I’m giving a talk at pyCascades this afternoon and I just wanted to share the slides for folk who like that kind of thing.

PDF: https://drive.google.com/file/d/125cCmmk8k5UtfV3QajNOXml1YW5nxM2i/view?usp=sharing

ODP (LibreOffice Impress) : https://drive.google.com/file/d/1u3_5LQUYYPiv9hSCbcgG_gOGn96a-di2/view?usp=sharing (Contains notes but they’re an early talk draft)

Google Docs version (not the original, probably has minor formatting issues but may be easier to view on your phone) : https://docs.google.com/presentation/d/149coIJnNdIsW7NWkQjv5jaKAHboHBxVLgx2lOS2oZfk/edit?usp=sharing

CVE Binary Tool source repository: https://github.com/intel/cve-bin-tool

CVE Binary Tool documentation: https://cve-bin-tool.readthedocs.io/

The slides below are just images (no alt text or notes — if you want those see the ODP link above). I’m planning to update them with something closer to the talk content after the conference but it might take a while.

I gave one talk and ran one tutorial at Open Source Bridge 2016 back in June. For those of you not familiar with it, Open Source Bridge is an open source conference with a focus on “open source citizenship” that leads to a great combination of technical and social thought from people who are part of the open source community. My favourite part is actually the super chill hacker lounge, where it’s quiet enough to actually talk, and it’s totally cool to meet new friends around the lego table or bring my knitting. I don’t mind a few alcoholic conference mixers, but I have to say I meet and remember way more people at open source bridge than many other conferences.

Talk I gave this year, entitled “Taking No For an Answer,” isn’t entirely open source specific, since it’s really about a bad community behaviour you see in many other communities, but the focus and my examples come from my work in open source. I can’t seem to find the audio recording they made, so this is reconstructed from my slide notes. You can find the whole slide deck here: Taking No For An Answer (Open Source Bridge 2016) slides.

Open source (like many fields) rewards people who are confident and even a bit pushy. Those of us who go furthest are often those who offered to fix bugs and followed through, who were ready to argue about their architectural ideas on a mailing list or irc channel. In many ways, open source is do-ocracy, where those with the time and the confidence to do things become leaders. In volunteer led communities, it can often be the case that the quality or merit of the work isn’t the big focus: it’s whether it’s getting done by anyone at all.

So because of this, In the tech world, there’s been a lot of focus on getting people to step forwards, negotiate, lean in, DO. This can be super valuable — sometimes people do need a reminder, need some tips, need an invitation to speak, need to evaluate their internal censor and not let it stop them. There’s a reason my google image search pulled up a bunch of stuff aimed at women: there’s been a lot of push to encourage folk who are under-represented or socialized not to step forwards.

So clearly, as in all discussions about women and minorities, it’s time to consider what about the men? (room laughs)

Okay, just kidding. But surely self-improvement isn’t just for folk who haven’t stepped up yet. What about self-improvement for people who are already leaders in our communities? What about training confident people to be better? So this talk is aimed not at our most vulnerable but at some of our more powerful, as well as those who want to become more powerful and effective community members.

So, it looks like I have a great audience of existing and future community leaders. Let’s talk about no.

No is a powerful tool with many uses. In my professional life, I do open source security, and a lot of my job involves saying no: No, this code isn’t right. No, you can’t skip validation. In my volunteer life, one of the things I do is coordinate a large summer mentoring program for the python software foundation. No, you can’t have more students than you have mentors. No, you can’t sign up even though it’s past the deadline. And as a minority in tech, I say a lot of no. No, I’m not available to help you with more diverse hiring. No, I don’t have time to educate you on issues facing minorities in tech. No helps me do my job, manage my time, make my volunteer program better, and so much more.

I get paid to say no: it’s a huge part of my job, and I’ve learned a lot about when to say no, how to say no, techniques to make it easier for people to accept no, when I need backup on saying no, etc. But while I’m a professional naysayer, that’s not true of a lot of other folk in our communities.

And frankly, saying no can get pretty exhausting. It’s not at all helped by all those “but you should put yourself forwards!” self-help books, let me tell you. I had some dude give me a unsolicited pep talk at work about imposter syndrome and seriously, some people need to learn the difference between a lack of confidence and a knowledgable evaluation of personal skill. No is hard, especially if you’ve been socialized to be agreeable, and some people take advantage of that.. There’s a whole talk to be had about how to say no effectively, and maybe some day I’ll give it, but I feel like the people who might need some help saying no are mostly the same people who needed help saying yes, and I want to talk to the other people. The people who make saying no so exhausting, whether they mean to or not.

Let’s talk about some common anti-patterns you get when you say no. The first one is denial. I hear this a lot in my professional life: That’s not really a security bug. That’s not exploitable. No one would ever do that.

The second reaction to no is anger. I hit this one a lot when teaching and mentoring: students sometimes have been effortlessly at the top of their class and don’t know how to handle having to work for results. Or they just have no way to handle failure and dust themselves off to try again. So they yell at me. They yell at people who they think have power over me. They blame anyone but themselves for the fact that I’m telling them something they don’t want to hear, and let me tell you they *really* don’t want to hear that I’m not destroying their life, their poor performance is destroying their life. And I wish I could say it’s just students, but try telling a project that they’re going to miss their shipping deadline due to a late breaking security issue or their failure to do due diligence. This is totally an understandable response, but it’s not a productive response.

Next is bargaining. The worst experience I have ever had saying no was to someone who exhibited both the denial and bargaining anti-patterns. She wanted me to run a program that I’d run in previous years, which is a totally reasonable thing to ask, but when I said I wasn’t available because of a more impactful commitment, she would repeatedly come to me with things and it was always “couldn’t you just” — “couldn’t you just look over the wiki?” “couldn’t you just help with this one part of the project” “couldn’t you just help this one person get set up” “couldn’t you just answer this question.” It was exhausting and awful, because I absolutely did not have the time to do these things, and I’d actually made it clear that I didn’t even have time to keep telling her no. And yet, the questions still came.

But bargaining can also be a useful and productive pattern. In my professional life, when I say no, it’s pretty normal to negotiate a solution together with the dev team. Even in that dreadful volunteer experience, my final out came by begging a friend to work with her — negotiating it so that there was a buffer of no between me and her so she had a resource willing to help her and I had the ability to do the other thing I had committed to do.

And then there’s depression, which honestly can be both emotional manipulation as well true dismay.

And finally, of course, acceptance. If you haven’t already recognized them, as well as the 5 stages of no, that was also the 5 stages of grieving. It’s sort of disturbing how much they line up. But why do we need to think about no anti-patterns?

And the answer is that these anti-patterns harm our communities. In a situation where you have very few experts and many people asking, anti-patterns surrounding no contribute to communities denial-of-servicing our few experts. This happens to me as a security expert sometimes: I’ve had weeks where I wind up arguing with people about lousy decisions endlessly, so much so that I then don’t have enough time to do advanced secure code review, or help other groups triage security issues well. It happens to me a lot more than I would like.

My friend Cate has been giving a great talk on burnout and I just wanted to share this slide, which talks about the fact that burnout isn’t just caused by high workload. No is a great tool for avoiding high workload, but it’s also a great tool for avoiding being put in situations where you’ll be hit by the other 5 things on this list. That’s one of the reasons that it’s absolutely essential that leaders need to learn to take no for an answer so that their communities can actually be *healthy* and not burnout factories.

So how can I learn to accept no with strength and grace?

The first step to accepting gracefully is to actually accept that no was in fact the answer given. If you catch yourself doing any of the anti-pattern things, you aren’t really doing a good job at this. Consider the lady who wouldn’t take no for an answer and kept asking me “couldn’t you just…” — if she’d been able to accept the no, we could have had time to help her find a better solution. But instead, the whole experience left me frustrated, exhausted, and telling my friends cautionary tales about the experience. This was a bad outcome for both of us, and for the people she wanted to help.

The second step is to listen. If you’re convinced this was the right choice, take time to find out why the answer was no. Be prepared to have that answer challenge your assumptions. One of the things I do at work sometimes is review open source libraries to see if they have good enough security hygiene for inclusion in our products, and I get a lot of push back when I tell people they need to choose a better library. They’ve made assumptions that don’t match up with my metrics, and the only way for them to learn to make better choices and thus get products to market faster is to learn what assumptions are leading them to poor decisions.

The last step is to form a new plan. You might be able to do this with the help of the person who said no, but you shouldn’t assume that — No means no, folk. If you want to be a great leader, you need to take responsibility for finding a new plan if you want the thing to be done.

But I don’t want to get a no.

But I can’t afford to get a no.

How do I turn no into a yes?

If you want to turn a no into yes, first consider: Am I being an asshole? (audience at OSB laughs, pulls out smart phones to take pictures of the slide). This is a legit thing you should ask yourself pretty regularly as a community leader, actually. For example, sometimes you’ll be asking for things to be done in a way that makes them easier for you at the cost of others. Sometimes you’re just demanding that things be done the first way you thought of when that’s not the important part of the request.

But perhaps more usefully, ask yourself what you really need. The answer is almost certainly not “I need to irritate my valuable volunteers” but what is the answer?

So, if you’re getting a no and you want a yes, clearly you are doing something wrong in the way you ask. How can you improve your ask to get better results for your community even if you have to get a no sometimes?

Step 1: do your research.

• What do you really need?
• Who else can you ask?
• Where else can you get more information?
• How long will what you’re asking for actually take?
• How stressful is it?

Step 2: Use your empathy

• How can you make saying yes more beneficial to the person you’re asking?
• Can you pay them?
• Can you provide other rewards?
• Can you make it align better with their career or life goals?
• Can you make sure they get more thanks, recognition?
• How can you make it easier for them to say yes?
• Do they need childcare?
• Do they need a better schedule?
• Does the task need to be better-defined?
• Could they help with something smaller?
• Should you just leave them alone if they say no?
• Empathy is not about what you want, but what they want.

If you don’t know how to empathize, you’re going to end up with asks that are utterly unappealing or outright insulting to the people whose help you want.

And in a striking example of that, one thing I and many others often get offered for my time is “exposure” — I’m from Canada. My people DIE of exposure. But jokes aside, exposure is often a double-edged sword for people in your community, and you need your empathy and knowledge of your community of volunteers to know when that’s something they might want and when it’s something they want to avoid at all costs.

Make a backup plan (hopefully this will be easier with the research!) If getting a yes is really important to you, you should try to do all of these things in advance.

Refusing to take no for an answer is damaging behaviour: it contributes to burnout, denial of service, assholism.

Steps to graceful acceptance of no:

1. Accept
2. Listen
3. Plan

If you really need a yes

1. Do your research
2. Use your empathy
3. Make a backup plan

And do all of this before you ask if you want the best results and the happiest community. If you’re asking for something, the onus is upon you to figure out who might want to do this and find a way to make them feel great about saying yes.

Learning to accept no well and productively will make you a more effective leader.

Nopetopus source

Photo credits:
“Superman vs Hulk (131/365)” by JD Hancock https://www.flickr.com/photos/jdhancock/4600608792
“Talk to the hand” by Bridget McKenzie https://www.flickr.com/photos/bridgetmckenz/7822818160/
“Power tool” by Helen Cook https://www.flickr.com/photos/hvc/2681974174/
“Sleepy” by Sera Photography https://www.flickr.com/photos/seraphing/15305580251/
“Denial pack” by andres musta https://www.flickr.com/photos/andresmusta/6175939561/
“Anger” by kunkelstein https://www.flickr.com/photos/21370407@N08/2091127037
“You’d be crazy to miss these bargains” by Christian Heilmann https://www.flickr.com/photos/codepo8/1309725237
“Acceptance” by Kitty Mao https://www.flickr.com/photos/kwseah/21683299393
“Beautiful Ballerina” by Grace Trivino https://www.flickr.com/photos/graceyheartphotography/4741052547
“Raised hand” by usdagov https://www.flickr.com/photos/usdagov/22484527807/
“Sharing” by Binny V A https://www.flickr.com/photos/binnyva/8600465534
“Out for a walk in the woods” by Terriko https://www.flickr.com/photos/terrio/8304718546/