The Feedback Factor: How Effective Feedback Drives Cybersecurity Excellence

The Feedback Factor: How Effective Feedback Drives Cybersecurity Excellence

Robert Wood

Technical skills and knowledge are undoubtedly essential for anyone working in cybersecurity, whether you're a pentester or a SOC analyst, or something else entirely. However, at Soft Side of Cyber, we believe that the true potential of cybersecurity professionals can only be unlocked when they excel in their non-technical skills and complement everything else they know. In addition, giving and receiving effective feedback is essential when you work with others, and it fuels personal and professional growth, fosters collaboration, and supports adaptable team dynamics.

This article aims to provide you with a comprehensive guide to giving and receiving effective feedback in the cybersecurity field. I'll start by breaking down the psychology behind feedback, touch on some principles of effective feedback, then move into tips and approaches for improving how you engage with and use feedback. When done well, feedback can transform challenges into opportunities for learning, unlearning, drive innovation, and strengthen the bonds between team members.

The Psychology of Feedback

Starting at the beginning, there is a deep body of research on the psychology of feedback. Numerous studies cite the importance of receiving feedback on someone's performance in any role, athletics, relationships, or professional. In all of the research I've done on this topic, the two things that stand out most to me are:

  1. How cognitive biases play into feedback
  2. How trust between two or more individuals impacts feedback

Cognitive biases inform the way each of us lives and perceive the world. Specific to giving and receiving feedback, confirmation bias is likely to reinforce people only hearing and internalizing what they already believe. Optimism bias is expected to prompt people to overestimate the probability of success of things they're specifically involved with compared with others' work. The self-serving bias will lead people to blame external factors for their circumstances instead of taking ownership of their part in a situation.

This is only the tip of the iceberg of cognitive bias, and an entire article could probably be spent digging into this more deeply. Each of us needs to be aware of our biases and, at the same time, that others have when giving and receiving feedback.

Trust between people and within teams influences people's willingness to put themselves out there, sharing and receiving feedback. In a working environment where trust is high, there's a higher likelihood of open and honest communication, risk-taking, and learning from mistakes. The exact opposite holds in low-trust environments. This relates to the level of psychological safety that the team members feel.

Five Principles of Effective Feedback

Not all feedback is created equal. There's a lot of literature on this across the internet, so it's not worth trying to recreate it here. Some of the best advice I've read on the topic is summed up in the five principles below:

  1. It is specific: Good feedback should identify the behaviors or actions that need improvement or praise. The more specific something is, the easier it will likely be to understand and act upon.
  2. It's delivered promptly: If you have feedback for someone, get it to them as close to the event as possible, ideally in real-time. Strive for a fluid conversation instead of the situation where you're setting aside that 30 minutes for a "quick chat" with "some feedback" for the person.
  3. It is balanced: As you give feedback to others, ensure it's not all negative or constructive. Call out the positives, the things that are going well, and the things you want to see more of. Recognizing people's achievements, whether in public or private, fosters motivation and self-esteem, while constructive criticism can promote growth and development.
  4. It is focused on behavior, not the person: Feedback shouldn't be used to beat up on the person or anything fundamental to who they are. Likewise, avoid making assumptions about their personality, character, or abilities.
  5. It points back to a goal: Bring your feedback back to the goals of the team or the organization. You might even be able to align feedback to their individual goals (if you know them).

Techniques and Tools for Effective Feedback

If you're a fan of tools and more specific guidance on how to do things, this section is for you. In this section, I'll break down a few techniques I've learned about in training throughout my career and provide an example of how each would look in practice.

Situation-Behavior-Impact (SBI) Model

The SBI model starts by describing a specific situation, then outlines the behavior observed, and ends by explaining the impact of that behavior. The goal of this model is to help people link actions to consequences. The SBI model helps people understand the context and importance of feedback.

Here's what it looks like in practice.

"During yesterday's team planning meeting (situation), you interrupted your colleagues multiple times (behavior). This made sharing their thoughts difficult, and some team members felt unheard (impact)."

The Sandwich Technique

The sandwich method is one of the most well-known approaches to giving feedback. It involves presenting a piece of constructive criticism between two positive comments, creating a feedback sandwich. The idea is that starting and ending with praise or something positive helps foster a more receptive mindset around constructive feedback.

Here's the sandwich technique in practice.

"You did a great job identifying that misconfiguration in our system (positive). However, it would be really helpful if you could communicate your findings without making the team who maintains the system feel bad (constructive). Your attention to detail is highly valuable to our team and we want to really foster it (positive)."

Describe, Express, Specify, Consequences (DESC) Script

The DESC (describe, express, specify, consequences) script is a structured communication tool that can help ensure that feedback is clear, specific, and focused on the desired outcome. It's very similar to SBI. It starts by describing the situation, expressing your feelings about it, specifying your request for the person to change, and explaining how different things could be if the change occurs.

This is what DESC could look like in practice:

"When you work late without notifying the team (describe), it leaves us unsure about the project's progress or realistic estimations around how long work ill take (express). In the future, please send us some more regular updates so we can forecast work more effectively (specify). This will help our entire team plan more effectively and make sure we aren't taking on more than we can handle (consequences)."

Tailoring Feedback to Individual Learning Styles

Using the same tool or approach for everyone across a team may not work. Everyone processes things differently; you can't control how someone else thinks or processes information. You can only control yourself and how you choose to engage. Consider the person, the situation, and the feedback, and proceed accordingly.

You may not get this right every time but don't give up, and don't beat up on yourself if things don't go well every time. Cybersecurity professionals can provide transparent, constructive, and well-received feedback by utilizing these techniques, ultimately contributing to their teams' growth and success.

Check out last week's reaction video on building strong relationships with non-security peers

The Art of Receiving Feedback

Feedback isn't all about giving it out, even if you're in a management or leadership position. Cybersecurity professionals can benefit tremendously in their careers if they can accept feedback from others and learn from it. I firmly believe this is important, no matter your role or level of seniority. Feedback doesn't always have to come from someone senior in your organization's reporting structure.

Here are some tips I've picked up over my career and personal life:

  1. Embrace a growth mindset: Investing in a growth mindset, as Carol Dweck speaks about, you'll be looking at everything as an opportunity to improve, not an attack on your fixed mindset.  
  2. Practice active listening and reflection: Give your full attention to the person providing feedback, don't get distracted with your phone or laptop, and resist the urge to interrupt or defend yourself. You'll feel like you must justify your actions if you receive constructive criticism, so don't jump in. Instead, after receiving the feedback, use active listening to ensure you heard them correctly, then take some time to reflect on the input and consider how you can apply it to enhance your performance. You don't have to agree with everything, but give it time to sink in and decide.
  3. Ask questions: If you're unsure about the feedback or need more information, you shouldn't hesitate to ask questions. This shows the other person that you are committed to understanding the message and taking the necessary steps to improve.
  4. Request feedback proactively and often: You'll be amazed at what happens when you actively seek feedback from your colleagues and supervisors. Ending 1:1 meetings with a "do you have any feedback for me?" can help you make this a regular part of your growth. It also demonstrates your willingness to learn and grow. By regularly soliciting input, you'll gain valuable insights about how your work and efforts affect others that can help you fine-tune your skills.
  5. Overcome defensiveness and embrace vulnerability: Getting feedback can be uncomfortable. Daring Greatly, one of the best books I've read on the value of being vulnerable with others, talks about the depth of relationships and growth that can occur with more genuine openness and vulnerability. Remember that feedback isn't an attack on you or your self-worth; it's an opportunity to be the best version of yourself.

Getting better at receiving feedback will help you throughout your career. So embrace each of these tips, try one of them this next week, see how it goes, then try another.

Building a Culture that Fueled on Feedback

If you're in a management or leadership position, you are in an excellent place to influence the culture of your cybersecurity team. I wrote about what makes a strong cybersecurity culture recently. Two things in that article related to feedback culture are removing blame and engaging with empathy.

In my experience, strong feedback cultures are about open communication, partly rooted in psychological safety. Leaders can also help establish norms and structure around how communication flows within a team, especially feedback. Respect, honesty, and listening to one another are vital in all communication.

It might be time to explore training options if a team struggles with providing and receiving feedback. This could be delivered through personal coaching or team training sessions where these skills can be taught and practiced. Yes, time will need to be invested, but it's well worth it in the long run.

Lastly, praise is a powerful tool, and using it when you see team members delivering and receiving feedback can help encourage others to do the same. People often aim to make their management happy, so reinforce the behavior you hope to see more of. This works in almost any situation, and encouraging feedback culture is no exception.

Concluding Thoughts

In the workplace, feedback is a cornerstone of growth. It works on teams, and it works on individuals. Not all feedback is good feedback, though. In this article, we discussed what makes effective feedback, some techniques for delivering it, and how to receive feedback gracefully. I hope this article helps you improve in this area of your professional (and maybe even personal) life.