Security Experts:

To Err Is Human: Accepting Responsibility to Regain Confidence

The Right Attitude Goes a Long Way Towards Helping Stakeholders Regain Confidence in the Security Team

Recently, I took a routine medical test, and the results never came back. When I called to find out what happened, I was told that due to technical reasons, the test was invalid. I asked what the technical reasons were and was told that there was no information to provide, nor an explanation. I asked why no one contacted me and was again told that there was no information to provide, nor an explanation. Then I was asked if I wanted to come in to do the test again. I replied that I didn’t want to, but that it appeared that I had to. It would be an understatement to say that I was not amused by the attitude of the person with whom I was speaking.

Looking back on this phone call, what irked me the most?  It wasn’t that a mistake had been made - that happens from time to time.  Nor was it that I had to go back and redo the test - I think many of us are quite accustomed to having to correct other people’s mistakes.  What irked me about this call was that the person on the other end of the line did not acknowledge that their organization was at fault, nor did they make any attempt to take responsibility for that.

Let’s look at the call from another angle - let’s see how a few adjustments would have made the call a much better experience:

1. Be humble and open to the idea that your organization can err

2. Acknowledge that a mistake had been made

3. Recognize that when a mistake had been made, someone needed to contact me to let me know

4. Show respect for my time

5. Empathize with me and use language like “Unfortunately, you need to come in again to do the test.  I understand that this is an inconvenience.  Can I help you make an appointment?” rather than “Do you want to come in to do the test again?”

The five steps above would have left me with a positive experience after the call.  Of course, if that had happened, then I would have nothing to write about in this piece.  In all seriousness, handling the situation correctly doesn’t change or undo what happened.  It merely shows me that the organization I’m dealing with recognizes that they have erred, accepts responsibility, and empathizes with the demands on my time. The right attitude is everything.

What does this have to do with information security? Those of us who have worked in the field for a while know that, from time to time, things go awry. Regardless of what goes wrong, the right attitude goes a long way towards helping stakeholders regain confidence in the security team and the security program it is running.

In this spirit, I offer five tips for maintaining the right attitude when security veers into the wrong:

1. Be humble: Mistakes will inevitably happen. What makes a mistake worse is immediately looking to blame the other side. Start from a position of humility when something goes wrong.  Look internally first to understand what might have gone wrong and look to identify the root cause of the issue.  If it turns out that fault lies elsewhere, then by all means, communicate that. Just don’t start there.

2. Acknowledge the mistake: The first step in correcting a mistake is to acknowledge that there was one.  What went wrong exactly? What impact did the mistake have?  How could it have been avoided? How could communication have been better?  What steps are being put in place to ensure that it doesn’t happen again? Answering these and other questions from the beginning shows the right attitude when looking to navigate the clean-up after a goof-up.

3. Recognize when processes need to be improved: Some mistakes are caused by human error.  Others by external factors. Yet, many are caused by broken or insufficient processes. It is important to take this into account when looking into a slip-up. If an issue with a process is identified and a plan to address it is hatched, that goes a long way when working to correct an error.

4. Respect the time of others: As the saying goes, “time is money.” Beyond that, time is also a precious commodity. I don’t know too many people who have a surplus of time. If your security team messes up, understand that, more often than not, you are costing others in the organization time and money. If you are aware of that and sensitive to it, that goes a long way to regaining the trust and support of those you’ve affected.

5. Empathize: Never underestimate how far showing that you understand that you have brought hardship can go. A little empathy can go a long way. Depending on the audience, empathy can be even better when delivered with a bit of humor to defuse the tension. Let your peers outside of the security organization know that you get it. The security team has erred, and it has brought unexpected challenges to a number of different teams. They will appreciate your empathy, and it will help you get back on track sooner.

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.