"Don't screw up. When you do good, no one pays attention, but if you screw up, the weight of the world will be dropped on your shoulders."
I solemnly nodded my head in agreement and pledged I would not screw up. For the most part, I did okay. I didn't get much feedback, but since the weight of the world hadn't managed to crush me, I gathered I was okay.
Then Friday afternoon, the partner of the project came to me with a special request. Turns out I discovered a minor security problem — and because I found it, I was tasked with fixing it. I worked all weekend to find the right solution and when the partner returned on Monday, he stopped by my cube, looked me in the eye and said, "good job."
As part of my reward, I was invited to a steak dinner. At dinner, I was thanked, again, for my effort. Without a doubt, I beamed. Next thing I knew, I was the "security guy" for the team.
Being recognized with a sincere thank you, whether in public or private, feels good. It atones for long weekends, cross words and frustrations. Turns out that mastering two words, "thank you," is essential to a successful career in information security.
The constraint of time
Each person has precisely 24 hours in the day, 168 hours in the week to allocate to play, work, sleep and the myriad of activities that encompass daily life. Facing the same constraint of time, we all experience similar pressures, limitations and frustrations.
This pressure naturally extends to work, too — especially for security professionals. So how do others handle the time constraints and the resulting pressure to perform?
A few years ago I spoke at a conference for Mortgage Bankers. In a room full of lawyers, I politely, but publicly, asked if they took the time to read some of the policies they wrote before approving them. I wasn't taking shots, but truly trying to understand.
The answer was enlightening; it turns out that like us, lawyers would prefer to have more time to understand an issue and write a policy. Also like us, they don't have enough time, and in the face of continued deadlines are told to cut, paste and quickly get something drafted. They are just like us. In fact, when I work with organizations to assess their culture and interview people, the same stories and examples are revealed. Everyone is busy; nobody has enough time to get his or her job done.
The impact of security
The common approach to security — and perhaps the necessity — is that we must consistently interrupt people, demanding time, attention and thought. Emails, presentations, required training — all take time. That means people need to invest their time, energy and focus into the concepts we share, technologies we install and processes we enforce.
Ideally, each interaction addresses individual concerns and provides value in excess of the time invested. Unfortunately, that's a rare occurrence across the security industry today.
Even though our efforts are designed with the best of intentions, we end up creating a condition where people have to allocate time they don't think they have in the name of "security."
People depend on us, but whether we realize it or not, we depend on them, too. We're all in this together, and taking time to acknowledge someone contributing to our success is important.
We need to recognize the investment of time, the sacrifice, that people have made to engage with us and to do something that improves the company, and we need to acknowledge them for it. A sincere, heartfelt thank you speaks volumes.
An effective, sincere "thank-you" does not require anything special — no drama, no pageantry or pomp and circumstance.
It just needs to be real.
Start by considering the many individual interactions encountered each day in a different light. What did the other person invest into the effort? What was asked of them? And in return, what value did they bring? Taking a moment to truly consider the other person often reveals genuine appreciation for their efforts. That's the perfect time to express gratitude with a simple and direct "thanks!"
Master these two words, "thank you," and commit to practicing them: lead the way and show gratitude for the contributions made by the people we serve.
About Michael Santarcangelo
Author of Into the Breach, Michael Santarcangelo is the founder of Security Catalyst, a practice devoted to harnessing the human side of security. Michael offers keynote presentations, seminars and consulting on security awareness, effective communication of security, security career management for teams and support for security leadership. Learn more at http://www.securitycatalyst.com or engage with Michael on Twitter (@catalyst).