindergarten in Palo Alto, and the youngest was back in Chicago doing graduate work in finance at the University of Chicago.
Venice, CA
Bob, “Iris, we need someone for software security, do we have the budget to hire someone?”.
Iris jumps in, “With the LA County contract, yes. Do you guys have someone in mind?”.
Lena said, “Sure. Bob - you should call Pesya. Her son lives in West LA, she is moving to LA”.
Bob was not surprised that Lena had all this information.
Yasmin, Lena and Pesya were close friends. At Google, the 3 of them had lunch together every day. It was an improbable combination that worked well.
Petite GI Jane Lena, the elite software warrior. Married to Sergey, the RF board designer and gamer.
Yasmin, the slim, tall, very beautiful kernel developer and serious runner. Dating rich LA Persians.
Pesya, the jolly hacker matriarch, slightly overweight, always laughing, thinking about going to the gym, but more interested in CVE-2023-6345, the zero-day she had just discovered in the Chrome 2D graphics engine.
Iris, “Lena, can you call up this Pesya person and bring her in for an interview?”
Lena, “Iris, sure, but she doesn’t need an interview. You need to convince her to come to us. She is the number one person in the world in browser security. Pesya will be doing you a favor if she joins Giganet. It would be a major marketing coup for Barry”.
Barry is one of the two co-founders of Giganet, together with Iris, who was his CFO at a failed Silicon Valley startup.
Barry is Italian gangster chic - Polo shirt, slacks, Italian loafers and cigars.
Barry asks, “Why is Pesya a major marketing coup?”.
Lena, “Baaaarrrrrrry. It’s obvious. Play the browser-security card. When enterprise customers like LA County ask what you do for browser security in your SaaS application - you can roll out Pesya. She will slam-dunk them. Pesya is good for business. Make a press release”.
Barry, “Call her”.
The next day, Pesya comes into the studio apartment facing the beach in Venice. The reunion with Lena and Yasmin brings back happy times.
Today, Yasmin is wearing another outfit from L’Agence, courtesy of her uber-rich Persian boyfriend - a Jennah checked blazer, white t-shirt, straight-leg jeans and her trademark Mizuno running shoes.
Bob, “Pesya, it’s great to see you again! We’re looking for someone to handle software security for the application. Wondering if you might be interested?”.
Pesya says, “Tell me more about what you’re working on”.
Sitting around a table in the living room, the team talks about the project.
Pesya says, “You know, I can help you and it really sounds like fun. Make me an offer. The timing is good for me. I just moved to LA from the Valley. I want to be close to Zack and his family and enjoy my grandchildren. ”.
Iris makes her an offer and they close on the spot.
Pesya comes in the next morning at 8:00.
Iris opens up early. She and her ex-Navy Seal husband like to get in some surfing early morning on Venice beach.
Iris, “Hi Pesya, do you want a cappuccino?”.
“Green tea, if you have, I want to jump into the code and start building a threat model. When is your next major release?”.
Iris, “Uh, next week - we have a milestone with LA County”.
Pesya, “Awesome. You’re lucky Bob was the architect and Lena and Yasmin developed the software. They are all world-class on software security. You are in good hands”.
Iris is beginning to feel queasy. Physically Sick to Her Stomach.
She thinks back to a conversation with Lena 3 months ago about the gig workers contracts module.
Iris had written the specifications herself, and had outsourced the contracts code to a 5-star rated contractor named Yuriy she found on Upwork. Iris was proud of the great hourly rate she had negotiated with the contractor.
Iris, “I think it looks really great”.
Lena, “It’s an ugly piece of shit. Yuriy made a completely different look-and-feel from the rest of our beautiful application. The typography is different, the fonts are huge, the navigation is across the top bar instead of our standard left side-bar. He didn’t bother to use our style guide. He uses strange-looking buttons to add and edit line items to a contract. It’s ugly and your customers will hate it. He must have had some old Angular 1.0 code and reused it. That’s why you got such a good deal.”
Your customers. Not our customers.
Iris, “Lena, we need to think about time-to-market. Besides, the contracts interface is used by payroll staff, it’s not the same users. I don’t know if it matters”.
Lena, “Do what you want, it’s your decision”.
After the confrontation with Lena, Iris decided to stop the discussion and move on.
That conversation was 3 months ago.
Today, a world-class security expert is about to look at code written by a Ukrainian Upworker.
Iris is a finance person. She worked for the IRS investigating white-collar crime, she understands risk management, she knows that the contracts module is non-standard with the rest of the code. But she has no tools to estimate their exposure. Pesya does.
That afternoon, Pesya asks Yasmin to conduct a code review of the contracts module.
Yasmin has this technique where they go around in a circle reading each other's source code.
Yasmin, “Justin, can you please start reading the code?”
Justin is their QA person, fresh out of Santa Monica College. Korean, jet black hair. Hip-hop street wear. Very quick.
They spend the next hour listening to Justin read Angular 1.0 TypeScript code in the contracts module.
Pesya, “Justin, what do you see here?”
“I see a lot of Regex code. I see a bunch of places where the programmer wrapped <option> elements in <select> ones. I don’t understand why he does it this way. It looks bizarre”.
Iris is observing. Getting Sicker to Her Stomach by the Minute.
Pesya, “That is correct, Justin. There is no reason to do it that way. As a matter of fact, this code is very old and it’s very vulnerable to DDoS attacks and cross-site scripting. There are 8 known browser vulnerabilities in this code. We have to upgrade to the latest version of the framework and fix all the bugs in the TypeScript code.”
Iris asks, “How long will it take to fix?” She’s praying to the Lord that the answer is a day or two.
Lena, “At least a month to upgrade the framework, go through all the source code, fix bugs, and prepare for QA and a penetration test. I told you it was a piece of shit”.
Pesya, “Iris, You cannot release the system like this”.
In addition to the DDoS vulnerabilities, there are XSS vulnerabilities. Attackers may be able to extract contract information about the gig workers and conduct a side-channel attack to identify people. You will be in violation of CCPA.
CCPA penalties have an upper cap of $7,500 per intentional violation or $2,500 per non-intentional violation. It may seem like a small penalty, but it can eventually grow massive. The penalties can quickly add up because one consumer equals one violation.
Pesya, “How many users do you have now?” Iris replies, “About 10,000 users”.
Pesya, “You have $25M in exposure”. She deliberately uses the word exposure with Iris so that Iris will understand financial impact.
“We’ll need another 4 weeks for security testing and validation after Lena and Justin finish. Yasmin’s back end module is not affected and the rest of the front-end is fine. You need to allow 12-13 weeks to fix this problem”.
Iris feels like she wants to throw up.
The Boss Gets Stuck Anti-Design Pattern
Problem
The leader does not decide.
Not deciding happens for a number of reasons:
Decision paralysis, usually out of fear of another person.
Hierarchy. In large organizations, decisions can be bumped upstairs to someone else higher up in the hierarchy. The boss doesn't understand the problem and is inclined to do nothing and ignore signals from soldiers lower down in the organization.
Iris's problem wasn't being indecisive, but rather that she didn’t understand the possible impact of Yuriy’s code quality.
Non-standard ways of decision making. In remote-first organizations, different business units may have different ways of taking decisions. One of them might be “do nothing” first.
Disaggregation. When a decision-maker needs other people to make a decision, the process breaks down into smaller pieces. The smaller pieces have less information and less inclination to make a decision that makes them look bad.
The usual approach to Boss Gets Stuck uses traditional tools of organizational politics:
Keep a low profile and hope you don’t get hit with flying missiles.
Have meetings. As many as possible with as many people as possible.
Dilute decisions. Make a decision that only addresses part of the problem, then tell people you solved the problem.
The usual approach makes problems worse.
Solution
The solution to Boss Gets Stuck is based on the idea that you cannot put a feature into the product that you don’t have in your team.
Since Team == Product, the most important feature for you and your team is being purposeful about everything.
Conflict derives from diversity of ideas, which is crucial to the success of the team.
You want to be purposeful about channeling conflict into constructing value. You do this in several ways:
Achieve buy-in for a new / different idea.
Use constructive confrontation to achieve buy-in. "Constructive confrontation" requires addressing problems directly, objectively, and in a positive manner. Have your data and your opinion, be prepared to get in a conference room with the other person and argue your opinion, assertively and backed by data.
Do internal marketing. Get other people interested and curious about your new/different idea so that you can achieve buy-in from them.
Pre-staff. After internal marketing and buy-in, meetings will be short and to-the-point since you already have buy-in before the staff decision making meeting.
Constructive confrontation results in 1 of 4 possibilities:
Agree and commit - This is the best. Everyone is on the same page and works towards the goal.
Agree and not commit - This is bad. It can torpedo a project.
Disagree and commit - This is good, because it acknowledges the reality of diversity in the team.
Disagree and not commit - Less good, but at least, the problems are out in the open.
Conclusion
When you have a social and consensus-based decision making process, you can deal constructively with Boss Gets Stuck.
Software for Your Head: Core Protocols for Creating and Maintaining Shared Vision
I have to clean my fridge
The next day, Bob is back in the Venice gym doing circuit training.
It’s Tuesdays with Alice.
What Alice did, she walked into the gym, put her bag into a locker and started on the treadmill.
Bob walked over to join her after parking his bike by the ping-pong table.
They chat as Alice treads.
Bob, “Would you be interested in coming with me to a meetup next Sunday on brain-storming? IBM is sponsoring a session at UCLA on creativity. It’s free, and very informal. You can even wear your old USC sweatshirt”.
Alice, “Sounds like a lot of fun, text me the details”. She smiles at Bob. He smiles back.
Bob texts Alice the details. He’s getting his hopes up to be with Alice in a neutral setting outside the gym without flat out asking her on a date.
Saturday, Alice texts back: “I’m sorry to disappoint you, I have to clean my fridge. It’s a mess”.
On a park bench in Venice CA
Mark was the one who began.
Mark, “Bob, tell me what’s new with Alice”.
Mark remained silent as they sat on the park bench.
In front of them there was the green calm of the park.
A man hungry for an answer must stock up on patience.
A man in possession of analytical skills needs to listen.
That is why Mark remained silent.
Mark listened carefully to Bob's story for about 10 minutes.
Mark, “You love this woman?” Bob, “Yes”.
Mark, “Your system state is now Boss Gets Stuck.
The two of you are afraid to make a decision which would affect status-quo.
But - this is not a software engineering team. You are not developing a product.
Go very slowly.
There are no problems to solve here.”