Security Practitioners: 10 Signs You Need to be More Direct
Conflict isn’t Pleasant, But Sometimes it Can be Healthy and Necessary When Done Properly and Respectfully
Living and working in different cultures gives you a broader perspective across a variety of different areas than you might have attained otherwise. It is one of the things I am most grateful for professionally and has taught me to appreciate that each culture has its own advantages and disadvantages. There is one particular aspect of some cultures that I think we in security can learn a lot from.
Which cultural aspect am I referring to? Directness. Those of you who know me know that I am very direct and that I am a big proponent of directness. Directness is something that some cultures do better than others. So how can we as security practitioners identify areas in which directness can help us improve? I present: 10 signs you need to be more direct.
1. Bad ideas hang around: I remember watching the Challenger explosion on television. After the investigation, groupthink was found to be one of the reasons that the launch was allowed to go ahead, despite known risks. People were simply afraid to state their concerns directly. While the stakes are certainly lower in your security organization, the principle holds true. If people are afraid to be direct, it often results in bad ideas hanging around far longer than they need to. Whereas in a direct culture, a bad idea can be considered and politely dismissed in a relatively short amount of time, in an indirect culture, it may linger far longer than it should. That results in valuable resources being spent on activities that don’t provide much value.
2. Good ideas don’t come forward: In a similar manner, if people are afraid to be direct, it often keeps them from suggesting new ideas. Perhaps the solution to that big problem you’ve been worried about is found in the thoughts of one of your team members. But if it stays there, it doesn’t do you any good.
3. The team has no idea where it stands: Security teams need to know that the work they’re doing adds value to the organization, improves its security posture, and helps mitigate risk. In order to gauge where they stand, the security team needs to know what success in each of those areas means. The only way I know of to communicate what success means is to do so directly. That enables the team to make progress more effectively.
4. Strategic direction and goals are unclear: Building on number 3, communicating strategic direction and goals clearly and directly helps the team understand where the organization is going and what success means. Not surprisingly, that clarity will assist the security team in maturing far more quickly and efficiently.
5. Everything is above average – always: I always love it when I hear people tell me that everyone on their team is exceptional/above average/a star. Or that the intelligence they mine from their data is world class. Or that their processes are the most refined and mature in the industry. I hear this almost universally. Unfortunately, statistically, this is simply impossible. Everyone knows that organizations have different strengths and weaknesses. Try being honest. I think you’ll find that people will appreciate your candor and will respect you and your organization more for it.
6. Vendors are in the dark: Is a vendor meeting your expectations? Or, perhaps they are falling short of expectations? Are they trying to sell you something that you aren’t going to buy? Or perhaps they could benefit from some honest, constructive criticism? Did the initial phone call or meeting with the vendor reveal that we don’t have a great fit here? Then tell the vendor what you think. Directly. As someone who transitioned to the vendor side, I can tell you that trying to guess where you stand isn’t much fun at all. If we don’t have a match here, let me know, and let us both move on to other things.
7. You fail to reply to email more often than you reply: Did someone ask you a tough question by email? Did a vendor follow up to check on things? Did someone ask you to do something that doesn’t make a lot of sense to you? Reply. It could very well be that you indicate in your reply that a face-to-face discussion needs to happen around this matter. Or, perhaps the answer is simply no. But at least do the person the decency of replying directly.
8. Executives get things sugar-coated: It’s tempting to sugar-coat issues, challenges, shortcomings, and/or bad news to executives to avoid “burdening” them and to make ourselves look better in the short term. But most executives I have met want to know about risks to the business, including information security-related risks. Granted, you need to communicate clearly and concisely, and you need to have a plan for action. But, assuming you have all those things in place, it’s best to be direct. Sugar-coating things can make things easier for you in the near term. But in the long term, cracks in the foundation will show. And in the event of a serious security incident, past attempts to sugar-coat known risks will not go over too well.
9. You avoid conflict at all costs: Conflict isn’t very pleasant, but sometimes it can be healthy and necessary when done properly and respectfully. Maybe you disagree with someone’s approach. Maybe you know that a given project will not benefit the organization. Maybe you feel that a certain problem is at risk of remaining unsolved. In these cases and others, it’s quite possible that there will be others that don’t see it the way you do. But if you challenge them or they challenge you, it’s okay to be direct and have a bit of a respectful conflict. That’s really the only way that both sides can be heard and understood. Shying away from conflict accomplishes nothing other than to ensure that no one’s ideas get communicated. Over time, it also teaches people that their concerns will not be dealt with and will instead be left to die on the vine of indirectness.
10. The story keeps changing: The sad result of indirectness and conflict avoidance is that the story keeps changing. Life in the security organization becomes a moving target where no one is really certain what they should be focused on or what will add the most value. Obviously, this is not a great situation for the organization to be in and doesn’t help its security posture. Directness is the only cure for this as far as I can tell.
Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently Co-Founder and Chief Product Officer at IDRRA and also serves as Security Advisor to ExtraHop. Prior to joining IDRRA, Josh served as VP, CTO – Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.