Management & Strategy

10 Security Behaviors That Anger Us

Why Do We Get Angry With People for Doing What We Incentivize Them to Do?

Anyone who does a fair amount of driving knows how frustrating traffic jams can be. Traffic jams can occur for any number of reasons, including a merge. If you’re like me, you probably get angry with those people who don’t merge early on in the process, but rather cut in at the last possible moment.

Of course, if we take a step back and think about the situation strategically, it’s hard to get angry with these last-minute mergers. How can I make that statement? Since most people struggle with merges, these drivers are essentially doing what we have incentivized them to do: they take advantage of every last piece of available roadway to bypass those who struggle to merge and the backups they cause. In fact, studies have shown that last-minute merging is actually good for traffic flow.

What could traffic patterns and merges possibly have to do with security? I would argue that they teach us to be more understanding of people when they do exactly what we incentivize them to do, and that is something the security field can learn a lot from. How so? That is a fair question, of course. To answer it, I offer “10 security behaviors that anger us, but that we incentivize”:

1. Focusing tactically:  On numerous occasions, I’ve heard different organizations state that the security team is too tactically focused.  That may certainly be the case.  But if your primary metrics involve the number of alerts fired and the number of tickets opened and closed in a given week, can you really fault your team for working towards the numbers you measure them on?

2. Fire fighting:  No one wants their security team running from one emergency to the next without any time to focus on everything else going on.  But sometimes it’s hard to fault security teams that succumb to this.  There are some issues that arise that legitimately need to push everything else aside.  Far too often though, security teams are on the receiving end of a seemingly endless array of “emergencies” that result from a lack of understanding and/or faith in both the issue and the abilities of the security team.

3. Event “du jour”:  I haven’t met a security team yet that enjoys getting sucked up into the spin surrounding an event “du jour”.  But it’s hard to imagine how they could choose to do anything but that.  When a high profile event happens, the questions “What are we doing about this?”, “Are we affected by this?”, “Are we protected against this?”, and others start coming faster than the security team can respond.  All incentives point them toward responding to the rapid fire coming their way.

4. Market segment “en vogue”:  Many in the security industry mock or poke fun at companies running towards the latest “en vogue” market.  But before you laugh, look at what we incentivize them to do.  For startups, funding and PR often overwhelmingly follow the latest hot market.  For established companies, customer budgets often do the same.


5. Writing down passwords:  This is one of my favorites.  Everyone loves to laugh at those “stupid” users that write down their passwords.  But perhaps they should be laughing at us.  As an industry, we cannot prove that insanely complex password rules actually improve our respective security postures.  In fact, to do that, we probably need to move away from passwords entirely.  But when we don’t provide our users any workable way to grapple with our insane policies, what do we incentivize them to do?

6. Being unprepared for incident response:  No one likes to get caught by surprise and appear unprepared when a critical or serious incident occurs.  But building a mature incident response capability takes a strategic effort that won’t show its value immediately.  If an organization incentivizes only tactical gains and not strategic ones, they shouldn’t be surprised when they are unprepared for incident response.

7. Acquiring stovepiped technology: How many times have we seen an acute problem in security boil over to the point where everyone is screaming for an immediate solution? While we need to make sure we address acute issues in a timely manner, we also want to make sure we don’t “knee jerk” and acquire a quick fix that is almost “disposable”. We don’t want to end up with a solution that we will get very little value out of in the future, and we want to make sure we don’t inadvertently incentivize our teams to put additional stovepipes in place.

8. Under-budgeting security: Everyone loves the low prices of big retail chains, but at the same time loves to complain about the lack of assistance available. We can’t really have it both ways. We want our vendors and providers to give us a lot of value at a low price point, so, not surprisingly, that’s where they invest most of their resources. Security is an overhead cost. Of course we all know how important it is, but we don’t necessarily incentivize our vendors and providers to make it a priority. We measure them on a different scale entirely.

9. Under-training team members: It costs money to send team members to professional training, and it takes them away from their job for a bit. If we can see the strategic value that properly training team members brings, it is a no-brainer. But if we incentivize based only on near-term gains, it’s likely that few, if any, of our team members will get the training they need.

10. Not collaborating enough: There is a lot of talk about information sharing and collaboration, but unfortunately there is less action than we would like to see. There are many reasons why this is the case, but it doesn’t help that most organizations incentivize their staff to keep information closely held, as well as to keep up appearances around the true state of the security program. There is no shame in showing your cards a bit, as it allows you to improve. But you have to incentivize for the right outcome.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently Global Solutions Architect - Security at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
