Knowing When to Trust

How Can Security Professionals Know When to Trust and When to Hold Their Cards Close? 

The Byrds' 1965 hit song “Turn! Turn! Turn!” has always been a favorite of mine. The lyrics of the song (which are taken from a well-known source) are as follows:

To every thing there is a season, and a time to every purpose under the heaven:

A time to be born, and a time to die; a time to plant, a time to reap that which is planted;

A time to kill, and a time to heal; a time to break down, and a time to build up;

A time to weep, and a time to laugh; a time to mourn, and a time to dance;

A time to cast away stones, and a time to gather stones together;

A time to embrace, and a time to refrain from embracing;

A time to get, and a time to lose; a time to keep, and a time to cast away;

A time to rend, and a time to sew; a time to keep silence, and a time to speak;

A time to love, and a time to hate; a time of war, and a time of peace.

As the song’s lyrics express, there is a time for everything.  While there are times when holding your cards close and putting up high walls is necessary, there are certainly times where only trust can open the requisite doors.  Yet, at the same time, it can be difficult to know who to trust in a world filled with a wide variety of characters.

So what does this have to do with security?  Security professionals know all too well that security is a profession built upon trust.  Hiring.  Information sharing. Referrals. Advice. Methodologies. Connections.  The list of items in the security profession for which trust is the primary facilitator is a long one.

So how can security professionals know when to trust and when to hold their cards close? This is an important question that many security professionals, myself included, struggle with. While I certainly don’t have everything all figured out, I would like to offer 10 points to consider when evaluating whether or not to trust:

1. Give and take:  Security, like life, is a give and take.  Those who receive are usually quite happy to give back.  Unfortunately, not everyone is like that.  If you only hear from someone when they need something, if they are always looking for that next piece of information or that next favor, and if they never give back, chances are that you can’t really trust them.

2. Everyone loves free advice: During my consulting days, I learned the hard way just how much people love free advice. Unfortunately, there are more than a few people who will promise you the world in exchange for your insight. But if they disappear at the slightest mention of money, more than likely, they can’t be trusted.

3. Not the stock market:  Trusting someone inherently involves some risk.  While a calculated risk or educated guess can pay dividends, trusting someone who shouldn’t be trusted can come at a high price.  If by trusting someone you feel like you’re betting on the horses or playing the stock market, it’s probably best to hold your cards close in that particular situation.

4. Trust me: Sometimes, people feel a need to remind you repeatedly that you can trust them. In my experience, this is a red flag. Truly trustworthy people’s reputations speak for themselves. Trustworthy people don’t need to fast-talk the next person whose good nature they’re looking to exploit.

5. Don’t worry:  In a similar vein, people who feel a need to reassure you continually that you needn’t worry are most often cause for worry.  If something sounds too good to be true, or if something sounds a bit far-fetched, it usually is.

6. Very interesting idea:  For some people, being straightforward and direct is a challenge.  Saying “no” is a definitive answer that can have undesired consequences for an untrustworthy person.  If this type of person is looking to leave a potential door open, if they are looking to lead someone along, or if they are looking to stall, saying things like “that’s a very interesting idea” is a great way to keep the status quo of ambiguity and indecision going indefinitely.

7. Inconsistency:  We’ve all spoken to people whose story keeps changing, those who give different answers in different settings, or those who can’t seem to give a straight answer.  If you notice these behaviors, chances are that the person who exhibits them cannot be trusted.

8. Lack of transparency:  People who have nothing to hide are often quite happy to be open, honest, straightforward, and transparent.  When people are less than transparent, it may be a sign that they are hiding something, keeping something from you, or are otherwise less than trustworthy.

9. Paranoia or anxiety: Do you get a feeling of paranoia or anxiousness from someone? Besides making that type of environment difficult to work in, it can be a sign that, for one reason or another, the person is untrustworthy.

10. Projection:  If someone is telling you that you are untrustworthy, that they don’t want to work with you, that they are unsure of your intentions, or similar such statements, it could be a sign of projection.  People who are untrustworthy often project that character trait onto people who are trustworthy.  If you see this happening, it’s likely a sign that the person you are working with is not trustworthy.

Knowing who to trust is a judgment call.  While it is never an easy decision to make, there are a number of data points that can help security professionals evaluate whether or not trusting someone is an acceptable risk to take.  In the end, only time will tell if the decision was a sound one or not. But understanding how to evaluate the trustworthiness of an individual up front can save a lot of pain down the line.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
