Security News

Cybersecurity news aggregator

INFO News SecurityWeek

The Human IOC: Why Security Professionals Struggle with Social Vetting

  • What: Discussion on challenges of vetting human intelligence in security
  • Impact: Security teams face difficulties in verifying sources and information

Management & Strategy

Applying SOC-level rigor to the rumors, politics, and ‘human intel’ can make or break a security team.

By Joshua Goldfarb | March 12, 2026 (8:30 AM ET)

During my years working in Security Operations, we were very careful to vet anything that came our way. We vetted sources, intelligence, IOCs, TTPs (tactics, techniques, and procedures), and other information as well. The reason for this was straightforward. Leveraging anything that was not properly vetted could result in serious consequences.

What are these consequences you ask? There are many, of course, but a few of them include:

  • Drowning in false positives (and thus potentially missing true positives)
  • Wasting resources chasing ghosts
  • Causing unnecessary downtime by responding to faux incidents
  • Damaging trust and relationships (sometimes irreparably) with stakeholders
  • Harming the reputation and political capital of the security team

As you can see, some of these consequences are worse than others, but none of them are great. Thus, it is not surprising that the vast majority of security teams vet information properly before introducing it into the security workflow. It is a logical practice that makes complete sense.

Given that we understand this when it comes to information, why is it so hard to apply this practice to people or organizations (teams, enterprises, vendors, etc.)? In other words, while most of us vet security information rigorously, when we hear information, and especially negative information, about people or organizations, most of us don’t vet it rigorously at all. In fact, in many cases, we will begin thinking negatively of or discounting who or what we heard negative information about before asking simple questions that could quickly expose the truth.

This has been a question that has troubled me for quite some time, and I’ve always wondered why this is the case.

While I’m not an expert in human behavior, it may provide us some insight here. In general, people do not like to displease other people or to come across as unpleasant. In addition, many people prefer to avoid conflict, even if that conflict is necessary and would result in a greater good. There are likely many reasons, but even these two help us understand why many people shy away from vetting information they hear about people or organizations. Doing so might require unpleasantness and a bit of healthy conflict.

Even so, it is a worthwhile practice that can help security teams ensure they don’t discount someone or something that may add value, while simultaneously embracing and empowering someone or something that may cause harm. How can we vet information, and in particular negative information, about people or organizations? Here are a few techniques that can be employed:

  • Ask questions: As the German philosopher Friedrich Nietzsche stated, “Truth doesn’t mind being questioned. A lie does not like being challenged.” In other words, when someone is sharing the truth with us, they won’t mind at all if we have a few questions and/or want to clarify a few things. On the other hand, when someone is lying, if you probe even a little bit, the narrative will quickly break down. The person lying might even get reactive, hostile, attack you, and/or attempt to deflect. Those are all signs that the piece of information you have been given may not be reliable.
  • Ask for evidence: If a person or organization has indeed done whatever it is they are being accused of, shouldn’t there be evidence of that? It is, unfortunately, a well-known trick of deceitful people that they are often vague and omit specifics. This makes it harder for most logical and empathetic people to identify the inconsistencies in the story that might reveal the truth. The solution to this is straightforward – ask for evidence. If that subsequently results in a variety of evasive tactics and not the evidence that was requested, it is a clue that the information is probably not reliable.
  • Approach the targeted person or organization directly: It amazes me that more people don’t simply approach the targeted person or organization directly when confronted with unfavorable information. Some people do, of course, but not enough people do. Doing so gives that person or organization the chance to explain their version of events. And guess what? If they are in the right, it is usually fairly easy to tell from their telling of it. How so? Generally, when a person is right, they will be happy to entertain a discussion, be specific, provide data points, produce evidence, and respond positively to being questioned. It may very well prompt you to question the source, ask questions, and ask for evidence.
  • Consider the source: Is the source always the victim in their stories? Does the source always seem to talk about others, rather than focusing on the topic or task at hand? Does the source have a history of raising vague, unsupported negative information about people or organizations? Does the source have a history of being proven wrong or to have been lying? If so, it may be worth considering that this source may be more problematic than reliable.
  • Review history: Has the targeted person or organization produced good results for you in the past? If you think back over the advice they’ve given you, has it generally been good advice (whether or not you followed it)? Is the targeted person or organization generally reliable and of good character? If so, you may have encountered false information about this person or organization, and you should probably go through the above bullets to ascertain more details around what the actual truth may be.

While vetting people or organizations takes effort and may go against our nature, it is generally well worth the effort. Just like information, people and organizations need to be properly vetted. If they aren’t, there can be serious consequences for a security team. Consequences that will harm the enterprise security posture.

Written By Joshua Goldfarb

Joshua Goldfarb (Twitter: @ananalytical) is currently Field CISO at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.