Master two words to advance your security career

"Don't screw up. When you do good, no one pays attention, but if you screw up, the weight of the world will be dropped on your shoulders."

I solemnly nodded my head in agreement and pledged I would not screw up. For the most part, I did okay. I didn't get much feedback, but since the weight of the world hadn't managed to crush me, I gathered I was okay.

Then Friday afternoon, the partner of the project came to me with a special request. Turns out I discovered a minor security problem — and because I found it, I was tasked with fixing it. I worked all weekend to find the right solution and when the partner returned on Monday, he stopped by my cube, looked me in the eye and said, "good job."

As part of my reward, I was invited to a steak dinner. At dinner, I was thanked, again, for my effort. Without a doubt, I beamed. Next thing I knew, I was the "security guy" for the team.

Being recognized with a sincere thank you, whether in public or private, feels good. It atones for long weekends, cross words and frustrations. Turns out that mastering two words, "thank you," is essential to a successful career in information security.

The constraint of time

Each person has precisely 24 hours in the day, 168 hours in the week to allocate to play, work, sleep and the myriad of activities that encompass daily life. Facing the same constraint of time, we all experience similar pressures, limitations and frustrations.

This pressure naturally extends to work, too — especially for security professionals. So how do others handle the time constraints and the resulting pressure to perform?

A few years ago I spoke at a conference for Mortgage Bankers. In a room full of lawyers, I politely but publicly asked if they took the time to read some of the policies they wrote before approving them. I wasn't taking shots, but truly trying to understand.

The answer was enlightening; it turns out that, like us, lawyers would prefer to have more time to understand an issue and write a policy. Also like us, they don't have enough time, and in the face of continued deadlines are told to cut, paste and quickly get something drafted. They are just like us. In fact, when I work with organizations to assess their culture and interview people, the same stories and examples are revealed. Everyone is busy; nobody has enough time to get his or her job done.

The impact of security

The common approach to security — and perhaps the necessity — is that we must consistently interrupt people, demanding time, attention and thought. Emails, presentations, required training — all take time. That means people need to invest their time, energy and focus into the concepts we share, technologies we install and processes we enforce.

Ideally, each interaction addresses individual concerns and provides value in excess of the time invested. Unfortunately, that's a rare occurrence across the security industry today.

Even though our efforts are designed with the best of intentions, we end up creating a condition where people have to allocate time they don't think they have in the name of "security."

People depend on us, but whether we realize it or not, we depend on them, too. We're all in this together, and taking time to acknowledge someone contributing to our success is important.

The investment of time, the sacrifice, that people make to engage with us and to do something that improves the company needs to be acknowledged. A sincere, heartfelt thank you speaks volumes.

An effective, sincere "thank-you" does not require anything special — no drama, no pageantry or pomp and circumstance.

It just needs to be real.

Start by considering the many individual interactions encountered each day in a different light. What did the other person invest into the effort? What was asked of them? And in return, what value did they bring? Taking a moment to truly consider the other person often reveals genuine appreciation for their efforts. That's the perfect time to express gratitude with a simple and direct "thanks!"

Master these two words, "thank you," and commit to practicing them: lead the way by showing gratitude for the contributions made by the people we serve.

About Michael Santarcangelo

Author of Into the Breach, Michael Santarcangelo is the founder of Security Catalyst, a practice devoted to harnessing the human side of security. Michael offers keynote presentations, seminars and consulting on security awareness, effective communication of security, security career management for teams and support for security leadership. Learn more at or engage with Michael on twitter (@catalyst).
