“Knowing and not doing is the same as not knowing.”
Join Sebastian Avarvarei and myself as we dive deep into the layers of self-development, cybersecurity, and the crucial blend of technical acumen with soft skills.
Sebastian, with his rich experience in security, sheds light on his evolution from proficient technical leader to becoming a deeply compassionate leader in the cybersecurity industry.
I can’t wait for you to discover his unique approach to leadership, the influence "The 7 Habits of Highly Effective People" had on his managerial style, and the power of practice in transforming knowledge into actionable wisdom.
From overcoming the fear of public speaking to leading with the heart, and the role of empathy in cybersecurity, this conversation overflows with inspiration for professional growth and personal development. We’ll also touch on the importance of being kind to ourselves, of acknowledging that it’s okay not to be okay, why practicing appreciative listening can be life-changing, and so much more.
Whether you're a seasoned expert or a newbie in cybersecurity, there's a nugget of wisdom for you in this conversation.
In this episode, you will learn:
How Sebastian discovered the power of speaking from the heart (6:40)
How Stephen Covey's book influenced Sebastian (11:10)
Be ready to learn at any moment (24:50)
Why we must be kind to ourselves (34:00)
The importance of time management in empathetic leadership (37:20)
The clarifying question that creates alignment (46:40)
With over 20 years under his belt working in multi-national organizations, Sebastian is a friendly security enthusiast who loves crafting top-notch teams! He's all about creating practical security plans that align with business goals, staying updated with industry trends, and sharing knowledge—whether it's chatting with the C-suite or lighting up the stage at industry events. He'll make you see that security can be both fun and efficient!
- Book: Stephen Covey - The 7 Habits of Highly Effective People
- Sebastian Avarvei at DefCamp 2022 - What if I told you that Security is here to help?
- DefCamp conference
- Book: Ryan Holiday - Ego is the Enemy
- Book: Douglas Stone, Sheila Heen - Thanks for the Feedback: The Science and Art of Receiving Feedback Well
- The Cyber Empathy Manifesto
- Episode #1 - Why I chose an empathetic approach to cybersecurity
- About Sebastian's happy place
- Appreciative Listening on Wikipedia
- Situational Leadership Theory on Wikipedia
[00:57] Andra Zaharia: "Where we stand depends on where we sit. Each of us tends to think we see things as they are, that we are objective. But this is not the case. We see the world not as it is, but as we are conditioned to see it. When we open our mouths to describe what we see, we, in effect, describe ourselves, our perceptions, and our paradigms." This is one of the probably most recognizable paragraphs from Stephen R. Covey's book from 1989, "The Seven Habits of Highly Effective People: Powerful Lessons in Personal Change." Now, this is one of the most well-known self-development books. And this happens for a reason: it's because it's really good. If you haven't read it, don't get stuck on the headline; don't get stuck on the title. The content is really life-changing if you apply it—just like every other good thing in our lives.
[02:03] Andra Zaharia: There are two other very short quotes that I want to extract from the book, and then I'll explain how it's connected to this episode: "When the trust account is high, communication is easy, instant, and effective." And, "To learn and not to do is really not to learn; to know and not to do is really not to know." Now, this is a very simple way of saying that practice is what makes change—what creates change. And I think that we both notice, but it's so difficult sometimes to change. It's still difficult to know how to apply our skills, especially if we're talking about "soft skills," which are so much more difficult to capture sometimes because they're nuanced. But they're not impossible to develop. And this is actually one of the things that you'll find in this conversation with today's guest, Sebastian Avarvei, who spent his entire adult life working in security, and who not only has become a proficient technical leader but one of the kindest managers that I know—one of the best leaders, one of the most wholehearted people in the cybersecurity industry. Now, Sebastian left me with a question that you're going to find in this episode, along with many other examples and frameworks and questions and words that you can actually use all day, every day, in your work, in your relationships, at home, and wherever else you need them. And the question is, "What is the problem I'm trying to solve?"
[03:51] Andra Zaharia: And if you haven't had a chance to read it, there is a manifesto that I wrote for Cyber Empathy at the beginning of the podcast. I made it because I wanted to explain why I'm making this podcast. And the first episode of Cyber Empathy is actually all about that. I wanted to connect to that deep motivation of why I'm doing this and what is the problem that I'm trying to solve. And I find that even 30 episodes later, my mission is the same. The problem that I'm trying to solve is the disconnect between people—the disconnect between people in security and the people they serve, and sometimes between just peers in security as well. I'm trying to help bridge that disconnect by making empathy a practical skill, that just dissolves tension, that creates pace, that creates connection, that helps people work together and recognize good in each other. So, it is my absolute pleasure to introduce Sebastian Avarvei, one of the people who is capable of inspiring others to pursue this path and to pursue this kind of development that not only enhances technical skill but just makes life better. So, welcome to the fourth season of the Cyber Empathy Podcast. Thank you for being here, and I hope you get as much joy and as much inspiration from this conversation as I did. Thank you for being here.
[05:47] Andra Zaharia: It's been a couple of months since I saw you speak at DefCamp. And now, I finally have the opportunity to talk to you about your presentation and how that plugs into your entire experience in cybersecurity so far, which is pretty amazing. It spans so many areas of security that I'm really excited to explore today. So, this is the official Welcome to the "Cyber Empathy" podcast.
[06:20] Sebastian Avarvei: Thank you so much for having me here. I've been listening to the podcast for quite some time, and I met you in one of the earliest DefCamps. It was a really good experience and I always look forward to coming back to DefCamp. I think last year was the session when I really started to feel what it is to give a good presentation. We were discussing earlier, and I really got a lot of feedback. I felt a very good interaction with the audience. Sometime later, I was thinking, "Why was it different? Why was it so much better this time? Why did I get so many questions from the audience? Why did I get so many interactions afterward, people coming in, saying, 'Oh, I loved it,' and, 'I got to think, and here's something that I had in mind after I listened to the presentation'?" They actually took a few months, and I had a weekend where I put some technology away, less time with the phone. They had a really good insight because the presentation was really coming more from here—from the heart—and less from the mind. It was maybe the first presentation where I felt sufficiently confident in myself because I got into public speaking in order to conquer my fear of public speaking. But I got to the point where I'm confident enough to really speak from the heart, not just from the mind. And I think that's what changed. Yesterday, I gave another presentation at the OWASP chapter here in the Netherlands, and I had the same feeling. I'm not here to teach you something; I'm not here to enumerate some bullet points from a PowerPoint. No, I'm here to share a story. And that makes a lot of difference. And I think this also applies to many areas in cybersecurity in general, and especially in cybersecurity leadership. When you start leading a little bit more with the heart, not just with the mind—yes, it's a technical field; yes, there are so many technical details; and sometimes you have to be strict and even harsh—but at the end of the day, we don't do security for the sake of security; we do security to protect an organization, to protect the people in that organization, not just to protect the computers.
[08:39] Andra Zaharia: Absolutely true. And even from the first time that I saw you speak—because you say that you've now reached a level where you feel you can get more personal in the presentations that you give—I felt that there was always a special kindness about how you presented things. Even when I saw you the first week at DefCamp, and I don't precisely recall the topic, but it was definitely a lot more technical, you still delivered it with a lot of kindness. And I think that this is one of the first things that really impacted me so powerfully: not just about being in DefCamp, which, for those who don't know, is a cybersecurity conference, the biggest one in Eastern and Central Europe, that brings together 2,000 people every year in a very cozy atmosphere. It's not just having this experience of kindness but also having this direct access to what it means to be a true leader in the space. And you are a true leader. The way that you present things at DefCamp, the way that you stretch people to go beyond what they were expecting—I think that it's not just taking a counterintuitive approach just for the sake of it, but rather, it was a very well-rounded experience with your presentation. It was not just technical; it was not just about building businesses; it was also about building ourselves and then building the teams and the people around us. So, because I know we're talking about something that we know, but listeners don't know what we're talking about, could you give a quick overview of what the presentation was then, and how it inspired your actions over the last almost eight months?
[10:33] Sebastian Avarvei: It was a talk that I had in mind for quite a while; it was based on Stephen Covey's "Seven Habits" book and the principles from that book. It's something that I read a long time ago, and it was quite inspirational. I also have to give big props and kudos to my wife, Elena. She's a psychologist by training; she worked in this field, and I learned a lot from her. We have a very interesting combination of skills: I come from a more technical background—was in software development, originally—but I learned a lot from her over time. This is one of her areas of expertise, and she taught me about these kinds of principles, not only how to read about them but how to apply them. Because that's a big difference: reading a book is not the same thing as living it and applying it. I tried over time to internalize the principles from the book; at some point, it started to click. I could feel it working; I could feel it helping in my growth, in my career, and in becoming, hopefully, a better manager. That's my thought; I want to share that because I see a lot of people in our industry, coming from a technical background, either with an expectation or they're being pushed to go into a management role without actually building up the skill set. They think either it's something that you have or you don't, and you're going to do your best, and you're going to use your technical knowledge to be a good manager. Which, of course, helps; we are in a technical field, and you do need to understand the technical details. But one of the points that I was trying to make in the presentation is that just as we learn all those technical skills, we can learn soft skills in exactly the same way; it's a step-by-step approach. This is even a foundation in Stephen Covey's book: it's a set of habits that you develop. It's not some natural ability that you have to have in order to be a good leader; it's something that you have to practice, it's something that you have to intentionally develop, and that intentionality is a key element of it.
[12:50] Andra Zaharia: It's strange to me, and it just dawned on me, how we think about hard skills. I don't necessarily like the terms "hard skills" and "soft skills," but let's go with those because everyone knows them. We don't think of those hard skills as part of our identity; I mean, we don't expect to be born with them, with knowing engineering, math, science, and all of those things. But when we talk about soft skills, we kind of expect to have them innately. Just like you mentioned, knowing what good communication is, is not the same as practicing it; knowing what empathy is, is not the same thing as practicing it. I feel like people get really defensive when they're told that they could improve in terms of how to explain things, how they communicate to people, how they relate to them, or how they listen to other people—because it feels like they should already be in there somewhere. And when they're not, we feel less than, but that's such an unrealistic expectation that we have over ourselves to have all of those skills without working for them, without trying, without intentionally developing them.
[13:58] Sebastian Avarvei: It's not only that; it's actually a sign that we're not looking at ourselves with kind eyes. Because when somebody presents us with an opportunity to be better, to develop, to grow, we default to taking it as a criticism: "That person just told me that I'm not good enough." Instead of looking at it as, "Oh, that person just opened a new door for me," or "showed me a new direction in which I could continue my development," we default to thinking little of ourselves: "Oh, we're being criticized; we're not good enough." No, we're good enough for now; it doesn't mean that we cannot grow. We do want to grow; we do want to develop.
[14:45] Andra Zaharia: What do you think people who are able to nurture this curiosity—this curious mindset, the idea that "let's see why this happened," "let's see why this person told me this," "let's see what happens if I try to do this thing"—do differently from people who remain anchored in this resistance, which usually really gets in the way of good relationships throughout our lives, no matter where we have those relationships?
[15:15] Sebastian Avarvei: It can be multiple factors. One of them is a positive mindset. And, as I explained earlier, it's really looking towards, "How can I do better? What can I do more?" and really listening to the positive intent from others. Of course, it's also great to know how to give feedback. And that is a big skill in itself. There are so many books and frameworks about how to give positive feedback. We could do a whole podcast just on that one; that might be an interesting topic. But also, being able to listen in a positive manner—whatever somebody is telling me, how can I take the positive, the silver lining, from that message, even in the cases when it was intended to be negative or malicious? Let me be the one who takes the positive. So, people who move forward have that mindset. Yes, we can also move forward out of spite, just to prove something; it can be a driver as well. But the positive, the development mindset, the growth mindset, is a much more effective driver. And something that I was sharing in the talk at DefCamp last year was also the fact that you can relate to things that you're familiar with. We were addressing a room filled with people that spent nights, over many years, practicing the skills, and getting very good at hacking, at coding. And I was telling, "Look, you're seeing managers as somebody who was born with those skills. They see you in the same way. Managers look at you and go, 'Well, you must have had a different kind of brain to be able to learn all those skills.'" No, you really apply yourself; you were intentional; you put in the time; you practice until you get good at it. The same thing you can do in other areas as well. That's why I like to keep different hobbies. So, I like computers, and I like tinkering; I like playing games—spending more time than I should. But I also love working in my garden. Yeah, it's not a big garden, but I like working with my hands, seeing all those flowers growing, having that pride that regardless of the season, there is something blooming in the garden. It's good to have multiple anchor points. And I do the most of long-distance running, which is a very good thinking time. It's my "me time" to think. And even that presentation, probably half of it, I wrote it in my mind while jogging. Have those habits. Look for different perspectives of the world. And that will help you to apply yourself in other areas, to make the switch if you want to, from growing on the technical side to also growing as a manager, as a leader, and seeing how can you help others better.
[18:08] Andra Zaharia: And it is so fascinating. I mean, the people who fascinate us the most, the people who seem so at ease in the world most of the time, and who bring this positivity and transmit this energy, they usually have this very diverse set of interests. They always poke around outside their industry, their space, their profession, just like you're doing long-distance running and gardening, which is absolutely beautiful. I'm actually going to include tweets of your wonderful garden in the description because they're just delightful. I actually have another example of a speaker that I recently saw, and she was a pastry chef, then she was an acrobat—actually hired at a circus—and now she's a vulnerability researcher. Again, that's just a wonderful life story. How did you get from this to that? How did this happen? That's such a great conversation starter. And that's what creates that connection between people, which can build anything and solve anything. I remain a huge believer in the fact that if we manage to get past our differences and approach things with curiosity and kindness, and wanting to understand, I think that we can literally do anything. We can completely build something together, and that sense of camaraderie and connection—there's almost nothing more rewarding than that. And I think that this is something that our space, the cybersecurity space, is still not using enough, not discovering enough, not highlighting enough.
[19:55] Sebastian Avarvei: Although it is getting better, and we have podcasts such as yours, we see so many communities. Or, as where I spoke yesterday, it's such a vibrant community, and people are coming together and sharing ideas. Just being there to get together, it's quite a great feeling. It brings that human dimension to what we're doing. It really reminds us that we are here to protect organizations, to protect people, not to protect computers. That's not what we do; that is just the means to get to that end. You were saying earlier about understanding. This is one of the key principles in Stephen Covey's "Seven Habits," and maybe one that is the most related to empathy, which is: "Seek first to understand, and then to be understood." You can take that phrase to mean many things. It actually took me a while to understand: What does it mean to "understand"? How do you actually listen? And how does it help? Because it's not just about understanding, "Okay, I understand what you mean," but I'm here to tell you what I want. It's about understanding and then embedding my message, and putting that message next to yours, trying to come up with something that is even better than the sum of our parts. It's not just the combination of our ideas; it's not just one plus one equals two. That is another habit from Stephen Covey: the "Synergize" habit, where you're looking for more than the sum of the parts. He has a saying that synergy is not compromise. Compromise is when one plus one equals one and a half, at best. Synergy is when one plus one can be 10 or 100. Because you start with something from two sides, and when you put them together, you create something that is more than those parts, something that is new, something that combines and adds to those elements. Looking for those synergies, looking for that understanding, helps tremendously, especially if you want to be a good leader.
[22:14] Sebastian Avarvei: And it's a step that, at some point, we have to make. Right now in managing a team where there isn't anybody in the team who knows less than I do. Actually, I'm the one who knows the least about each of their areas of expertise. And I'm perfectly comfortable with that, and I'm happy to see them growing. And yeah, they're doing things that I couldn't even be dreaming of. My role is not to be better than them; definitely not my role to boost my ego by putting them down. No, I'm there to help them, to facilitate them, so they can be the best that they can be, because they can be really good.
[22:59] Andra Zaharia: The simple fact that you're creating the space for them, and that you're recognizing this in them, and that you have this partnership, I think that that is incredibly valuable. I was wondering, have you had people in your lives who have influenced your approach to management and to how you build teams? Did you see bits and pieces of this behavior in other people? And how have those people influenced your decisions and your twists and turns in cybersecurity?
[23:31] Sebastian Avarvei: No, I was happy to have a lot of people from whom to learn. I even have former managers with whom I still go out to dinner from time to time, and we still keep in contact. But I have people that I've worked with, with whom we really didn't get along. But even from them, or maybe even more from them, I learned a lot. And that's a very useful skill to have: to learn even from the people you don't like, or you don't agree with, or when you see the mistakes: "Okay, that's something I would like to avoid doing. What is the consequence of that? How did that negative mindset, for example, impact the team that we're in? How do I avoid doing that in the future?" You can learn from everybody. I learned a lot from my wife as well. I learn from my kids. I learned when I give a talk. Yesterday, when I was on stage, and at the end, somebody asked a question about if I have some thoughts about framework for policy as code and how to manage clauses in the code — something that I was not familiar with. And I said, "I'm very happy you brought up that question. I have no idea what that framework is, but I will definitely look into it because it sounds like something interesting." Be ready to learn in every moment, and get yourself a bit out of the way. And trust me, that's a learned skill in itself. And it took me a long time to learn it. Sometimes our egos are the ones that get most in the way. And I think it was in DefCamp, or in another podcast, where I had the question: "What helped me grow the most?" And I said, "When I decided to let my ego get out of the way." I actually want to listen more to others; that opened up the path for me to grow.
[25:20] Andra Zaharia: And that is so much easier said than done. It doesn't mean that it's impossible, of course. But, I think that because these things are so nuanced—so, letting go of ego, practicing empathy, practicing self-compassion, knowing what that feels like—those things are very nuanced. And sometimes, we don't either have the vocabulary for them, or we don't know exactly what they are; we can't isolate them in practice. And for practical, pragmatic people who like frameworks and need a set of steps and things like that, this is a bit of uncharted territory. You need to be comfortable with not being comfortable for a while until you start-- I feel like it's that observation bias, I think that's what it's called—when you're focused on learning something and then you suddenly learn to recognize it in other people's behaviors, and examples, and conversations, books, videos, whatever it is. And then, you can start to assemble this kind of body of knowledge that you can then use to elevate your soft skills, whatever they are. But it does take a little bit of time. And I think that they're so important because, I see you coming into the community and talking about things; I see how having these abilities elevates people, technical professionals, careers, their impact in the community, and even their relationship with their own work. Have you felt a change in how you relate to your own work? And do you remember when that happened?
[27:01] Sebastian Avarvei: Definitely, there was a change. I don't know if there was a particular time, but I can see certain milestones in my career path. I think one of the moments when I started to seriously consider that "I might want to look into this leadership thing because it sounds interesting—and maybe it's something I might want to do" was when I was working in a consulting organization many years ago. And we had one colleague who was really good technically; she was a brilliant security architect. But customer after customer was saying, "We're so happy with the work he delivered. Please don't put him in our contract again; we don't want to work with him again even though we absolutely were amazed by the quality of the work he delivered." And he was not understanding himself what was happening. And he was really being considered for being made redundant. And I was talking with our managers at the time; I said, "Can I have some conversations with him, see if I can help a little bit here?" And we started discussing, and at the time, I was already learning a little bit from my wife. I think it was about that time when I started reading books like Stephen Covey's. And I was able, in just a few conversations, to shift a little bit his perspective. And he began to realize himself what the problem was, where those conversations were going wrong. And he was just genuinely surprised to see himself; "I thought I'm doing great job; I was focusing on the technical because we have so many contracts, we have so little time, and the customer really wants this to be done as quickly as possible, with as few billable hours as possible. So, I was just focusing on that; I just wanted to get that done, and everything else was feeling redundant." And just by changing that perspective, he was able to turn around; he stayed in the organization for many years after. And that was one of the change moments for me, like, "I can actually make a difference."
[29:17] Sebastian Avarvei: But then, every time I learned something new, and I would see it working, I've seen my colleagues reacting better; I could see my team becoming more positive and getting positive feedback from them. It's a step-by-step process; it's not an overnight thing. But sometimes, we have the expectation that, "Oh, we learn one thing, and it's going to change our world." Yes, it's going to make an impact, but it's complicated; it's complex; it's human. And there are small beads here and there, and we keep putting them together. And if, at some point, you realize that, "I know a lot; I can do a lot, and it's getting better," but one step at a time. And you were saying earlier about, we're so used to technical frameworks, and we use them. We actually have the same on the soft skills side; there are so many frameworks that we just don't know about them as much as we do. And here, maybe the HR organizations in the companies could do a little bit more to promote those frameworks, to make them available, to make the tools known. So people can pick up on them. We have everything from appreciative listening—that is actually a framework, a set of very well-defined skills that you can learn—to going more into management skills. We have things like Kanban charts, situational leadership framework, which is an absolutely brilliant and very usable framework; we have them, we just need to learn that they exist and spend a little bit of time in getting to know them. So, we just had a little bit of a technical glitch. But actually, we can put a bit of that into the podcast because, yep, sometimes life happens. And that's another skill you need to develop: being a bit more accepting. And it's a skill that I had to develop when things go unexpectedly, when things crash. And I'm still working on it. Just before the podcast, I was moving some stuff around, and I managed to break two glasses. And I was so annoyed, and I again felt so frustrated, and some of the old habits that I was trying to get rid of resurfaced. And I was absolutely furious about it. "I have a few minutes on the podcast." And yes, life happens; things break; computers crash. We can learn to deal better with those situations.
[31:50] Sebastian Avarvei: That's a very useful skill: being able to deal calmly with all the curveballs that life can throw at you, and especially in business life. That's a very useful skill. And it's especially useful for yourself, for your own sanity. Yes, it's a very long-term process; you're not going to get good at it overnight. And, as I said, I've been working on it for a while. Still, I get absolutely fuming and shouting over two damn glasses that we're actually just looking for a new place to give them away because we don't need them. We get so hung up — it's a process. But it's good to see when we're making progress and recognizing, "Okay, this one didn't go as well as it could, but at least I see it. And it's not happening maybe as often; it's not happening as explosively as it used to be." So, we have to be kind to ourselves a little bit more. And this is one of the other habits that maybe it's important to learn as a good, empathic leader: we have to be good and to like ourselves first. Because if we're not good to ourselves, it's going to be very difficult to be good to others, even when it comes with good intentions. And I've seen that; I've been in that place where we put ourselves down and we take much more weight and much more work on our plate than we should because we think we're doing a good thing for others. We have to be careful; we have to be good to ourselves; we have to appreciate ourselves, so we can be good to others. It's nice to be a hero, but be careful if you're a positive or negative hero.
[33:39] Andra Zaharia: Yeah, that's true. That's so true, especially because we also influence people with our examples. And if we have managers that are constantly burning out, that they're constantly stressed, that trickles into the team. That definitely does. And yes, this kind of self-compassion is something that I've been working on in therapy a lot. And it was so difficult in the beginning because I didn't know how. I'm also very harsh with myself, and I tend to punish myself and demand a lot of myself. And obviously, those are things that we have just internalized as children, and it's hard to let go of those things. But having someone remind you that it's okay to make mistakes, that it's okay to be kind to yourself, even when you don't feel like being nice to yourself, I've found that this happens a lot. Personally, I’ve had the privilege to work with both managers and colleagues, and partners, and have friends that have the ability to remind me of this. And I do this for them, and it's a constant cycle of learning how to soothe each other and ourselves individually, which is really, I find, such a generous thing to do. And that change may be incremental; it may not be constant. This is also something important that I learned, that I think has a good place here: not to expect ourselves to make constant progress in this and to never have relapses, I guess. But change does also have a snowball effect; it has a very powerful compound effect. And you realize that five years, ten years of doing this work results in a beautiful transformation and being more comfortable with yourself, with others, and having more open-hearted and open-minded conversations. And giving, again, putting that example out there and then seeing who resonates with it, which is what you've been doing for such a long time.
[35:44] Sebastian Avarvei: I've been trying, and I know we both come from a culture that tends to be a bit more on the dark humor side. Dark humor is still fun, but we do look at things a bit differently. And it's something that we have to learn to change. As you were saying earlier, we have to learn that it's okay to not be okay. Actually, in our case, I think also something we need to learn is that it's okay to be okay. I used to be in a position where if something was going well, I'd think, "I'm happy. Okay, let me sit down because something bad might be coming." And I go, "What do you mean 'be happy'? What do you mean 'feel content'? That's not a natural state."
[36:30] Andra Zaharia: Yeah, that's true. Our cultural anchors are very powerful and very hard to let go of. It takes a lot of, again, intentional work and awareness to make sure. It starts with awareness; that's where it starts. We realize these things, we pick up on them, and then we create that space where we can react differently. Because if we're just going as programmed, that's not going to bring about any change.
[36:57] Sebastian Avarvei: No, absolutely. And it's something that you can practice, exactly, with the words. Something that I've seen in myself in the past, and I've seen many others around us doing, is receiving compliments. We are actually quite often not good at receiving compliments, and we take it as a joke. Every time somebody was paying me a compliment, I would have to diminish it; "Love your jacket today." "Oh, come on!" Or just finding something wrong with it. How about I learned just to say, "Thank you; that's actually very kind of you." It's those small things that make a huge difference. And those are the kinds of small habits that are easy to make. Making a habit of not getting angry. That's not an easy goal, and it's not something you would achieve in itself. Making a habit out of, when somebody pays me a compliment, responding kindly and actually appreciating that compliment. That is a small step, easy to make, and very powerful.
[38:06] Sebastian Avarvei: And it's the same with—you can apply it in many areas—time management. I was making a list earlier: what would be some of the seven habits of an empathic leader? One of them was time management, in the sense of, we have to be kind and respectful of our own time and organize our time better so we can organize the time of others in a better way. And if you remember, one of the things that I have in the presentation of DefCamp was, as managers, we tend to think about how long a task does it take, based on how long it takes us to think about the task. We call it the "five-minute task." It takes me five minutes to think or to describe that task, and I tend to forget that it will take a week, a month, or a year for the other party to actually do it. And it's valid both within our teams—on how do we manage, on how are we mindful in our team of how do we place the burden. Can we put something that is reasonable? And do we really understand how long it takes?—but it's also relevant for us in security. Because in security, we keep telling others, "Oh, you have to fix this; you have to patch that one; you have to upgrade that system; you have to decommission that legacy system." And we keep throwing things over the fence. But are we thinking about the context? Do we think, "Right, how long will it take for that department to get rid of that system? What will be the consequences?" It doesn't mean that we have to take that as an excuse not to do it, but it just makes us better at planning and prioritizing, and saying, "Alright, I would like you to do these five things. I realize how much time they take, what burden they put; then, this is the order of priority." So, at least I put the first things first, the ones that I really want to get done today. I put that at the top of the list, and I understand what happens then with the others. Being mindful of our time helps us to be mindful of other people's time.
[40:16] Andra Zaharia: Wow, that's a really great lesson. That's a really, really great lesson, especially because the less we know about other people's jobs, the more we tend to assume that they're easier than they really are. And one way that we can actually practice empathy is to ask questions and let other people explain what it takes, what it involves, or just give them the freedom to decide. Just like you mentioned, give them the freedom to either prioritize their work or communicate freely, and without fearing that they'll be considered incompetent or unwilling to do something. And just create that space for them. What other habits are on your list? Because that is a very powerful list, and I really want to give the listeners a chance to really go through it.
[41:05] Sebastian Avarvei: So, actually, we've already covered a few of them: "Seeking first to understand, and then to be understood." So, that's really foundational. And this is all where it starts. This is not an isolated habit or an isolated principle. All these principles, just like in the principles from Stephen Covey's book, work together and they enforce each other. For example, we are talking about time management and being mindful of other people's or other departments' time. In order to do that, you have to understand what they're doing, and really understand it. We have the bad habit, sometimes, of listening just so we can prepare a counter-argument. That's another skill that we quite often have to work on: listening for the sake of understanding, not just for the sake of preparing a counter-argument. That's a very important habit. "Beginning with the end in mind" is one of Covey's foundational principles as well. This means thinking about where you want to end, what is your goal, which then dovetails into building plans, building roadmaps, and writing mission statements. A few months ago, I organized one of our quarterly team days with my team. One of the goals for that event, for me, was: "I want to have our team mission statement. What is our mission statement as the security team?" Which sounds easy. I set aside three hours for it, and it was barely enough. And that is after saying in advance, "I want to work on this," or there was even time to think about it.
[42:50] Sebastian Avarvei: But bringing all those ideas together, and listening to everybody, and what is the value in each contribution from every person—then, how do we select which ones we keep? And how do we select the ones that—this is actually a good one, but we have limited space, a limited size for the mission statement. And let's prioritize what is the most representative. "Beginning with the end in mind," defining where you want to get and how to get there, is a very important skill. And, again, planning is not something that we easily do. We live a lot from crisis to crisis, especially in security. And it's addictive. I love doing incident management, and leading an incident response team. It's so addictive because you're in the thick of things, and everything is coming at you fast, and your adrenaline is really spiking. I also do paragliding; jumping from a mountain with just a piece of cloth above your head is nowhere near as adrenaline-inducing as leading the incident response team for a major incident. But we have to do more. We have to sit down, think ahead, plan. And sometimes we have to do that—you know, just find time for yourself and make that space for yourself to have that thinking time. It's not easy. I'm scared of how many emails I get, and I constantly look at how can I reduce that because everything is something that requires attention, something that is a crisis waiting to happen if I don't answer. And I have to push that away. And now, I need to make time to think, to plan, to say, "What's going to be the end that we want to reach?"
[44:40] Andra Zaharia: This is actually one of the key reasons why I wanted to talk to you for the podcast. Because even if you're leading this big team for a big company, with loads of responsibilities that never end—they're never going to end—but still, you make time for community, you make time for yourself, for your health, for your family, for everything else. And to me, you're an example that this is possible. This is not just something that's idealistic. It's not just something that people boast about on LinkedIn with their morning routine and things like that. It's something that's actually attainable. You can have a high-responsibility role, and you can be a good manager, and still remain compassionate to yourself. It's not easy. Yes, it takes work; it takes practice; it takes years; it takes a lot of maturity; it takes a lot of acknowledgment; and also a lot of support, both giving support and receiving that support. But it is possible. And I love that you're going into so much detail about these situations, in these very specific examples, because they paint a very accurate picture. And they even give people words to work with, and questions to work with. That's how we actually end up practicing these things, and not just thinking about them and feeling momentarily inspired. But we actually get to translate that into action.
[46:08] Sebastian Avarvei: And hopefully, it's something that people can use. And I’m nowhere as good as you make me to be. But it definitely paints a picture of something that I'm aspiring to.
[46:16] Andra Zaharia: Speaking of compliments, perhaps this is a good chance.
[46:19] Sebastian Avarvei: Oh, no. I appreciate. And I'm just saying, I'm not there yet. But I'm on that path. And I know where I want to go. Hopefully, some of the things that we discussed here do stick with the audience. For me, we were talking about things that stayed with us for a long time. It was actually something that I picked up from another podcast; it was "Down the Security Rabbit Hole" Podcast at the time, quite a few years ago. And I heard a phrase that I'm overusing to an extreme, which is: "What is the problem we're trying to solve?" It's a very simple sentence. But it's so useful in so many different circumstances. And actually, now that I think about it, it resonates with, and it's very closely related to, this idea of thinking and making time to think about, "What do we want to be?" And "Where do we want to go?" It's a sentence that I use in everything from one-on-one meetings to meetings with the board. It gives me the chance to pause the conversation a bit, to get out of that rush, out of that adrenaline of "We have so many problems that we're trying to solve in this meeting," to "Okay, let's take a step back. Do we understand what's the problem we're trying to solve? What is the problem we're trying to solve? Let's define that problem. And let's keep asking that question until we get to the root of the problem." And it helped me in so many situations; it's a very simple sentence that you can use in almost everything. "What's the problem we're trying to solve?" It can be even in your life. "I want to improve something about myself." Why? What's the problem that I want to solve? "Oh, it's this one. That will help me to get to that solution much faster." Same with security. "We want to fix things. Oh, we need that system patched." Why? What's the problem? We're trying to solve? What happens if that system is not patched? "Oh, that happens. And that is the impact for the organization." And it helps us to understand the "why." And it helps the others.
[48:24] Andra Zaharia: Yep, creating that shared understanding, which sometimes we assume is there and is often not there.
[48:31] Sebastian Avarvei: And it really matters because some people might think that this kind of conversation, "Oh, it's so nice, and so fluffy, and so good-spirited." But yeah, we live in the real world; we have nine-to-five jobs that are, in some cases, nine-to-nine jobs. But yeah, how do we apply this? You can actually do it. Again, another seminal moment for me was, I was just starting in security. And I was writing security policies at the time, where I was updating them. And it was at a time where the security team was not the most loved in the company, especially with the project management teams, "We have this project, we need to get it done. Can you approve it?" "No, that's a no, you're violating the policies; go away. Do it again." We weren't making a lot of friends. Especially, I wasn't making a lot of friends at the time. And then I got the task to update some of our security policies. And I will say it for myself, I had an absolutely brilliant idea: for each requirement in the policy, let's write the rationale, the reason for that policy. "What's the problem we're trying to solve here? If we want you to do this, if we wanted to have the passwords hashed when they are stored in the database. If we wanted to put this kind of security controls in place for this kind of system, what's the problem we're trying to solve? What's the risk we are mitigating?" And what happened? Over just a few months, I saw a tremendous difference in the kinds of reviews that we were doing with the project. I saw project managers, and the solution designers and the architects coming themselves: "Oh, I saw in the policy that we're doing this because-- Oh, okay, so this is why we're doing. I think this might be a good approach to solve that problem. I think this implementation would be good against that risk." And even when we're giving the rejection, say, "No, this is not good. But this is why. This is a remaining problem. This is the risk." It shifted things entirely.
[50:53] Andra Zaharia: Because it connected people to the context, to the purpose, and they felt informed enough to make a decision for themselves, instead of being coerced into a certain type of behavior.
[51:05] Sebastian Avarvei: It helped them to understand what was the problem we were trying to solve.
[51:08] Andra Zaharia: What a difference a single question can make! It astounds me. And what a difference a book can make! Because I remember reading Stephen Covey's "Seven Habits," and it was so much more than I expected. That book is truly transformative. You've made me want to reread it because, obviously, we have to sometimes go back to the things that you can’t capture them perfectly at the moment. You use what you need in that stage of your life. And it's just using these kinds of things, capturing bits and pieces that we can actually use over the years and use continuously with great results. It's so much better than reading 200 books and watching several hundred videos and not doing anything with them.
[51:53] Sebastian Avarvei: Exactly. I remember getting the question—I think it was at DefCamp: "Next to Stephen Covey’s, what's the best book that I would recommend somebody to read?" And I said, "The best book is the one that you're going to start applying tomorrow. That's the best one." And I was saying in the presentation as well: There's no glory in reading 10,000 books and not applying any of them. Again, something that we can relate from security. Knowing about 10,000 problems and not doing anything about them is not as good as knowing about five problems and solving them. Find the problems you can solve; focus on fixing them. Find a book that resonates with you and apply it. Don't just rush into the next book; take the time to apply what you learn. Again, making a parallel with auditing, with pen-testing: I love making the shift from, "Well, we're just doing audits for the sake of doing audits. We're doing audits so we can say we've done it. This is the report; this is everything that's wrong. Bye" I'm shifting to, "Okay, we do the audit; we actually introduce four cycles in between the audits. Okay, one year we do the audit. Next year, we don't do the audit; next year, we focus on helping those teams to implement the changes that we recommended from the audit."
[53:15] Andra Zaharia: Again, that makes a significant difference. I love that everything that you mentioned is so practical. It is so practical; it is so usable. And you've seen it work; you see it work every day. And I bet that there are tons of people—well, I know that there are tons of people in this industry—who do these things. But perhaps we don't have enough of a chance to talk about that; we don't talk about them enough. We still focus on the more technical aspects, for the most part, simply because, like you mentioned, those are thrilling—the thrill of the chase, of the discovery, of handling complex things. This doesn't have to take away from that, but I feel that it actually enhances it when you get to share it with the community when you get to celebrate successes together, when you get to bond over experiences from which everyone learns. And I appreciate it so much that you've shared so many details and so many examples in so many instances that really highlight how we can use compassion, empathy, kindness, and all of the good stuff to make our lives better and make other people's lives better, as well.
[54:28] Sebastian Avarvei: Absolutely. I think maybe that's the biggest point to take: Be good to yourself, first and foremost.
[54:35] Andra Zaharia: And with that in mind, thank you so much, Sebastian. This has been a wonderful conversation, even if technology wanted to interrupt—it did interrupt, but...
[54:45] Sebastian Avarvei: Life happens.
[54:47] Andra Zaharia: It does.