Security Career Advice: Handling Executives Who Ignore You

Kai Roer
Security culture and other ramblings
3 min read · Aug 4, 2014

--

Security Career Advice

Advice is important, both to receive and to give. As my regular readers know, I occasionally answer questions about the industry and education, and offer security career advice on what one should (not) do.

Brian reached out and wanted to know how to deal with executives. His question brings us to a vital area of security, and of your career: how you communicate, and how you interpret other people's communication, is key to your success.

This is the question of today:

"Hi Kai, What advice would you give to someone who found vulnerabilities, brought them to the executive level and then had the executives 'play' them down to avoid being embarrassed? I believe that InfoSec has no room for egos. Cheers and thanks again! Brian"

This is an interesting question, particularly to me, since I am not exactly known for discovering and sharing vulnerabilities. I am not that technical anymore. However, what I can say revolves around how you can handle different people, and how you may interpret their reactions to you.

Which is exactly what I did in my response to Brian:

Hi Brian!

One of many challenges we see with people (execs are people, believe it or not…) is their mental patterns, ideas and customs getting in the way of rational decision making. Most people (at those levels at least) have their own agendas — either personal, professional or both — and those mental patterns can make it hard for them to see things from different perspectives.

The same is true for security pros — we tend to focus on our perspective only, and deem everyone who “doesn't get it” to be a stupid user, wrong, or just plain ignorant of the problem.

In the words of Dr. Stephen Covey, the author of 7 Habits, we all should do our best to “Seek to understand before we try to get understood”. What I am saying is that the exec may have reasons for their behavior that they failed to communicate to you, making it hard to understand why they chose to do what they did.

Although I am a fan of full disclosure, I do not believe in total disclosure: I do believe there are situations where we should not share everything with everyone. In the case of vulnerabilities, on a general note, I believe we should try to fix the hole before we tell everyone. And when the hole is fixed and patched, there may no longer be any real reason to talk about the vulnerability?

In cases where a company chooses not to fix, not to patch, and not to disclose anything, there may be a case for going public with the vulnerability. However, I strongly believe in being more responsible than we demand of others, so I would be very careful in how I choose to go public.

Questions like:
- what will be the outcome if I do this?
- what is the outcome I want to achieve?
- what other actions can I take to achieve similar results?
- who will get into trouble if I do this? Who else?
may help you decide the appropriate action.

So, short answer: try to understand the execs' motivation, and why it differs from yours.

How does my answer help you? How can you use this? What other tips would you give Brian?

Do you have a career related question? Let me know!
