The value of approachability in cybersecurity

4th Oct, 2022#20

The key to being a successful cybersecurity expert is to be approachable and understand the needs of others.

Cybersecurity is a continuous process that touches on many critical organizational functions. It is, therefore, a bad idea to run it in a silo that is unapproachable by teams from other departments. 

When cybersecurity personnel are approachable, people feel more comfortable consulting them and following their instructions. This helps in creating a safety-first culture that can improve the overall security posture of an organization and also help people in their day to day lives.

Our guest today is Tracy Z. Maleeff, a Security Researcher with the Krebs Stamos Group. She previously held the roles of Information Security Analyst at The New York Times Company and Cyber Analyst for GlaxoSmithKline. She is a dedicated practitioner and promoter of empathy in cybersecurity. 

In this episode, you’ll learn the importance of being approachable as a cybersecurity expert and how it can make your work easier. Plus, Tracy shares a few simple initiatives an organization can undertake to promote a safety-first security culture. Additionally, you'll find out how people feel about empathy in cybersecurity in Europe versus North America.

In this episode, you will learn:

  • How Tracy ended up in cybersecurity after working as a librarian (04:10)

  • A common misconception about practicing empathy in cybersecurity (16:19)

  • Initiatives that can truly help organizations strengthen their cybersecurity culture (29:12)

  • How Europeans perceive cyber empathy and its role (34:09)

Guest

Photography of Tracy Z. Maleeff.

Tracy Z. Maleeff

Tracy Z. Maleeff, aka InfoSecSherpa, is a Security Researcher with the Krebs Stamos Group. She previously held the roles of Information Security Analyst at The New York Times Company and a Cyber Analyst for GlaxoSmithKline. 

Prior to joining the Information Security field, Tracy worked as a librarian in academic, corporate, and law firm libraries. 

She holds a Master of Library and Information Science degree from the University of Pittsburgh in addition to undergraduate degrees from both Temple University (magna cum laude) and the Pennsylvania State University. 

Tracy has been featured in the Tribe of Hackers: Cybersecurity Advice and Tribe of Hackers: Leadership books. Tracy publishes a daily Information Security & Privacy newsletter and maintains an OSINT research blog at infosecsherpa.medium.com.

Transcription

[00:42] Tracy Z. Maleeff: That was one of the first emails I've received. When I was a SOC analyst, I replied to a woman's email, and she said, “Oh, there are people there? I didn't think any people actually worked in cybersecurity.”

[00:54] Andra Zaharia: Sometimes all it takes for change to start is for one person to challenge the status quo. And my guest today is exactly that kind of person. Tracy Z. Maleeff—aka InfoSecSherpa—is one of the kindest, most active, and supportive people in the cybersecurity community. Perhaps her background as a librarian in academic corporate and law firm libraries has something to do with that, as you'll hear from the wonderful stories and examples that she shared in this episode. It was fascinating to hear how Tracy changed her career, how she changed paths, why she did this, and how she is bringing about transformation through her role as a security researcher and as an active contributor to the information security community. I love the models that she applies and the way that she's been championing empathy for years — basically, ever since she started working in this industry. Whether you follow her on Twitter, connect with her on LinkedIn, hear her speak on podcasts and conferences, or read her articles, Tracy has a lot to teach every one of us. She has a great way of connecting people from the industry with those outside the industry and helping people see each other from behind their screens. And she shares a lot of simple tips that anyone can apply to use empathy in a very practical way and improve their relationships, improve their work, reduce tension, reduce conflict, and at the end of the day, simply make life easier for everyone involved. When you're doing a complex job, like most of the jobs in cybersecurity, you really need to find a way to connect to people. And I don't mean just by making sure that the physical connections are in place, and that all the setup is working. We also need a connection that's more difficult to maintain and repair sometimes, but that's more important than any of the technical layers that help us communicate with each other. So, here's Tracy, sharing her incredible expertise, her stories, and her examples.

[03:27] Andra Zaharia: Tracy, to have this conversation from one side of the world to the other is one of the reasons, first of all, that I love the internet and how it changed my life, our lives in general. And it's just that sort of magical moment that I'm really enjoying. So, welcome to the Cyber Empathy podcast. I am absolutely thrilled to have you here.

[03:47] Tracy Z. Maleeff: Well, thank you so much. It was a pleasure to be asked. Obviously, I'm a big fan and a big promoter of empathy in cybersecurity. And like I said, I'm of half Eastern European descent, so I am always happy to get in touch with where my ancestors came from. So, jó napot kívánok or jó estét kívánok to any Hungarians listening.

[04:10] Andra Zaharia: Oh, I love that. Thank you for that. I know that there are some of them. I do not speak Hungarian, but that is very nice, thank you. And it's interesting to see all of these things overlap. And this is what cybersecurity surface is for me, actually, is that there are so many ways in which our lives, values, principles, and our general life experiences overlap and come together in cybersecurity, in the work that we do, whether it is for our actual jobs or with clients, but also for the many personal projects that many people have in this industry, one way or another. So, throughout all of these experiences, are there any, let's say, inflection moments where empathy shapes the choices that you made that took you from a career path as a librarian into switching tracks and veering towards cybersecurity, how did that happen? Because I bet that many people have asked you this, but perhaps people listening right now might not know this story.

[05:15] Tracy Z. Maleeff: Well, I can definitely share a link to an article that really well plotted out my whole journey, so I'm happy to share that with you. I don't want to bore people who have heard it before, so let me just give a tiny little story about the change. Actually, empathy was a big part of me finding my identity in information security, I'll get that in a second. So, yes, I have a Master of Library and Information Science degree. I've worked as a librarian for over 15 years. I did a large chunk of that time in law firm libraries, but I also worked in academia and corporate libraries. I never did public or school libraries, that's a different kind of librarianship. So I was very much about the research, about the OSINT, things like that, and then customer service. The very short version is, I decided in 2015 that I wanted to do something different with my life. I read an article called “How to future-proof your career.” I was interested in longevity and I felt like I had done everything that I set out to do in the library world and I needed a new world to conquer, basically. But I wanted to pick one that had longevity to it. I didn't want to uproot my whole life just to pick something that I'd have to readjust again in a few years. So, I knew that would be tech, tech would have longevity. So I first tried going to tech meetups, going to coding classes, and I just didn't really like the tech side of it. Honestly, I didn't really enjoy talking to people very much. And I just didn't really like anything about it and it was kind of a disappointment. But until someone said, “Oh, well, wait, there's this whole other side of tech: the backend technology and cybersecurity.” And once I was introduced to that, my old joke at this point is they had me at port scanning. I was like, “Where's this been all my life? Wow, this is really cool.” That's when I really realized that it's the information security aspect that I would like. So, then I just immersed myself in that. Again, went to meetups, went to classes, did just intensive workshops and boot camps, and things like that. 

[07:36] Tracy Z. Maleeff: Eventually, I realized I needed to leave my job, because I did take the initiative to run a security awareness training in October of 2015 for the law firm where I was working. And the CIO was grateful, put me in charge of it, and that was really great. Except that when November came around, the only thing they wanted me to do was to run it again next year, and I thought, “No, I think this is my career change.” So, in February 2016, I quit my job. A couple of weeks later, I was on a plane to San Francisco to attend the RSA Conference because I created my own business, which I called Sherpa Intelligence. I did freelance research. I used all my transferable skills, all the skills that I had—research, social media, people, networking, communications, writing—and I became a freelancer. And I did have clients who were cybersecurity, who had me do research projects for them. I had other clients that I was a social media manager for. I did all kinds of different things just to immerse myself in the InfoSec industry. So I did that for a year and a half before I was then hired as a SOC analyst for a company. So, that's the rather large nutshell version of it. And then where empathy comes in is when I had my SOC analyst job. And you've mentioned something, I think it was caught on a recording, people not realizing that there are humans behind security. That was one of the first emails I received. When I was a SOC analyst, I replied to a woman's email and she said, “Oh, there are people there? I didn't think any people actually worked in cybersecurity.” And I remember asking some of my coworkers: “Do you not regularly talk to the end users?” And they said, “No, of course not.” And that was very different for me because, being a librarian, it is all about interfacing with the end users, whomever they be—whether it's the general public, whether it's children in school, or in my case, it was lawyers—that was a huge part of it and we talked with them and we interacted with them. And I was just really stunned that that wasn't more of a part of tech or information security. And I also realized that when I was a librarian in the law firm, I remember the lawyers would actually contact the library for technical issues when the help desk was either backed up or, honestly, if they were too mean. Because a lot of times, tech people are mean on the help desk because I get it and I understand why; you're dealing with a lot. But I started to pick up on the fact that for some tech questions, people were contacting the library. So that's also why I felt more comfortable having cybersecurity as my quirky hobby because there were a lot of things I was able to pick up on to help the attorneys. 

[10:27] Tracy Z. Maleeff: So, I developed this talk out of my frustration and surprise of how end users are perceived and spoken to or ignored in cybersecurity. I came up with this talk called “Empathy as a Service” to create a culture of security. And I base that upon this library science principle called the reference interview. And it's these seven steps, which I give a whole hour talk about what I will give and give the link to. And I take the seven steps from library science of “The Reference Interview,” and what that means is just how to speak to a client or a user to find out what they want, what they need, what are they looking for. Maybe you'd be surprised to know how many people really do just show up at a library and just stand in front of the library reference desk and just say, “I need this.” And you have to narrow it down and ask them questions or listen to what they don't say. Over the years, I've been able to refine this talk. But it's really something crucial that you need to take each interaction with an end user and apply this reference interview principle because you need to really listen to them. I've given so many examples that happened to me in real life of times when an end user left out an important piece of information, maybe it was intentional, maybe it was not intentional, maybe they didn't even realize that was important information. But sometimes these people might be scared to contact security thinking they might get fired because they admitted that they clicked on a phishing link or something like that. And approachability is a big foundation of Library Science; being approachable to people. In the library world, we always laughed that there's a thing called Librarian Face that people just, in public, always just seem to approach you and ask you questions because you “look like” you know things. I've had that happen to me more times than I can count. And I actually had a woman say that to me once. I was in Colorado one time. First time in the state, never been there before. She just walked right up to me and just said bluntly, “You look like you know things.” I said, “Okay.” And then she proceeded to ask me a question. And it was a question about where something was in the town, and I did actually happen to know, and my husband said after she walked away, “How did you know that?” And I said, “Well, I did kind of study the map before we got here.” 

[13:08] Tracy Z. Maleeff: So many times, in the past few years that I've been in InfoSec, being approachable has really meant the difference between having a safe network and not. A short story I can share about that is one place I worked, the woman from a department in a company I was working for was intimidated to contact the security team because it's not very approachable and it felt very scary, and she also thought she was going to be chastised for this. So, she approached me. And the situation was they were having a guest speaker from a certain app company and she said, “I would like my whole department of 300 people to download this app and these features, and use it while we have the guest speaker,” because everybody was remote and everything. So, I looked into it and saw many questionable privacy and security issues with the app. And I called the woman back and I said, “I'm really sorry, but I've evaluated this and it's too risky. I'm going to have to ask you to not permit that. That could really be a big problem for us.” And she was really grateful because I didn't chastise her, I wasn't mean. I said, “I hear you.” I said, “I looked into every way to make this work, and it's really just not going to work.” But just fast forward, though, I remember I thought I was very proud of this. And when I shared with superiors what happened, they were actually mad. They were mad that this woman didn't go through the proper channels. And when I tried to explain to them, I'm like, “But your proper channels are intimidating. And wouldn't it have been worse if she had just gone and told them all to do that?” And one of my concerns was that people were going to download and activate this, and then forget about it, and then forget that they had it. So, I was really hurt, confused, and perplexed as to why being approachable, all of a sudden, was a liability in cybersecurity. So, that's one of the pitfalls that I also want to work on is not let that be something that is looked down on. Too many people I've come across in tech, or even cybersecurity, when I explain these talks about empathy and things, I'll get eye rolls or I'll get people who don't agree with me. But I've lived it, I've experienced it.

[15:37] Andra Zaharia: Exactly. And this is something that I wanted to ask you about because you've given us such a wonderfully clear overview of your trajectory, which is, again, incredible to achieve everything that you've achieved and build us and be a part of the community and contribute so meaningfully in—I’m going to say—just six years because it feels like it's not that much but I know that there's a lot of life packed into those six years.

[16:03] Tracy Z. Maleeff: That's a good way to say it. 2015 is when I knew that I needed to leave. But yeah, 2016 is when everything got started and my first job was in 2017. And you're right, yes, a lot of life and a lot of cybersecurity has been packed in this. 

[16:19] Andra Zaharia: Exactly. And I've been able to witness some of that. And I can definitely vouch and I've felt the experience of having approachable people in the community that I can follow, talk to, learn from the conversations that they have in public, which is one of the most meaningful resources and meaningful ways to educate yourself in this space, particularly, especially if you come from a nontechnical background and still have a way to contribute and still find your place and find your role in this industry. So, specifically around talking about empathy and things that seem soft and like something that's not even nice to have. I want to say that these things sometimes some people perceive them as superficial, unnecessary, or “We have much bigger issues to deal with. This is BS. No, I don't have time for this.” What are the misconceptions about practicing empathy have you seen around people? And do you have any examples of moments, stories, or experiences that put those people in a position to experience empathy themselves and suddenly have that aha moment where they change positions on this particular topic?

[17:40] Tracy Z. Maleeff: Oh, wow, that's a lot of questions in there. I’ll try to break that down. Well, let me start by saying that there's a quote or at least a portion of a quote that I tried to often use in my talks, which is, “Don't mistake my kindness for weakness.” I think a lot of people are reluctant to exhibit empathy or practice empathy because they think it makes them look weak. No, that's not the case, and that's why I love the quote. I have pulled it up here, the longer version is, “Don't mistake my kindness for weakness. I'm kind to everyone. But when someone is unkind to me, weak is not what you're going to remember about me.” I like that phrase. I think a lot of people confuse, and they also confuse sympathy with empathy. I don't want you to feel sorry for people. I've never given the same “Empathy as a Service” talk twice, I always try to make it different. And when I first was giving this talk, I would spend a lot of time explaining the difference between sympathy and empathy. I think now I just have one slide and kind of gloss over it. But that's what people I think don't understand. Sympathy is, yes, feeling sorry for someone. But empathy is, like, what's it like to be in their shoes? The way to get through to people is, “Well, let's turn it around and put the mirror on you.” I know my audience says sometimes I use things like, “When you first played Dungeons and Dragons, did you have a mean dungeon master? Did you not understand the spells or how the die worked? Was somebody mean to you? Or was somebody understanding and empathetic and remembered their first time and was nice to you?” And I really feel like that got through to some folks because a lot of people get very tunnel vision; “Well, I can't show any weakness when it comes to defending security policies and things like that.” You need that openness to be able to understand what people are struggling with. So I do have a couple of examples I can give you. One example is, every single day, this woman at this company I worked at, reported the all-company newsletter as spam. Every single day. After I picked up on the pattern of seeing it every day, I asked the guys—and they were all guys in the SOC—about this, and they had some unkind words for this person, like, “Oh, yeah, she does that all the time and every single day.” And I said, “Well, did anybody ask her about it?” And they're just like, “Of course, no. Nobody talked to her about it.” So I reached out to her and just asked, I said, “Hi, I see you report this every day. It's not a malicious email. Can you tell me why you report it?” And her response was, “I thought that's what I was supposed to do.” So, I remember just taking a breath and thinking, “Oh, there's a lot to unpack here.” So, I was thinking about it later, and it sounds like maybe one time they use the company newsletter as a phishing simulation or she got her instruction confused, maybe the training they did wasn't successful and wasn't useful. So this woman had been doing this forever and nobody stopped to ask her. So, once I explained to her that it was fine and gave her just a quick little rundown, and then it went away. And I think somebody noticed that they stopped coming in at those emails, and I said, “Yeah, you want to know why? Because I actually talked to her.” Nobody wanted a part of that, but that's also wasting her time, too, because the SOC was mad that it was a waste of our time, so rather than do anything about it, they just called her a stupid use, and just complained all the time. Whereas I just talked to her, like, “You're not in trouble. Everything's fine. I just want to ask you why we see this email from you all the time.”

[21:41] Andra Zaharia: And on that note, I think that there's an interesting, perhaps, example or something, just a key point to consider here for technical people who are struggling to understand how they might be able to actually use empathy in their careers, I feel that the example you just gave my maybe it applies to them in talking to management, in getting resources in so many ways, in so many obstacles and challenges that they have in just boosting their positive impact in companies because they know that a lot of people, and not just technical ones, but a lot of people in cybersecurity, they genuinely want to do good, they want to do good with their work. But coming from this very offensive, aggressive mindset, and cybersecurity comes from a military background, so there's a lot of ethos around that. That's kind of natural, that's the inheritance that it got.

[22:35] Tracy Z. Maleeff: In some ways, yeah. I think, classically, that's a lot of the mindset. And a lot of people had that hacker mindset, and there are the movies and the stereotypes and things like that. Honestly, I think it's a lot more broad now. But even in the few years that I've been around, I've definitely noticed a change. Because also, keep in mind—not so much anymore, but definitely at first—I think it was a lot of tech folks who then were either assigned in a security job or just drifted and morphed into a security job. So, you're coming from this base of an IT culture, which also has those mean stereotypes.

[23:17] Andra Zaharia: It does, because it creates closeness and it creates the feeling that you're part of a community of a close circle that knows some things that the others don't, which is fine to have. But at this point where cybersecurity is such an important factor in global stability, I don't think we can afford to do that anymore. And having the ability to spread this knowledge and open up communication throughout society, whatever that means, at any level, I think that that is essential. And I think that some people could really benefit from developing their ability to practice empathy because they would be able to progress through their careers and just have more visibility, have more openness from other stakeholders in their companies and in the community to do more good and do more with the skills that they have. But they still nurture these stereotypes and limiting beliefs that affect them as well because I think that once we learn this in a professional context, we can carry it over to our personal lives as well. It's a valuable lesson in behaving as a human and society in general, not just in cybersecurity.

[24:27] Tracy Z. Maleeff: I have another example of empathy that I think might hit home for some of your more tech-minded listeners again. One time at a company I worked for, the security team was asked to meet with the manager, somebody in engineering that was on the tech side. Because as you know, in many organizations, tech and security are not in the same department. He wanted us to review this software because they wanted to use it for their department. But the thing was, they only wanted to use the open source version, which we looked through and saw too many vulnerabilities and things like that. So, we're having this discussion, and it did feel like it was getting a little contentious. And finally, at some point, the manager from the engineering tech side said, “Why do I feel like I'm being punished because I asked the security team to review the software?” And that was like a gut punch to me. I was like, “He is absolutely right.” We were treating them like gatekeepers, we weren't showing empathy. And I was new so I also wasn't really speaking much in the meeting. So I just kind of took a breath and was just signaling to everyone else. I'm like, “Let me try something here.” Basically, long story short, I was like, “Well, what's prohibiting you from using the more secure version?” And he said money. Because the more secure version was the paid version, and you need money. So, immediately, I said, “Who do we need to talk to approve the expense of the safer version of the software?” And he gave me the information. And I turned to our team and said, “Okay, let's write up a report and tell them that they need to get this approved for the paid version to be more secure because of x, y, z could happen, that would be really bad and wind up costing the company a lot more.” I'm really proud of myself for that because if I hadn't spoken up, I feel like that just would have ended with the department just doing what they wanted, getting the insecure software, and then maybe six, nine, 12 months later, dealing with some sort of issue.

[26:53] Andra Zaharia: Plus their relationship decaying.

[26:56] Tracy Z. Maleeff: Exactly. So, that's what you also need to ask and that's what I say all the time is listen for what people aren't saying. And I know sometimes people look at me weird about that. But I put it this way: You know how something should go inside your head, you know how a remediation checklist goes, you know how an incident response checklist goes, you understand how these conversations go; well, is there something that's not being ticked off of a box? And that's what I thought to ask the question of, well, why are you not looking at the other version? Because nobody else was asking that. There's the golden question of, okay, why not? Well, because we can't afford it. Okay, so in my mind, that's not a good enough of a reason to use something insecure. We weren't talking hundreds of millions of dollars, we were talking a couple of thousand. That's not a big deal. So I believe in the end, after writing up a report and submit it, I think they did eventually get the more safe paid version. But that's the story that I like to share with more technical-minded folks, especially in cybersecurity: Don't have that attitude that you're the gatekeeper because you're not going to get anything done. People are then just going to go off and do what they want to do, and it's likely going to bypass security. So you might as well be approachable, be empathetic. And even if it turns out that you can't help them, then figure out a way to help them still be secure with the insecure product. Say it was a $50 million product, just hypothetically, and then that was cost prohibitive. Well then work with that department on how to make them safe. There are ways to do things, just don't say no. Because I think that's what people keep forgetting is, people are going to find a way to do stuff. Shadow IT, they're going to go around you. So, you know what? Lead, follow, or get out of the way. And if you just get out of the way and let them do what they want, they're going to cause a problem. So, I just want people to get that through their head is that there's an expression, “You catch more flies with honey than vinegar.” I want people to be more like honey and less like vinegar. 

[29:11] Andra Zaharia: Oh, yes. That's a very powerful story, especially because I think it also highlights a lot, the value of building relationships and working on that disconnect. Since people's job in cybersecurity is protecting connection and protecting data. We focus on the technical side or we talk a lot about the technical side, which is what most people see outside the industry as well. But the connection that we're we should also take care of is the connection between people. And I feel that those trust relationships are fundamental to making technology work, companies work everything, absolutely everything. And if that trust connection and that open channel of communication is there, even the hardest problems in cybersecurity have a lot of them to solve, and they'll never end, and they're complex, and they just branch out into everything, or almost everything. I think that there's a much higher chance to see that succeed. And one of the beautiful things that I see in cybersecurity, especially in the corners of it where I've had the pleasure to end up in is that I see a lot of that connection, I see a lot of generosity of people putting so much energy into initiatives and into programs for others to use freely and build themselves, build their characters, their know-how, their abilities, and bring that into the industry because we need everyone to contribute, not just technical people. It goes so much beyond that. So, I was wondering if you have examples or suggestions of initiatives that people might be able to join to see empathy in action, to see things at work besides your presentation and the awesome example that you give on Twitter, especially just following your conversations along. So, are there any specific initiatives that you particularly appreciate and have seen make a difference?

[31:04] Tracy Z. Maleeff: Well, whenever any company has their own Cybersecurity Awareness Month events on-site, maybe they do something fun, like have a cake or have games or something like that, any sort of outreach is good, I like that. Another thing that I want to stress to people is even if you don't work in cybersecurity, you can still be an advocate for cybersecurity in whatever job you have. Another way to look at that is cultivating allies for cybersecurity within your company. A real example is I had someone, who was a software engineer, talk to me and said, “I'm feeling all this pressure to get a job in cybersecurity, but I really like being a software engineer.” I said, “You can do whatever you want to do.” And when I explained the concept of being a security advocate, I said, “Well, you know what you can do and that would be really helpful is make sure that you have clean code.” And I talked about being a security advocate, and that never even occurred to them, and they were like, “Oh, I can do that. I like security and I like following it all. I just don't want to do it as my job.” And I'm like, “That's fine. But you can be an advocate for it. You can be a representative, a deputy, however you want.” The one place I worked actually had little cowboy, Old West deputy badges. It was the same material of a challenge coin, so it was like a heavy metal deputy star that we would give to people who went above and beyond. They didn't work in the security department, but they went above and beyond doing security things. The bare minimum thing you can do in your organization is just making sure that people know how to contact security. I think a lot of times there's no phone number, you can't always find the individual person, and an individual may not want to deal with the email—I mean, they should—and maybe the only group mailbox is the phishing mailbox, so it's really not going to necessarily be seen or seen quickly there. I've seen that way too many times that end users are just saying, “I just don't even know how to contact someone.” I mean, that's just the bare minimum of approachability is just do they know how to contact you?

[33:30] Andra Zaharia: Minimized friction and just recognize people's emotional labor, there's a lot of that that goes into cybersecurity both from people who are in the industry but also from people who aren't there but whose values align with this industry who feel kind of a natural connection because they're probably more cautious people who need a bit more predictability in their lives, or they have a stronger radar for risk. Whatever it is, I think that those are great people to turn into advocates to help to recognize among their peers for their efforts to tell other people and to just give them a helping hand when you need to.

[34:10] Tracy Z. Maleeff: And something that I created when I was at one of my jobs is I would give people a “cyber cupcake,” that's what I would call it. But it really just was a JPEG. It was some sort of an image file of a cupcake because we were all spread out. This was before the pandemic, but we were still all spread out so I couldn't physically give someone a cupcake. But if an end user alerted us to something or reported, say, a phishing email that was really sophisticated, I would give them feedback, I would give them a cyber cupcake and say, “Good job! That was a really complicated phishing email that you could have easily fallen for.” And I know it sounds silly, and I know it sounds stupid, and I think that's also what a lot of people are fearful of—of maybe looking silly—I am beyond that. I do not care. I will talk about I'll cyber cupcakes and send them out. Don't take yourself that seriously. But people love it. And I cannot tell you how many messages I would get in response to people saying, “You made my day. This is the best thing ever.” And I know it's silly, but if you just give someone some recognition, then they feel empowered and they make good decisions. And another place where I worked, somebody remembered their security training, they got an email saying that the SWIFT account number changed for this vendor. And right away, that was a red flag for this person, and escalated it. And I remember, I was thinking to myself, “Oh, where can I buy a dozen cupcakes just to give to this woman,” because she remembered her training and we were approachable. She reached out to me and said, “I don't know about this. They're telling me that their SWIFT number changed and that doesn't seem right and let's look into it.” So, approachability doesn't have to be a burden, it can be fun. But actually, I want to turn something around real quick and ask you, because you have a mostly non-North American audience, I have been very wary of giving my empathy as a service talk outside of North America because I'm concerned how it'll be accepted, say, in Europe. I feel like, as Americans, we have the stereotype of being very optimistic and cheerful, and I feel like there are people in other parts of the world that are just naturally cynical. And honestly, I'm a little scared to give my talk in Europe because I don't want to have a whole roomful of Europeans just rolling their eyes at me. So I'm just curious about that. What, from your perspective, do you think the empathy message can be embraced in Europe and made and made fun of? Or is it just pretty much the same amount of friction we get in North America?

[37:03] Andra Zaharia: I think I would say that it's pretty much the same. I say this because, although, yes, there are definitely cultural differences there. And yes, we tend to be a lot more direct. I think that sometimes we may even seem blunt, especially because non-native speakers tend to choose their words differently than native speakers, so sometimes it does come out as blunt. But I think that there's a crisis of connection that many people are experiencing, whether it is in their personal lives, at work, around the meaning or direction that their life is going in, the meaning of their job, which again, cybersecurity creates a wonderful opportunity for you to do meaningful work that actually contributes to something that's palpable, which I think is absolutely fantastic. I think that is one of the few jobs in tech that really does this. I think that the cybersecurity industry has something specific about it, even here, even this community, which I've been in since 2015 and I know pretty well, is that they do care about a higher purpose. So there's a connection there to creating change. And empathy plays right into your ability to create change in communities, in people, in individual behavior, but also at a higher scale. So, I definitely hope to see your talk on a stage in Europe, on many stages in Europe, across Europe, from east to west or the other way around, simply because that I know there are a lot of good people who are a lot more open, especially Gen Z. Gen Z are absolutely fantastic. I have incredible conversations with them. They blow my mind with their level of maturity and emotional intelligence, openness and being nonjudgmental. And I'm talking about people specifically in cybersecurity although they're not developers in various roles, across roles, honestly. And I think that there's a huge opportunity here to change the conversation and finally, let's say, dilute and hopefully put aside some of the stereotypes that have been perpetuating for much longer than there were necessary if they even were.

[39:07] Tracy Z. Maleeff: And what you really want to do is leave your users empowered, not scared, not ashamed. There's that expression of FUD: fear, uncertainty, and doubt. You don't want to leave your users shamed, angry, scared, or embarrassed. You want to leave them empowered. You leave them empowered by giving them information or giving them positive feedback about something that they did. Like I said, “Hey, good catch. That was a really tricky phishing email, you did a good job spotting that and reporting it.” That's worth a lot when you empower someone and encourage them. Doesn't cost anything. Maybe it's two seconds out of your day. And anything you can do. Another one is to meeting the person halfway with language. For example, you saw my talk, so you know I am a big advocate of using online translators and putting the message in English and also in that person's native language, but I will always start off my translation with “I am using an online translator.” 

[40:12] Andra Zaharia: And it's so easy now. These things are so easy.

[40:15] Tracy Z. Maleeff: I know. It's so easy to do and I don't know why people do it. And my rationale for putting both English and the other language in an email is these online translators are not perfect. But I know that a lot of folks if English is not their first language, I know that a lot of people can read English better than they can speak it. So I put both there because if something doesn't make sense in the translation, then they could go to the English part and be like, “Oh, that's what they meant. Okay, got that.” So, give people that power and make them empowered to do that.

[40:55] Andra Zaharia: And that effort of translating to people or just learning one word in their language, I feel that it makes such a huge difference and it already shows openness, it already shows kindness, it already shows “I care about you as a human being.” And that changes everything. And I feel that we all need and deserve that in our lives. And all of the examples that you've shared today with me and for the listeners, they've been just absolutely amazing and they've highlighted so many practical ways in which empathy makes a difference. And honestly, I don't know any context where empathy doesn't make a difference because it really does. It can be small. It doesn't have to be flashy. It doesn't have to be anything super sophisticated, doesn't have to take time. And it always brings out good things in people both in yourself and the person that you're doing it for, which, to me, one of the few things in life that's always a win-win.

[41:52] Tracy Z. Maleeff: And I imagine, in your part of the world, you're probably seeing a lot of Ukrainian refugees. So, I do know that many Ukrainians are bilingual, trilingual, or more. But yeah, if they're going to start to settle in and maybe work in Romania, they might need a little bit more empathy because of all the trauma they've been through, for starters. But yeah, this is a very upsetting and confusing time in their lives. So if they go into your local mobile store in Bucharest, have some patience with them. A long time ago, my husband worked for a cell phone carrier. It was when Hurricane Katrina happened when people were getting evacuated. And I'm in Philadelphia, many were arriving in Philadelphia with just the clothes on their backs. And I just remember, my husband would go above and beyond to try and help these people because they had nothing. A lot of people wound up going to him because they would go to other stores and they weren't as understanding or as empathetic. It's definitely possible. It's really possible to put empathy into anything that you do with technology. And all it does is benefit all of us in the end. Again, I want people to understand this: They're just going to go around you if you're going to be mean and if you're not going to help them. They are just going to cause you more work later, so why don't you be nice to them now? And you don't even have to like the person, just be civil.

[43:27] Andra Zaharia: That’s true. And it lowers stress, it lowers your blood pressure, honestly, it relaxes your body, even if you're not doing it consciously. Again, yes, everyone benefits.

[43:38] Tracy Z. Maleeff: Do you remember the phrase that I taught people in my talk? In the American South, there is a phrase. If someone does something wrong or absurd, they'll say, “Bless your heart.” So, “bless your heart” is not something you would actually say to someone because it's saying something mean but in a nice way. And the reason why I told people to do this is just as an exercise for yourself because I saw too many times, co-workers just start to curse to themselves about end users and get really upset, and it's not good for them—like you said, it's stress—and it doesn't help that you just keep calling users stupid. I mean, believe me, I'm not perfect. There are definitely some times when I got really rattled or things, but I would just take a deep breath and I just say, “Bless their heart for trying. They are just doing their best that they can.”

[44:42] Andra Zaharia: I actually learned this from Brene Brown. She asked this in one of her books, and I really stopped with this question: “Do you think that people are trying their best?” And honestly, I had a hard time. I think that I thought about this for a month and I kept observing people. And my initial instinct was, “I don't think that everyone is trying their best. There certainly are some people who could do a lot better.” But then I realized that, obviously, each day is different. And yes, most people are trying their best. That's the best that they can do at that time. We don't know their context. They'll know their life story.

[45:16] Tracy Z. Maleeff: And you don't know their training, especially if it is a work situation, maybe they weren't trained very well. And like the woman who kept reporting the email, that's what she thought she was supposed to do. So somewhere there was a breakdown in training, which I never saw and I didn't know her situation. So rather than call her dumb, try to get to the reason why. So, again, I only mentioned the “bless your heart for trying” and somewhere in my office here I actually have a sign, just because, to me, I feel like you take a deep breath, they're doing their best, let’s make this right, empower them, and move on. I feel like that's a lot more healthier and productive than just using curse words and getting angry and upset. We're just all doing our best right here. We're doing what we can. Life is hard anymore. All kinds of things.

[46:06] Andra Zaharia: It is, but we can make it better for one another. 

[46:09] Tracy Z. Maleeff: Yeah. Empathy is important. It's not a sign of weakness. It's a sign of humanity, and that's really what it boils down to. Anyone who still wants to fight us on empathy, are you really that inhumane of a person? If you are, then you've got some bigger issues, and maybe you should get some assistance with that. But it just comes down to being humane and just being a good human. And it doesn't really take that much extra effort. And if you just think long term about the problems that you could nip in the bud by being empathetic today, you'll have a smoother tomorrow. So I just want people to be mindful of that.

[46:51] Andra Zaharia: That's a beautiful way to wrap this up. Thank you so much, Tracy. Thank you for showing empathy and practice through this episode and through everything that you do. I’m so grateful that we have people like you in the community to lead the way and to show others how we can actually be better humans, honestly. So, thank you so much.

[47:11] Tracy Z. Maleeff: My pleasure and viszontlátásra to my Magyar friends. My dream is to one day speak at a cybersecurity conference in Hungary. I think my grandfather and great-grandfather would be very pleased. 

[47:28] Andra Zaharia: We will be working on making that happen and bring you to Bucharest as well.

[47:34] Tracy Z. Maleeff: Wonderful. I'd love that. Thank you so much for having me. This has been wonderful. Please feel free to reach out to me on Twitter—I'm InfoSecSherpa—and I'll share some of my other links so you can hear some of my talks and things like that.

[47:46] Andra Zaharia: Thank you so much.