The Right Attitude Goes a Long Way Towards Helping Stakeholders Regain Confidence in the Security Team
Recently, after I took a routine medical test, the results never came back. When I called to find out what happened, I was told that due to technical reasons, the test was invalid. I asked what the technical reasons were and was told that there was no information to provide, nor an explanation. I asked why no one contacted me and was again told that there was no information to provide, nor an explanation. Then I was asked if I wanted to come in to do the test again. I replied that I didn’t want to, but that it appears that I have to. It would be an understatement to say that I was not amused by the attitude of the person with whom I was speaking.
Looking back on this phone call, what irked me the most? It wasn’t that a mistake had been made – that happens from time to time. Nor was it that I had to go back and redo the test – I think many of us are quite accustomed to having to correct other people’s mistakes. What irked me about this call was that the person on the other end of the line did not acknowledge that their organization was at fault, nor did they make any attempt to take responsibility for that.
Let’s look at the call from another angle – let’s see how a few adjustments would have made the call a much better experience:
1. Be humble and open to the idea that your organization can err
2. Acknowledge that a mistake had been made
3. Recognize that when a mistake had been made, someone needed to contact me to let me know
4. Show respect for my time
5. Empathize with me and use language like “Unfortunately, you need to come in again to do the test. I understand that this is an inconvenience. Can I help you make an appointment?” rather than “Do you want to come in to do the test again?”
The five steps above would have left me with a positive experience after the call. Of course, if that had happened, then I would have nothing to write about in this piece. In all seriousness, handling the situation correctly doesn’t change or undo what happened. It merely shows me that the organization I’m dealing with recognizes that they have erred, accepts responsibility, and empathizes with the demands on my time. The right attitude is everything.
What does this have to do with information security? Those of us who have worked in the field for a while know that from time to time, things go awry. Regardless of what goes wrong, the right attitude goes a long way towards helping stakeholders regain confidence in the security team and the security program it is running.
In this spirit, I offer five tips for maintaining the right attitude when security veers into the wrong:
1. Be humble: Mistakes will inevitably happen. What makes a mistake worse is immediately looking to blame the other side. Start from a position of humility when something goes wrong. Look internally first to understand what might have gone wrong and look to identify the root cause of the issue. If it turns out that fault lies elsewhere, then by all means, communicate that. Just don’t start there.
2. Acknowledge the mistake: The first step in correcting a mistake is to acknowledge that there was one. What went wrong exactly? What impact did the mistake have? How could it have been avoided? How could communication have been better? What steps are being put in place to ensure that it doesn’t happen again? Answering these and other questions from the beginning shows the right attitude when looking to navigate the clean-up after a goof-up.
3. Recognize when processes need to be improved: Some mistakes are caused by human error. Others by external factors. Yet, many are caused by broken or insufficient processes. It is important to take this into account when looking into a slip-up. If an issue with a process is identified and a plan to address it is hatched, that goes a long way when working to correct an error.
4. Respect the time of others: As the saying goes, “time is money.” Beyond that, time is also a precious commodity. I don’t know too many people that have a surplus of time. If your security team messes up, understand that, more often than not, you are costing others in the organization time and money. If you are aware of that and sensitive to it, that goes a long way to regaining the trust and support of those you’ve affected.
5. Empathize: Never underestimate how far showing that you understand that you have brought hardship can go. A little empathy can go a long way. Depending on the audience, empathy can be even better when delivered with a bit of humor to defuse the tension. Let your peers outside of the security organization know that you get it. The security team has erred, and it has brought unexpected challenges to a number of different teams. They will appreciate your empathy, and it will help you get back on track sooner.