This presentation teaches the technical support professional that the role they play in incident management is similar to the role played by law enforcement in the task of solving crimes. Both are based on a similar structured problem solving methodology.
22. The CSI Way
1. Initial Response: Touch nothing, Observe and Listen
2. Secure and Document: Touch nothing, Record observations
3. Collect Evidence: Bag it and Tag it
4. Interview Witnesses: Question and Record
5. Analyze Evidence: Identify and Eliminate
Record all data and actions
23. CSI: A Guide for Law Enforcement
Initial Response/Prioritization of Efforts
1. Receipt of Information
2. Safety Procedures
3. Emergency Care
4. Secure and Control Persons at the Scene
5. Boundaries: Identify, Establish, Protect, and Secure
6. Turn over Control of the Scene and Brief Investigators
7. Document Actions and Observations
Source: January 2000 by the US Attorney General
24. Kepner-Tregoe’s Problem Analysis
A.K.A. The KT Process
1. Define the Problem
2. Describe the Problem
3. Establish possible causes
4. Test the most probable cause
5. Verify the true cause
25. ITIL® Incident Management Process
1. Incident Detection and Recording
2. Classification and Initial Support
3. Investigation and Diagnosis
4. Resolution and Recovery
5. Incident Closure
6. Incident Ownership
It’s an Incident, Dr. Watson
Support analysts need similar training to crime scene investigators. Both professions must leverage similar skills to be effective at work. The analyst is challenged to restore service, and the investigators are challenged to solve the crime. Both are solving puzzles. Structured problem solving (SPS) is a technique developed by Kepner-Tregoe. The Consortium for Service Innovation promotes the adoption of SPS within the incident management process. Law enforcement professionals utilize these techniques to solve cases. In this presentation we will walk through the incident management process and relate the work to that of the crime scene investigator. Using the structured problem solving methodology within the incident management process, support analysts can learn to support customers the CSI way. Attend this session if you want to learn how to improve incident management and solve the crime efficiently.
Feedback from HDI Annual Conference Session 304 - Tuesday, April 07, 2009 3:00 PM - 4:00 PM
The overall feedback for this presentation was extremely positive. The content itself does not present new trends; it presents a new way to help support analysts understand their role and how to be successful.
Delivery Note: Rick wore a CSI hat and vest, had a crime scene setup, complete with a taped area with the outline of a dead body and bullet casings. Delivery was done in character for the entire presentation, as if he were a member of the Vegas crime lab sharing how their process is similar to the process that is followed within a support center.
Select Survey Comments:
Great analogy & comparison to relatable subject
This was really good. I like the approach & I thought Rick was pretty creative in the way he presented this was awesome.
Great presentation. Rick stayed in character the entire time. Great correlation of CSI Agents and Service Desk.
Liked the role play & very helpful, yet still metaphorical
Most interesting presentation I’ve been to so far.
Great way to compare investigation to problem solving
Good tie into crime scene investigation. Great way to connect the info.
Very informative. Will be able to take this back and make nice use for new hires.
Very Engaging – innovated presentation on subject
This presentation has been delivered at a small number of events and continues to get positive response as a training tool for the support center.
100 word description
Support analysts need similar training to crime scene investigators. Both professions must leverage similar skills to be effective at work. The analyst is challenged to restore service, and the investigators are challenged to solve the crime. Both are solving puzzles. Law enforcement professionals utilize these techniques to solve cases. In this presentation we will walk through the incident management process and relate the work to that of the crime scene investigator. Using the structured problem solving methodology within the incident management process, support analysts can learn to support customers the CSI way.
Solving an incident for a customer is like solving a crime
Sherlock Holmes was known for his skill at solving problems by looking at the evidence and asking questions of the people involved.
Sherlock Holmes pre-dates the Help Desk, but he does not pre-date problem solving, a critical skill of every support center analyst.
If we look at how crimes are solved, we can find a close correlation to how we manage incident recovery today.
CSI has made a major impact in today’s culture.
The TV series just completed its 200th episode and has resulted in many similar and very popular shows.
Of course the original is CSI based here in Las Vegas. Then there is CSI Miami, CSI New York, NCIS, Criminal Minds, The Mentalist, Law & Order, and the list goes on. My personal favorite is NCIS.
As a result of these shows, our educational institutions are seeing a rise in applications for people wanting to enter this field of work. Who even knew what CSI stood for 15 years ago?
My daughter is now in college, I know I don’t look that old. She is studying for her degree in Forensic Investigation with the goal of working for the FBI or the Secret Service.
We need a TV Show to increase the focus on our field and to get more people interested in our work.
All of the popular CSI shows are about problem solving. And they are teaching us that problem solving is a structured process and we need to follow the evidence.
Let’s look at this process a little closer.
The initial response is to get experts to the scene quickly.
Customers now dial 911 for assistance. This is the single point of contact for all emergency services. How many of you remember the days before 911 when we had different phone numbers for different services and they varied from city to city?
Support has been centralized to make it easier for the customer and to improve efficiencies and effectiveness. There is more than one 911 center, but we leverage technology today to make a number of locations look like one virtual contact center.
Does this sound familiar to what is happening in our industry?
The agents on the other end of the phone line are trained to manage the customer and the situation. They have to have customer service skills and problem solving skills. They may even be called upon to guide a father through the delivery of his own child.
Whether you are an officer in a 911 center or an analyst in a support center, it starts with taking the call. Neither person knows what to expect when the phone rings; they just know someone needs their help.
Now that we are talking with the customer, we have to gather information. We need to understand what type of service they need. What is the crime? We need to classify the call.
Our job is to figure out who has the appropriate skills and authority to solve the problem. If we can’t resolve the problem over the phone, then we are going to have to escalate the call to the right people. You would not expect the 911 center to send the fire department to a burglary.
We also need to understand the impact and urgency so that we prioritize resources appropriately. There is a difference between a grass fire and a hospital on fire. There is a difference between a shooting and vandalism.
The officer or analyst on the phone will also attempt to determine if this is a known problem. Perhaps they can resolve it without getting anyone else involved.
Service management systems today can quickly tell you if the customer has a PC or a Mac. That type of data is important to capture.
When a police officer arrives at the scene, the first order of business is defined as Initial Response. The safety of the responding personnel and the people at the scene comes first. When they enter a building, they walk cautiously room to room to ensure that it is “Clear” of danger.
They provide emergency care to the injured.
And they establish control. This is both of the crime scene and the people near it.
Over the phone, the support professional also needs to establish control. They first must empathize with the customer and address the emotional state of mind. Then they establish control by taking ownership of the problem and using the customer’s name to build rapport.
Then they secure the scene. The goal is to protect the evidence from contamination.
NO MORE CHANGES
One of the first things a support professional should do when working with a customer is to advise them to stop all changes. No more typing on the keyboard.
Imagine trying to solve a problem and the customer continues to install software patches they believe will address their issue. The support professional needs to secure the scene.
In addition to collecting evidence, everything must be recorded. At a crime scene, there is always someone with a camera.
Their job is to record things before they are moved so that they can be analyzed later. This is the key point, analyze it later.
They take pictures of things that may or may not have anything to do with the crime.
How does this apply to the support center?
Record everything. Like what? Who called, when did they call, what software, what hardware, etc.
We have software tools today that can capture a tremendous amount of information quickly.
The next step is to collect evidence.
After the scene has been secured, the crime scene investigators begin the task of collecting evidence. This is not the time to solve the problem or analyze the data.
How do we collect evidence in the support center?
And then there is the task of interviewing witnesses to get additional information.
Does the police officer start with questions like, how tall was the man?
Absolutely not. That would assume that there was a man and that this person saw him.
They are trained not to lead the witness, but to follow the answers with other questions.
They may ask controlling, or closed questions to determine if you are a witness or person of interest, but then the officer is trained to use open questions first. What did you see?
Support analysts need to do the same thing. Once they have asked a few controlling questions to gather initial data, they need to use open questions to discover additional evidence.
Describe for me what you saw, explain what you expected to have happen.
And what are they supposed to do with all this data?
Absolutely. Record it. Record everything. They do not know what might be important. Every police officer carries a pen and tablet with them. They cannot depend on their memory.
Analysts need to record the information in their little notebook we call, the incident management or service management system.
Once we have collected initial data, we need to seek to understand what we already know about this data.
The police officer or crime scene investigator will use technology to review existing information that has been stored in databases. They can check the history of the people involved. They can check the history of the cars involved. They can also check the history to see if other issues have occurred at the same location. They want to know what is known so as to minimize time and rework. Why do research about a person if they can get a copy of their police record and see what other officers have already learned about the person?
How does this compare to the support center?
We can search the knowledge base
We can search the CMDB to learn more about the parts
We can search the incident history to see if the customer has had this problem before.
If we do not find the information we need, we need to gather more data.
The investigator will re-interview witnesses. They will ask clarifying questions to make sure they captured the information correctly. They will gather information from other people to get another perspective.
They may discuss this with other officers to get yet another perspective on the problem.
Support analysts need to do the same thing. They need to seek to understand before they seek to solve.
And then they analyze the data again.
CSI’s check and double check all the evidence in the lab, not in the field.
As new data is discovered, the support analyst needs to search the knowledge base again. They may need to get assistance through either collaboration or escalation.
Sometimes the evidence may have been planted. The witness may have given false testimony.
Has anyone in the support center ever had a customer give you information that was wrong and as a result you were working on solving the wrong problem?
Sometimes the witness will tell you who did it, but you have to prove it.
Has anyone ever had a customer demand new equipment to solve their problem? And they never really told you what the problem was.
Sometimes the CSI will return to the scene of the crime.
They want a clear view of what might have happened in the environment.
In the support center we are fortunate to have technology today that allows the support analyst to get a close look at the environment without ever leaving their chair. Remote control software allows them to return to the scene of the crime to gather information and to get a closer look at what is actually happening.
When solving a crime, the investigator wants to understand the motive. If they can understand the motive, then they can get closer to solving the crime. Why would a person do what they did? Were they after money, drugs, alcohol or women?
In the support center the support analysts may need to discover the cause of the problem before they can solve it. They need to create a list of possible causes.
Then they need to test the probable causes to determine what to do next.
When testing probable causes you need a plan. Consider the frequency of occurrence and the cost of the test.
It is better to see if the door was unlocked before you test to see how much force is required to open the closed door.
Don’t overlook the simple stuff. If the robbery was in a bank, the motive is most likely money.
In order to test for possible causes, you may need to recreate the crime scene in the lab. Support professionals sometimes have to reproduce the problem as part of the problem solving process.
Calling for backup must be done wisely. If a police officer calls for backup every time they stop a car, the chief is most likely going to remove the officer from the force. Some things they are expected to handle on their own. And then there are times when the situation dictates you always call for backup.
In the support center, the service level agreement may dictate that the incident is to be escalated immediately.
Why would we do this?
And there are also reasonable time limits or specific skills needed. So calling for backup is expected.
In the support center our primary task is to resolve and recover. We need to get the customer back into business.
Emergency care always comes first in the field. We need to find a way to stop or minimize the pain for the customer. Workarounds are appropriate to get the customer back to work. We can turn the problem over to problem management if a permanent fix is required.
ITIL incident management is about getting the customer back to work. A workaround may be more appropriate than fixing the problem.
In the process of closing the incident, the investigator needs to confirm the evidence supports his actions.
In the support center, we can only confirm the resolution has resolved the problem by asking the customer. Even if we know it did, we need to ask.
Just as, even when the officer knows the guy is guilty, he needs to make sure that he can support his claim.
Everyone has to be accountable for their actions.
Just as the officer owns the case until it is closed, the support professional must own the incident until it is closed. They need to monitor and track the progress and give status updates as appropriate.
They may also be asked to give testimony to what they did and why they took the actions they did.
Here is the CSI way to solve a crime.
Note that all actions and data are to be recorded. The support professional must record all emails, phone calls, tests, escalations, etc. that finally lead them to the resolution.
Note the steps from the Guide for Law Enforcement as published by the US Attorney General.
If we changed a few terms, could we not make this the guide for support professionals?
Kepner-Tregoe is well known for its structured problem solving methodology. This is the base process that should serve as a foundation for incident management.
This is most often used in root cause analysis, which may be required for new problems where a workaround is not apparent in order to restore service. This would be known as reactive problem management.
When we look at the ITIL incident management process we see similar steps.
Perhaps it is not so far-fetched to think we could create a popular TV series where each week viewers tune in to watch how the support analyst solves the problem.