Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

5/8/2019
10:30 AM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

The Fine Line of Feedback: 6 Tips for Talking to Security Pros

Feedback is a two-way street in terms of giving, receiving, and knowing how to give and receive.

Feedback is important to all of us. It helps us learn, grow, mature, and better adjust to our surroundings. If we learn how to receive feedback well, we will be able to improve, whether it be in our personal life or in our professional career in cybersecurity. On the other hand, if we don't receive feedback well, it can hold us back.

That said, providing feedback is a sensitive and difficult topic that can take a lifetime to master. While I haven't yet mastered this skill, I know a thing or two about the personalities of security professionals. It is in this spirit that I offer six tips for giving positive feedback to security professionals.

Tip 1: Pick your battles: Knowing when to engage is an important skill in life, including when it comes to providing feedback. If you never provide any feedback on anything, nothing will ever change or improve. On the other hand, if you always provide feedback on every little thing, people feel criticized and micromanaged. When is the right time to provide feedback? In general, only in instances when feedback actually makes a difference. By that, I mean when changing something will have a direct impact on the efficiency or effectiveness of the security program — for example, requesting that a specific, noisy alert be tuned to reduce false positives and improve the efficiency of the security team. Or fixing a broken process in order to improve the overall performance of the security team.

Tip 2: Suggest: When providing feedback, it's always more helpful to suggest a practical, tangible solution, rather than expressing displeasure with what is currently happening. You may be absolutely right in your critique, but if it doesn't come with a practical alternative, it's really just complaining. A viable option goes a long way toward getting results.

Tip 3: Never assume: We are all human, and we all have our own subjective biases. That being said, feedback needs to be offered on the basis of facts and objectivity. Think you understand how someone is accomplishing a given task? Verify that your understanding is the truth. Feel like you know someone's motivation for doing something or what that person is after? Better check that feeling out against the facts. Assumptions don't help with providing feedback. They only make the receiver focus on assumptions versus the actual focus of the feedback. This often leads to unnecessary conflict or to taking things personally. Neither helps solve the problem.

Tip 4: Don't jump to conclusions: It's far too easy to connect dots that aren't actually connected. When it comes to providing feedback, we need to make sure that we really understand the facts and reality of the situation we're addressing. Otherwise, we put the value of our feedback at risk. It only takes one inaccuracy for someone who is not interested in or receptive to our feedback to rationalize dismissing it.

Tip 5: If it ain't broke, don't fix it: This colloquial proverb offers some very wise advice for those of us in the security profession. There are some people in our field who seem to want to provide feedback about just about everything. This feedback seems to come whether or not it was asked for, and whether or not it is relevant to the discussion at hand. The problem with this is that sometimes, things actually work as they should. If a process, technology, capability, employee, or anything else is working just as it should, save your breath. Hold back those words and don't provide feedback in those instances. Resources are scarce in security and should be invested in areas where they can have an impact by making a change — not in areas that don't need any fixing.

Tip 6: If you dish it, take it: I've met too many people who provide plenty of feedback but cannot accept any of it. By accepting feedback in the same spirit that it is given, you'll find that not only will you improve personally and professionally but that others will put more value on the feedback that you provide to them.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-8087
PUBLISHED: 2019-10-22
Information Leakage in PPPoE Packet Padding in AVM Fritz!Box 7490 with Firmware versions Fritz!OS 6.80 and 6.83 allows physically proximate attackers to view slices of previously transmitted packets or portions of memory via via unspecified vectors.
CVE-2019-10079
PUBLISHED: 2019-10-22
Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn't limit the number of setting frames sent from the client using the HTTP/2 protocol. Users should upgrade to Apache Traffic Server 7.1.7, 8.0.4, or later versions.
CVE-2019-12147
PUBLISHED: 2019-10-22
The Sangoma Session Border Controller (SBC) 2.3.23-119 GA web interface is vulnerable to Argument Injection via special characters in the username field. Upon successful exploitation, a remote unauthenticated user can create a local system user with sudo privileges, and use that user to login to the...
CVE-2019-12148
PUBLISHED: 2019-10-22
The Sangoma Session Border Controller (SBC) 2.3.23-119 GA web interface is vulnerable to an authentication bypass via an argument injection vulnerability involving special characters in the username field. Upon successful exploitation, a remote unauthenticated user can login into the device's admin ...
CVE-2019-12290
PUBLISHED: 2019-10-22
GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusi...