Creating real change in people’s behavior is one of the biggest challenges in cybersecurity. That’s why I often tell people with no connection to this space that technology is secondary to human psychology when it comes to protecting the tech ecosystem our lives depend on (which is not an exaggeration).
So the strategy companies choose to get their teams to care about information security practices is critical. Approach them with a checkbox-ticking attitude and you’ll just waste everyone’s time, deepening the rift between their universe and these foreign notions with zero emotional impact.
But focus on building meaningful relationships and you get the opportunity to expand your ‘bubble of trust’ to bring out the best in others. This makes it easier for anyone to find a personal connection to cybersecurity principles and tactics, increasing their willingness to try them out on their own.
Once you’ve achieved that moment of lift, you need consistency to prove that alignment between what you say and what you do – as an individual, as a team, or as a company. This allows us, the security advocates, to be effective in the long term, even as new challenges continue to crop up.
There’s no better real-life example for this process than John Opdenakker, champion of web app security and security awareness – both at work and in his contribution to the information security community. We both share a keen interest in human psychology and the role empathy plays in advancing cybersecurity as a key element for stability, continuity, and progress in the tech world and beyond.
In this episode, you’ll hear about how John practices empathy through his work and how it translates into real value for his colleagues. You’ll also learn about how creating relationships makes it easier to have meaningful conversations about cybersecurity. We’ve even included a real-life example of how an institution effectively handled a data breach in an empathetic way (yes, it can be done!).
In this episode, you will learn:
How John practices empathy to advance his security awareness work (05:15)
The essential role good relationships play in creating a sustainable security culture (10:33)
How John gets fellow security specialists to replicate his approach (12:52)
Where he feels empathy is lacking the most in cybersecurity (19:34)
The best communication strategy to create a positive impact in cybersecurity (27:08)
Security professional with a knack for using humor to expose poor practices and outdated misconceptions, John leads the way to real change in how cybersecurity reaches the people who need it the most. He's an active promoter of the elements that create and sustain a security-focused culture in any organization and one of the people who values kindness and empathy.
[01:30] Andra Zaharia: The people I've seen make one of the most meaningful contributions to the cybersecurity space are those who have found a match between their personal values and the values of the hacking community – ethical hacking, that is, of course. So, today, I'm happy to share this conversation with you with John Opdenakker. He is one of my former guests in the decision-making podcasts I used to do, actually, called How Do You Know? I last talked to him about two years ago for the podcast. And I've seen his positive impact in the community grow over the last few years, and expand through everything he tries to do to help educate others around why cybersecurity is important and how they can actually build it into their lives. And we're talking not just about technical people or people who work in the industry. We're talking about regular people like you and me, who don't have a technical background, but who still care about these things because, as I mentioned, their personal values guide them towards these topics. So, it was interesting to see how John moved from application security, which is basically making sure that developers ship secure code so you have safe-to-use software that has as few vulnerabilities as possible because having a completely vulnerability-free application is almost impossible. So, he moved from application security to managing security programs. And he has some really exciting examples that show how you can get people to join you on this journey of using cybersecurity as a lens and understanding how you can build valuable skills for yourself through training in all things digital security. So, you'll find that John speaks with a lot of passion, excitement, and energy about this topic because he cares so much about it. And he practices empathy, kindness, and generosity in his contribution to the InfoSec community. So, I hope you'll join me for this episode. 
And I hope you take as many useful ideas and inspiration from this episode as possible. Talk to you soon.
[04:16] Andra Zaharia: John, I'm so thrilled to have you on the Cyber Empathy podcast. This is our second time, actually, talking in the form of a podcast; we did this two years ago for my previous podcast, How Do You Know? I will link to that episode because it was really good, as well, everything that you had to say. And now we're tackling a new topic two years later, which feels like 10 years later, in both good ways and not great ways too. But I'm excited to have you here since you're one of the most kind, empathetic, generous, very patient people that I know in cybersecurity in general.
[04:54] John Opdenakker: Thanks for having me. And thanks for the very, very nice words. And indeed it has been, I guess, two or three years since we recorded the previous podcast. But it seems, like you said, 10 years. And yeah, that's correct.
[05:09] Andra Zaharia: And emotionally, it feels like a decade.
[05:10] John Opdenakker: Yeah, emotionally, each year was like five, I think.
[05:15] Andra Zaharia: Yes. But still, I think that we tried to do our best during this time and take all the good and the bad, and just draw out the most life lessons that we could from them. So, that's why I think that having been through all of these challenges, all of us, I think that it helps so much to reconnect in this more human, kinder, more soothing place, I guess, and kinder conversations and warmer conversations that can replenish us a little bit and give us a little bit of energy. So, given your specialization and your background, I'm very curious to find out and to show listeners how you practice empathy in your work and in your contribution to the community because you're an active contributor in many, many ways.
[06:05] John Opdenakker: Well, yes, active as in I'm on Twitter and sharing some blogs and some bad jokes as well. But what you said, if I may come back to that for a bit, what you said is so true, we need some positivity, and that's why I'm trying to make a positive contribution. I'm not always succeeding, let's say, but at least I try in my job. For instance, last year and this year as well, we're trying to make the next step from security awareness towards really a security culture. Because what I mean by that is that awareness is like the usual sessions; you have the lunch session where someone's going to tell you something about the latest risks or why data breaches happen, why you need strong passwords. And that's very, very general. And as such, that's a good thing. But it's not because people are aware that they necessarily will change their behavior. And that's what really struck me, that we and, I think, a lot of people are doing the same over and over again, and expect to really make a difference. How that relates to empathy is quite simple. In every conversation I have with a colleague or a coworker, or if it's a team meeting, I just try to understand how they do their job, talk with different departments. Feel what they do, get a sense of what they do, and make the reflection on what we ask from them. It’s a changed process for him. So, if we're really going to stand a bit in their shoes, we will understand which problems they have. If we literally ask, “Okay, we need to do this,” also explain why. For instance, “We need to use strong passwords. We’re going to do this with the password manager.” But if we don't know how they do it now, what's the perceived barrier for them to use the password manager? How will we get them to use the password? It’s one of the examples, there are so many others.
[08:03] John Opdenakker: And each conversation is actually an opportunity to – if it's an individual conversation or the team – just get that sense, talk with people. And after all, being nice and being kind to people, it just pays off, because what I noticed, it's really about having more communication. You can do an email to a team, but it's also about reaching out to individual people. It’s more and more difficult because there are no coffee corners anymore, or in your own house, of course. But that really pays off, and it also makes the job a lot more worthwhile. Because sometimes, it's not always fun being a security professional. And if you then approach people in the wrong way or just do another session with no results, it's just frustrating. And what we just see is that it gets better and better. And people come to reach out to me, not only to me, we have a team of security champions, reach out to us. It's both ways. It's not one way from us. And then you feel that relationships are built. And this is where empathy matters so much because if you just say, “Here's the policy. Execute it. Good luck with that.” But it won't work. The policies are important for all the reasons, but really the translation between the policies you need for security compliance or whatever reasons you want or need them. But you, as a security team, must facilitate that people can reach that. I see ourselves as a service department. A lot of people don't like to hear that in the security profession, but we're really there to help people. And sometimes we have to say no because things are really, really bad. But those should be exceptions. I mean, if the house is burning, you have to take action. Then empathy is maybe not in the first place, but you know what I mean.
[09:59] Andra Zaharia: I think that you did a great job at painting a very vivid picture of what it looks like when things work when you're actually interested in people when you take their context into consideration and you try to actively explore it, and actively connect to that context, and get people enrolled, and get people to have skin in the game so they can feel like this is something they can do and something that matters to them and something that helps them on an individual level, not just as an employee, part of a company that they just have to do this.
[10:33] John Opdenakker: I think they’re still too much focused on the work context, the professional context, it has to be about work. No, in each conversation, get to know the person. And it's not only about security, it's about making connections in life. It's really worth it. And also, a few security content. For instance, we have communication channels, and there we focus more on personal security. And you see that that pays off because if you're interested in the person and tell them, give them advice, give them if there is happening something like the Facebook hack was beginning of the year, if I'm from direct, those are events they can relate to. We can debate whether Facebook is still cool or good to have a Facebook account, but a lot of people still have that. You can relate to that and then make a story and tell them, “Look, if your phone number was a part of the breach.” You can’t do much about your phone number. Maybe you can put another form of two-factor authentication and you can remove your phone number, but also you have this awareness learning moment, and it's in their personal context. And all these aspects combined, it adds up. And then after a while, people get more confident, and that's important. Like you said, they feel “I can really change it.”
[11:54] John Opdenakker: And after all this, I'm going back again to the example of the password manager. This password manager is even a productivity tool. I know you tweeted about that, Andra, but it's perceived as a security tool, which it obviously is. But I'm not losing the time anymore to look it up on a paper and type my password, or even worse, type my reused password everywhere. So, it's an announcement. It also should be a part of your story. We professionals are often too narrow-minded; security, security, security. And it's not good. There's more. Security is only one aspect, there are a lot of important aspects for software or applications or processes. But after all, if your product doesn't work or isn't sold, good luck with your security. The other way around, of course, as well.
[12:52] Andra Zaharia: Exactly. It all works together. I think that this is actually one of the things that I love about cybersecurity, and that probably people outside the industry don't see as much, is that when you work in this field, there are so many concepts and there's so much knowledge around the fact that it cultivates systems thinking. So, it gets you, it really enhances your critical thinking. And it helps you see how systems interact with one another and what happens, what the effects and the consequences of that are for your life. It helps you see five steps ahead. Whereas, without this knowledge and without having security anywhere in your mental universe, without it, you wouldn't be able to make those connections. And that kind of thinking in those skills, you can actually apply them in other areas of your life. That's why I advocate so much for just having the very basic knowledge of how security works simply because it actually helps you think better and more clearly, and hopefully, make better decisions. Just like you mentioned in your example, which we thought was extremely well placed in this context. So, when you work, obviously, you're a security champion, you advocate for cultivating empathy. Even if you don't use these exact words, you lead with empathy in your work inside a company. How do you get fellow developers or fellow security specialists to cultivate the same approach? Because for some, it comes naturally; for some, it doesn't, which is absolutely fine.
[14:26] John Opdenakker: Several aspects to that one. First of all, we also worked on onboarding. So, everyone who joins the company will get security onboarding. What does that mean? They see they will have a welcome conversation with myself or another security champion. They will get informed about “Hey, we use these, these, and these tools. Why do we use them?” Always the why, not only what we use. Because, obviously, that justify look at a lot of things, professionally, and then even broader than that, often the why is left out. And then just have to look at myself. If I don't know why I have to do something, I will have resistance. If they say that I have to, yeah, I will.
[15:14] Andra Zaharia: But it’s gonna bounce right off, basically.
[15:19] John Opdenakker: So, from the beginning on, that's one part. The other part is, like I mentioned, just as we have security champions. So, we identified not only in our software, we identified application security champions, but we also have what I like to call awareness security champions or process security champions. They all do their part of awareness and process security, which is related to application development, of course, but just to make that little nuance. We have them in each team. How’s that helpful? Because they're close to the team. They're within their team and they’re with their teammates, they know each other really well. So, it's a lot easier to capture feedback, honest feedback, because they're coworkers. And that's one thing. If we need to change something, we can distribute the change easily across the teams via the security champions. So, it's things like that, that help. And then we have mandatory security training. The word mandatory is a shame, but it is mandatory. But we are lucky that our development members are really also interested. We also hired them on, not, per se, on knowledge, but on willingness to learn about empathy. And they need to be privacy and security-minded.
[16:42] John Opdenakker: So, you can see that from simple things. And when you have the first conversation with potential employees, with the candidate, all these pieces fit together. Of course, the count start from zero, let's say, there is the current situation, and there is a need for more awareness. And that's where these security champions played a role and other initiatives. And what we also do is general information, like I mentioned, but also targeted sessions with specific content for the teams.
[17:15] Andra Zaharia: That's a lot.
[17:17] John Opdenakker: It’s kind of an entire program with its own little or bigger projects, we realized, within it.
[17:24] Andra Zaharia: It sounds really good from every detail that you shared with us. It is so clear that this is so focused on the human aspect of doing our jobs. I feel like why did it take us a pandemic to realize that this artificial barrier between our professional selves and our personal selves is, well, artificial. Anyway, it took us a pandemic to realize that. It took us this sudden, physical disconnection from one another to realize how much we need one another. And I guess that this is more visible in cybersecurity than in other fields. It is so visible how much we need each other to make things happen. Just like you mentioned, you need someone on the team who you feel comfortable and familiar with, so you're more receptive to what they have to teach you, so it doesn't feel something that's foreign and imposed and artificial and abstract, so it feels something that you can actually relate to on a personal level, on an emotional level because we're all emotional creatures. And I love how you highlighted the fact that you also hire people based on the match between their personal values and the values that you cultivate, not only as a company, but these are values that the cybersecurity community cultivates in general. I'm not talking about the commercial part because that's another aspect to it. Sometimes the community and the commercial aspect overlap, but sometimes they don't, which we see every day. And I'm really glad that you mentioned this. And I just wanted to bring up Wolf’s tweet that we were talking about earlier around the fact that good security reflects your values. I thought that was a beautiful way of putting it and a very clarifying thought. And that is so true. I mean, I'm in this industry because I resonate with its values and its principles. And I bet that this is something that you feel as well, just like many of us do.
[19:19] John Opdenakker: Yeah, maybe some companies should be more like that. But that's a whole different story.
[19:26] Andra Zaharia: Leading by example is the best we can do.
[19:29] John Opdenakker: “We take your security seriously” is often way too little, way too late.
[19:34] Andra Zaharia: So, I was wondering, because you see so much through your work, and the fact that you're very immersed into this field. I sometimes try to not call it an industry because that part, it feels like it's a bit farther from our values than we would like it to be. So, you probably see a lot of moments where empathy is missing. And I think that one of the things that you're also very familiar with and you follow is when a company has a data breach, which happens very often nowadays, and how customers find out about that breach, and how their expectations are set. So, where do you feel empathy is lacking the most in this process that is very critical and sensitive for so many people?
[20:21] John Opdenakker: For me, it starts already one step earlier, before the data breach happens. There are companies that just gather a lot of data they don't need. You could see that as a data privacy issue, which obviously it is. But that's also, security-wise, an issue for people who reuse passwords, put all their data there, it gets hacked out of the database of Company A, and they go to another site, and then they just assemble a mass amount of data of everyone. And what does that have to do with empathy? If a customer entrusts you with data, it's your moral duty, I'd say, to protect it as best you can. I mean, I'm naive because a lot of companies just don't do that, but you would hope that this was the case. And then there’s also this correlation between companies, not the Facebooks of this world but the smaller companies, which are not good at privacy and ask all kinds of data are, obviously, often also not good at security. That's just a little nuance I wanted to make. Facebook is, obviously, quite good at security but the rest of you can’t compete.
[21:32] Andra Zaharia: Yeah but it happens to them. Actually, I think that most people assume that, by default, companies do a very good job at this. Most people just assume.
[21:40] John Opdenakker: I actually don't know. That's a good point. In security breach, I think most don't assume that. But also, we must be fair, it's not that smaller companies are just running behind, but they don't have the budget either. But even then, there would be with some small adoptions. Okay, breaches happen. But then what, for me, is important, what do you do afterwards? First of all, I would apologize because I had to protect the data of the company. And it doesn't matter that there was a vendor who got hacked, it doesn't matter. The customer has a contract with our company, we're responsible, apologize, own up, and say, “Sorry, this shouldn’t have happened.” Leave the phrases like, “We take your security seriously. Privacy is at the heart of everything we do.” Leave them out, please. I mean, this is just pure nonsense. Because there is a reason why companies can't immediately disclose. But obviously, they're hiding behind it. A lot of them don't tell what's happening. And that's really frustrating because you got my data, you didn't protect, it's as good as possible. Or maybe you did your best, that doesn't even matter. At least if you're honest and you say, “This this went wrong. This was the reason why your data got stolen. Hopefully, we promise to do better and just take these and these actions.” That's mostly in the disclosures nowadays: Change your password and also for other accounts where you used the same. But just an honest, candid data breach disclosure. And we're missing that so often. In my opinion, there's still much damage control and lawyers. And nothing against lawyers at all. But there's also the side of the humans that are impacted. And banding on the side, this can have devastating impact.
[23:35] John Opdenakker: The Ashley Madison breach is well known, where people's very sensitive information was stolen, or even government websites, etc., where sensitive data is, the impact can be really big. It's again, standing in the shoes of the people who are affected. And if you can do that for a little bit. And I understand all other things like damage control and reputation, etc. But I think if you're honest and you say, “This and this happened. We're trying to do better. We're going to fix it. We're going to keep you up to date.” For instance, the University of Maastricht, Maastricht in the Netherlands. That's one of the examples that pops up in my mind. They had a ransomware attack. And they were really, really good at giving updates on their website. It was not a data breach as such, but a ransomware attack. They were saying, “This happened, this happened.” They even gave a seminar when all their systems were up and running with lessons learned. I mean, this was like, “Whoa, this is really good.” You enter a really shitty period because recovering from such an attack is massive. So, it can be done differently. We could learn from each other because no company should claim they never get breached. It's something that's bound to happen somewhere.
[24:56] Andra Zaharia: And collaboration is something that cybercriminals do very well. Hence the insane amount of things that are going on in the underground economy. I think you made some excellent points there. And those were very helpful examples to know as regular internet users, as customers of companies. So, we know what a human and candid, like you mentioned, very honest way of communicating these issues looks like, versus empty words that don't mean anything to anyone. And they're just there to get a checkbox. So, switching the perspective, what does it feel like? Because I think that sometimes we know what empathy is but we forget what it feels like. So, I wanted to ask you what does it feel like to be on the receiving end of an empathetic experience? What did it look like for you in cybersecurity, whether it was at work or in the community or in general, because I think that highlighting that and remembering what it feels like gives us so much energy to try to do the same for others.
[26:05] John Opdenakker: Well, it escapes me which one it was, I'm in a few data breaches. Like I said before we started recording, not too much that I know of, important nuance. There was one which was really good, and it was more or less coming back to the example of like in University of Maastricht, which didn't impact me, of course. It was like they were really candid on what's happened, “This is why we got hacked. This data was stolen.” They’d update it if they knew. There are known examples from this online as well. We should do a comparison – just a thought – good and bad data breach disclosures.
[26:47] Andra Zaharia: There's your next blog article.
[26:50] John Opdenakker: I haven't been thinking about it but it's some research, because like I said, now I can’t even remember the names. I know that most disclosures are more of the same. I'm really, really pleasantly surprised if it doesn't say "we take your security seriously."
[27:08] Andra Zaharia: Exactly. Using non-cliche words, talking to people like we're talking in this conversation right now, and not trying to force phrases into context. Just be natural, be human.
[27:21] John Opdenakker: Try to keep things simple. If you want to reach the target audience, you must try to speak their language. You can still use the terms that you need, but at least explain a few things that aren't clear. Explain a little bit. Sorry to say, I don't know if it's marketing purely but several marketing departments are using this kind of buzzwords. And another thing I wanted to add is what's really, for me, a pleasant experience is when I'm doing my job, I already mentioned a little bit, that you feel like you're not the guy who says no. I'm not the guy who says no. That’s also an empathic experience. They're wanting to collaborate. They know he's not here to make life impossible for us. So, it's more general, it's not one or two examples but it's that feeling that it's really rewarding. And also in general and community, sometimes I have people reaching out publicly on Twitter or privately and saying, “You inspired me to write a book,” last week or two weeks ago. I was like, “What?”
[28:44] Andra Zaharia: That is so cool to hear, that is awesome. Because creativity can come from anywhere.
[28:50] John Opdenakker: It was good for my ego. Not that I have a lot of ego. I'm just joking. But I was like, “Wow, that's kind of cool that just by being myself and writing some blogs, and hopefully being nice without knowing, and then that I could reach that.” So, that's more like the feeling I have what matters to me, because after all the social media and stuff, it’s just a bit of fun sharing some blog posts.
[29:21] Andra Zaharia: These connections, I think, are so important. We never know how things are going to play out a few years into the future. We don't know where our inspiration comes from or who we might help. I truly believe that there's someone who needs what we're creating, whether it's software, whether it's security programs, whether it's tweets, whether it's anything else. I think that there's always someone who needs what we're trying to put out into the world. And if we do that from a place of empathy and if we try to bring some positivity into a field which is usually very doomy and gloomy, I think a little bit can go a long way. And all of those tiny positive things tend to add up into, hopefully, move the conversation forward with a bit more lightness and a lot more empathy.
[30:11] John Opdenakker: Chosen bits that I don't know I was looking at. I'm only active on Twitter in the InfoSec community, if you like. If, as an outsider, you look at it, it must be really strange. I don't know if it's InfoSec specific, but it's a lot of fighting and a lot of echo chambering. And that's really hard because it's difficult. But I get a lot of negativity, often, when I try to tell simple things or things in a simple fashion for an audience which is mainly not the ones that are following me, and that's a shame. Also, I'm glad they're following me and they enjoy what I do. Don't get me wrong. But I would like to reach more people outside of the bubble. And then they're criticizing me, “Yeah, but that's not elite enough.” And stuff like that. Not saying it like this, but almost. I felt ridiculed several times, like, “Are you so stupid that you're talking about that? That's so trivial.” And then again, there are other people saying, “I appreciate it. And what can I do to improve?” It's good for me. I reached one, two persons, that's okay. But I think we should be more empathic and also not calling out companies all the time. In the beginning on Twitter, it was like, company that’s better security, “Yeah, let's call it out.” Yes, but maybe we can.
[31:34] Andra Zaharia: Let's try to help them.
[31:37] John Opdenakker: You can hold them accountable but do it in a positive way or try to help them. Or if they're not willing to help, okay.
[31:46] Andra Zaharia: In a constructive way. I believe that as well. And I think that you make such a good point. We're going to have conversations that aren't for everyone, we're going to put out the type of advice or ideas or content that's not for everyone. And that's fine. Some people will resonate with this message around empathy and around doing things that truly connect us to other human beings, so we can grow together, so we can learn together, so we can collaborate and just scale our abilities and our know-how. And generally, try to live more than just better relationships, I guess. And then there are going to be people who don't resonate with this. And that's fine as well. But I think that it is still worth it. And I appreciate how open you're about this. And the fact that, like I mentioned, you're intentionally making yourself vulnerable online, which not many people have the ability of doing, or have the availability of doing. And not just in technology, but generally many, many areas. So, I appreciate you for that. And I know that I'm not alone, and I'm seeing your community grow, and I've seen you do a lot of things that have had a positive impact on people. And I'm really excited to see what you do next, and how you continue to make that happen.
[33:13] John Opdenakker: Thanks a lot. I'll try to do my best. And yeah, empathy goes a long way, I think. If we're all a little bit nicer, and even if we don't. Or maybe that's a good advice: If we don't feel good ourselves, don't start shouting on Twitter or anywhere else.
[33:30] Andra Zaharia: That is sound advice and a very good way to round up this.
[33:36] John Opdenakker: Or post a bad joke and you will be smiling or self or not, or people will tell you it's a bad joke or other ones will think it's an amazing joke and you will have some happiness throughout today.
[33:50] Andra Zaharia: Exactly. Thank you so much, John. This has been such a wonderful conversation once again. It is packed with lessons and examples, real examples of how things are improving and how progress is actually real, and how you can make that happen. So, I appreciate you a lot.