Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

5/8/2019
10:30 AM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

The Fine Line of Feedback: 6 Tips for Talking to Security Pros

Feedback is a two-way street in terms of giving, receiving, and knowing how to give and receive.

Feedback is important to all of us. It helps us learn, grow, mature, and better adjust to our surroundings. If we learn how to receive feedback well, we will be able to improve, whether it be in our personal life or in our professional career in cybersecurity. On the other hand, if we don't receive feedback well, it can hold us back.

That said, providing feedback is a sensitive and difficult topic that can take a lifetime to master. While I haven't yet mastered this skill, I know a thing or two about the personalities of security professionals. It is in this spirit that I offer six tips for giving positive feedback to security professionals.

Tip 1: Pick your battles: Knowing when to engage is an important skill in life, including when it comes to providing feedback. If you never provide any feedback on anything, nothing will ever change or improve. On the other hand, if you always provide feedback on every little thing, people feel criticized and micromanaged. When is the right time to provide feedback? In general, only in instances when feedback actually makes a difference. By that, I mean when changing something will have a direct impact on the efficiency or effectiveness of the security program — for example, requesting that a specific, noisy alert be tuned to reduce false positives and improve the efficiency of the security team. Or fixing a broken process in order to improve the overall performance of the security team.

Tip 2: Suggest: When providing feedback, it's always more helpful to suggest a practical, tangible solution, rather than expressing displeasure with what is currently happening. You may be absolutely right in your critique, but if it doesn't come with a practical alternative, it's really just complaining. A viable option goes a long way toward getting results.

Tip 3: Never assume: We are all human, and we all have our own subjective biases. That being said, feedback needs to be offered on the basis of facts and objectivity. Think you understand how someone is accomplishing a given task? Verify that your understanding is the truth. Feel like you know someone's motivation for doing something or what that person is after? Better check that feeling out against the facts. Assumptions don't help with providing feedback. They only make the receiver focus on assumptions versus the actual focus of the feedback. This often leads to unnecessary conflict or to taking things personally. Neither helps solve the problem.

Tip 4: Don't jump to conclusions: It's far too easy to connect dots that aren't actually connected. When it comes to providing feedback, we need to make sure that we really understand the facts and reality of the situation we're addressing. Otherwise, we put the value of our feedback at risk. It only takes one inaccuracy for someone who is not interested in or receptive to our feedback to rationalize dismissing it.

Tip 5: If it ain't broke, don't fix it: This colloquial proverb offers some very wise advice for those of us in the security profession. There are some people in our field who seem to want to provide feedback about just about everything. This feedback seems to come whether or not it was asked for, and whether or not it is relevant to the discussion at hand. The problem with this is that sometimes, things actually work as they should. If a process, technology, capability, employee, or anything else is working just as it should, save your breath. Hold back those words and don't provide feedback in those instances. Resources are scarce in security and should be invested in areas where they can have an impact by making a change — not in areas that don't need any fixing.

Tip 6: If you dish it, take it: I've met too many people who provide plenty of feedback but cannot accept any of it. By accepting feedback in the same spirit that it is given, you'll find that not only will you improve personally and professionally but that others will put more value on the feedback that you provide to them.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7245
PUBLISHED: 2020-01-23
Incorrect username validation in the registration processes of CTFd through 2.2.2 allows a remote attacker to take over an arbitrary account after initiating a password reset. This is related to register() and reset_password() in auth.py. To exploit the vulnerability, one must register with a userna...
CVE-2019-14885
PUBLISHED: 2020-01-23
A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information...
CVE-2019-17570
PUBLISHED: 2020-01-23
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue...
CVE-2020-6007
PUBLISHED: 2020-01-23
Philips Hue Bridge model 2.X prior to and including version 1935144020 contains a Heap-based Buffer Overflow when handling a long ZCL string during the commissioning phase, resulting in a remote code execution.
CVE-2012-4606
PUBLISHED: 2020-01-23
Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1, 5.6 Common Criteria, 5.6, 5.5, 5.0, and 5.0 Update 3 contains a Local Privilege Escalation Vulnerability which could allow local users with access to a guest operating system to gain elevated privileges.