This is a post is in the Useful Ideas series.

People sometimes say “it’s easy to criticize” but how easy is it to criticize well?

Many of us often find ourselves in situations where we are called on to be critical. As a cybersecurity and product security leader, this is one of my core job duties! So, I thought I’d share some of the lessons I’ve learned (often, the hard way!) about criticism.

Criticism is not the same thing as feedback

While it’s tempting to think all the same rules apply, there are some different aspects to consider. I’ll write about giving useful feedback in a different post. If you’re in a mindset of giving constructive feedback, consider reading that commentary instead.

Criticism is not about blaming

Finger-pointing is rarely helpful. Good criticism seeks to get to the heart of the matter, so it often involves considering the context of the situation, the processes/structures/systems that produced the outcome, and the variety of factors that contributed. If you find yourself wanting to blame someone, check your motivations.

Criticism is not for it’s own sake

If the criticism isn’t leading to learning or change, then it is not valuable. If you are not prepared to help with that learning or change (whether through recommendations, support, or addressing a problem), it is not valuable. If it is not delivered to the people that are best positioned do something about it, then it is not valuable. If it is not delivered in a context and setting where the audience is receptive, then it is not valuable. If you are not trying to drive a good outcome, check your motivations.

Good criticism is difficult, and a lot more could be written here, but I hope these warnings will help you learn from some of my own experience giving it.