Dark Reading is part of the Informa Tech Division of Informa PLC


Endpoint

5/8/2019
10:30 AM
Joshua Goldfarb
Commentary

The Fine Line of Feedback: 6 Tips for Talking to Security Pros

Feedback is a two-way street in terms of giving, receiving, and knowing how to give and receive.

Feedback is important to all of us. It helps us learn, grow, mature, and better adjust to our surroundings. If we learn how to receive feedback well, we will be able to improve, whether it be in our personal life or in our professional career in cybersecurity. On the other hand, if we don't receive feedback well, it can hold us back.

That said, providing feedback is a sensitive and difficult skill that can take a lifetime to master. While I haven't mastered it, I know a thing or two about the personalities of security professionals. It is in this spirit that I offer six tips for giving constructive feedback to security professionals.

Tip 1: Pick your battles: Knowing when to engage is an important skill in life, including when it comes to providing feedback. If you never provide feedback on anything, nothing will ever change or improve. On the other hand, if you provide feedback on every little thing, people feel criticized and micromanaged. When is the right time to provide feedback? In general, only when the feedback will actually make a difference: when changing something will have a direct impact on the efficiency or effectiveness of the security program. Two examples are asking that a specific, noisy alert be tuned to reduce false positives and free up analyst time, or fixing a broken process to improve the overall performance of the security team.

Tip 2: Suggest: When providing feedback, it's always more helpful to suggest a practical, tangible solution, rather than expressing displeasure with what is currently happening. You may be absolutely right in your critique, but if it doesn't come with a practical alternative, it's really just complaining. A viable option goes a long way toward getting results.

Tip 3: Never assume: We are all human, and we all have our own subjective biases. Even so, feedback needs to be offered on the basis of facts and objectivity. Think you understand how someone is accomplishing a given task? Verify that your understanding is correct. Feel like you know someone's motivation for doing something, or what that person is after? Check that feeling against the facts. Assumptions don't help with providing feedback. They only shift the receiver's attention from the substance of the feedback to the assumptions behind it, which often leads to unnecessary conflict or to taking things personally. Neither helps solve the problem.

Tip 4: Don't jump to conclusions: It's far too easy to connect dots that aren't actually connected. When it comes to providing feedback, we need to make sure that we really understand the facts and reality of the situation we're addressing. Otherwise, we put the value of our feedback at risk. It only takes one inaccuracy for someone who is not interested in or receptive to our feedback to rationalize dismissing it.

Tip 5: If it ain't broke, don't fix it: This colloquial proverb offers some very wise advice for those of us in the security profession. Some people in our field seem to want to provide feedback about just about everything, whether or not it was asked for and whether or not it is relevant to the discussion at hand. The problem is that sometimes things actually work as they should. If a process, technology, capability, employee, or anything else is working just as it should, save your breath and don't provide feedback in those instances. Resources are scarce in security and should be invested where a change can have an impact, not in areas that don't need any fixing.

Tip 6: If you dish it, take it: I've met too many people who provide plenty of feedback but cannot accept any of it. By accepting feedback in the same spirit that it is given, you'll find that not only will you improve personally and professionally but that others will put more value on the feedback that you provide to them.


Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ...