I first encountered Flail when I was in the military. My first posting was to a relatively new unit that didn’t exist 3 years before I showed up. This unit showed all of the hallmarks of an environment that leads to flail, and many of the human costs were present showing that flail had been there for a while. While any major organizational change could potentially lead to flail, it doesn’t always show up and recognizing that it’s there is the first step in the art of managing flail. To risk spoiling the rest of my article, my five steps towards flail management are building a clear and comprehensive problem statement with corresponding strategic vision, empowering people managers to solve people problems, encouraging collaboration while respecting boundaries, building in stress relief, and counter-intuitively, minimizing change to only tweak that which is necessary to attain the desired strategic outcome.

So, let’s get started by talking about what I mean when I say “flail.” As I think about it, flail is the human and organizational stress response to failing processes and workflows that are being overwhelmed or damaged by new changes. Flail at the human level looks and feels like an environment everyone is locked into perpetual firefighting behavior. It can lead to stress, burnout, and lost productivity when important items are de-prioritized as overwhelming urgent business-as-usual tasks pile up. At the organizational level, it feels like disorder, inefficiencies, loss of collaboration, and general chaos. In the long run, it leads to talent loss, inability to innovate, and a loss of maturity in core capabilities as turnover bleeds competency from the talent pool.

When solving flail, the first step is realizing that to the people on the ground, flail looks and feels a lot like solving problems. In fact, that’s all employees in a flail infected organization will see - a constant and unending stream of problems that need to be solved in order to complete previously uncomplicated tasks. That’s because the root cause of flail isn’t in their hands. There’s no way for a good employee to “good employee” their way out of organizational flail. When I evaluate clients, I look for a predisposition to flail and the signs I look for are a history of reacting poorly to change, silos, teams that are universally at capacity, and an operating strategy that is slanted towards fire fighting rather than investing in fire-prevention.

So this all sounds like a management problem and not a security one, right? Why am I talking about it here on Secure Humans? Well, that’s because a poorly implemented security program can induce flail when it adds unneeded complexity to previously simple development tasks as security is integrated into the SDLC. When designing plans, I have a couple of preemptive flail prevention solutions that I weave into my plans when I see a client that’s predisposed to, or currently undergoing, flail.

After diagnosing flail or a predisposition to it, my first concern is identifying a palpable, clear problem statement and pairing it with a strategic vision that addresses the problem. Often times, our human instinct is to minimize problems, let them go unsaid, or lead with a solution. However, not everyone has that vital context and when big changes happen, they appear to come from nowhere, or are couched in neutered words that lack any sort of problem worth solving. This means that strategic changes can seem ego driven, or the result of a busy-body looking to make a mark while in office, as opposed to an actual solution to a real problem facing the organization.

The next step involves assessing how middle-management gets their work done. Flail resistant organizations empower their management at every level to identify solvable problems at their level and solve them, and communicate upwards when unsolvable problems happen at their level. How well people managers are able to manage is a huge part in how resilient an organization is against the chaos that comes with strategic shifts.

Since managers are often the referee for work coming into and exiting their shops, they’re also sitting at a key position to minimize flail. When taken to an extreme, strong boundaries to inter-departmental collaboration present as silos, but when completely torn down, those boundaries’ absence lead to an unmanageably large, un-prioritized to-do list for every person in that shop. Instead, I look at workflows that route between shops and departments in treat those managers as stakeholders in the changes that will impact them. They already know how they want work to show up for their shop to work on, and respecting those existing methods is key to minimizing disruption, friction, opportunity cost, and flail that comes with new security asks.

After designing process changes that minimize introduced new chaos, it’s time to acknowledge that stress, friction, and chaos may already be present. This can come in many forms. When planning, I like to build in technical debt friendly risk-exception processes that can keep teams from being overwhelmed by old problems as well as adopting a crawl-walk-run approach to capability maturity. At a management level, delegating work to other teams or just refusing low-priority work can help bleed off some stress for individual teams but isn’t a permanent solution. At the human level, encouraging socialization, hobbies, and other stress relief to keep from being overwhelmed is a huge help that many of us overlook when overworked.

Finally, when building a plan to make strategic changes, try to keep change to a minimum. In any organization, even flailing ones, there’s a lot of processes, workflow, tooling, and shops that work well. The silent 90% tends to get drowned out by the 10% of flailing processes that do need to be addressed. It’s important to understand the totality of all that in order to set keep what’s working intact, and only make the lightest of changes that address the clear problem and meet the all important strategic vision. This also means not applying re-organization after org change after shake-up. It’s often tempting to try to bring out the re-org toolbox and make reactive changes, but that almost always makes things worse while the organization is healing.

When preventing or managing flail, the role of leadership is to set the vision, empower managers to manage their responsibilities, encourage healthy collaboration between business units, departments, and shops, and allow for some stress relief when dealing with the consequences of strategic change. The role of managers is to change the problems that their work-centers, shops, and departments have to solve. When accounting for flail, be deliberate in only mandating changes that solve real problems, and allow problem solvers to solve those problems.

There's always more words to spend on a topic like this one, but I've hit my budget for now. Stay secure, and never forget the humans.