Do you know what happens when "the ask is too high and the trust is too low" in cybersecurity? Requests related to cybersecurity fall flat.
If you’re frustrated that clients and colleagues don’t see the value of your work and don’t take your advice to heart, this episode offers the fix you need.
Along with Advisory CISO and Cybersecurity Strategist J. Wolfgang Goerlich (“Wolf”), we delve into the critical roles of empathy and communication in addressing complex security challenges.
Join us to see how the perspectives we gain through travel can broaden and add nuance to our understanding of global issues.
Get hooked by Wolf’s powerful storytelling that makes cybersecurity relatable and engaging, while exploring the human OS and its limitations.
Find out how empathy, better communication, and Wolf’s heart, head, and hands storytelling method helps demystify risks and potential solutions.
Uncover the value of creativity, interdisciplinary collaboration, and "wandering outside of the box" by looking at the surprising intersection of cybersecurity with art – and even sexuality.
Find inspiration for your next actions in this eye-opening conversation that redefines cybersecurity and puts empathy and effective communication at the heart of the solutions to this industry's challenges.
Tune in to learn:
How much language and tone influence the effectiveness of what we say in IT security (5:09)
Why vulnerability is necessary for good communication, yet carries such a negative connotation in cybersecurity (10:01)
Why empathy is only effective when it becomes a practice (14:41)
What made Wolf pay so much attention to the importance of communication in cybersecurity (17:42)
Why how we do things has a massive impact on the industry (27:01)
Why there’s a place for art in cybersecurity (29:58)
How cybersecurity applies to all areas of our lives, including sexuality (40:16)
Wolfgang “Wolf” Goerlich
J. Wolfgang Goerlich, Advisory CISO and Strategist for Cisco, boasts an impressive track record of addressing systemic cybersecurity issues across various roles. Drawing on his cross-domain expertise in healthcare, financial, consulting, and product management, Wolfgang assists organizations in designing, implementing, and expanding their cybersecurity capabilities.
As a dedicated member of the security community, Wolfgang co-founded and organized multiple events, engaging audiences with lively and thought-provoking presentations. His extensive knowledge allows him to regularly advise maturing companies on security architecture and design, identity and access management, data governance, secure development life cycles, zero-trust security, and more.
- Wolf's website
- Wolf on LinkedIn
- Wolf on Mastodon
- Wolf on Twitter
- Jeffrey Snover
- Why effective leaders must manage up, down, and sideways
- BSides 2022 - Wolfgang Goerlich - And the Clouds Break: Continuity in the 21st Century
- Tell a story with the project name – Design Monday
- Cognitive Dissonance
- Principles for Designing Security Capabilities
- book: Effortless: Make It Easier to Do What Matters Most
- Noah Scalin
- Securing Sexuality
[00:14] Andra Zaharia: Wolfgang Goerlich, aka Wolf, makes cybersecurity an act of generosity. He's unflinchingly optimistic and the spirit and driver of change across the information security space, and well beyond it. As an Advisory CISO at Cisco, he skillfully merges ideas and motivates people to go through that messy middle and come up with creative solutions to security challenges. As a supportive mentor, he brings energy and expands other people's vision, guiding them toward personal and professional growth. As a curious communicator, Wolf actively collects unfamiliar information from sources most people in the industry never explore. That's how he ended up doing the Securing Sexuality podcast and conference with his wife, Stephanie Goerlich. That's what makes Wolf's talks, his articles, and his social media posts so captivating and thought-provoking. With his compass set to kindness, Wolf takes us through the rich tapestry of his work and interests, opening doors along the way. I hope you'll find at least one of them that speaks to you.
[02:04] Andra Zaharia: So it was 2017 when I first saw you speak at DefCamp, which was actually the first time I ever attended a cybersecurity conference. And your talk made such a huge impression on me. My mind was just going at a million miles per hour with all of these opportunities and all of the things that I could do. It was because your presentation took a different approach than almost anything else that I'd seen in the industry up to that point — so, in the two years since I started working. You were such an entertaining and captivating speaker. I thought to myself, 'Wow, this is fantastic that I get to learn about cybersecurity in this way.' I was wondering, what was that experience like for you? And what has it been like to connect with communities around the world because you do a fair share of traveling?
[03:04] Wolfgang Goerlich: First off, thank you so much for those kind words. The fact that you highlight that talk is very interesting, given the topic of today, because the underlying message was: be empathetic to developers. That conversation was coming off of a multi-year — I'll say "research" because research to me means I have a lot of conversations and explore ideas with a lot of people — asking the question, "Does security ever help development?" And the resounding answer was, "Well, why are you asking?" And it was such a good time; it was such a great time to come out to Romania. And to your point about differences in the world: part of my experience is going from community to community, sometimes the United States, sometimes globally, and you're spot on. There are so many commonalities; people have a great deal of affection for each other, they have each other's backs, there is a degree of friendliness. There's always great food, even though the experiences may vary in terms of what that great food is. There are always great sights, there are always people who are very excited to share with you what they're working on. But the perspectives on security often change; the ideas around security often change. And I think people who stay in their own world, meaning their own part of the world, don't get challenged in the same way that you do when you travel, especially if you go to Europe where, of course, privacy is so important and the respect for the worker is so important. If you go to Israel, a lot of things we hear about are the practicalities and looking out for one another with the systems we build and whatnot, and what are we giving back and are we contributing? So there's a lot of different, really intriguing nuances that come out and open your eyes to what people are thinking, how things can be, and how things should be. I've always wandered outside of my box and gone, "Oh, that's a neat idea. Let me go back to my people and see how that applies."
And yeah, that trip to Romania was certainly in line with that; it was certainly a very educational one.
[05:15] Andra Zaharia: Well, I'm honestly looking forward to at least an audiobook about your travels as a cybersecurity expert around the world. I think that would sound absolutely wonderful. And I say “audiobook” because you have such a resounding voice that makes such a big impact. You have such great delivery of messages and the storytelling that you weave into everything; it just makes you a great communicator and a great example for others to follow in terms of how they show up in communities, how they show up online, how they show up in meetings with colleagues, and everywhere else. It makes such a huge difference: the language we choose, the tone that we choose, the energy that we put into our words. And we see this very, very pervasively and very intensely nowadays when we're suddenly looking more at inefficiencies in terms of communication and training than inefficiencies in technology because we've solved, let's say, most of that, not all of it, of course, because it's a really complex issue. But then again, we're stuck. And I feel like there's frustration brewing beneath the surface for many people, that they can't get themselves to understand why some things aren't working or why some things aren't scaling properly. And that always comes back to the individual and their emotional and psychological needs. And you bring incredible expertise that brings these two factors together and brings technology and people together in a way that makes sense, and it's very compelling. So, out of all of the research that you've done and all of these thousands of conversations that you've had with people, what are some of the elements that haven't changed in the cybersecurity industry but are, let's say, more critical now than they were 10 years ago?
[07:17] Wolfgang Goerlich: One of the main things that haven't changed is your point about story. And it's so kind of you to say, but the reality is that it takes me forever to write, so it's easier for me to talk. My wife is an author, and over COVID, she was writing one of her books and I was writing a blog, and I come in, saying, “I wrote 100 words.” And she's like, “Yeah, good for you. I wrote a chapter.” I just can't keep up.
[07:44] Andra Zaharia: Lean into your strengths.
[07:47] Wolfgang Goerlich: Well, the story is the fundamental OS which we all run on. And one of the things that have not changed—and so many security people, so many technologists forget this—is humanity. We still have all the same cognitive biases, we still have all the same limitations. When it was studied how many relationships people could have, the number is usually around 150 — small tribes, corporate relationships max out around 150. This is well-studied. The researchers thought with social media, that number would have increased because we'll have better connectivity or better tools. They found even if you have 50,000 followers, you still have 150 relationships because you forget everybody else. We are running effectively 20 years of technology on 20,000 years of underlying OS, that human OS. And when you look at why projects don't work, why initiatives don't work, a lot of times it's because we've forgotten the human factors. We have not been empathetic. We have convinced ourselves in technology that technology can change the world. And rightfully so, technology has upended so many things, but we fail to account for the legacy that is being humanity.
[09:14] Andra Zaharia: That legacy OS is giving us quite a bit of trouble. And I don't think that it's trouble necessarily, because we live in this hyper-optimized and hyper-optimizable era where we just want to make sure that we're taking in as much as possible and using all of these great things that are around us, which can turn into a frustrating and overwhelming experience because we realize that we can't exceed these biological limits, our emotional bandwidth is limited, our biological makeup is limited. We don't really want to admit that to ourselves because it makes us feel more vulnerable, which we are. Again, this is such a loaded term in cybersecurity because it's something so negative and I'm trying to also shed a positive light on it, because being vulnerable with other people is what makes us good communicators. It's what actually relationships are based on, the healthy ones, the ones that are meaningful. So, given this, let's say, complex makeup of biology and technology and how they interact every day, there's a particular topic that's tied to this, and will probably be for some years to come, which is risk. And I was wondering how you might be able to paint a picture around what human risk is, beyond the stereotypical approaches that we often see just on the internet because they're used by both people in the industry and outside of it, it doesn't matter. They're not really nuanced. They're not really helpful. So, I'm turning to you for a clearer, more nuanced, and more honest perspective on this.
[11:03] Wolfgang Goerlich: First off, I think the thing we need to admit is that the human condition is one of ignoring risk. This happens again and again, and it has to happen. If we paid attention to every risk, my goodness, we’d get nothing done. So, we in cybersecurity get very frustrated. I have told you that there is bad news, and I have been very clear, we'll tell ourselves, in explaining all the shades of gray. And when you've asked me a question, I've said, “It depends.” Fun fact, my New Year's resolution for 2023 is to not say the phrase “it depends.” I was at an advisory call, and the guy said, “Oh, so to sum up, it depends.” I was like, “Wait, did I say that?” He's like, “No. Why?” I’m like, “Because that was my New Year's resolution. I don't want to blow it in March.” But there's a reason for that. I was looking at this series of studies. There was a mega study in healthcare. They looked at nine individual studies trying to figure out why people paradoxically prefer bad news. So my shoulder may be injured a little bit, or maybe injured all the way and I have to stop playing sports. I may have cancer and I have to start doing treatment, or it may be we need to go for more tests, those types of conversations. And they found, consistently, people prefer bad news over ambiguity. Because when it's gray and it's ambiguous, you don't know what to do. You don't know how to act, you don't know where to go. Now contrast that with how in cybersecurity we talk about risk. Well, there are many factors: who is the victim, who is the target, who is the actor. We can always attribute it to the actor. Also, there are many different ways that they can attack you. Here are six different ways. And if you want a full map, let me introduce you to the MITRE ATT&CK framework. Which, by the way, to my friends at MITRE, if you're hearing this, I love you guys. MITRE is great for us. It's terrible for empathy.
And I think what we forget is people would rather be told they need to go for cancer treatment or no longer play sports again, they would rather be told that there is something bad that needs to be happening. They would rather face that than face ambiguity. And yet we bring ambiguity every single day to these conversations.
[13:20] Andra Zaharia: That is an excellent point that I've never heard in the industry before because there are two, let's say, not necessarily conflicting, but rather contradictory trends in communication. One goes towards clarifying things, towards making things more palpable, I guess, more relatable and clearer, just like you mentioned, like giving people something they can understand, something they can wrap their minds around. And the other is bringing in a bit more nuance, making the language a bit more flexible. It's difficult to reconcile these two directions. I don't think that they're opposed, but it is difficult to reconcile them and to make sure that they work and to also teach others how to actually do this in practice. So, I was wondering, because you coach so many people and you work with them on their professional development, how have you seen them transform their teams and their organizations by using these elements in their conversation? What are they leaning towards, clarifying things, simplifying things, or rather bringing in more nuance?
[14:27] Wolfgang Goerlich: Definitely, both. It depends on the audience. One of the things I think we forget about when we talk about empathy — and I'm gonna answer your question, I promise, if you allow me to ramble a little bit. Empathy is a practice, and empathy is focused on an audience. People will say the CLI, the command-line interface, isn't intuitive and isn't empathetic. They'll say that. But is it? You ask any Linux expert about bash and watch their eyes light up, or ask any Windows admin about PowerShell. So, Jeffrey Snover was the inventor of PowerShell, I think he's still at Microsoft, and was extremely empathetic for IT people. He talked about it, he wrote about it. The command line is empathetic, it's just not empathetic for a layperson. It's your kid who wants to play his video game who doesn't want to have to jump down to the command line. You’re a person at home who wants to send an email who doesn't want to jump down to the command line. When we think about these topics, one of the challenges I think people forget is your audience drives that. So we want that ambiguity, we want that debate, we want that discussion, we want the prioritization. I want risk scores and colors, facts and data, and sheets of vulnerabilities so I can dig into it. And that is absolutely appropriate for our internal security team conversations. That's fantastic. But when you bring that out, that's where you get into trouble.
[15:57] Wolfgang Goerlich: There's this concept of the leadership compass. I don't recall who mentioned this, so it's not mine. But this idea is that you manage up, you manage down, you manage over, and you manage out. So, up is to your executives and your board, down to your people, over to your peers, and out to the organization, to the broader culture. Each one of those requires a different mindset and a different degree of empathy. There's a reason why people say empathy is a practice. It's not something you just one day are, "Oh, you're very empathetic today. I've solved everything." It really does need to be continuously practiced. So the debates and everything are perfect managing down, but when you manage up, you need to manage with clarity. Certainly provide those facts and everything when they come out or when they're asked, but you need to have that clarity. And furthermore, when you go over to your peers, you need to have that clarity plus provide depth. Otherwise, I think you're talking too high level or you're being condescending. If you're a security person talking to an IT person, or back to our conversation in Romania, if you're a security person talking to a developer, and you're like, "It is very important you protect web apps because web apps guard the company's reputation," they're gonna glaze over, they don't want to hear that. They want to hear what I need to do. So it really is audience-specific.
[17:21] Andra Zaharia: It absolutely is, and you've always had this knack, which I'm sure comes through practice, work, and thoughtfulness. But you have this knack of really being in tune with the culture and being in tune with the conversation. And I was wondering, was there a particular event or experience that made you pay attention particularly to communication skills and to all of the elements that you bring into security from so many other fields and specializations?
[17:53] Wolfgang Goerlich: When I got started in security, I started out in healthcare, and I was given the title of sys admin and systems manager. I got that title because I didn't know what sys admin or root was, but all the hackers said that's what you wanted, so that's what I asked for. And then the director of nursing, for whatever reasons, started inviting me to the management meetings. So here I was, probably a 17-18-year-old kid, practically needed a booster seat to make it onto the conference room table. And one of the things that fascinated me was that decisions were oftentimes made before people got in the room. Decisions were not made by, to me, what sounded like the best argument. There's clearly something else going on. So I've always, from the very first couple of months in my career, wondered how decisions get made, how people think, how people go about doing these things. And sometimes I forget about that. So I'll give you an example where I forgot about it. Recently, in my day job as an Advisory CISO with Cisco, we do an annual study where they talk to 5,000 people globally and they ask, “What are you doing?” And they looked at business continuity, who's getting good business continuity. And they found that they had great relationships with their executives, they had great relationships with their peers, they had great relationships with the directors as measured by retention, they had great relationships outside into the business org, as measured by culture. I used to teach BCP, I used to execute on BCP, I used to coach on it, and I used to consult on it. That makes perfect sense if you're talking about what matters to the business. Of course, you're gonna have better relationships. And you can find talks, I was down in the Cayman Islands talking about this. But then what happened was we looked at incident response and found the same pattern.
“Hello, well, maybe if you're communicating the incident in a way that matters to the business.” But then we looked at endpoint detection and response, and then we looked at Secure Access Service Edge, and then we looked at zero trust. And again and again, organizations reporting mature capabilities, organizations reporting success, are more than twice as likely to report having strong relationships across those four dimensions. And so is it, “I did zero trust, and therefore I've got great relationships”? No. Is it, “I’ve got business continuity, and therefore I've got great relationships”? No, it's, “Do I have the great relationships and the trust built up?” So, when I come in and say, “Look, we need to make a change,” they listen.
[20:33] Andra Zaharia: And that takes a lot of personal development, in my opinion. I feel like performance in cybersecurity, whether it is as an individual or as a group, as a company, as a community, relies a lot on each person's level of emotional development, honestly speaking, their level of emotional maturity. It depends on that because that emotional maturity, which you acquire with, even when you work towards this with intent and when you invest in it, it doesn't just happen just because you age, and we can see this in people around us. I feel like that has always been considered part of the soft skills territory, and something that's nice to have, but not really important to the business world, which has always been this kind of limited segment in our lives, encapsulated and covered in seriousness. And all of these attributes that, in the past decades, have really been challenged and have proven to be not quite as healthy or as efficient as we thought they were. And now that the culture is changing, I feel that cybersecurity has a chance to offer and to create a network of trust, because that's what we're trying to do through technology, through people; create a network of trust that others can rely on. Even in terms of business decisions or everything else, we just need to keep the world running so it can feel like it can count on something. And to your point about the study and everything that's showing up, what do you see, let's say, in your day-to-day work that are the challenges of measuring these relationships? Because I feel like that's one of the key points that still keeps companies from investing more in this space, simply because it's not something that you can put very clear KPIs on.
[22:30] Wolfgang Goerlich: Yeah, it's not efficient. A relationship is not efficient. Having a friendship is not efficient. Having a one-to-one connection with your peer or your report is not efficient. Because if you leave, that relationship can't be replaced or replicated. And again, people don't scale. We're not built to scale. We can try to scale but we don't. If you're good, if you're talented, you don't scale. You’ve got a very set value that you provide and a finite way of providing value. So the question of measurement is really critical. One of the things that many organizations do is we look at metrics to guide us. And there are a variety of different ways to align metrics. In my way of going about it, I talk about the heart, head, and hands method of storytelling, which is my way of modeling this, which is, you want to get the attention and we talked about something you care about. So, there's the heart. What is the emotional hook and the resonance? But if you're just playing off that, we all know the power of fear, uncertainty, and doubt. We all know the power of that. The next thing you want is head, which is, “Here are the facts. Here are the stats. Here's the metric. We see an uptick in attacks on our external surface. So therefore, we need to. We see an uptick of attacks across the industry coming from remote offices. So therefore, we need to.” It needs to be factual and needs to be provable. But it needs to come after we've gotten their attention and needs to come well after we've built up the relationship. I've heard so many folks say, "I went in with great data, and they just ignored me." Well, probably because they didn't trust you yet. So, heart, head, and the last one is hand. What am I asking you to do? Am I asking you to fund a project? Am I asking you to have your team spend time not building applications but patching? Am I asking you to maybe miss your targets to help me make my targets? There's always going to be an ask. 
Am I asking you as a user to have a little more friction?
[24:31] Wolfgang Goerlich: And that last part is really key. I have recently been exploring solution aversion theory. I talked to the lead researcher; I interviewed him recently about this. And basically, what happens is, and we've seen this in IT security risk management for years, we've seen this with the recent COVID pandemic: if your ask is too high and the trust is too low, there's going to be this moment of cognitive dissonance. And the only way a person can resolve that kind of dissonance is to basically ignore you, like, "Oh, you must be exaggerating, you must be hyping it up, you must not have the right data." And if you think about how we do cybersecurity, we start with the bubble chart of all the breaches. And then we start with the news headlines. And then we spend the next 10 minutes talking about, "If you don't fix this right now, everything's terrible." And then we say, "Okay, now that we've properly scared you, let me go ahead and tell you what I need you to do." And they may go, "Oh, wow, that sounds very scary." And then you're like, "Oh, and by the way, this means you're going to miss your quarterly target for shipping code. Or it means you're not going to be able to have the budget for the new endpoint management suite you wanted. Or it means you're not going to be able to have headcount." And the minute we get to the hands component, this solution component, if they ask us too much, they're gonna be like, “I don't believe you. That risk is overblown, it won't happen here.” And then all security people go to the next conference and go, “No one ever listens to us.” Well, they don't listen to us, because we missed the first two crucial steps.
[26:08] Andra Zaharia: Thank you for just walking us through that model. I think that it is very powerful. It's definitely worthy of illustration, so that it sticks to people's brain, also in a visual format. Because as we were talking about trust, and the amplitude of the ask, I was picturing this graphic that helps you decide if you have all the components or not, if you've gone through all of that stage of building trust of having the conversation before you go in and just overwhelm people, honestly, with your demands, which is what cybersecurity can do sometimes. And the motivation is correct. The motivation is not wrong, people are not ill-intended. But there is an issue of how we do things and how we do things matters as much as why we do things in the first place. And I think that this is one of the things that I'm trying to do with these conversations is to help people get some examples of how to use empathy in their work to make their work easier. I've actually recently read "Effortless," which is a wonderful short book that's focused on the idea that some things don't have to be as difficult as we think they have to be. Well, it obviously dives into details and examples. But this, this stuck with me that sometimes in cybersecurity, we don't look for ways to make things easier, but rather continue to push on with things that are really, really hard. And one of the ways that I saw you take away this just present things were with more levity, with more humor, is that you're bringing in a lot of examples from product design, from other areas that give all of these notions and experiences a more palpable and practical and also relatable dimension. And I was wondering if you could talk a little bit about that.
[28:13] Wolfgang Goerlich: Yeah, I mentioned earlier, I love wandering outside my box. Whatever the boundary is, I just want to poke around and see what else is going on. So, in 2020, on March 13th, Friday the 13th of 2020, we were in Budapest, and we got the message that they were closing the borders. So very quickly, my wife and I hopped on a plane and got the last flight out of Paris. We landed at 10 o'clock at night on March 13th, which we thought was going to be a two-week shutdown. Needless to say, it wasn't two weeks. About three weeks in, a good friend of mine virtually put his arm around me and said, "You're gonna go insane if you don't have a project to work on. You're not traveling. I don't think I've ever seen you stay put this long. Are you okay?" And he gave me this idea of researching product design more deeply because I've always had a love for it. I've always had an affinity for it. So coming out of that was my series on principles for designing security capabilities where I researched and looked at several different classic 20th-century designs, from toasters to cars to MRI machines, to probably the most interesting ones speaking about getting attention and getting projects. Can I tell you the favorite line I wrote?
[29:41] Andra Zaharia: Always.
[29:43] Wolfgang Goerlich: I wrote, "The city is a book of poetry writ large across buildings, Santiago, Chile," and that was an opening of one of the blogs I wrote because I found the story about this guy named Rodrigo Rojas. Rojas was a poet, a professor, and in the '90s, they were building all these buildings, and they needed to name subdivisions. They would come up with an idea for a project, and if they had a good name that could get funding, they would build it. And because of that, he's named the majority, I think it's like 75%, of the city. So this poet is coming up with this very poetic language. And it reminded me at that same time, everyone was working from home. And I was talking to this one CISO friend of mine, and he had a name for his project. I was talking to another director and he had his name for his project. I'm gonna give you both names and tell me which one you like better for a project. The first one is "Split-Tunneled Personal Remote Offices Initiative."
[30:44] Andra Zaharia: That's a mouthful, right there.
[30:47] Wolfgang Goerlich: The second one is “10,000 Branches.”
[30:50] Andra Zaharia: Well, it’s an easy choice for me, I would definitely go with the “10,000 Branches.” Also, because I love trees, and it's instantly visual.
[31:00] Wolfgang Goerlich: It's visual, it's eye-catching. Now, a technologist would be like, "Why are you naming it that? I want to know that it’s a split tunnel.” And all these things are very important. So maybe you have the external title and you have the internal title, I don't know. But the CISO with the 10,000 Branches is like, “Yeah, this one is calling my initiative to my executive team.” I said, “I love that. That's fantastic. But why?” He goes, “Well, we used to be really good at controlling 100 branches. We have the technology, we have the capabilities, we have the team, we had figured it out over decades. Then with a flip of the switch, I have 10,000 branches with all my employees being at home under their own branch office. So it's the 10,000 Branches project.” And I was like, "You are a poet. You remind me of Rodrigo Rojas, you remind me of the story I heard about Santiago." And this throughline, I think, is all over the place. Because, again, what product designers do is they create experiences, they create capabilities, they create things we touch and feel and use every day. And at the end of the day, that's what IT and IT security people do. So there's so much overlap because the commonality of both is that 20,000 years of humanity, which we are serving and protecting.
[32:15] Andra Zaharia: And it's super interesting that you're highlighting this role of being a creator because I don't think that many people see themselves as creators of their own craft, processes, and their own technology, even of the ways that they are using this technology because everyone's very unique even if the technology is the same. To me, your examples also reminded me of the place that art has in cybersecurity or in disciplines; they tend to be sometimes a bit more conservative than they would like to think. I have seen technologists be a lot more conservative and inflexible than they would like to think simply because we talk about technology and cybersecurity moving very quickly and things happening and so on and so forth. But that's not the same as flexibility. Speed is not flexibility. They're not alike. And I think that bringing designers and communicators and product people and all kinds of artists into the space is one of the key things that we're missing for the next stage in the development of cybersecurity as a core discipline that contributes to society, because it does, and one that we can't do without at this point in time. So I was wondering what types of, let's say, examples of people who are more artistically inclined or inclined to pursue other kinds of expression in cybersecurity you've come across, and perhaps how does it influence you?
[34:02] Wolfgang Goerlich: That's a really good question. First off, I do want to say that painting reminded me not everything works. The toaster talk went over well. I did a talk on painters and how artists could inform cybersecurity. And that was the quietest audience I've ever had. People were walking out. That did not go well. So not everything works. But I think your point is a good one, but I want to push back on it a little bit because there is this idea that painting is something for painters, singing is something for singers, creation is something for the creatives, instead of just 'this is what humanity does.' And I feel like I'm talking a lot about humanity, so I apologize. This is the morning you've caught me, and we're recording in my morning time, in my timezone. Wouldn't it be wonderful if we just recognized that everyone could be creative? Wouldn't it be wonderful if we didn't have to have a degree of efficiency tied to how well you laid the paint or an outcome tied to how well you sing? I'm a terrible singer, by the way, and I will sing all day long at home in the privacy of my own house because it sounds so bad I don't want to inflict it on anyone else. But there is that shyness that a lot of us feel — “I am an engineer; therefore, I'm not creative.” And I think if people gave themselves more latitude in life to be creative in their jobs, cybersecurity is super creative. It is an artistic and craftsmanship field. It's very new, we don't know what works, we don't know what's going to happen. It is very much jazz, not orchestral music. And yet, we tend to shy away from that because we don't want to be seen as creative. Perhaps maybe creatives in our mind are people who don't deliver because we don't think we have it in us because we don't recognize the creative process. There is a number of different ways.
[36:03] Wolfgang Goerlich: In the United States, in the pandemic, there was an Old Navy commercial. And this artist went and he laid down all these Old Navy clothes. And you watch it sped up on YouTube as he laid out all his clothes, because I think he did it over two weeks and you saw it in two minutes. And as he was done, the camera zooms up and he realized that it's a mosaic of people — really beautiful. I saw him at an event in Seattle where he was talking to CISOs, and he deconstructed that; he said, “No one in this room could do that. Do you all agree?” “Yeah, we agree.” He goes, “Neither could I.” So if you go back, what happened was one day I was making this type of art and another day I thought that was fun and I'll try this. And he had a habit of every day doing one small piece. And then he paid attention to what worked and he built off that. And eventually, he was able to do this really cool visual. And he learned that in small ways along the line. And oftentimes we think creativity is this genius. And I can tell you, I've worked with genius CIOs, I've worked with genius CISOs, I’ve worked with people who saw the impossible. I come from Cisco, from Duo. At one point in time, Dug Song said, “Oh, phones are now a thing, why don't we put multifactor on that?” And recognize these changes were happening and recognize the need for empathy for the user, and completely upended the multifactor environment. I've seen this happen again and again, so I can absolutely tell you these hero stories. But I would say, for anyone listening, I think what people need to realize is they have that same capability. They just need to start and explore and give themselves permission to fail, permission to succeed, and see their work as being creative.
[37:59] Andra Zaharia: And embrace that process wherever it leads them because I think that's one of the things that actually happens a lot in cybersecurity, but we don't often see it, is that when people follow the process of just pursuing their interests in cybersecurity, they end up working on things that they never would have imagined doing. And I've seen this story repeat over and over again. But just like you mentioned, we don't recognize it as such and we let these self-limiting beliefs get in the way. And if no one holds up a mirror so we can see them, but without judgment, we might never overcome them and still get stuck in just a space that feels very limiting. I actually read this in a book at one point, and I love this idea, and I wanted to bring it up here because I think that it connects really well. The author says that when we're children, we live in this castle in our mind. And we open up all of these doors and discover wonderful places. And all of the rooms are colorful, and they're different. And it's amazing. But as we go through life, we start closing some of those doors because someone told us that design is ugly or someone told us that we're not allowed to go in that room. And we end up in adulthood living in a two-bedroom apartment in need of renovation. And that metaphor stuck with me so much in terms of what self-limiting beliefs will do to you. And the value of having them just exposed and challenged and persevering in spite of them, which, again, is an act of self-empathy, it's an act of self-compassion, of giving ourselves the grace and patience that we might more easily give to other people, but it just comes harder to do that for yourself. So just having those examples around us and talking about this, I think, makes it a bit easier to start opening the doors to those rooms that were closed such a long time ago. 
Speaking of topics that don't often come up, you and your wife are working on a project that brings cybersecurity and sexuality together in a way that would probably surprise most people because putting those two things together probably doesn't make sense for a lot of people, just like empathy and cybersecurity sometimes don't really connect from the first go. And I was wondering how that project happened and what that looks like, and perhaps what you learned through it, because it is incredibly interesting to me.
[40:41] Wolfgang Goerlich: My wife and I are working on an initiative. We've got a nonprofit, and we're doing a weekly podcast and an annual conference. She is a sex and relationship therapist, author, and teacher, and I am me. So, the security I bring and the sexuality she brings out. I'll tell you two different stories on that. Do you want her story? Or do you want my story first?
[41:09] Andra Zaharia: Well, let's start with her story.
[41:11] Wolfgang Goerlich: She was approached by a gentleman who was making a web app. It was for a community that she serves, for a population that oftentimes their relationships and their communications get weaponized, used against them in the United States. As you undoubtedly know, many of your listeners know, the United States can be a little bit backward about a lot of these topics. So it is an area that this gentleman was building an entire site to bring all the folks together so they can communicate, meet, and do these sorts of activities. Being with me, she's like, "Okay, but what happens if someone hacks that? What happens if someone steals that?" "Oh, it's anonymous." "Alright, well how anonymous?" And so she reached out to one of our mutual friends. We know plenty of hackers. He's like, “I can't pen test this.” She goes, “I know that, but can you just take a look at what you could see that's public that's open, and just give me some advice, should I share this with my clients or not?” And within 30 minutes, he came back and goes, “Don't, because I can do this, I can do that. The APIs allow me to link into their Facebook very quickly, I can take any profile and figure out who it is.” So that was really a wake-up call in two ways: One, a lot of the technology we have at this point in time creates a life where you can go from being conceived, being named, being born, through school, to meeting the love of your life, to getting married and having kids of your own. That entire path is on technology. And when you ask people what they think security is, they don't talk about fixing a SQL vulnerability in an app; they talk about protecting their friends, their family, keeping their loved ones safe; they talk about keeping their finances, their home, their cars protected; they talk about fundamentals. And oftentimes we are in cybersecurity, we're in the weeds, rightfully so because everything is on that tech stack. But we need to have empathy for that bigger picture.
[43:13] Wolfgang Goerlich: So that's when she came to me. Meanwhile, there's this device that men will put on themselves because they have a relationship with women, and women say, “Wear this.” And that's the relationship they have and the men put it on. It got held for ransom a couple of years ago. I was friends with a guy who found the vulnerability and disclosed it. And I was listening to all the cybersecurity people who thought this was hilarious, like, “Oh, that's so funny. Oh, they're being held for ransom.” And every one of Stephanie's peers was just mortified. Think about what that does to the trust and relationship. You trusted this person who asked you to do this to keep you safe. Think about the shame that this person may have already had that’s now exacerbated. Think about how scary that must have been to take bolt cutters and remove this thing from you. So, it occurred to me, had that company who was making this just have a better understanding of cybersecurity, have a better connection with the hacker community, have a bug bounty, have a process, because this vulnerability was reported to them a year or two before it was weaponized. But they didn't have any way of acting on them. And so we started talking about both of these trends and the differences in her world and my world and the similarities, and we started this project. And we're really having conversations with the entire gamut. People who are building technology, people who are hacking technology. We've talked to philosophers about what consent looks like, how do you think about this in terms of rights? To your point earlier, we're having these conversations between the US and Europe, so we're getting a good flavor. If anyone's listening to this outside the US and Europe and wants to come out and reach out to me because I'd love to have that conversation. But philosophers about how to think about these changes, we're talking to people who are in policy and law, who are fighting against oppressive laws or fighting to shape laws to support privacy, or talking to therapists and people in psychology who are helping regular folks adapt to these changes and have good relationships. And we're talking to lay people who are just trying to get out there and protect their pursuit of pleasure. So it's created this lovely set of conversations and this really great way for me to recontextualize what I used to think of cybersecurity in a much more personal way.
[45:44] Andra Zaharia: And you're bringing this information to people who also value it a lot, who are also open to understanding it. Speaking of finding the right audience and setting the right context and creating a space where that conversation can really mean something for people, and not be pushed onto them, but rather pull them into the conversation simply because they're interested and they're intrigued by this intersection of things. And I thought this was a wonderful way of you, again, contributing well beyond the cybersecurity industry to help others. And that level of contribution is something that I admire a lot, something that I seek to do myself in my own way, simply because that's where we make the biggest difference. Not just talking amongst ourselves and sticking to our echo chamber, but going far, far beyond that and just meeting people where they are in a truly empathetic way, not just in a self-congratulatory way, which sometimes conversations in this industry can happen. We have to be honest about that.
[46:56] Wolfgang Goerlich: You absolutely do. And I love the focus of this podcast, and I've sent so many people to your podcast. I know you say you try, but I think you need to give yourself credit, you absolutely do. You've helped shift and shape this part of the conversation, which is fantastic.
[47:12] Andra Zaharia: Thank you so much. It means the world coming from you. And I'm really excited about just bringing people from all of these spaces to bring their own perspective to add their piece to the puzzle and to build together something that has a little bit of something for everyone because there has to be a story that resonates with a particular listener. And I too need that connection. And I know that you do too, in so many ways. So thank you for allowing me to hop from topic to topic with you. We could go on for many hours, and perhaps we'll do a second follow-up episode to this. Thank you for being here. Thank you for everything that you do and for the examples that you set for the rest of us.
[48:02] Wolfgang Goerlich: Thank you so much for having me on. It's been a pleasure. It's so good catching up with you.