Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

5/8/2019
10:30 AM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

The Fine Line of Feedback: 6 Tips for Talking to Security Pros

Feedback is a two-way street in terms of giving, receiving, and knowing how to give and receive.

Feedback is important to all of us. It helps us learn, grow, mature, and better adjust to our surroundings. If we learn how to receive feedback well, we will be able to improve, whether it be in our personal life or in our professional career in cybersecurity. On the other hand, if we don't receive feedback well, it can hold us back.

That said, providing feedback is a sensitive and difficult topic that can take a lifetime to master. While I haven't yet mastered this skill, I know a thing or two about the personalities of security professionals. It is in this spirit that I offer six tips for giving positive feedback to security professionals.

Tip 1: Pick your battles: Knowing when to engage is an important skill in life, including when it comes to providing feedback. If you never provide any feedback on anything, nothing will ever change or improve. On the other hand, if you always provide feedback on every little thing, people feel criticized and micromanaged. When is the right time to provide feedback? In general, only in instances when feedback actually makes a difference. By that, I mean when changing something will have a direct impact on the efficiency or effectiveness of the security program — for example, requesting that a specific, noisy alert be tuned to reduce false positives and improve the efficiency of the security team. Or fixing a broken process in order to improve the overall performance of the security team.

Tip 2: Suggest: When providing feedback, it's always more helpful to suggest a practical, tangible solution, rather than expressing displeasure with what is currently happening. You may be absolutely right in your critique, but if it doesn't come with a practical alternative, it's really just complaining. A viable option goes a long way toward getting results.

Tip 3: Never assume: We are all human, and we all have our own subjective biases. That being said, feedback needs to be offered on the basis of facts and objectivity. Think you understand how someone is accomplishing a given task? Verify that your understanding is the truth. Feel like you know someone's motivation for doing something or what that person is after? Better check that feeling out against the facts. Assumptions don't help with providing feedback. They only make the receiver focus on assumptions versus the actual focus of the feedback. This often leads to unnecessary conflict or to taking things personally. Neither helps solve the problem.

Tip 4: Don't jump to conclusions: It's far too easy to connect dots that aren't actually connected. When it comes to providing feedback, we need to make sure that we really understand the facts and reality of the situation we're addressing. Otherwise, we put the value of our feedback at risk. It only takes one inaccuracy for someone who is not interested in or receptive to our feedback to rationalize dismissing it.

Tip 5: If it ain't broke, don't fix it: This colloquial proverb offers some very wise advice for those of us in the security profession. There are some people in our field who seem to want to provide feedback about just about everything. This feedback seems to come whether or not it was asked for, and whether or not it is relevant to the discussion at hand. The problem with this is that sometimes, things actually work as they should. If a process, technology, capability, employee, or anything else is working just as it should, save your breath. Hold back those words and don't provide feedback in those instances. Resources are scarce in security and should be invested in areas where they can have an impact by making a change — not in areas that don't need any fixing.

Tip 6: If you dish it, take it: I've met too many people who provide plenty of feedback but cannot accept any of it. By accepting feedback in the same spirit that it is given, you'll find that not only will you improve personally and professionally but that others will put more value on the feedback that you provide to them.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Josh (Twitter: @ananalytical) is currently Director of Product Management at F5.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye.  Prior to joining nPulse, ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-20001
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.2.0, BinaryHeap is not panic-safe. The binary heap is left in an inconsistent state when the comparison of generic elements inside sift_up or sift_down_range panics. This bug leads to a drop of zeroed memory as an arbitrary type, which can result in a memory ...
CVE-2020-36317
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, String::retain() function has a panic safety problem. It allows creation of a non-UTF-8 Rust string when the provided closure panics. This bug could result in a memory safety violation when other string APIs assume that UTF-8 encoding is used on the sam...
CVE-2020-36318
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, VecDeque::make_contiguous has a bug that pops the same element more than once under certain condition. This bug could result in a use-after-free or double free.
CVE-2021-28875
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.50.0, read_to_end() does not validate the return value from Read in an unsafe context. This bug could lead to a buffer overflow.
CVE-2021-28876
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. It calls __iterator_get_unchecked() more than once for the same index when the underlying iterator panics (in certain conditions). This bug could lead to a memory safety violation due to an unmet safety r...