Before you bite my head off and determine Iâ€™m insane (to steal a line from my hero Jimmy Buffet, â€œIf we werenâ€™t all crazy, we would go insane), let me explain.
This weekend, I read an excellent post by Brad Feld — Talking About Failure. Go read his post, but in the meantime, his point is that we, collectively, donâ€™t spend enough time talking about or thinking about failure. Brad focused on entrepreneurs and VCs – Iâ€™m going to expand that to security professionals.
We are conditioned in our practice of security to be especially leery of failure. Open any newspaper and you can read about the results of someoneâ€™s failure. Given the high stakes in security today, it often seems that â€œfailure is not an option.â€ I bet some of us have even uttered those words in the not too distant past.
I agree we need to prevent catastrophic failure, but how many of you are comfortable, right now, admitting that you donâ€™t know the answer to something? Can you think back to the last month and find a poor decision, failed project, or the like?
I used to joke that I did household projects twice: the first time, then the right way. Of course, thatâ€™s not really a joke. I have a list of projects that I worked on since I was old enough to hold a hammer and nails. I learned, through trial and error, how to build and repair almost everything around the house. As I got older (and my budget could afford it), I learned from my vast experience (including failures) that the right tools and some planning made a difference. If I hadnâ€™t been willing to try things out and fail, I know I wouldnâ€™t have learned as much.
I think we need to refocus the way we practice security. While we need to mindful of failures that create breaches or have dire consequences, it doesnâ€™t mean that we do everything right the first time. We often experience some failures along the path, and itâ€™s time we used that to our advantage.
Iâ€™m a big believer that we learn from extremes – extreme success and failure. When you muddle along in the middle, I donâ€™t think we benefit that much, to be honest. Iâ€™m fortunate, I grew up in a family of positive values and was supported through each step. My parents took a simple gesture when I was small that will stay with me until I die (thanks Mom and Dad!) — see, in my room, I had a desk with a bulletin board over it. In addition to my american flags, my parents bought me a sign that read â€œyou never fail until you stop trying.â€ It was blue letters on a white plastic background with the image of an eagle flying. I read that sign several times a day for more years than I can recall and have incorporated it into my basic belief structure.
So while I am not suggesting that you embrace failure and seek it out, I do believe that failure is important. What is valuable is what you do when you fail. Rather than knee-jerk away, take some time to step back and analyze what happened. Iâ€™m no expert on how to examine failure, but Iâ€™ll share with you some of my approach:
1. Allow some time to go by; â€œtheyâ€ say that time heals all wounds. In the case of failure, some time allows the pain to settle and gives you the ability to take a closer look at what happened.
2. Spend some time thinking and looking at the situation from different perspectives to learn from your failure. This is not about beating yourself up. This is not about drama. This is about purposeful reflection. The tough part here is the need to separate your ego from your actions (or at least minimize it for a while). Itâ€™s not easy, but you almost have to â€œhoverâ€ and treat it like it was someone else in the situation.
3. Gather a group of trusted advisors (I usually go with 3-4) and schedule some time to let them share their insights and experience with you. Then share what you learned — and listen to the feedback. This is best done in person, but the phone works, too. I choose people that I trust and respect. Hearing about your mistakes is never easy, but when it comes from friends, you know they care about you.
4. Determine what to do about it. What did you learn? What do you want to do about it? Sometimes the lesson is that itâ€™s time to move on. A lot of people get hung up on â€œquittingâ€ – sometimes itâ€™s smart to give up and walk away, lesson learned. Failure is not terminal, but what you do next is generally defining – so choose well. If you believe in yourself and your action/cause, then perhaps you need to regroup and try again.
5. Share your experiences with others. We crave authenticity in this world, itâ€™s part of the human experience. And when you are wiling to share your vulnerability with others, you actually grow and become stronger. Seriously.
Brad mentioned in his post that â€œOccasionally Iâ€™ll have a similar failure a second time or a third time â€“ hopefully I learn eventually.â€ I havenâ€™t spoken with him yet, but I bet that the failures were also a bit different the second and third time around. The way I see it, we grow when we take risks. When we take risks, sometimes we fail. But if we learn from the lessons, we improve, if only a little bit.
In security, we need to celebrate our successes, but spend more time examining our failures. I think we can â€œembraceâ€ our failure as an opportunity to develop and learn. With that attitude, you canâ€™t go wrong! The more we are willing to examine mistakes, missteps and other avenues where we can improve – the more rapidly we will be able t advance our practice of security.
Well, hereâ€™s to your success and to your failure, since I believe in my soul that you never really fail until you stop trying. Brad pledges to write more about failure; maybe I will too. In the meantime, share with me your stories of failure — and the lesson you learned. Weâ€™ll both be better humans as a result.
Michael Santarcangelo is an expert who coaches, consults and speaks on security and compliance issues with clients around the world. As the founder of the Michaelangelo Group, Michael helps organizations transform their practice of security. Learn how Michael can help you by visiting www.santarmj.staging.wpengine.com or sending him an email at firstname.lastname@example.org.