Avoiding Negative Value, Feedback-Driven Culture, & Don’t Buy Too Many Security Tools – BSW #321
This week in the leadership and communications section: building a feedback-driven culture, letting go of the reins, 25 hard-hitting lessons from 17 years in cybersecurity, and more!
- 1. Avoiding Negative Value
Andy Ellis recently released a book on leadership called "1% Leadership" and has been releasing small lessons like this, piecemeal, to his Substack.
I talk about negative value all the time, but more often in terms of actual financial impact when trying to solve security problems or create controls. If you bought a $250,000 product and, in the first 6 months, it triggered ELEVEN false positives and ZERO true positives, what's the value of that product? I endeavored to answer this question with a precise dollar figure.
Investigating each false positive and providing the vendor with data so they could figure out why it happened took roughly 4 hours of labor every time. That's 44 hours of a junior analyst's time, or about $2000.
When adding in the labor involved in implementing this $250,000 product, at the 6 month mark, it had produced around -$275,000 in value (that's a negative, below zero). Put this way, it wasn't hard to justify killing the renewal at the 1 year mark.
When you consider that everyone's time has a dollar figure attached to it, it's possible to apply this method to anything the security team does. Fourteen people in a single one-hour meeting? That comes with a cost that might be higher than you'd realize - probably in the thousands of dollars, depending on each individual's salary or billable rate.
- 2. The problem with buying too many security tools
Speaking of security tools and negative value...
This article discusses several aspects, each of which is worth a discussion on its own!
- security tech debt
- security budget impact
- recruiting and retention impact
- security skill development
- security engineering culture
Number 3 is an interesting one that people often don't expect. Cyentia Institute and Cisco did some research a few years back that revealed some of the most important things to do for employee retention. At the top were frequent tech refreshes and well-integrated tools. Makes sense - how frustrating is it when you're in charge of multiple tools, the infrastructure is out of date or unsupported, and none of it works together? I don't want to work at a place like that!
- 3. High-Performance Team – Building a feedback-driven culture
"Feedback is an important part of your performance management. This also helps to re-calibrate anything going wrong in the expectation setting and goal setting in performance management."
The article mentions 3 types of feedback:
- Recognition feedback
- Growth feedback
- Performance feedback
- 4. Return to office mandates are ridiculous, unnecessary and, in some instances, even cruel
Andy Ellis again. Hat tip to him for this one, via his Substack (https://duhaone.substack.com). Andy says:
"Julie Bort has an excellent rant against the return to the office movement, and, if you’re a decision-maker in a company, it’s worth a read, so you can ask yourself why return to the office is so important. For some staff, the option is necessary. If my kids weren’t in high school and already ignoring me, I’d probably want an office far away from them, too. But as a mandate, do you actually have the tools to understand and measure the costs and benefits of return to office? Or is the push more of a return to the semblance of control?"
- 5. Sometimes Management is about Letting Go of the Reins
"Sometimes I need to use the reins to guide the team. Other times I need to trust that the team knows what it’s doing and put the fate of the team, including my own, in their hands. If you can’t do that, then you’re not a manager, you’re a dictator."
- 6. 25 Hard-Hitting Lessons from 17 Years in Cybersecurity
Most of these will be familiar to multi-decade security folks like us, but I've never seen all these insights in one place, so it will be a handy list to share with mentees and other newcomers.