In the fast-paced and ever-evolving world of IT, configuring systems securely and correctly is paramount. As we’ve seen in the Entra ID application space and beyond, misconfigurations and flaws can lead to vulnerabilities that compromise data, disrupt services, and damage reputations. Identifying and addressing these issues requires more than technical expertise; it demands tact and diplomacy. The significance of IT security and proper configuration cannot be overstated. A single, seemingly minor misconfiguration could pave the way for cyberattacks, resulting in significant financial losses, legal ramifications, and, most importantly, loss of customer trust. We saw this happen with the Midnight Blizzard attack on Microsoft through a legacy test OAuth application. As reported in a 2022 VMware analysis, 45% of intrusions contain a lateral movement event, where the attacker finds vulnerabilities such as these misconfigurations and escalates privileges to reach sought-after information. A 2023 IBM report estimated the average cost of a data breach at $4.45 million, highlighting the severe impact that security flaws can have on an organization's reputation and customer relationships.
When identifying security gaps, it's crucial to address them promptly and effectively. However, how individuals communicate these issues with team members can significantly influence the outcome. ENow Software was an exhibitor at the 2024 Gartner Security and Risk Management Summit. In the Opening Keynote, Christopher Mixter and Dennis Xu talk about how, historically, there has been zero tolerance for cyber failure within organizations. They go on to discuss how this mindset has a negative impact on how effective a team’s cybersecurity strategy is. A zero-tolerance approach can lead to burnout and covering up problems when, in many cases, threats are inevitable. Mixter states, “We don’t have to be perfect. What we have to be is transparent.” A resilient cyber workforce is one where burnout is reduced, and it’s safe for team members to share and learn from shortfalls.
Confrontational approaches focusing on blame often lead to defensiveness, resistance, and an utter breakdown in communication, hindering IT's efforts to solve the problem. On the other hand, adopting a tactful and diplomatic approach can foster cooperation, understanding, and a shared commitment to improvement, highlighting the value of everyone's contribution to the team's overall success.
Not using tact and diplomacy in IT communication can lead to profound consequences. For instance, telling someone, "This is your responsibility, and it's wrong," is not only unhelpful but might also be detrimental. Here are a few reasons why blame-oriented and zero-tolerance communication is counterproductive:
Approaching IT misconfigurations and flaws with tact and diplomacy involves recognizing the importance of message delivery. It's about ensuring communication is respectful, constructive, and solution-focused. Here are some strategies for achieving this:
The language used when discussing IT issues can make a significant difference. Instead of framing the conversation around blame, focus on the issue and the desired outcome. For example:
Encourage a collaborative approach to problem-solving. A focus on collaboration fosters a sense of shared responsibility and teamwork, leading to more effective and efficient resolutions. For example:
Instead of dwelling on the problem, focus on finding and implementing solutions. This positive approach helps motivate team members while keeping everyone focused on improvement. For example:
Constructive feedback is essential for growth and improvement. Ensure feedback is specific, actionable, and focused on behaviors rather than personal attributes. For example:
Active listening involves fully concentrating, understanding, responding, and remembering what is said. Listening to understand helps build trust and shows you value the other person's perspective. For example:
Encourage a culture of continuous improvement where team members feel empowered to identify and address issues without the fear of blame and accusation. Focusing on realistic, incremental improvements and treating missteps as learning opportunities, rather than expecting perfection immediately, will lead to more proactive and effective IT management. For example:
Recognize the efforts of your team members and constantly show appreciation for their hard work. Positive reinforcement boosts morale and encourages a more positive and productive work environment. For example:
To illustrate the impact of tact and diplomacy, let's consider a couple of real-world scenarios:
A cybersecurity manager discovers several cloud applications with outdated permissions and registrations, potentially providing unauthorized access to attackers. Instead of blaming the IT staff responsible for managing these applications, the manager approaches the issue tactfully:
The manager avoids defensiveness and fosters a positive working relationship through her collaborative and solution-focused approach. The IT staff is more likely to engage in finding a solution and learning from the experience. This approach helps address the immediate issue and promotes a culture of continuous improvement and proactive security management.
An IT security analyst discovers an outdated software version with known vulnerabilities in the company's production environment. Instead of pointing fingers at the IT operations team, the analyst uses diplomacy:
This approach acknowledges the issue without assigning blame, focusing instead on finding a solution and preventing future occurrences. It encourages a cooperative effort to enhance security and maintain system integrity.
Creating a culture of tact and diplomacy in dealing with IT misconfigurations and flaws involves more than just individual actions. Cultural change requires organizational commitment. Here are some steps to take toward building such a culture:
Leaders play a critical role in setting the tone for how the team addresses issues. By modeling tactful and diplomatic behavior, leaders influence the entire organization. This includes providing training on emotional intelligence, effective communication, and conflict resolution. Modeling the positive behaviors you’d like to see sets a good example for others to follow.
Invest in training programs focusing on soft skills such as communication, empathy, and conflict resolution. Encourage team members to participate in workshops and courses that enhance their ability to handle difficult conversations tactfully and diplomatically. The Gartner Keynote also addresses the benefits of wellness programs for individuals in high-stress cybersecurity roles and mentions implementing them directly into incident response workflows. Participation in self-care and wellness methods such as stress reduction or counseling, or whatever benefits your organization may offer, showed a 5% increase in wellness, and saw increases in an employee’s intent to stay, their performance, and their engagement on the job.
Create an environment where open communication is encouraged and valued. This includes regular team meetings, feedback sessions, and open-door policies that allow team members to voice concerns and share ideas without fear of retribution.
Encourage a culture of continuous learning and improvement. Celebrate successes and learn from failures. This helps to create a safe space where team members feel comfortable admitting mistakes and working together to find solutions.
Recognize and reward team members who demonstrate tact and diplomacy in their interactions. This reinforces the importance of these behaviors and encourages others to follow suit.
Security misconfigurations and gaps are inevitable in the complex and high-stakes world of IT security. It's often not a case of if but when. How we address these issues with our teams can significantly impact the effectiveness of resolutions, the overall work environment, and the organization's security posture. By adopting a tactful and diplomatic approach, IT pros can foster collaboration, maintain positive relationships, and create a culture of continuous improvement.
Tact and diplomacy are not just about being polite—they are about communicating strategically to achieve the best outcomes. When team members feel respected, valued, and understood, they are likelier to engage in productive problem-solving while contributing to a more secure and efficient IT environment.
As we move forward, let us all commit to replacing blame with collaboration, criticism with constructive feedback, and confrontation with understanding. By doing so, we enhance our ability to address IT issues effectively and build stronger, more resilient teams equipped to tackle the challenges of the digital age.
ENow's AppGov Score & App Governance Accelerator tools surface Entra ID application misconfigurations and security gaps. With over 20 different checks, the application governance assessment explains why an app or setting is considered risky, so your team can fully understand the importance of securing these apps and move forward with a solid application governance strategy. Some organizations are surprised by their AppGov Score; you can use John's tips above to address these misconfigurations and security gaps in a constructive way that builds resilience and makes for a stronger cybersecurity team and strategy.