As one of the podcast guests emphasized in a recent episode, specialists in the cybersecurity space have spent over 20 years building technology to keep us safe. However, only a micro-fraction of that effort went into teaching the skills and concepts that non-infosec people need to stay safe as technology kicked up a storm around them.
In the current dynamic, technical specialists are frustrated with the limited effectiveness of cybersecurity training. On the other side of the screen, the people they're trying to protect are equally discouraged and confused about what infosec experts want from them. And so, even the best intentions tend to get lost in translation as that disconnect sits unbridged.
I see this in language, when "people are the weakest link" comes up – a concept that only deepens the divide.
I see this in the frustration of people who try to do the right thing, like using multi-factor authentication, but whom companies let down. (I'm looking at you, Twitter.)
That's why I believe...
It's time to bring empathy into the status quo
Empathy is much more than a buzzword. It's not a marketing ploy.
It's a powerful ability that breeds connection, openness, and curiosity. It breaks down barriers, stereotypes, and misconceptions. It helps move things from foreign to familiar and turn fear into friendship.
How? By putting people in a frame of mind where they have the willingness to:
listen with intent and an open mind
discover what people care about
find out why people do the things they do
notice the key elements which form their identity (and how they became a part of it)
communicate with intent rather than going through the motions.
If you're willing to cultivate empathy, practicing it lights up even the most remote, inaccessible corners of people's behavior – yours included.
In 2021, Tracy Brower, a PhD sociologist and author, wrote an article in Forbes with data supporting that "Empathy Is The Most Important Leadership Skill According To Research." That article made the rounds not just because it was compelling, but because people resonated with this skill.
We've all had colleagues that became our friends, managers who were supportive and kind, peers who treated us with empathy and respect. Maybe we go back to the moments we shared with them when we need to be reminded of what empathy feels like because they left an indelible mark in our lives.
While we don't need a study to tell us this, it offers a helpful reminder about the qualities we notice and appreciate in empathetic leaders, no matter the role in which we find them:
Open and transparent
Fair
Follows through on action
Encourages others to share their opinions
Trusted to handle difficult conversations.
People like these help make empathy a part of the status quo. They normalize being vulnerable, taking the time to understand where others are coming from, and finding a way to work together and make use of everyone's contribution.
I'm honored to say that all the people I've talked to for Cyber Empathy have these qualities because they cultivate them with intent, which is the most valuable thing I've learned from them.
Let's get practical about empathy in cybersecurity
Over half (58%) of employees have previously left a job because they didn’t feel valued by their boss, and nearly half (48%) have left a job because they didn’t feel like they belonged. The difficulty of connecting with colleagues has resulted in more than a third (37%) of employees leaving their organization.
While this 2021 EY study highlights problems that plague the business environment in general, they certainly apply to cybersecurity just as well. In fact, a recent Gartner prediction points out a well-known industry problem: that “cybersecurity professionals are facing unsustainable levels of stress.”
The reasons behind this are a topic for a dedicated article, but it's important to note how massive the aftermath can become. Gartner anticipates that:
By 2025, nearly half of cybersecurity leaders will change jobs, 25% for different roles entirely due to multiple work-related stressors.
One of the biggest problems in cybersecurity today is how the lack of empathy stifles progress, because it takes effort to translate empathy's benefits into practice and into numbers that impact the bottom line. But the scarcity of empathy shows up in different statistics:
Gartner predicts that by 2025, lack of talent or human failure will be responsible for over half of significant cyber incidents. The number of cyber and social engineering attacks against people is spiking as threat actors increasingly see humans as the most vulnerable point of exploitation.
When we bring empathy into cybersecurity products, processes, and approaches, we can meet people where they are. Most people just want to do a good job, and that job is just not security. If we want to support non-infosec people to acquire those skills, we need a different approach, one that resonates, one that makes them feel seen and appreciated for their efforts.
A Gartner survey conducted in May and June 2022 among 1,310 employees revealed that 69% of employees have bypassed their organization’s cybersecurity guidance in the past 12 months. In the survey, 74% of employees said they would be willing to bypass cybersecurity guidance if it helped them or their team achieve a business objective.
It’s not enough to know we’re empathetic. We need a system for practicing it, for making it actionable.
This is one of the reasons I created Cyber Empathy: to surface real-life examples of tactics that work, language that changes behavior, and people who defy the statistics, creating a new standard.
If this resonates, keep an eye on this project. I'll do my best to support you on this journey.