Seven signs that you are working for a “Peter” and how you can adjust how you work to compensate
Laurence J. Peter was a Canadian educator and author who was perhaps most well known for his famous book “The Peter Principle”. In his book, Peter and co-author Raymond Hull explain the Peter principle, which “observes that people in a hierarchy tend to rise to ‘a level of respective incompetence’: employees are promoted based on their success in previous jobs until they reach a level at which they are no longer competent, as skills in one job do not necessarily translate to another.” (source). Since then, the Peter principle has become widely known and has been a favorite topic of discussion.
As a professional discipline, security is not immune to the Peter principle. I’m sure you’ve experienced it over the course of your career just as much as I have over the course of mine. While we may not be able to fix the organizational issues created by a “Peter”, by identifying the signs that we are working for one, we can often adjust how we work to compensate.
In this spirit, I offer seven signs that you are working for a “Peter” and how you can adjust how you work to compensate:
1. Inability to think and plan strategically: When a strong security leader has a handle on their work responsibilities and understands the business, domain, and organization in which they work, that leader will be able to think and plan strategically. They will be able to set goals and priorities to ensure that strategic initiatives go from conception to implementation. They will also be able to delegate appropriately, with the ability to monitor and track progress without the need to micromanage. When a security professional is promoted to their level of incompetence, however, the situation is quite the opposite. Employees of a “Peter” will likely experience a manager (not a leader) who is 180 degrees from being methodical and strategic. As a result, they will need to take on strategic thinking and planning themselves. They will also need to do a considerable amount of pushing from the bottom.
2. Running from crisis to crisis: Perhaps one of the most widely seen symptoms of not being methodical and strategic is the tendency to run from crisis to crisis. Some of the best managers I’ve had over the course of my career have been able to see an issue before anyone else and navigate the team towards pre-empting it. Not only does this make the team look good, it also staves off a fair number of crises. Those working for a “Peter” will not find themselves in this situation, unfortunately, and will need to learn to look far ahead to avoid getting pulled into one crisis after another.
3. Hesitance to put anything in writing: A common defense mechanism of a “Peter” is to avoid putting anything in writing. After all, when something goes wrong and it is time for a person or a team to take responsibility, written accounts are important. If there is nothing in writing, the situation quickly becomes a game of “he said, she said”. The “Peter” thrives on this ability to absolve themselves. If you find yourself working for a “Peter”, be sure to document everything, especially verbal conversations you have with them. Everything needs to be written down, lest you become the target.
4. Does not make tough decisions: Decision making, or at least timely and responsible decision making, is not easy at all. The “Peter”, realizing that they are in over their head, will not be able to make decisions, and in particular, tough decisions. The reason for this is simple: there exists the possibility of making the wrong decision and thus being held accountable for that wrong decision. If your manager is a “Peter”, you will find them trying to defer all decision making to others. As tough as it is, if a decision is not in your purview, don’t allow the “Peter” to push it onto you. Use writing as a means to paint the “Peter” into a corner. They may still refuse to make the necessary decision, but at least you won’t have taken responsibility for something your manager is being paid to be responsible for.
5. Does not answer tough questions: Answering tough questions is almost as difficult as making tough decisions. I have found over the course of my career that colleagues overwhelmingly prefer direct, open, and transparent answers, even if they are not the answers they were hoping to hear. A “Peter” won’t give a straight answer. Instead, they use a variety of tactics including evasion, changing subjects, distraction, confusion, and sometimes even ad hominem attacks. If you find yourself in this situation with a “Peter”, whether verbally or in a written forum, keep asking the question until you get a straight answer. If you don’t, be sure to document that.
6. Words and actions don’t align: We have all worked with people who say one thing and do another. This is especially the case with a “Peter”. When tough decisions are hard to make and tough answers are hard to communicate, the “Peter” may resort to pleasing the crowd, almost in a populist fashion. While it may tame the crowd in the near-term, in the long-term, it always catches up with the “Peter” and their team. If you find yourself in this type of situation, feel free to be honest and direct with the stakeholders you interact with individually, even if what you know respectfully goes against what they were told by the “Peter”. Stick to the facts, of course. Your professional reputation may take a serious hit by towing a party line that is not the truth. Beyond that, respectfully communicating the truth is what is best for the organization in the long run.
7. Poor communication skills: If you can’t fully understand something, don’t have a plan, and don’t have any answers, that renders effective communication nearly impossible. This is something routinely encountered by customers, executives, team members, and other stakeholders when a “Peter” is involved. Unfortunately, this causes a loss of confidence and trust in both the “Peter” and the team. This is a tough one for the security professional caught in the middle. The best option, in my experience, is to nurture your professional relationships and continue to communicate in an open, honest, straightforward, and transparent manner. People aren’t stupid – many of them will understand the predicament you are in and will realize that you are handling it admirably, even if they don’t say anything.
Read: Seven Ways to Ensure Successful Cross-Team Security Initiatives
Read: How to Spot an Effective Security Practitioner
Read: How to Spot an Ineffective Security Practitioner
Read: How Stubbornness Can Harm an Organization’s Security Posture

Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
More from Joshua Goldfarb
- Stay Focused on What’s Important
- External Signs of Narcissism – Raising Awareness to Avoid Collateral Damage
- What Makes an Effective Anti-Bot Solution?
- Application Security Protection for the Masses
- Secrets to a Good Security Webinar or Conference Presentation
- Don’t Let Your Career Go the Way of Entertainment 720
- Bringing Bots and Fraud to the Boardroom
- How “Long-Sightedness” Can Improve Security and Fraud Programs
Latest News
- BBC, British Airways, Novia Scotia Among First Big-Name Victims in Global Supply-Chain Hack
- Sysdig Introduces CNAPP With Realtime CDR
- Stay Focused on What’s Important
- VMware Plugs Critical Flaws in Network Monitoring Product
- Hackers Issue ‘Ultimatum’ Over Payroll Data Breach
- US, Israel Provide Guidance on Securing Remote Access Software
- OWASP’s 2023 API Security Top 10 Refines View of API Risks
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
