Dark Reading is part of the Informa Tech Division of Informa PLC


5/8/2019
10:30 AM
Joshua Goldfarb
Commentary

The Fine Line of Feedback: 6 Tips for Talking to Security Pros

Feedback is a two-way street in terms of giving, receiving, and knowing how to give and receive.

Feedback is important to all of us. It helps us learn, grow, mature, and better adjust to our surroundings. If we learn how to receive feedback well, we will be able to improve, whether it be in our personal life or in our professional career in cybersecurity. On the other hand, if we don't receive feedback well, it can hold us back.

That said, providing feedback is a sensitive and difficult topic that can take a lifetime to master. While I haven't yet mastered this skill, I know a thing or two about the personalities of security professionals. It is in this spirit that I offer six tips for giving positive feedback to security professionals.

Tip 1: Pick your battles: Knowing when to engage is an important skill in life, including when it comes to providing feedback. If you never provide any feedback on anything, nothing will ever change or improve. On the other hand, if you always provide feedback on every little thing, people feel criticized and micromanaged. When is the right time to provide feedback? In general, only in instances when feedback actually makes a difference. By that, I mean when changing something will have a direct impact on the efficiency or effectiveness of the security program — for example, requesting that a specific, noisy alert be tuned to reduce false positives and improve the efficiency of the security team. Or fixing a broken process in order to improve the overall performance of the security team.

Tip 2: Suggest: When providing feedback, it's always more helpful to suggest a practical, tangible solution, rather than expressing displeasure with what is currently happening. You may be absolutely right in your critique, but if it doesn't come with a practical alternative, it's really just complaining. A viable option goes a long way toward getting results.

Tip 3: Never assume: We are all human, and we all have our own subjective biases. That being said, feedback needs to be offered on the basis of facts and objectivity. Think you understand how someone is accomplishing a given task? Verify that your understanding is the truth. Feel like you know someone's motivation for doing something or what that person is after? Better check that feeling out against the facts. Assumptions don't help with providing feedback. They only make the receiver focus on assumptions versus the actual focus of the feedback. This often leads to unnecessary conflict or to taking things personally. Neither helps solve the problem.

Tip 4: Don't jump to conclusions: It's far too easy to connect dots that aren't actually connected. When it comes to providing feedback, we need to make sure that we really understand the facts and reality of the situation we're addressing. Otherwise, we put the value of our feedback at risk. It only takes one inaccuracy for someone who is not interested in or receptive to our feedback to rationalize dismissing it.

Tip 5: If it ain't broke, don't fix it: This colloquial proverb offers some very wise advice for those of us in the security profession. There are some people in our field who seem to want to provide feedback about just about everything. This feedback seems to come whether or not it was asked for, and whether or not it is relevant to the discussion at hand. The problem with this is that sometimes, things actually work as they should. If a process, technology, capability, employee, or anything else is working just as it should, save your breath. Hold back those words and don't provide feedback in those instances. Resources are scarce in security and should be invested in areas where they can have an impact by making a change — not in areas that don't need any fixing.

Tip 6: If you dish it, take it: I've met too many people who provide plenty of feedback but cannot accept any of it. By accepting feedback in the same spirit that it is given, you'll find that not only will you improve personally and professionally but that others will put more value on the feedback that you provide to them.


Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ...