Empathy in Digital Assets Security

30th Nov, 2021 | #6

Digital assets such as cryptocurrencies are revolutionizing how we transact and store wealth. However, they have introduced new cyber threats that go beyond just protecting your password. 

Every month, millions of dollars' worth of digital assets are lost to malicious hackers. Apart from the advancement of hacking tools and skills, the other big contributor to these losses is poor cybersecurity practices. Many digital wallet companies do not take time to explain to their customers the risks involved and how they can minimize their exposure.

Today, I’m joined by Dario Duran, a cybersecurity expert currently focused on digital assets and non-fungible tokens (NFTs). He’s been in the industry for decades and will share his wealth of experience with us. Dario will help us see if there’s a place for empathy in cybersecurity applied to digital assets and what that looks like.

In this episode, you can discover how using a win-win approach while dealing with clients promotes empathy (something you can apply to your own work as well). You’ll also learn the concept of cryptocurrencies and the logic behind their development. And we’ll top it all off with suggestions for cost-effective methods to improve a company’s cybersecurity.

In this episode, you will learn:

  • What practicing and encouraging empathy looks like from Dario’s perspective (04:06)

  • What digital assets are and why you need them secured (10:17)

  • How digital agents can promote empathy after their development (13:53)

  • The most cost-effective way to improve a company’s cybersecurity posture (19:01)

Guest

Dario Duran

Building the tech and relationships to bridge the institutional gap to digital assets.

Transcription

[01:29] Andra Zaharia: Dario works at the intersection of so many layers of super complex technology that I find it very difficult to wrap my mind around sometimes. So, he works in the digital asset space, which is made of cryptocurrencies and things like tokenization and many, many other layers, protocols, and concepts that seem very technically dense. What I found completely refreshing about him and about his work is just the sheer amount of empathy that he uses in his conversations, in his work, and in his contribution to the community. Dario has an incredible background in cybersecurity, in general, in just the elements that made the backbone of the internet, both up to this point and what might be able to shape its evolution in the future. So, talking to him was just an eye-opening experience simply because he highlighted some of the ways that we can cultivate and use empathy in context where that's never the first thing that you can think about. So, I'm very excited to share this conversation with you, and to help you see that behind every role – no matter how technical or how maybe mysterious because you don't know exactly what it means or what it entails – there's a human that is pouring their passion, their knowledge, but also a lot of themselves into their work to try to help other people, to try to keep things on the right track from an ethical perspective, and to try to contribute through something good to our evolution as a society. So, enjoy this episode. And I'll be back with more soon.

[03:43] Andra Zaharia: So, Dario, thank you so much for accepting to be a guest on the Cyber Empathy podcast. I've been looking forward to our conversation ever since I got the chance to first speak to you for a separate project. So, it's an honor to have you here. Thank you again.

[03:59] Dario Duran: Thank you for the opportunity and thank you for the challenge. As I mentioned before, this is the first time for me.

[04:06] Andra Zaharia: I appreciate your vote of confidence. And since we are here to talk about empathy, just to give listeners a quick background, you've been in cybersecurity, basically, since the field emerged and started to be a thing. And it was nowhere near what it is today. And you've seen all of its development stages, you've worked in a number of roles that gave you not just access but influence and impact most in terms of technology and processes and changing people's minds, changing decision-makers’ minds around some things. So, I was wondering what practicing and encouraging empathy looks like in your specific role at this point.

[04:52] Dario Duran: Empathy – we've spoken about it. And then the way you phrased it, “I've been around cybersecurity since the beginnings of cybersec,” it sort of hints to a very, very old person. I was helping to build TCP/IP networks at the transition between X.25 and TCP/IP way back in the day. So, I've been around a while, and I've got fairly long-winded and long-winding experience with security, cybersec, network security. So, empathy is something that, in a business context or in a technical context, I have very little experience with directly. But it is something that when I started to think about this particular conversation, I started to dig into it. And just to remind the listeners and just to remind our own conversation; empathy is our ability to engage with one another, to perceive to some degree the thoughts, experiences, and emotions from the other person – the vis-à-vis.

[05:58] Dario Duran: And in a business context, although I don't necessarily talk about being more empathetic with clients or users, per se, I do speak increasingly about a win-win situation. Do you have emotional intelligence? Do you have soft skills to be able to talk with people? But I think, from an IT security perspective, increasingly, we're looking at conversations where a win-win is something that engages everyone. The win-win conversation is an important one; what does a user have to win from a conversation? What does the security department have to win from a conversation? So, I think packaging empathy as a win-win conversation is maybe something that's very fruitful and useful. 

[06:48] Dario Duran: Real connections in the workplace. And again, focusing on the role of empathy, real connections, real connectivity between people – it takes time. And I think we somehow forget that in this fast-paced world where we're trying to execute on very tight timelines where we're trying to introduce new procedures, new policies on very constrained timeframes; we're forgetting that getting things done in an empathetic, in a sustainable fashion – it takes time. I think that's one aspect which we need to highlight. And the other one, maybe, is that you need a certain amount of resiliency when you're building up these empathetic relationships. You're not always going to get it right. You're not always going to hit upon users who will embrace a new language, a new policy, a new way or method of working. So, you need a pretty thick skin. I think the IT security responsibles in companies, by and large, do demonstrate the ability to be resilient; or in layman's terms, to have thick skin.

[07:50] Andra Zaharia: That is so true. And I think that there's also another aspect of self-empathy as well because I feel like there is such immense pressure on IT and security roles, and people in IT and security roles, from entry-level to the highest most senior roles that are in the industry. And having that ability to cultivate self-empathy to realize that this is a line of work where you can never know everything, and where having a low-ego or no-ego approach is sometimes a much more productive way of approaching things and opens up communication channels to build relationships that you were talking about. I think that that's also an important aspect to consider. And thank you for speaking on that because I believe that with that win-win approach in mind, you're prioritizing benefits for the other person as well, or for the other team that you're talking to, that always changes perspective, that forces you to think differently. It's just like setting up a website and not talking about what we do but how we're serving you as a customer. And that kind of explains that. We already understand the pain points. And there's so much more depth to that, that we could capture right now but I felt I wanted to add that example. 

[09:09] Andra Zaharia: You work at the intersection of digital assets and information security, which adds the entire Venn Diagram of these two things; adds layers and layers of abstraction and it reduces the pool of people who actually get what this is about and the role they have, the role digital assets have in this transformation that we're going through. So, what role does empathy play in making these concepts not just work on a technological level but also work in terms of human understanding? Because I feel that the conversation may feel restrictive for most people, including myself. I still have trouble wrapping my head around digital assets and the security challenges they pose. So, how do you think empathy could help make that conversation more accessible and more comfortable, especially for business decision-makers since they are the ones that have to make all these choices at the moment?

[10:17] Dario Duran: It’s a great question. And it is, by and large, I think, an unsolved niche to the cybersecurity, digital asset management space somehow. In recent years, it's become more popularly well-understood; “Not your keys, not your Bitcoin.” So, that's become a mantra, which I think, has now entered into broader mass consciousness. And there's a lot of truth to that, I think. But it's the way I've always understood it. It wasn't from the beginning but I did grow into this understanding that the importance of a Bitcoin thing, this digital thing that can somehow be transmitted and has value when you receive it and I no longer have control of it; the understanding of what that implies is really not well-understood in the market, and certainly not well-understood in the upper echelons of business. When I get asked, “Why is Bitcoin so important?” I think what many people expect is, “Oh, the price is going up, it's got a lot of value,” and stuff. But the way I always understood Bitcoin is that we all understand, I think, intrinsically, what a bearer asset is. If I give you a $1 note or a 10 Franc or a 20 Franc note, and you have it and I no longer have it, it's very clear that you have control and that you possess something. Digital assets, I guess, your audience will understand well what digital assets are. Because when you're building websites, you're building systems, digital assets are just those things, those files, those pictures, those audio files that exist. And you can transmit them but you can't give any guarantees about control or ownership. And for me, Bitcoin was – and is – foundationally important because it's the world's first – it's not the only one anymore – digital bearer asset. So, when I transmit it to you, the network cryptographically, mathematically confirms and ensures that you have control over this digital thing and I no longer have control. And that very foundational concept, I think, is super important to understand Bitcoin, first digital bearer asset.

[12:31] Dario Duran: Now, what you can use it for – at the moment, it’s turned out that it's pretty good for transmitting value and having some sort of monetary connection to it. But it can be used for a lot of other things. And then we're starting to play with ID management, using Blockchain, using digital bearer assets, using some sort of timestamps on the chain. And all these concepts are super important. I don't want to say that they're complex but they are not something that the majority of people would understand. So, how do you reduce that complexity from this new digital thing which can do a lot? How do you reduce the complexity? And how do you communicate the value, the potentialities of it to “normal people”? I don't have a great solution to that. But what I can say, though, is that when you're looking at wallets that hold digital assets, they all suck. They've got QR codes; they’ve got long addresses, which are incomprehensible; there's language around confirmation time – if you wait five minutes, has your money left and been received or not? And over the past many years that I've been in the space, the wallet interface really hasn't improved. And so then I start to think about what are some of the missing pieces? And this is where our conversation on empathy caught my ear and caught my imagination a little bit.

[13:56] Dario Duran: So, a long time ago, when the internet and the web were starting to sort of nudge themselves into public consciousness, we started talking about digital agents – kind of a digital butler that runs around the network and does stuff for you. So, if you decide that you want to read up on a certain subject matter, then this digital piece of whatever would go out and just grab information from the internet and then serve it up to you on a daily basis. This idea of a digital agent is something which I think is comprehensible. We have not yet approached it. But I can see that digital agents that act on our behalf will be very important to how digital asset management and security around digital assets goes forward and has a role going forward. I can imagine that my bank’s debit card, which holds, in the near future, hopefully, a bit of crypto, a bit of Bitcoin; my mobile wallet on my laptop. All these different expressions of me and my digital wealth and my digital identity, they should all be able to inter-work, inter-collaborate with one another in order to produce results that benefit me. And I think that sort of facility, that sort of digital agent out in the world that is empathetically trying to do the best that it can, as a piece of software, for me; this situation is, I think, important. Who's going to write that code? Companies that are looking for a win-win, in terms of a win for the client to make his world more convenient, which should help a lot as far as bringing a more empathetic basis to the discussion. So, this win-win, this convenience factor, I think, is an important part of it.

[15:48] Dario Duran: And just to close the loop back on how cybersecurity professionals maybe look at this, when they're looking at introducing policies into organizations, I start to hear a lot these days about training and how training should be more personally focused, more personally centric, and how the motivations of the user should be aligned to the motivations of the organization so that there shouldn't be a policy which the user feels is a waste of time. And if you can align the policies, and if you can align the outcomes, and if you can make this stuff more convenient, more bite-sized so that the user aligns himself with security; I think the users will endeavor to do the more secure, the more personally beneficial thing. And this also has, of course, an implication on digital asset space because we do personally have to take more responsibility for our digital presence, for our digital identity, and for our digital wealth in the days going forward, in time going forward.

[16:49] Andra Zaharia: I think you brought a lot of clarity to a very, very complex and very technically dense topic. I really appreciate that. And it's not just that, but you also highlighted some examples and some gaps in the market, in the workflow, in the ecosystem that definitely require more people to pay attention to them and to get personally involved in trying to figure out what these solutions and these improvements look like in real life. And the fact that you mentioned using relatable examples, and being mindful of the language that we use to set expectations for people who are just now interacting for the first time with digital assets or interacting more and more with security policies, and all sorts of concepts that are honestly speaking foreign to them. Because that concept of echo chamber keeps coming up whenever we have conversations, and we try to get outside of the industry to talk to people who have no relation or who are at all familiar with even the most basic security concepts, which is fine, and it happens a lot, and it's a reality. And getting through that echo chamber and actually helping people become comfortable with these terms, and what they mean, and what their impact is on their work and their own digital identity, I think, is a step in helping them just have more control and more self-confidence that they can work with these concepts in a way that helps them and improves their perspective and their understanding of what's going on in the world. Because obviously, this is one of the main reasons we're having this conversation, that I actually started this podcast is that I feel that cybersecurity education is fundamental to us retaining, let's say, critical thinking and improving it, and also retaining our mental clarity and our ability to navigate the world as it progresses far beyond our biological capabilities of actually processing information and doing something with it as well.

[19:02] Dario Duran: You spotted two topics which are super important. The one is, we as humans, we have a firehose of information in our hands, in our mobile phones. And we're confronted with information, which is really beyond our capacity to deal with. I have a great deal of sympathy for colleagues in larger financial institutions that I've been in, that are asked to change their passwords on some sort of schedule, or to keep their passwords very strong, or to be on guard for phishing emails that might come from outside. And when you work for a bank, these tasks are not optional; there are things that you have to be on guard for. But I have a great deal of sympathy for individuals that just don't have time, their work requirements are very high, the information flow is very large, and the time to get stuff done is very short. And you put that all together, then on top of that, the IT department comes and says, “And these are the constraints that you still have to keep in mind. And this is the training that we're going to give you,” which has been historically very boring. It's been mandatory, but it's been very boring. And so anything that can be done to improve the training, I think, will be a huge win because I think training and education, at least in my day, it was the most cost-effective way, the most cost-efficient way to improve a company’s cybersecurity posture was just by ensuring that everyone was better trained.

[19:01] Andra Zaharia: Yeah, because that develops that shared vocabulary and those shared experiences that we really not just understand but feel on an emotional level. Since we're talking about this shared vocabulary and these symbols of trust that we can integrate into our lives. Could you share examples of what cybersecurity looks like when it builds on empathy? Something that came to mind as I was listening to you and speaking about your experience with protocols and everything else, is that seeing that green lock in your browser and knowing that your connection is encrypted, even without knowing what encryption is, it gives you that sense of security, and it helps anchor that symbol, it helps bring it closer and make it familiar and make it reliable. Are there any such other examples that you can think of that show that this is a simple way to present security to a user who doesn't have any background in technology or security but still feels familiar and safe and puts them in control of their actions, hopefully?

[21:48] Dario Duran: I wish I had examples, I don't because this is not my daily grind. But something that's come up in recent times that I've taken note of is that when I'm in a browser – in particular, Chrome, but it doesn't have to be just Chrome – and I'm hitting a couple of different email accounts through the browser, the browser is now starting to ask me if I want to carve it out into a separate space, and the separate space has a distinct color to it. So, now I'm able to, on my work laptop, be able to deal with my work emails in that space A; and my private emails, that has a distinct color, in space B. And it's all within the browser. And I was quite surprised that Google had come up with that notion. But it is useful because it helps me to separate work and private within the same desktop. So, I found that to be very useful.

[22:51] Andra Zaharia: Anything that builds awareness, I think, is incredibly important. Any change that makes us mindful of our habits and puts us in a certain mental space that makes us either more aware of the fact that we need to particularly protect that specific activity such as online banking. I also enjoy Gmail’s feature where it tells you that this is a new email address, “You've never talked to this person before. This person is external to your organization. Are you sure you want to email them?” All of those things and flags are very important. And it is a big way in which technology can contribute to building safer habits and teaching people the value of these micro reactions, which otherwise we’d just go through on autopilot simply because the autopilot is a way to survive in the world, a very complex world that we've been talking about. I deeply value the fact that you lend your time and your expertise and your experience to this conversation, which I'm very much looking forward to sharing with others. Is there a specific set of resources that they could follow if they want to just enhance their understanding of digital assets and security, and how these things come together to hopefully have their own education on the topic?

[24:13] Dario Duran: Well, first of all, thank you, Andra, it was a pleasure. A bit of fun, I have to say, to talk about something which is not 100% part of my daily grind. So, it's been a pleasure. As far as being able to follow me, I'm not, broadly speaking, a public figure. I'm on Twitter. So, for those that are interested in learning about digital assets and getting some level of deeper, technical, and also social or economic perspective on that, I use Twitter almost exclusively as my source of truth for all things related to Bitcoin and crypto. I go to conferences as well. I'm not proposing to follow me on Twitter, but if you go to my Twitter, find me at DarioUTXO and check out who I follow. That'll give you a pretty good sense for the market. These days, I've been putting my nose into traders and how the NFT markets are working. So, there are a bit of new scams that are popping up. But otherwise, it's a good source. And otherwise, I'm on LinkedIn, reach out to me. My channels are open if you've got questions, I'd love to help.

[25:22] Andra Zaharia: Thank you so much. That's very generous of you.