About This Episode
EPISODE 6 features the head of security at Tatari Craig Merchant. Craig has had an incredible career in IT, starting as an engineer, moving to consultant work, and making the shift to security in 2001. Working over the years with large corporations implementing advanced security measures, while also focusing on small to medium business markets, and even working in cloud technology. Craig has a wealth of knowledge from his years of experience in the security field, adapting and evolving with new technology. His top 5 leadership tips lend a unique perspective into the reality of cyber security and how to successfully communicate its importance within the tech world.
Craig’s Top 5 Leadership Tips:
Below is a summary of the Top 5 Leadership tips shared during the interview this week. Take a listen to the episode to learn more about the thoughts behind these tips –
- Selling The Importance Of Good Security
- Being An Empathetic Listener
- Pick Your Battles
- When To Stick To Your Guns
- Trusting In Your People
We hope you enjoy the episode. You can find even more Full Stack Leader episodes here:
Ryan: Welcome everybody to today’s episode of full-stack leader. We’re here with Craig merchant. Who’s the head of security at tuttare based out of San Francisco, welcome Craig.
Craig: Thank you so much, happy to be here.
Ryan: Glad to have you. Maybe you can give our audience a little bit of a rundown as to what you’ve done in the past.
I know you have a long history of working in the security field, and it’s a really unique side of the technology industry. We’re excited to talk to you about it.
Craig: Sure. I started down this career path. My junior year of college. Basic desktop support for Georgetown university. After I graduated, I got certified as a Novell network engineer.
And mind you, this was in 1995 when the internet was really just starting to happen. And for engineers just vastly outstripped the capability like colleges didn’t even realize. Like it type degrees back then. And, I got hooked up with this consulting company called convergent and they partnered me with their top engineer and for about a year and a half, he just downloaded his knowledge base of experience and technical expertise into me.
Spent some time at a couple of fields starting. Went back to consulting. I really started pivoting towards security in 2001. That engineer and I had a project at the HEB grocery store chain in Texas, which was like a $9 billion grocery store company. At least it was back then. And Walmart was trying to get into Texas.
So they were spending like $250 million to redo all of their IT so that they could compete against Walmart. And Cisco had this blueprint for. Kind of networking insecurity done, right? The budget was unlimited, if you were only going to buy Cisco equipment, here’s what that blueprint looked like.
And we were tasked with implementing that and I was responsible for all of the like vulnerability management, intrusion detection, kind of systems management stuff. And that sort of got me on the security track in 2006. That engineer is another partner of mine. Formed a small managed service provider called on-time.
That was focused on the small and medium business market. And I basically became the dedicated security guy. And that’s when I first discovered Splunk in 2006. And that was a product that I have largely built my career around, for the last. I guess 15 years now. Um, great, great product. Yeah. Oh, I could no longer really imagine doing my job without it.
It’s expensive, but it is an absolutely fantastic tool. And, so I did that for like six or seven years. In 2001 was my first, , first security hire at a company called location labs that makes mobile. Safety products for like parents to kind of keep an eye on their children. After that, I went to responses as a senior security architect. The response was like the 800 pound gorilla in the marketing orchestration space.
They got acquired by Oracle in 2014. So I was. Senior cloud security architect there for a couple of years, then I left and worked for dimension data, doing Splunk security consulting at Oracle, for another two and a half years then, I was the first security hire at a FinTech startup called token vault.
After that I spent a year at Salesforce Tableau, and then now. The head of security at tuttare, which is an ad tech startup. Wow.
Ryan: You’ve really tried a lot of different flavors over the course of.
Craig: I certainly have, you know, I like to keep it interesting.
Ryan: I think that’s important for a leader because you end up having a lot of different experiences to work off of when you’re thinking about decision-making.
Craig: Yeah. Cause the challenges as our. World and technology stacks have evolved or are very different. Like it used to be this sort of, you were securing all of it, which meant like your laptops and your servers and stuff like that. But now, you typically have your, you know, a lot of companies like tuttare is basically SAS only like the only infrastructure we have is.
And our offices. And so, you now have one security challenge of how do we keep our employee laptops secure, and then you have the security challenges for your Linux based customer facing platform, which uses technologies like, Kubernetes and containers and Docker, and those, the security, risks, and challenges to both those environments are completely different.
So having a broad range of experience in both of them really, I think, is necessary for. Effective security leaders today.
Ryan: Do you find that you need to bring on team members with specialties in one or the other, and do you end up crossing them over once you get them in?
Craig: My hiring philosophy is much more centered around finding the right people rather than acquiring a particular.
Like, if someone’s smart, I can usually mentor them. And most of the areas of security. So as long as I think they’re a good fit, like personality wise, like they’re hungry, they’re quick learners. They’re reliable, they’re responsible. They own whatever it is that they’re taking on and are constantly pursuing new challenges.
That is more important than a particular skill set. There are times though, when you absolutely want a dedicated person with a very limited role and a deep skillset and some kind of technology, like, a cloud security engineer, that’s definitely a role I would hire for the skillset simply because if you’re a traditional IT person, the learning curve.
, come up to speed on AWS or Azure or GCP as well as technologies like Kubernetes and Docker that are not as commonly found in the enterprise. I think that hill will be a little bit too steep.
Ryan: Yeah. And maybe over the course of time, they can train to get those skills, but they also need to be investing in themselves.
Yeah. I’ve found one of the, one of the interesting things you said from the very beginning and it, you echoed it a second ago. Was this concept of mentorship or, an apprenticeship, type of experience with the team? Sounds like you worked as an apprentice, early in your career, and it sounds like you also still use some of that methodology.
Is that pretty important to the way that you work with your teammates?
Craig: I don’t think I would be where I am in my career today without having. One or two people who significantly influenced my knowledge, my presentation skills, how to work with customers. There’s so much soft skills that just because you’re really good at, network engineering or vulnerability management or something like that.
If you can’t make a good PowerPoint presentation, or if you can’t write really good documentation, at least as a consultant, right? The documentation is what speaks for you when you’re no longer there to defend your. So having those types of skills in addition to a technical skill set is absolutely critical.
Ryan: Are there any specific ways of mentoring that you like? Maybe something you picked up when you were being mentored or maybe it’s something new, but like a specific style of, of, um, prepping someone and teaching someone how to enter what is a relatively complex
Um, the guy that I was partnered with, he basically any free time we have, like, if we were driving to a customer site or, waiting for a backup to restore something like that, it was basically. His brain dump on whatever subject came to mind. , that, and that worked for me, I can learn. And that kind of fashion, I don’t think that is typically the approach that will work for most people.
Like when I was at Salesforce, my boss told me that since Splunk was the primary tool that our team used for detections and that kind of thing, that he wanted me to elevate their skills. In terms of Splunk. And so for like two hours, two to three hours a week, I would come up with some kind of a problem, like, okay, here’s how you onboard data.
Here’s how you get it normalized with Splunk’s common information model. Okay. This data here is problematic. Now let’s see if you can figure it out, hit me up on slack. If you need help and try to like slowly incrementally, give them the next thing to chew on, to elevate theirs.
They were all kind of like, we got to record all of these so I can go back and watch it again, kind of thousand I’d stare at the end of the two hour meeting, because there was so much information, but, , that’s why we report things.
Ryan: Yeah, absolutely. The recordings are incredibly helpful.
These days we use the same methodology here, we’ll record teaching sessions and then let people go back and re-engage with them. What do you think that this kind of approach has helped prepare people for those big moments? Because one of the things I’ve noticed over the course of time and security is wonderful when you don’t even notice that it’s there, but there are these big moments that arise.
And the life of almost all products or all engineering systems that have major need for immediate security, and response from security. Do you think that that kind of ongoing preparation of team members like that preps them for those big moments?
Craig: Typically speaking what the security, my experience, at least what the security team is advocating for in terms of, these are the risks that we see to the business.
These are the recommended security controls, and there’s usually some degree of pushback. It usually takes some kind of an event. To really change the business’s mindset. And I have a perfect example. So on Wednesday morning before Thanksgiving, one of our tutorials went to the VP of ops and said, Hey, a colleague of mine, an old colleague of mine.
So they have an interview here in two weeks, but we interviewed them in April and passed on them. I think that’s kind of weird. So the VP of ops, when or the recruiting tool, she didn’t see anything scheduled for him. So she reaches out to the candidate and he says, yeah, a recruiter from tuttare calls.
Said that they saw my profile on LinkedIn and wanted to schedule that. So now we’re thinking like, okay, any sort of screenshot of the meeting invite that looked completely legitimate. It had some things wrong with it. Like some of the emails on it were legitimate to tear emails, but not emails that we ever used.
And eventually you notice that the meeting ID was the same. And so what we think happened was that he was logged in, on his personal machine to work and that machine or phone got compromised. The attackers realized who he was, where he worked. They looked through his trash and they found the old meeting invite.
And since we’re an ad company and he’s in an advertising company, Social engineering aspect of seeing an invite from a company in your same industry is much more likely to get you to click on it. And so what the attackers were hoping to do was he would do the interview on his work machine. And when he clicked on the hangout, it almost certainly would send his machine somewhere that would infect it with malware, sending it back to Google for the meeting.
And he would just think that he’d been sitting. Wow that and the company that he works for makes viral marketing videos, right? They’re not a high value target. So this was an unbelievable amount of effort for the attackers to make, to get a foothold. On a company that makes viral marketing videos and it touches on a number of different things, right?
Accessing work from personal machines, right? Security usually gets really twitchy about that. And oftentimes the user community or the business pushes back pretty hard on us, either saying we can’t allow them to use personal machines to access work, or they have to install some kind of security software on their personal device, which then starts raising issues of.
Ryan:But what’s our big issues in today’s world,
Craig: which they certainly are. And when we sort of explained this scenario to management, the light bulb went off like, okay, this really is the kind of modern threat landscape and we have more value than this company does. So if they’re going to make that kind of effort to hack them, imagine what kind of effort they might make to hack.
Ryan: Yeah. And it seems that it seems that it’s really picked up over the last little bit as well, with the, with all of the ransomware going on and, people finding different avenues to exploit, beyond the traditional ways of doing
Craig: it. Yeah. Like Zscaler, which is a company that has a product known as a cloud access security broker, the CASBY it’s basically like an always on VPN server.
Without you having to manage your own firewalls, they released their kind of research and statistics for 2021. And they said that they’d seen a 300% increase in malware using encryption to hide what it’s doing because of this. They were talking about the argument for decrypting SSL connections so that you can see what’s going on.
They also said that attacks against tech companies rose 2300% in 2020. Wow. They stopped something like 20 billion encrypted attacks across all of their customers over the course of, the first nine months of the year
Ryan: with data like that, it makes it understandable why a business would be.
Extremely cognizant about what’s going on on their machines. And I think you brought up a really good point a minute ago, which is striking that balance as a company between protecting the business and making sure that you’re not hit by one of these attacks and simultaneously protecting the privacy of your employees, which is becoming more and more important to everyone as well.
How do you think as a leader you’re striking that balance? What are some of the ways in which you think about balancing what the company’s needs are and not scaring the employee?
Craig: That there’s a very good and relevant question. There is a class of tool that we call EDR endpoint detection and response, and it’s basically what modern antivirus has become.
So companies like CrowdStrike. Carbon black Sentinel one. Those are the leaders in that space and it basically combines the NexGen anti virus tool with significant forensic auditing capabilities. So when it logs, when a process starts and stops, it will log when a network connection is made. DNS requests, URL queries, like it gives security a significant amount of visibility into what is happening in the environment.
And it is not a particularly controversial technology. EDR is pretty much ubiquitous in modern companies these days. , but it does have potential for privacy issues around like DNS requests and logging URLs now a CASBY solution. Is like the next step up in terms of visibility for security and privacy issues for the employees.
Because if you are decrypting traffic, could you steal their Facebook cookie? Could you, could you grab their medical info? For example, if they’re using their machine to communicate with their healthcare. And most of those tools give you a pretty wide range of flexibility to give employees reasonable amounts of privacy.
You can say, like, we will exclude from decryption, social media, banking, medical stuff, and whatever employees specifically ask for additional privacy, but then everything else, security is going on. And I found one of the ways to kind of help alleviate some of the fears of surveillance is to really have a very clear explanation.
Usually some kind of a data privacy document that explains to people how it is that data’s used because it is not at least my company. We’re not human threat hunters. Cause that doesn’t really scale for the size of our business. So what’s going to happen is that a tool like Splunk is going to be running automated searches in the background all the time.
And only when those detection searches say that a particular employee or computer is sufficiently risky, that security will actually start going through the logs to see what that machine is. And I think that’s pretty reasonable to say, look, we’re not looking for activity unless you’re doing something really bad.
Ryan: Do you think that people generally understand this? Or is this maybe a miscommunication and something you have to work on when you’re working in a head of security position? Because I’ve noticed that people get the concept of security and they also might view it both as protecting, maybe protecting the company, but also.
Looking at them as potential bad actors as well. And which might put them on edge there. Do you think there’s an understanding of that kind of, maybe not that kind of detail, but of, of that concept that would rally them around wanting the security?
Craig: I think the overwhelming majority of people, unless the company has recently experienced a breach, significantly underestimate the risks to them.
Yeah. And like in that example that I gave you from before Thanksgiving, like we don’t believe this 20 something Facebook ad expert was deliberately targeted. We think that it was, random malware ended up on his machine and then the decide the attackers decided, okay, now we’re going to make this a campaign against the company, because we found out later that he wasn’t the only employee that got a call from a quote unquote to tare recruiter to set up.
And that also then helps me sell my story to the business that, Hey, attackers are very sophisticated and modern times and we, in order to protect ourselves from them, we have to go to much greater lengths than you might normally think of.
Ryan: Which brings up a great question.
How much do you have to sell the concept of security even to the C-suite or the leaders of the organization so that they, themselves who have an inherent desire to protect the company, but even so they know. That we’re going to need to budget for this appropriately.
Is that a hard sell or is that something that you’ve learned over the years, how to communicate to them effectively?
Craig: I mean, it really depends. Like I have, I’ve been at organizations where, senior leadership thought, do we really even need to do and point security? All of our data is stored in the cloud, which is pretty reasonable.
The sales pitch that I talked about. With, you know, if you are an internet facing service, whatever you do. And you have your Linux, Kubernetes, Docker type environment, like the trends in the industry towards containers, which are very small, like not even a virtual machine.
So to speak, that usually makes one very specific. And then you just have what we call microservices of containers, doing very specific things, all talking to each other in, some kind of a mesh or a fabric. And if a computer does something really simple, then it’s really easy to secure because you know what it does.
And if it does anything other than what it is supposed to do, you get that alert, a really good sign that something bad is happening. And so locking down that environment, getting to. You hear cloud people talk about infrastructure is code like security is code is on the horizon for a lot of companies these days.
And so with that ability to fully monitor and lock down that type of environment, then really the risk of compromise. Comes from someone getting on an administrators’ computer and finding their SSH keys and, using that computer to get into the platform to maybe disable some of the security or add an exception so that whatever their malicious activity is, will be considered part of good normal policy.
Like at that point, that’s where the risk to that platform or more likely to be. And securing laptops that do lots and lots of different things and are operated by human beings is a much greater security challenge than just making sure that a bunch of Linux servers and containers only do what you want them to do.
Ryan: Do you think, as you’re thinking about the planning of these kinds of. Initiatives that will help protect the organization and implement this kind of complex network of defenses.
What do you think is an easy digestible format for some of the leaders in the organizations ? Grasp what you’re saying and feel confident in putting a budget towards that.
Craig: It’s a lot of discussions. There’s no one easy way. And I report to the head of dev ops at tuttare and of course that, right. He’s a very technical individual and there’s times where he’s told me, like, Craig, you’ve explained something to me in great detail. And, I’m a technical person and I didn’t totally understand it. And you’re you as a security professional have been living and breathing this stuff for 20 some odd years, you lose, you definitely lose perspective on.
How much people don’t know how much they can digest in a single sitting. and it’s really just like an ongoing iterative, sales and Amanda rising process in order to get them to come around. And it certainly helps with. , you have that kind of real-world scenario that we had before Thanksgiving that makes light bulbs go on, makes them sort of like reassess.
They’re complacent that no one would bother to target us and, and we trust our employees. That’s just not always the case. And , it’s a tough sell, but it’s an ongoing kind of struggle. And if you are going to get into security leadership, you need to prepare to be a salesperson.
Ryan: That’s a great spot to end this part of the discussion. Thank you. What an incredible rundown. There are so many spots to explore more deeply here. We only have a short amount of time, but I really appreciate you going in depth on some of those. And even that one example makes me nervous. So I’m glad to have heard it today as well.
This is a really great area to think about the differences in the way that a lot of aspects of tech are managed and led and how this one has to be managed and led and actually partner with those. So I appreciate you giving us a great run.
Security is one of the most challenging and important aspects to the tech industry within that complex land. It’s clear that Craig’s style of leadership ties very closely to a mentor apprentice model. This intimate form of knowledge sharing is especially important in a side of the industry that is constantly in flux and facing ever-growing challenges that impact both employees and customers.
He also reminds us that leaders always face the challenge of striking a balance between meeting the needs of customers. In this case safety concerns and giving employees the freedom they seek to work independently in today’s world of anonymous attacks. That balance is so much more pronounced.
Ryan: back. We’re really excited to have Craig Merchant with us here today. The head of security at tuttare and he’s going to give us his top five tips for security in it. So Craig, let’s jump in. What’s your number one tip you want to share with our audience?
Craig: For leadership tips. Tip number one, if you’re new to security leadership, congratulations, you are in sales and the product is expensive.
, it encumbers your employees and makes their jobs more difficult. It invades their privacy and it solves a problem that they might not even see because unless you’ve experienced a breach recently, They think everything’s okay. They’re fine. With the status quo. For example, when you start doing system hardening, the CIS benchmarks are kind of considered to be the gold standard for securing end points. And so they tell you to turn off. All sorts of different stuff to reduce your attack service that people use, right?
Like disabled, Bluetooth, disabled touch ID, disable, face ID. If you just were to turn that on, because that’s what the industry says is recommended, your user community is going to flip out. So like what, one of the things that we’re going to do is we’re going to go through the CIS benchmarks for windows and apple and.
Find all of the stuff that we think might have mixed business or personal use, or might be extremely convenient for people. And then put out a survey and see, which of those things are being used for business, which are being used for personal, which aren’t being used or are being used for both.
So that way
Ryan: we get them and you get them into the conversation.
Craig: Yeah. And , it will help us pick our battles. Because Bluetooth is a remotely exploitable technology without a particularly stellar track record in terms of security. And there’s no such thing really as like a Bluetooth firewall or a Bluetooth intrusion detection system, like there is for.
Your wireless network adapter and it’s used throughout the company. So do we make the company go on a buying spree and make everyone wire in their headsets and keyboards and mice? The users are absolutely going to hate that. And they’re going to complain about it forever and probably make them more resistant to something else down the line that is equally inconvenient, but is far more secure.
Ryan: That’s amazing. Thank you for sharing that. Let’s jump to number two now, but you got
Craig: number two is you absolutely have to learn to be an empathic listener. Because in your mind, you’re, it’s a no brainer that you disable like touch ID and face ID. Right? Security researchers have shown both technologies.
Can. Be worked around without necessarily a huge amount of effort. But when people complain to you, like really, you have to learn to sit and listen and kind of turn off the part of your brain. That’s just waiting for them to finish talking because you’re going to do what you’re going to do anyway. And like really try and connect to them to understand how it’s going to frustrate them.
And it’s much better to sort of like reach out with questions before you talk about a security control that you want to improve. And start really understanding like, you know, how much do people use Bluetooth? Are you accessing work on your mobile phone? Like start that conversation with questions to figure out what people are doing?
How are they doing it? What would the implications be if you implemented a certain change and then really listen to them?
Ryan: Love that. Yeah, it’s really about taking the time to actually hear what their needs are. Figuring out where you can meet them and then actually putting elements into place that are going to be good on both sides.
Great. Alright. How about number three?
Craig: Number three is you do not have unlimited political capital unless you work in a regulated industry like healthcare or financial services or something like that, where you are basically ordered by compliance standards to do certain security things. If you’re not in one of those industries, then everything is a sales pitch.
And, there are times where you can go to the mat for what you think is right. And you know, what’s going to anger or frustrate your user community or your leadership or whatever, you can’t do that every single time. Right. So you got to really understand the, like, pick your battles.
Ryan: how do you feel about your skills of setting expectations?
As you let something go. Sure you can make that decision. And if you make that decision, these are the potential impacts. Do you feel like that’s important to be able to communicate that?
Craig: I mean, you absolutely at least my personal style is to say like, okay, if we don’t do that, like here’s some scenarios.
I think it could reasonably lead to, you know, compromise in the business. Here are the potential risks or the capabilities that I will lose if you don’t give me what I want. And then say, let’s be very clear. I think we should do this, but I am compromising on this particular issue because I don’t think it’s worth it.
Ryan: Yeah. I think that’s pretty important. We even go through that on a totally different side on the development side of things, which is, you know, they have to make decisions as to what features they want to build or with what they, if they need to go down a path to support, the backend architecture versus doing a bunch of great work on the front end for the users and really having those expectations.
Effectively communicated and the results like actually tracked over the course of time and be ready to jump back in because they may need to change our mind later. All right. Tip number four, what you got from.
Craig: It’s kind of the opposite of tip number three, and that’s stick to your guns right now you, of course.
Yeah. You are the expert. There are times when you absolutely need to go to the mat to get something done.
Craig: of people, you know, think that security professionals tend to do. Paranoid or, they like playing with gadgets, so they just want to buy more stuff. I mean, my philosophy is that any security tool that I deploy that is capable of generating an alarm is one more obstacle between me and my personnel.
I want the absolute minimum amount of stuff to get to a reasonable state of security. But you know, a lot of the time, like if you are facing opposition and you are going to go to the mat because you believe that particular security thing is important enough to like, burn a bridge or spend a lot of your political capital on.
I would recommend, like, thinking more about making it a sales campaign and like, all right, maybe we’re going to table this thing now. And I’m going to spend another three months, working on you, finding articles about how something happened to another company that is related to whatever it is you’re trying to do, and kind of work on them for some period.
Ryan: Yeah, I was, I was also thinking about the nature of the type of security that it is. I think if somebody’s in a real home security experience, Has someone break into their house, take something. There is a kind of different feeling than when it happens in, on a spreadsheet or it happens, somewhere related to their bank account.
They don’t eat. They aren’t even really a part of the transactional theft or the transactional element. So having them realize beforehand. How that can impact them later is a huge piece of it. And if you know what those are, you really have to stick to communicating that and stick to your ideas around it.
Ryan: Great. All right. Last one, tip number five.
Craig: What do you got for us? Last one is to trust your people. Like if you are coming into security leadership from a technical background where you’ve done a significant amount of time as an engineer. I guarantee that your former bosses or former senior engineers trusted you to succeed in some kind of a project that they were really nervous about and you managed to get it done.
You need to have the same sort of faith in your people that people in your life had in you.
Ryan: How do you think you build that trust with them? Or how do you think they can build that trust with you as a leader?
Craig: typically prefer to like, give someone an objective. Like, I want you to deploy this cloud security solution thing.
And then at that point I’ll pretty much stay out of it. I’ll offer up my opinion when they ask for it. But for the most part, I’ll leave them to do the research, figure out what we want to do. POC is on, you know, they will have to present to me like, okay, We looked at these three products, here’s the sort of feature matrix.
And here’s my thinking why we should go for the middle expensive one versus the free open source version. , and only if I think that there are. Getting into trouble, or it seems like things are taking a lot longer than they should, that I’ll get more involved in the kind of day to day, you know, what are you doing?
What are you working on? Let me help you with that because I had one experience at my first job. I had to configure a network adapter in like three Novell NetWare servers, and I just could not get it to work, but I was embarrassed that I wasn’t successful. Right. I’m a certified Novell engineer at this point.
And so I waited basically until the afternoon before they were supposed to be delivered to the customer to tell my boss, Hey, I’m struggling. I’m not able to figure this out. And the CEO spent the entire night getting those servers. So that was the one and only time I really needed to learn the lesson of asking for help sooner, rather than later, there’s no shame in asking for help.
No one knows everything.
Ryan: Absolutely. Especially in a side of the business, that really depends on sharing knowledge and being able to talk with one another to find solutions. So it. All right. Well, thank you. It was an amazing interview. We really appreciate you taking the time to sit down with us and offering some of your insights into what is often a very misunderstood side of the industry.
You’ve given us some really good perspective on what it takes to look at both the external experience, as well as working with employees internally as well. How those two things have to come together. Thanks for joining us today, Craig.
Craig: Appreciate it. My pleasure Ryan was fun.
Ryan: Craig hits home. That leadership is very much about selling vision. No matter what level you’re at, as he points out solid security can be one of the most important insurance policies an organization has, but the more security a leader provides, the more they can hinder independence and exponential growth.
To pull this off gracefully. He thoughtfully reminds us that listening to and understanding the organization’s actual deeper needs are central to striking the balance between safety and innovation.