AppGov Score Blog


The Art of Tact & Diplomacy When Addressing IT Misconfigurations and Flaws

July 25, 2024 John O’Neill Sr

Leading a Resilient Cybersecurity Team

In the fast-paced and ever-evolving world of IT, configuring systems securely and correctly is paramount. As we've seen in the Entra ID application space, but also beyond, misconfigurations and flaws can lead to vulnerabilities that compromise data, disrupt services, and damage reputations. Identifying and addressing these issues requires more than technical expertise; it demands tact and diplomacy.

The significance of IT security and proper configuration cannot be overstated. A single, seemingly minor misconfiguration can pave the way for a cyberattack, resulting in significant financial losses, legal ramifications, and, most importantly, loss of customer trust. We saw this happen in the Midnight Blizzard attack on Microsoft, where the attackers leveraged a legacy test OAuth application. A 2022 VMware analysis reported that 45% of intrusions contain a lateral movement event, in which the attacker hunts for weaknesses such as these misconfigurations and escalates privileges to reach the information they are after. A 2023 IBM report estimated the average cost of a data breach at $4.45 million, highlighting the severe impact that security flaws can have on an organization's reputation and customer relationships.

When identifying security gaps, it's crucial to address them promptly and effectively. However, how individuals communicate these issues to team members can significantly influence the outcome. ENow Software was an exhibitor at the 2024 Gartner Security and Risk Management Summit. In the opening keynote, Christopher Mixter and Dennis Xu discussed how, historically, organizations have had zero tolerance for cyber failure, and how that mindset undermines the effectiveness of a team's cybersecurity strategy. A zero-tolerance approach leads to burnout and to problems being covered up when, in many cases, threats are inevitable. Mixter states, "We don't have to be perfect. What we have to be is transparent." A resilient cyber workforce is one where burnout is reduced and it is safe for team members to share and learn from shortfalls.

Confrontational approaches focusing on blame often lead to defensiveness, resistance, and an utter breakdown in communication, hindering IT's efforts to solve the problem. On the other hand, adopting a tactful and diplomatic approach can foster cooperation, understanding, and a shared commitment to improvement, highlighting the value of everyone's contribution to the team's overall success.  

The Negative Impact of a Zero-Tolerance Mindset in Cybersecurity

Failing to use tact and diplomacy in IT communication can have profound consequences. For instance, telling someone, "This is your responsibility, and it's wrong," is not only unhelpful but can be actively harmful. Here are a few reasons why blame-oriented and zero-tolerance communication is counterproductive:

  1. Defensiveness: When individuals feel attacked, they naturally become defensive. This defensiveness can shut down open communication and collaboration, making it harder to address the issue effectively.  
  2. Relationship Damage: Blame damages professional relationships, leading to a lack of trust and a hostile work environment. In IT, where collaboration is essential, this can be particularly destructive.  
  3. Focuses on the Problem, not a Solution: Blame shifts the focus from finding solutions to assigning fault. Harping on the problem rather than solutions can slow the resolution process and prevent the team from working together to avoid future issues.  
  4. Reduced Morale: Constant blame leads to a demoralized team, reducing productivity and engagement and leading to burnout. Team members who feel undervalued and criticized are less likely to go the extra mile or stick around at all. 
 

The Importance of Message Delivery 

Approaching IT misconfigurations and flaws with tact and diplomacy involves recognizing the importance of message delivery. It's about ensuring communication is respectful, constructive, and solution-focused. Here are some strategies for achieving this: 

Carefully Choose Your Words

The language used when discussing IT issues can make a significant difference. Instead of framing the conversation around blame, focus on the issue and the desired outcome. For example:  

  • Blame-Oriented: "This is your responsibility, and it's wrong."
  • Tactful: "I've noticed an issue with this configuration. Let's work together to find a solution."

Focus on Collaboration

Encourage a collaborative approach to problem-solving. A focus on collaboration fosters a sense of shared responsibility and teamwork, leading to more effective and efficient resolutions. For example:

  • Blame-Oriented: "You need to fix this."
  • Collaborative: "How can we address this issue together?"

Be Solution-Oriented

Instead of dwelling on the problem, focus on finding and implementing solutions. This positive approach helps motivate team members while keeping everyone focused on improvement. For example:

  • Blame-Oriented: "This should never have happened."
  • Solution-Oriented: "Let's brainstorm some potential fixes for this issue."

Provide Constructive Feedback

Constructive feedback is essential for growth and improvement. Ensure feedback is specific, actionable, and focused on behaviors rather than personal attributes. For example:

  • Blame-Oriented: "You always mess up the firewall settings."
  • Constructive: "I noticed a few firewall settings were not configured correctly, which could allow an attacker unauthorized access. Let's review the configuration guidelines together to ensure we follow best practices."

Listen Actively

Active listening involves fully concentrating, understanding, responding, and remembering what is said. Listening to understand helps build trust and shows you value the other person's perspective. For example:

  • Dismissive: "I don't see why you did it this way."
  • Active Listening: "Can you explain your thought process when configuring this setting? Understanding your approach will help us find a solution together."

Emphasize Continuous Improvement

Encourage a culture of continuous improvement where team members feel empowered to identify and address issues without fear of blame or accusation. Focusing on realistic, incremental improvements, and treating missteps as learning opportunities rather than expecting perfection immediately, leads to more proactive and effective IT management. For example:

  • Zero-Tolerance: "This mistake should never have happened."
  • Continuous Improvement: "What can we learn from this issue to prevent similar situations in the future?"

Acknowledge and Appreciate Efforts

Recognize the efforts of your team members and consistently show appreciation for their hard work. Positive reinforcement boosts morale and encourages a more positive and productive work environment. For example:

  • Neglecting Appreciation: "It's about time you fixed this."
  • Appreciation: "Thank you for your hard work on resolving this issue. Your attention to detail is crucial for our success."

Real-World Examples of Tact and Diplomacy 

To illustrate the impact of tact and diplomacy, let's consider a couple of real-world scenarios:  

Scenario 1: Forgotten Cloud App Registrations and Permissions  

A cybersecurity manager discovers several cloud applications with outdated permissions and stale registrations that could give an attacker unauthorized access. Instead of blaming the IT staff responsible for managing these applications, the manager approaches the issue tactfully:

  • Blame-Oriented Approach: "You didn't manage the cloud app permissions correctly. This is your fault."  
  • Tactful Approach: "I've noticed that some of our cloud applications have outdated permissions and registrations. These are potential security risks. Let's review these settings together to ensure we have the most secure configurations and reduce our attack surface."  

The manager avoids defensiveness and fosters a positive working relationship through her collaborative and solution-focused approach. The IT staff is more likely to engage in finding a solution and learning from the experience. This approach helps address the immediate issue and promotes a culture of continuous improvement and proactive security management.  
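Before that review meeting, the manager needs concrete findings to bring to it. The script below is an added example, not code from John's post or from ENow's tooling: it triages a list of app registrations for the two conditions Scenario 1 names (stale registrations and outdated, over-broad permissions) and escalates the combination that the Midnight Blizzard legacy test app illustrates, a dormant or unowned registration that still holds tenant-wide application permissions. The records are constructed for the example; their field names follow the Microsoft Graph `application` object (`appId`, `displayName`, `owners`, `passwordCredentials`, `keyCredentials`, `requiredResourceAccess`), but no tenant is queried. Two simplifications are assumptions: Graph returns permission ids in `requiredResourceAccess`, and here they are taken as already resolved to names via the resource service principal's `appRoles`; and `lastSignIn` is a constructed field standing in for the separate sign-in activity reports.

```python
"""Added example: triage Entra ID app registrations for stale credentials,
missing owners, dormancy and tenant-wide application permissions.
All records below are CONSTRUCTED; field names mirror the Microsoft Graph
'application' object, but nothing here talks to a tenant."""
from datetime import datetime, timedelta, timezone

# Fixed "today" so results are reproducible offline.
NOW = datetime(2024, 7, 25, tzinfo=timezone.utc)

# Well-known appId of the Microsoft Graph resource.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Application (app-role) permissions on Graph that grant tenant-wide write
# access. Assumption: permission ids were already resolved to these names.
HIGH_PRIVILEGE_APP_ROLES = {
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "AppRoleAssignment.ReadWrite.All",
    "Mail.ReadWrite",
}

MAX_CREDENTIAL_LIFETIME = timedelta(days=365)
DORMANT_AFTER = timedelta(days=90)


def _parse(ts):
    """Graph emits ISO-8601 UTC timestamps with a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def triage_app(app, now=NOW):
    """Return a list of (severity, finding) tuples for one registration."""
    findings = []

    # Expired secrets left attached are clutter; very long-lived ones are risk.
    for cred in app.get("passwordCredentials", []) + app.get("keyCredentials", []):
        start, end = _parse(cred["startDateTime"]), _parse(cred["endDateTime"])
        if end < now:
            findings.append(("low", f"expired credential still attached (ended {end.date()})"))
        elif end - start > MAX_CREDENTIAL_LIFETIME:
            findings.append(("medium", f"credential lifetime {(end - start).days} days exceeds 365"))

    if not app.get("owners"):
        findings.append(("medium", "no registered owner"))

    # 'lastSignIn' is a constructed field; real data comes from sign-in reports.
    last = app.get("lastSignIn")
    if last is None:
        findings.append(("medium", "no recorded sign-in activity"))
    elif now - _parse(last) > DORMANT_AFTER:
        findings.append(("medium", f"dormant: last sign-in {(now - _parse(last)).days} days ago"))

    # type 'Role' = application permission (no user present); 'Scope' = delegated.
    for resource in app.get("requiredResourceAccess", []):
        if resource.get("resourceAppId") != GRAPH_APP_ID:
            continue
        for access in resource.get("resourceAccess", []):
            if access["type"] == "Role" and access["name"] in HIGH_PRIVILEGE_APP_ROLES:
                findings.append(("high", f"tenant-wide application permission {access['name']}"))

    # Broad permissions on something nobody owns or uses is the "legacy test
    # app" shape: raise it first in the review.
    stale = any(f.startswith(("dormant", "no recorded", "no registered")) for _, f in findings)
    if stale and any(sev == "high" for sev, _ in findings):
        findings.append(("critical", "high-privilege permissions on a dormant or unowned registration"))
    return findings


def triage(apps, now=NOW):
    """Map appId -> findings, keeping only registrations with at least one."""
    result = {}
    for app in apps:
        findings = triage_app(app, now)
        if findings:
            result[app["appId"]] = findings
    return result


# Constructed sample registrations.
SAMPLE_APPS = [
    {   # unowned, dormant, expired secret, still holds Directory.ReadWrite.All
        "appId": "app-legacy-test", "displayName": "Test Sync App (legacy)",
        "owners": [], "lastSignIn": "2023-02-01T00:00:00Z",
        "passwordCredentials": [{"startDateTime": "2021-01-01T00:00:00Z",
                                 "endDateTime": "2023-01-01T00:00:00Z"}],
        "keyCredentials": [],
        "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
            {"type": "Role", "name": "Directory.ReadWrite.All"}]}],
    },
    {   # healthy: owned, used yesterday, six-month secret, delegated read only
        "appId": "app-hr-portal", "displayName": "HR Portal",
        "owners": ["alice@contoso.example"], "lastSignIn": "2024-07-24T12:00:00Z",
        "passwordCredentials": [{"startDateTime": "2024-06-01T00:00:00Z",
                                 "endDateTime": "2024-12-01T00:00:00Z"}],
        "keyCredentials": [],
        "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
            {"type": "Scope", "name": "User.Read"}]}],
    },
    {   # owned and in use, but carries a two-year secret
        "appId": "app-reporting", "displayName": "Reporting Job",
        "owners": ["bob@contoso.example"], "lastSignIn": "2024-07-20T03:00:00Z",
        "passwordCredentials": [{"startDateTime": "2024-01-01T00:00:00Z",
                                 "endDateTime": "2026-01-01T00:00:00Z"}],
        "keyCredentials": [], "requiredResourceAccess": [],
    },
]

if __name__ == "__main__":
    for app_id, findings in triage(SAMPLE_APPS).items():
        for severity, finding in findings:
            print(f"{app_id}: [{severity}] {finding}")
```

The output is what you take into the conversation: "app-legacy-test" surfaces with an expired secret, no owner, no sign-in for well over a year, and Directory.ReadWrite.All, and is escalated to critical; "app-reporting" only gets a medium for its 731-day secret; "app-hr-portal" produces nothing. Leading with the evidence ("this registration has had no sign-in since February 2023 and still holds a tenant-wide write permission") keeps the discussion on the configuration rather than on the person who created it.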

Scenario 2: Outdated Software Vulnerability  

An IT security analyst discovers an outdated software version with known vulnerabilities in the company's production environment. Instead of pointing fingers at the IT operations team, the analyst uses diplomacy:  

  • Blame-Oriented Approach: "Why haven't you updated the software? This is a major security risk, and it's your responsibility."  
  • Tactful Approach: "I've found that we're still running an older version of the software, which has some known vulnerabilities. Let's plan an update as soon as possible and discuss how we can improve patch management in the future."  

This approach acknowledges the issue without assigning blame, focusing instead on finding a solution and preventing future occurrences. It encourages a cooperative effort to enhance security and maintain system integrity.  

Building a Resilient and Positive Culture in Cybersecurity Teams 

Creating a culture of tact and diplomacy in dealing with IT misconfigurations and flaws involves more than just individual actions. Cultural change requires organizational commitment. Here are some steps to take toward building such a culture:  

  1. Leadership Commitment

Leaders play a critical role in setting the tone for how the team addresses issues. By modeling tactful and diplomatic behavior, leaders influence the entire organization. This includes providing training on emotional intelligence, effective communication, and conflict resolution. Modeling the positive behaviors you'd like to see sets an example for others to follow.

  2. Training and Development

Invest in training programs focusing on soft skills such as communication, empathy, and conflict resolution. Encourage team members to participate in workshops and courses that enhance their ability to handle difficult conversations tactfully and diplomatically. The Gartner keynote also addressed the benefits of wellness programs for individuals in high-stress cybersecurity roles, including building them directly into incident response workflows. According to the keynote, participation in self-care and wellness offerings such as stress reduction or counseling, or whatever benefits your organization provides, showed a 5% increase in wellness, along with increases in employees' intent to stay, their performance, and their engagement on the job.

  3. Encourage Open Communication

Create an environment where open communication is encouraged and valued. This includes regular team meetings, feedback sessions, and open-door policies that allow team members to voice concerns and share ideas without fear of retribution.  

  4. Promote a Culture of Learning

Encourage a culture of continuous learning and improvement. Celebrate successes and learn from failures. This helps to create a safe space where team members feel comfortable admitting mistakes and working together to find solutions.  

  5. Recognize and Reward Positive Behavior

Recognize and reward team members who demonstrate tact and diplomacy in their interactions. This reinforces the importance of these behaviors and encourages others to follow suit.  

A Commitment is Needed 

Security misconfigurations and gaps are inevitable in the complex and high-stakes world of IT security. It's often not a case of if but when. How we address these issues with our teams can significantly impact the effectiveness of resolutions, the overall work environment, and the organization's security posture. By adopting a tactful and diplomatic approach, IT pros can foster collaboration, maintain positive relationships, and create a culture of continuous improvement.  

Tact and diplomacy are not just about being polite—they are about communicating strategically to achieve the best outcomes. When team members feel respected, valued, and understood, they are likelier to engage in productive problem-solving while contributing to a more secure and efficient IT environment.  

As we move forward, let us all commit to replacing blame with collaboration, criticism with constructive feedback, and confrontation with understanding. By doing so, we enhance our ability to address IT issues effectively and build stronger, more resilient teams equipped to tackle the challenges of the digital age.  

 

ENow's AppGov Score & App Governance Accelerator tools surface Entra ID application misconfigurations and security gaps. With over 20 different checks, the application governance assessment explains why an app or setting is considered risky, so your team can fully understand the importance of securing these apps and move forward with a solid application governance strategy. Some organizations are surprised by their AppGov Score; you can use John's tips above to address these misconfigurations and security gaps in a constructive way that builds resilience and makes for a stronger cybersecurity team and strategy.



Written by John O’Neill Sr

John’s professional IT career began as a teenager, taking him on many wonderful adventures over the past 30 years. John’s IT path started with programming, but branched out quickly. Opportunities from the Help Desk to the Corner Office shape his IT journey. Specializing in Security, Systems, and Infrastructure technologies, John’s broad skillset includes Desktop and Server OS, Identity Management, Networking Services, Network Architecture, IP Telephony, and CyberSecurity. Passionate about giving back to the IT community, John develops relevant, timely content which IT Pros take advantage of immediately. Part of the MVPDays team, he develops both online and in-print content. In addition, John authored material as a contributing editor for the Petri.co.il online community as well as senior contributor to Tom’s IT Pro, Redmond Magazine, Netwrix, and both Thomson-Reuters' Aspatore Books and Exec Blueprints publications. Helping others succeed and advance in IT drives John to share knowledge. Speaking at conferences worldwide, developing technology training courses for Pluralsight’s online training library, and leading webinars are all regular investments by John in the current and next generation of IT professionals. Blending high-tech education with a bit of entertainment, attendees at John’s sessions regularly rate him one of their favorite speakers. Attendees rated John top speaker/best session at TechMentor Redmond 2019 and again at Techmentor Orlando 2021. John is proud to be honored by industry organizations, leaders, and especially his peers. A five-time recipient of Microsoft’s MVP Award, John received NEOSA’s CIO of the Year Award in 2012.