
How Stubbornness Can Harm an Organization's Security Posture

Too often, when we are set in our ways, we can get dismissive

Some people are open to change, receptive to feedback, seek diverse data points, and are willing to weigh different perspectives. Other people are quite the opposite. Still others are somewhere in between. Where a person falls on the stubbornness spectrum and why they behave stubbornly has always interested me.

Stubbornness is defined as “dogged determination not to change one's attitude or position on something.”

Despite my interest in this topic, I know neither what drives a stubborn person nor what makes a flexible one. That hasn’t stopped me, however, from observing different behaviors and deducing a few security lessons over the course of my career.

In this piece, I’d like to analyze five statements stubborn people often say, discuss how they harm an organization's security posture, and suggest ways forward in each case.

"We’ve always done it this way"

From time to time, we encounter approaches, methods, processes, and procedures that don't make a whole lot of sense to us. The job of a security practitioner is to ask hard questions, including questions that help us determine whether something strengthens, weakens, or has no impact at all on the enterprise's security posture. When we ask these hard questions, we hear the answer "we've always done it this way" more often than we probably should. Of course, this answer in and of itself is insufficient. If a given approach, method, process, or procedure has merit, its value can be measured and shown through tangible metrics. If, on the other hand, it is in place merely due to stubbornness, the time to reevaluate it is long overdue. Being receptive to constructive criticism around approaches, methods, processes, and procedures leads to improving and replacing them, which in turn improves the security posture of the enterprise. Focusing on improving the security posture can be a good way to help the stubborn see that they should open up a bit to another way of thinking.

"I’ve already decided that this is the right approach"

Have you ever tried to discuss an important matter with someone, only to feel that their mind was already made up and that the conclusion was foregone? Sadly, this happens in the security field far more often than it should. Needless to say, when a person or an organization stubbornly blazes ahead down the wrong path, it doesn't help mitigate risk or improve security. Although it is tempting to refute the approach point for point, that generally causes the stubborn person to dig in further. A better approach is to help the stubborn person see what the result of their path will be. Often, fear of embarrassment, fear of failure, or just plain self-interest in the form of a desire to be praised and viewed positively will outweigh the urge to stick to the original decision. Showing the end game sometimes pushes a stubborn person to consider a different approach.

"We’ve already committed to doing this"

Sometimes, promises and commitments get made. Ideally, they should be made only after checking desirability, feasibility, and viability. Unfortunately, that is not always the case. When commitments are made that cannot be upheld, it can be difficult to come clean and reset expectations. As hard as that is, under-delivering is far worse. Helping a stubborn person understand that can go a long way toward having them come around to setting realistic expectations and making promises and commitments that can be kept.

"I don’t care what the data say"

Facts matter. Truth is important. Data don't lie. Yet, interestingly enough, many people seem to ignore what the data say in favor of their intuitions, feelings, and/or beliefs. In the security field, that can increase risk, diminish usability, lower revenue, and raise costs. None of those are desired outcomes for a security team, of course. Helping a stubborn decision maker see the impact of their subjectivity and bias is often more effective than trying to convince them that they aren't looking at the situation objectively and logically. Swaying the decision maker to the side of data and logic can have a huge impact and can help raise an enterprise's security posture.

"They don’t know what they’re talking about"

Too often, when we are set in our ways, we can get quite dismissive. In this closed mode, when we encounter people who disagree with our particular view, it is all too easy to dismiss them via ad hominem attacks. We might think they don't know what they're talking about, that they don't know how to do the job we do, that they don't understand what we're dealing with, or any number of other dismissive statements. While there is certainly no shortage of people who do not add much to the conversation, there are also quite a few people who really do add quite a bit. It is important to help someone who is behaving in a stubborn manner to see this, lest they ignore a crucial piece of information or viewpoint. Speaking to the results or past accomplishments of the person providing the differing viewpoint can often help dislodge the resistance to considering that person's point of view. The enterprise and its security posture will be better for it.

Joshua Goldfarb (Twitter: @ananalytical) is currently Director of Product Management at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.