June 26

How to Learn From Security Failures — and Why We Should!

Before you bite my head off and determine I’m insane (to steal a line from my hero Jimmy Buffett, “If we weren’t all crazy, we would go insane”), let me explain.
This weekend, I read an excellent post by Brad Feld — Talking About Failure. Go read his post, but in the meantime, his point is that we, collectively, don’t spend enough time talking about or thinking about failure. Brad focused on entrepreneurs and VCs – I’m going to expand that to security professionals.
We are conditioned in our practice of security to be especially leery of failure. Open any newspaper and you can read about the results of someone’s failure. Given the high stakes in security today, it often seems that “failure is not an option.” I bet some of us have even uttered those words in the not too distant past.
I agree we need to prevent catastrophic failure, but how many of you are comfortable, right now, admitting that you don’t know the answer to something? Can you think back to the last month and find a poor decision, failed project, or the like?
I used to joke that I did household projects twice: the first time, then the right way. Of course, that’s not really a joke. I have a list of projects that I worked on since I was old enough to hold a hammer and nails. I learned, through trial and error, how to build and repair almost everything around the house. As I got older (and my budget could afford it), I learned from my vast experience (including failures) that the right tools and some planning made a difference. If I hadn’t been willing to try things out and fail, I know I wouldn’t have learned as much.
I think we need to refocus the way we practice security. While we need to be mindful of failures that create breaches or have dire consequences, it doesn’t mean that we do everything right the first time. We often experience some failures along the path, and it’s time we used that to our advantage.
I’m a big believer that we learn from extremes – extreme success and failure. When you muddle along in the middle, I don’t think we benefit that much, to be honest. I’m fortunate: I grew up in a family of positive values and was supported through each step. My parents took a simple gesture when I was small that will stay with me until I die (thanks Mom and Dad!) — see, in my room, I had a desk with a bulletin board over it. In addition to my American flags, my parents bought me a sign that read “you never fail until you stop trying.” It was blue letters on a white plastic background with the image of an eagle flying. I read that sign several times a day for more years than I can recall and have incorporated it into my basic belief structure.
So while I am not suggesting that you embrace failure and seek it out, I do believe that failure is important. What is valuable is what you do when you fail. Rather than knee-jerk away, take some time to step back and analyze what happened. I’m no expert on how to examine failure, but I’ll share with you some of my approach:

1. Allow some time to go by; “they” say that time heals all wounds. In the case of failure, some time allows the pain to settle and gives you the ability to take a closer look at what happened.
2. Spend some time thinking and looking at the situation from different perspectives to learn from your failure. This is not about beating yourself up. This is not about drama. This is about purposeful reflection. The tough part here is the need to separate your ego from your actions (or at least minimize it for a while). It’s not easy, but you almost have to “hover” and treat it like it was someone else in the situation.
3. Gather a group of trusted advisors (I usually go with 3-4) and schedule some time to let them share their insights and experience with you. Then share what you learned — and listen to the feedback. This is best done in person, but the phone works, too. I choose people that I trust and respect. Hearing about your mistakes is never easy, but when it comes from friends, you know they care about you.
4. Determine what to do about it. What did you learn? What do you want to do about it? Sometimes the lesson is that it’s time to move on. A lot of people get hung up on “quitting” – sometimes it’s smart to give up and walk away, lesson learned. Failure is not terminal, but what you do next is generally defining – so choose well. If you believe in yourself and your action/cause, then perhaps you need to regroup and try again.
5. Share your experiences with others. We crave authenticity in this world; it’s part of the human experience. And when you are willing to share your vulnerability with others, you actually grow and become stronger. Seriously.

Brad mentioned in his post that “Occasionally I’ll have a similar failure a second time or a third time – hopefully I learn eventually.” I haven’t spoken with him yet, but I bet that the failures were also a bit different the second and third time around. The way I see it, we grow when we take risks. When we take risks, sometimes we fail. But if we learn from the lessons, we improve, if only a little bit.
In security, we need to celebrate our successes, but spend more time examining our failures. I think we can “embrace” our failure as an opportunity to develop and learn. With that attitude, you can’t go wrong! The more we are willing to examine mistakes, missteps and other avenues where we can improve – the more rapidly we will be able to advance our practice of security.
Well, here’s to your success and to your failure, since I believe in my soul that you never really fail until you stop trying. Brad pledges to write more about failure; maybe I will too. In the meantime, share with me your stories of failure — and the lesson you learned. We’ll both be better humans as a result.

Michael Santarcangelo is an expert who coaches, consults and speaks on security and compliance issues with clients around the world. As the founder of the Michaelangelo Group, Michael helps organizations transform their practice of security. Learn how Michael can help you by visiting www.santarmj.staging.wpengine.com or sending him an email at securitycatalyst@gmail.com.


  1. Ron –

    Great insights! I’m with you that we need to celebrate some successes, and acknowledge when people do things right!

  2. Michael,
    Great post as always.

    Some thoughts:

    (I) Have you read John Maxwell’s book “Failing Forward” (http://www.amazon.com/gp/product/0785274308/103-2995726-4503063?v=glance&n=283155)? John C. Maxwell believes “the difference between average people and achieving people is their perception of and response to failure.” In Failing Forward, he offers inspirational advice for turning the difficulties that inevitably arise in life into stepping stones that help you reach the top.

    (II) For major projects or activities, you should conduct an after-action report. This is taken from the U.S. Military. After the activity, write these four questions and answer them:
    (1) What did you expect to happen? (or what was your goal?)
    (2) What really happened? (or what was the end result?)
    (3) Why is there a difference?
    (4) What did you learn?
    This will help you track your “learning opportunities” (successes and failures) and learn from them.

    (III) Often the worst things that happen to people are the best thing that ever happened. Lance Armstrong had testicular cancer. Michael J. Fox has Parkinson’s disease. They both say that their illness was the best thing that happened. Failures, like illnesses, give us a chance to gain perspective, not only on the area of failure, but also on life in general.

    (IV) In Security and Audit, we are often looking for failures in security and then we hammer others for it. We need to take a positive view of failure and learn from it. We need to look for root causes, not side-effects (why did that *really* happen?). Lastly, we need to remember to catch others doing things right.

    “Don’t Worry. Be Happy”

    Ron W
