
There is a great meditation in Zen and the Art of Motorcycle Maintenance about the differences between riding and driving. Being open to the elements, in and a part of nature, is visceral. Bubbled in a car, our surroundings are observed more than experienced. That's always resonated for me.

There was a study[0] connected to videos[1] of particular flashing that trigger plaque-clearing rhythms in the brain.

Maybe placebo but my mind feels quietly clearer after watching. It could be that simply slowing down and clearing my mind for that time would do the same.

[0]: https://journals.plos.org/plosbiology/article?id=10.1371/jou...

[1]: https://vimeo.com/1023275135/378186db55

Previous HN discussion: https://news.ycombinator.com/item?id=41942096


Former Head of Security GRC at Meta FinTech, and ex-CISO at Motorola. Now, Technical Founder at a compliance remediation engineering startup.

Some minor nits. One can't be SOC 2 "certified". You can only receive an attestation that the controls are designed (for the Type 1) and operating effectively (for the Type 2). So, the correct phrase would be that Excalidraw+ has received its "SOC 2 Type 1 attestation" for the x,y,z Trust Services Criteria (usually Security, Availability, and Confidentiality. Companies rarely select the other two - Privacy and Processing Integrity - unless there's overlap with other compliance frameworks like HIPAA, etc.). The reason this is important is that phrasing matters, and the incorrect wording indicates a lack of maturity.

Also, as others have said, no one "fails" a SOC 2 audit. You can only get one of four auditor opinions - Unmodified, Qualified, Adverse, and Disclaimer (you want to shoot for Unmodified).

As an FYI, the technical areas that auditors highly scrutinize are access management (human and service accounts), change management (supply chain security and artifact security), and threat and vulnerability management (includes patch management, incident response, etc). Hope this information helps someone as they get ready for their SOC 2 attestation :-)

Similarly, the report areas you want to be very careful about are Section 3: System Description (make sure you don't take on compliance jeopardy by signing up for an overly broad system scope), and Section 4: Testing Matrices (push back on controls that don't apply to you, or the audit test plan doesn't make sense - auditors are still stuck in the early 00's / "client server legacy data center" mode and don't really understand modern cloud environments).

Finally, if you're using Vanta/Drata or something similar - please take time to read the security policy templates and don't accept them blindly for your organization - because once you do, then it gets set in stone and that's what you are audited against (example - most modern operating systems have anti-malware built in, you don't need to waste money purchasing separate software, at least for year one - so make sure your policy doesn't say you have a separate endpoint protection solution running. Another one, if you have an office that you're using as a WeWork co-working space model only, most of the physical security controls like cameras, badge systems etc either don't apply or are the landlord's responsibility, so out of scope for you).

Hope this comment helps someone! SOC 2 is made out to be way more complicated (and expensive) than it actually needs to be.


> Breaking the cycle

> The best engineering managers I’ve known — the ones engineers actually like — have figured out a few things:

> 1. They protect focus time like it’s sacred. […]

> 2. They stay technical enough to make informed decisions. […]

> 3. They give credit lavishly and take blame personally. […]

> 4. They make feedback actually meaningful. […]


I highly recommend anyone going this route to use Proxmox as your base install on the (old) hardware, and then use individual LXCs/VMs for the services you run. Maybe it's just me, but I find LXCs to be much easier to manage and reason about than Docker containers, and the excellent collection of scripts maintained by the community: https://community-scripts.github.io/ProxmoxVE/scripts makes it just as easy as a Docker container registry link.

I try to use LXCs whenever the software runs directly on Debian (Proxmox's underlying OS), but it's nice to be able to use a VM for stuff that wants more control like Home Assistant's HAOS. Proxmox makes it fairly straightforward to share things like disks between LXCs, and automated backups are built in.


Work != job

One of my greatest pleasures has been orienting my life toward projects and away from pleasures. I now find myself doing a lot of what other people consider work, but self-directed and self-paced in a way that brings me incredible, deep satisfaction. No one, including me, forces me to do these things. I do them because I like doing them. Bodybuilding, maintaining my home, lawn and garden, cooking/brewing/fermenting, building software. I'm not an extraordinarily wealthy man but if I woke up tomorrow with "comfortably live the rest of your life based on interest alone" money I don't suspect my life would change all that much.

Once you're doing that sort of work, the meaning of this rule will become clear as will its meaninglessness.


Thank you, most of these books are actively harmful, and the lack of intellectual rigor makes them exactly this, entertainment masquerading as education.

What matters is humility, thoughtfulness, and a relentless focus on quality. These books sell to people that want all of the inspiration with none of the work.


I started my gardening adventure with vegetables in pots. It was perfect, the plants gave amazing yields, but they required too much detailed care and attention every day (or sometimes 2-3 times a day on a hot dry summer day). When I moved to planting in soil I was shocked at how much worse the plants were doing. The same tomatoes giving 10-15 kg per plant yield in pots were under 3 kg in soil. They got more disease issues, more pests (slugs and snails!).

After talking to fellow natural hobby farmers I realized the soil quality was garbage (lack of earthworms and insects), and there were severe drainage and water-holding issues: weirdly the soil didn't hold water, but it drained way too slowly too. So, when it rained it was swamped for days, but when it got dry none of that water stayed in the top 1 meter of the soil. I was lucky to find amazing help from local natural farmers, so I got natural green compost (no animal products/byproducts). I was introduced to no-dig farming too. So the first year I started by applying 20 cm thick compost on the topsoil, after putting down a layer of old paper boxes against weeds. Then I planted my seedlings in this, with worm poop and, for some phosphate-loving plants, bat guano as fertilizers around the plants, topping off with hemp mulch and cacao shell mulch. When this soil had sunk enough, I topped it off with 2-3 cm of compost and mulched again. I sprinkled insect-friendly flowers to attract insects too. This was an amazing success, with the plants not only flourishing but fighting diseases much better, resulting in an amazing yield. I didn't need to water as often as before (4x less frequently than before in the soil, 8x less frequently than in the pots). After year 3 I stopped all fertilization and introduced cover crops that could be used as mulch and fertilizer at the same time.

This process though is not linear. I still have plants which are not successful at all. I can grow juicy tasty watermelons in a northern European country but no parsnips or carrots or cauliflowers yet. This is what I love though, I'm interacting with a living microbiome rather than executing lab experiments. Failures are keeping it interesting and improving learning.


The internet is a nirvana automata. It wants to hack you, all your emotions, desires, your lust for rage, your hunger for dopamine, your wish to sit under the baobab tree and stare at the glowing stones lights indefinably, blissfully unaware of the world.

Thus without ever reading any of the teachings of the one in the lotus flower, one must rediscover detachment from the hackable self, or be enslaved forever.


This is ageing, for most people, unless you're one of the few lucky ones.

Death and destruction are the outcome of age, on a molecular, cellular and mental level. The foundational issue addressed by religion, because how else to deal with the unfathomable dread of "nothing gets really better, ever".

Take solace in the fact that this is true for most of your fellow creatures.

The concept of a happy ending, living happily ever after is a dangerous illusion. The best part is likely in the middle, or not at all. The end is pretty much always shit.

Zen, Stoicism, Rebirth ... so many concepts to cope with this simple, basic fact. You get born, you grow up - and then you start dying.


> Isn’t that awkward?

I do this in every work conversation of any complexity. Probably 5-10 times a day. If it's awkward, you get over it pretty fast. Normally, I say "hey, can I summarize that in my own words to make sure I understood?" and as often as not the response is "Please do!" because nobody likes being misunderstood, and it happens all the time.

One issue to work around is that, due to the turn-taking rules of conversation, the other person will immediately launch into their next thing after you've summarized their last thing, instead of letting you make a response, or ask a question. That is, if they are thoughtless or socially inept, which is not exactly a rare kind of person to encounter at work. So, your summary of what they said effectively becomes your "turn" in the conversation, and your role becomes essentially an amanuensis rather than a participant.

You just need to be ready to interrupt a steamrolling colleague and say "--Well, before you continue, I wanted to respond to what you just said." That's actually more awkward to me than summarizing their initial monologue, but it's important because this method makes for frustratingly one-sided conversations if you don't assert yourself.


Here's the deal: I've yet to come across someone who is critical of NVC but can provide something better. And in my experience, the status quo is rarely better.

NVC has its flaws. It won't always work. Nor will anything else we know of. If something comes along that works better (higher "success rate"), I'll jump on that bandwagon.

If you can't be bothered to read the rest of this long comment, here's a TLDR: Most communications books, written independently, have the same elements as NVC. The other books are better at explaining why these elements are important. But the NVC book is better at providing recipes, which is why it became more popular.

A few years ago I did a deep dive on the topic, and read 4 books on communications: Difficult Conversations, NVC, Crucial Conversations and Getting Past No. Most of these were written/invented independently of one another. When I had read all 4, I looked over all my notes, and noticed that they all point to the same things, with only minor differences:

1. State your observation, without judgement, and be specific, not general.

2. Personalize and state its impact on you. The "feelings" part of NVC - all the books explicitly call out that you should explicitly state your feelings. The Difficult Conversations authors pointed out that many people in professional settings have the notion that discussions should be absent of emotions ("objective"). Yet if a discussion at work is getting heated, emotions are clearly playing a big role. Don't assume you can solve the problem without bringing those emotions to the table. And indeed, many solutions fail because they failed to address the emotions, which resulted in a lack of commitment. As one book put it: Unvalidated emotions are a minefield.

Just yesterday there was a nasty discussion at work about whether to split a monorepo into smaller individual repos. One side's work is bogged down by it being a monorepo, and the other side would have trouble if it were split into monorepos. Both sides discussed their problems, yet neither side acknowledged the other's pain. Validating the other's emotions is a core principle of all communications books I've read.

(The issue did not get resolved by the end of the day).

And personalize: Don't talk in vague principles, but talk about how you are affected. This is where a lot of the tech world fails. I recall one heated discussion at work where a person was strongly pushing for something, and using all kinds of principles/analogies. He wanted someone else to change his workflow because it was causing problems for him. Yet, he never explained how it was causing him problems! When queried, he kept invoking analogies and principles. The world rarely yields neatly to principles, and every analogy has a flaw. You'll often get competing principles. Invoking them alone will not solve the problem.

The other element of stating the impact on you is discussing the needs. What need of yours is not being met? Is this impacting your efficiency? Are you wondering whether the work is futile, and not giving your purpose? Do you think you are being ignored and want consideration?

I cannot stress this enough: If you have trouble putting a "need" to your problem, it is because you haven't thought this through, and it's a bad idea to go into a conversation about the issue. Even if you don't explicitly state your need, this is a valuable exercise to do internally. Feelings are easy: When you're mad you know you're upset. Most people stop there and go have an argument. NVC forces you to start introspecting: My teammate did X and now I'm mad. But why is his doing X bothering me? Yes, my teammate undid all my changes and replaced it with crappy code. But why exactly is this bothering me? Your needs and his needs may conflict. But unless you can determine both, the conversation is likely going to go south.

All the communications books are part "therapy": Emphasizing introspection along with communication.

3. Request (optional - depends on the situation).

Regarding the "canned robotic phrases": This is akin to any other book that becomes dogma (think TDD, unit tests, referential transparency, etc). And just like the others, the original author does not insist you use these phrases. The NVC author explicitly says that the elements must be present, but the order doesn't matter, and sometimes it can even be communicated in one phrase. It nevertheless provides those templates to make it easy on beginners.

When I read the NVC book, I felt similar to you: These phrases are very artificial. And would annoy others. NVC is the only book that has these templates, and it is likely why it is very successful. The other books discuss the issues involved in conversations much better than NVC does - but they don't provide a template.

Now how artificial are these? Surprisingly not very. All my skepticism went away once I started observing people destressing a situation at work. The majority of these situations involved someone using very similar templates. And many (most?) of those folks had never heard of NVC! It sounds very artificial when reading it, but no one thought it was off. This is the exercise I recommend everyone does: Observe someone handling a stressful situation at work, and note how often they touch on all 3 aspects of NVC (specific observation, referring to the feelings, and the needs that are unmet).

Rosenberg didn't invent NVC. He just identified its existence.

No one's forcing you to use the template. Here's an example "So this is bothering you because it's affecting your efficiency?" This is perfectly valid NVC.

I think some of the problem arises in what is considered "good" communication. In the academic (and tech) world, we often describe good communication as concise and objective. This is great when communicating facts, science, etc. But in the workplace, we are not in the business of communicating facts and doing science. Most of us are in the business of making a product, that someone will buy, from which we will earn our living. And there are many competing motivations (some people want to "make" something, others are more interested in promotions, etc). Generally, we are heavily reliant on others. You can make a great thing but if the marketing folks refuse to market it, it will impact you (and vice versa). So "good communication" at the workplace involves dealing with a wider variety of people who have differing needs from you.

Becoming better at that type of communication is a lot of effort over a long period of time. It's easy to dismiss one type of style (e.g. NVC), but recognize that the "default" alternative is very poor and merely dismissing means accepting a poor level of communication. Had I simply read the NVC book and not dived deep into other books, I wouldn't have improved at all. It is because I decided that I will try to find a way to improve it that I recognized the merits of NVC and recognized its effective usage in the real world. It's also why I didn't stop at "crappy templates" and focused on making it less artificial.

Finally, NVC has a cult following. Ignore the cult. Just focus on the book.


I see posts like these once in a while on HN.

I suggest folks read some good books on conversations and negotiations.

Conversations:

Nonviolent Communications:

https://www.amazon.com/Nonviolent-Communication-Language-Lif...

Crucial Conversations:

https://www.amazon.com/Crucial-Conversations-Talking-Stakes-...

Difficult Conversations:

https://www.amazon.com/Difficult-Conversations-Discuss-What-...

Negotiation books:

Bargaining For Advantage:

https://www.amazon.com/Bargaining-Advantage-Negotiation-Stra...

Getting To Yes:

https://www.amazon.com/Getting-Yes-Negotiating-Agreement-Wit...

Getting Past No (billed as a negotiations book, but really more of a conversations book):

https://www.amazon.com/Getting-Past-Negotiating-Difficult-Si...

I strongly recommend reading Influence before you read these - much of what is in the books above will make more sense once you've read Influence.

https://www.amazon.com/Influence-Psychology-Persuasion-Rober...

When you read these, keep in mind: Change is hard. Don't expect to read these and become good communicators quickly. It may take a few years of stumbling and practice.

I see a mixture of comments agreeing and disagreeing with the original submission. For those who disagree: Most of what the author is saying is in agreement with what the books say:

If your goal is to change someone, you will either fail, or will succeed at the cost of the relationship (and relationships at work do matter).

Another important related point: If you cannot summarize why the other person is acting this way without using phrases like "stubborn", "irrational" or similar negatives, then it means you have no idea about the other person's concerns and motives, and are being lazy. It is easier to label, and much harder to probe effectively. Additionally, people often act stubborn because they realize you are not really interested in their perspective. Internally their thought process (which is very rational) is "This person does not really want to hear me out, so I'm not going to invoke too many neurons engaging with him and will just dig in my heels." - which is why a lot of books focus a lot on listening skills (which includes skills to signal that you are listening - you may in reality be listening just fine but the other person does not know it - so you signal it by summarizing their stance).

A lot of the comments here are invoking false dichotomies. Since HN has a comment limit, I'll address some here:

>I don't believe you can have a successful software team with individuals who can't take a code review well.

This is tangential. You can give feedback in a code review poorly, or efficiently. Both ways allow for you to point out problems with the other's code. One way will not be taken well. The other way has a higher chance of being taken well. A big step forward is to realize you can have your cake and eat it too.

>I started to try and reason with people with carefully crafted questions to guide them towards my goal.

Leading questions is a bad idea (all the communications books say it). Learn how to state your concerns. It is OK to ask questions if genuinely curious. But if you want to point something out, learn how to state it in a non-defensive manner.

(3 separate comments below):

>If Kara's emotions and defensiveness can't handle a clearly articulated, rational, objective argument against design decisions, then for the sake of the product and the company, she probably needs to find another job. Avoiding discussions doesn't work for me.

>Learned to let go and he has his parts of the code base and I have mine.

>And this is how you end up with a terrible, in-cohesive product.

Again, false dichotomies. The solution is not to be quiet and let it go. The solution is to learn how to talk about the issues effectively. One of the books calls this "The Fool's Choice" - thinking that either you have to be quiet and not air your concerns (to save relationships), or that you have to air them and damage the relationship.

>It's either you convince them, or perhaps they convince you. Logic wins.

Logic alone rarely wins. One key point in one of the books: Don't pretend that emotions should not be part of the decision making process. The reality is that emotions are already part of the decision making process. If you get angry that someone cannot take your feedback well, emotions are present.

>It's safe to assume Kara wrote this article.

It is safe to assume that the author of this comment is unwilling to question his views on the topic.

That's what assumptions get you.

>I have seen more technical damage done by nice and competent people deferring to bullies in the workplace than by legitimate disagreements expressed passionately.

Another false dichotomy. What the submission describes is normal among non-bullies.

>The flaw here is that you assume that "Kara" will learn from her mistakes. Not always the case.

It is a similar flaw to assume that merely telling her what mistakes she made will make her learn from them. Definitely often not the case.


Crucial Conversations: This book does a great job describing the landscape and problems in communications. Don't focus too much on the solutions (and all the weird acronyms they have). Even the authors at the end say that if you understand the big picture (people feeling unsafe to speak openly to you, etc), and take actions to mitigate that (it need not be identical to what they recommend), you're most of the way there.

Difficult Conversations: Also a great book on describing the landscape. It has good strategies, but the book is written in a way to be hard to follow in a real conversation. Consider it more of an educational/reference book as opposed to a guide.

Nonviolent Communications (NVC): The best I've read in terms of giving concrete advice. Poor on describing why the strategies work. Had I read this without reading the other two I likely would have dismissed it. The book's advice will seem very wishy-washy, but upon reviewing my notes of the other two books, I realized the advice is pretty much the same in all of them - merely presented differently. Warning: There is a bit of NVC cult out there (similar to TDD, Agile, etc) - ignore the cult/hype and just focus on the stuff in the book.

NVC is very polarizing on HN. However, most of the criticisms I see here about it are clearly from people who've never read the book. And some people are triggered by the use of the word "violent". Hard to help people who judge books by their title.

Getting Past No is also a pretty good book.

BTW, I do not want to come across as an effective communicator. I'm still far from it. However, I think reading all these books and occasionally reviewing my notes has made it much easier for me to identify the communications problems that I witness (mostly at work). I've been in teams with communications problems, and I often fantasize about synthesizing all the stuff in the books into a series of blog posts, using solely examples from work. When I first started reading the books, I kept saying to myself "Ah, this part of the book describes me!" and then "Ah, that annoying guy at work - he's in this book!" and before long all the annoying folks at work were to be found somewhere in there :-)


I handle it by collecting quotes that tell me to knock it off. I've since started to focus on just the things I really care about:

    The purpose of knowledge is action, not knowledge.
    ― Aristotle

    Knowledge isn't free. You have to pay attention.
    ― Richard Feynman

    "Information is not truth"
    ― Yuval Noah Harari

    If I were the plaything of every thought, I would be a fool, not a wise man.
    ― Rumi

    Dhamma is in your mind, not in the forest. You don't have to go and look anywhere else.
    ― Ajahn Chah

    Man has set for himself the goal of conquering the world,
    but in the process he loses his soul.
    ― Alexander Solzhenitsyn

    The wise man knows the Self,
    And he plays the game of life.
    But the fool lives in the world
    Like a beast of burden.
    ― Ashtavakra Gita (4-1)

    We must be true inside, true to ourselves,
    before we can know a truth that is outside us.
    ― Thomas Merton

    Saying yes frequently is an additive strategy. Saying no is a subtractive strategy. Keep saying no to a lot of things - the negative and unimportant ones - and once in a while, you will be left with an idea which is so compelling that it would be a screaming no-brainer 'yes'.
    ― unknown

Additional tricks:

- yoga-like poses where your lungs are almost flat with your head slightly lower (akin to the COVID prone position). This changes the lungs' internals and eases the heart by not having to pump blood up high

- upper body movements like rotating the shoulders, which compress/decompress the lung cavity, helping air exchange


Risk = Likelihood * Impact

If someone is capable enough to combine things, he does not need to be told this advice. All the others we tell just to follow common advice and not live by obscurity, because it is crap most of the time. Strong security does not need obscurity.


