Long before he was forced to reconcile his passion for the Boston Red Sox with a new love interest, or became the king of late night, Jimmy Fallon made the “IT guy” famous.
As Nick Burns, “Your Company’s Computer Guy,” Fallon expertly (and hilariously) personified the brutish, condescending and dismissive IT admin we all fear, the person with simply no time for their perceived lowly technical knowledge and unsuspecting nature of the average end-user. “Mooove” was Nick’s classic line, as he impetuously slid aside the stumped worker so he could get his fingers on their keyboard — and troubleshoot the problem.
With cybersecurity moving from backroom to boardroom, and the societal imperative that workplace cultures renounce toxicity in favor of more sensitivity and tolerance, there is rapidly becoming a call for empathy to pervade the infosec function, from the CISO’s office all the way down. Put simply, no more Nicks.
Within security operations, the typically discussed challenges boil down to the “hard” stuff, notably never-ending alerts, which show no signs of waning, especially with the widening attack surface catalyzed by remote working (although automation can help).
But one less-talked about hurdle is a “softer” one: ensuring the extension of humility and compassion – to end-users, customers (if you’re an MSSP), third-parties (a huge risk source), and, of course, the colleagues on your own team – as part of the process of addressing their and your needs. Fortunately this struggle can be chipped away at without the need for technology, and result in more productivity, effective relationships, diverse thinking, and, wouldn’t you know it, stronger and more resilient security postures.
The demand for empathy has only been exacerbated by the era of COVID-19, as workers need to adjust to not only new security challenges and potential threats brought on by the sudden shift to remote work (which Microsoft, for example, addresses through “digital empathy” aka creating an environment that is “forgiving of employee mistakes”) but also feelings of isolation and disconnect.
At the 2018 LASCON show, Joe Parker, then a Duo Security infosec analyst, delivered a foundational talk on SecOps empathy. He described three areas of security operations where empathy (and vulnerability) play a bigger role than most people may think.
Whether you are investigating an ordinary alert, trying to determine whether something is a false positive or embroiled in a full-blown incident, chances are you will need the help of others. To obtain all the log data and other details you require, empathy will encourage others to give you what you need to resolve the case and determine a course of action to avoid a similar issue in the future (automation, anyone?). Afterward, be sure to thank the sources from which you drew information and share with them the outcome of your investigation, as they may be curious of the result.
One of the common traits that show up time and time again in articles describing the habits of an empathetic person is the ability to put oneself in the shoes of others. When it comes to security, the basics are teachable and learnable, but expecting someone who is not an infosec expert to spot, for example, a well-oiled phishing attack may not be realistic. If you are called on to help with employee education, make sure that you are relatable (share a story of a time when you blundered!), non-judgmental and open to feedback, as there remains much debate within the industry as to how to make these awareness sessions more effective.
To further hammer home this point, here is what Ryan Chapman, a SANS Institute instructor, told us about empathy in dealings with users, as part of our “Sitdown With a SOC Star” series:
“I as truly believe that the most important soft skill to have within our realm is empathy. You can think of it this way: How many times has a SOC member said something like, ‘This stupid user clicked a link and now their host is compromised?’ We hear this often in a SOC environment. Is that person really ‘stupid?’ No, they aren’t. That person may be an engineer, a payroll specialist, a salesperson who enables the very company for whom you work. They have their specialties and their skills. And we have ours. Expecting everyone under the sun to understand security the way that we do is daffy. Rather, we need to be empathetic. We need to realize where they’re coming from. It’ll help us all get along, which in turn improves communication and fosters a healthy working environment.”
In the case of addressing security flaws and misconfigurations, SecOps pros will be working with more IT-inclined staff than in a typical security awareness training exchange, but empathy is still needed. When you interact with IT and operational teams, you need to be kind so that you can understand their challenges and tolerance for patching, which is known to occasionally break business applications and cause downtime. And if patching isn’t an option, you also need to understand their comfortability with compensating controls.
The ability to trust (aka assume the good in others) and be trusted will be a good barometer to gauge how you’re doing. Make no mistake, exhibiting and growing your empathy is no easy task. If it were, the world would be a far different – and likely far more harmonious – place. But this much is known by science: if you become more empathetic, your health will likely improve. And maybe that’s the best reason of all to do it.
That, and you won’t be another Nick Burns.
Dan Kaplan is director of content at Siemplify.