
Why Empathy is THE Critical (and Underrated) Cybersecurity Skill

BSides Seattle | 22:49 | 68 views | Published 2025-06

Speakers: Liz Lewis-Lee, Ralph Hogaboom

Style: Talk

About this talk

Cybersecurity professionals often focus on technical defenses—firewalls, encryption, threat detection—but the human side of security is crucial. Empathy is THE critical and essential, yet often overlooked, skill for cybersecurity professionals. Empathy helps us understand human behavior, communicate complex security risks, and drive organizational change through buy-in, budget approvals, successful project management, and collaboration across teams. By paying attention to and honing your empathy, cybersecurity professionals can create a culture of security, prevent incidents, and lead successful responses to breaches. This session will provide lots of real-life, relatable stories on how empathy can improve your cybersecurity program and your team’s overall effectiveness. It will also provide practical ways – including live practice – to improve our empathy and make the cybersecurity world a better place.

Liz Lewis-Lee, Acting CISO for WA Department of Natural Resources
Liz is the Operations and Infrastructure Manager for DNR and inherited 1 (amazing) security personnel when hired. Between the two of them, they have built a small (3 person, soon to be 5!) but mighty security program over the last three years. Liz has been in state IT for 25 years, bouncing back and forth between Security and Operations and is passionate about both.

Ralph Hogaboom, Deputy CISO for WA Department of Natural Resources
He/him, from Aberdeen WA. Married, parent, state govt employee in cybersecurity. Interested in gaming, trans rights, writing music, recovery, cooking, esports, feminism, running, pop science, knitting, and baking a really nice loaf of bread.

Transcript [en]

Howdy. Good afternoon. Welcome back from lunch. Got that post lunch energy. Yeah. So, um, hey everybody. I'm Ralph. I'm the CISO for the Washington State Department of Natural Resources. Hi, I'm Liz. I'm the CIO for the Department of Natural Resources. And welcome to our talk today about empathy, the critical cyber security skill. Underrated cyber security skill. I want to start with a story. Last Saturday, exactly last Saturday, my family was passing through Portland. We stopped at Rudy's Pizza. Anybody know Rudy's? Literally the best vegan pizza you're going to find. Right. So, uh, we're there celebrating my daughter's 21st birthday and she says, "Oh my god, Dad, my friend is going to college here in Portland. Can my friend

come and join us?" I said, "Yeah, sweetie, it's your birthday. Yeah, bring him on over." That friend arrives right when the waiter arrives, and there's like 10 of us at the table, and I thought, sweet Jesus, this is exactly the time for me to practice my cyber security skills, right? Because that's what you think. This is a cyber security skill moment, right? So I thought, if I were a young college student without a job, I would want to know what's the deal with the pizza. Am I paying or not? Like, what are my options here? Uh, like, I need information. There's an awful lot of uncertainty. I just walked into a room with 10 people, and then and

then their friend. And so I thought again, my cyber security skill, I need to reduce the uncertainty for this other person. So I leaned across the table and I said, "Aaron, I don't have enough money for you to buy your own pizza. If you need your own pizza, you're on a separate ticket, but I'll buy your drink." And Aaron said, "Got it." And I said, "You can have as many slices of our pizza as you want because we're going to get way too many. Uh but like that'll help you with the ordering." The waiter came around. Aaron ordered a Sprite. We all got our food. That bit of cyber security skill, practicing empathy of putting myself in the position of

this other person, cut out a lot of crap. It cut out this person having to get their phone out and check their bank balance to see if they could afford some pizza on, you know, a college student salary, right? Um, it did a lot of that work upfront and that's the kind of stuff that we want to talk about

today. So, we I guess a couple of disclaimers, right? We are not psychologists. Uh this isn't advice. Um these aren't tips and tricks. Is that we are not skilled with microphones. Thank you. I appreciate your optimism. Good empathy. Uh we are not psychologists. This isn't advice. These aren't tips and tricks to hack people into getting your way into getting them to do what you want. We're sharing stuff that's worked for us from a cyber security perspective in something that I think doesn't get enough attention. Um I I would say the other thing about empathy is you don't have to be good at it, right? Um it's a skill. It's a muscle. We can build it.

We're not expecting everybody here. I am not naturally an empathetic person. You can ask my kids. Um yeah. No, I'm I'm kind of a dick sometimes. So, um I think you know if you have a commitment to getting better at it, you can see a lot of um that effort really pay off at work. So, that's really what we're going to talk about a little bit. Yeah. So, uh I want to start with a couple of stories actually. Do you want to tell the GIS story first? Yeah. Do you want to do some some what what is empathy? Oh, thank you. I appreciate the cues. So, uh, yeah, we haven't actually talked about what empathy is. Um, guesses. What

do you think of when I say empathy? What, like word association. What do you define empathy as? Literally asking you right now. Yes. What is it? Consideration. Consideration. I like it. Understanding. That's probably my favorite definition. You in the back really loud. Compassion. Compassion. I like it. Caring. Caring. Okay. Trust. Trust. Yeah. These are all parts of it. Uh so what is sympathy? What's the difference between empathy and sympathy? You've experienced it before. For empathy or sympathy? Empathy. You've you've gone through what they've gone through. Well, empathy, you're you're you're being empathy. You're considering with their stuff without I can see it. Your own base from the same. Your hand was up. Yeah. I like I like this.

set up a game where you would if somebody was was drowning, you would jump in and grab on to them. Whereas empathy would be like, "Hey, I see that you're struggling. Can I help you?

I'm not sure I want you on my incident response team." Yes. I think empathy is putting yourself in someone else's shoes and feeling what they feel. Okay. I I like that's probably my favorite definition of empathy so far. So, how would you define sympathy? Understanding how someone feels or an expression of understanding. Yeah. I think I think I'm probably closest to your understanding. Right. Personally, me, sympathy is um man, I'm so sad for what you're going through. I I feel for you and empathy is I understand how you feel in that moment. I feel the same as you do. That sort of connection. I guess for me empathy is that type of understanding that gets us to a place

where we can solve hard problems together, right? Uh that's the that's the key part of empathy that I like. Okay. Now, are we ready for story time? Story time. Do you want to tell us about GIS? All right. So, when I started three years ago, I was the operations manager. Um and uh I had some of my staff members come to me and say, "Hey, there's this team and they're using these servers and they all the hardware needs to be replaced." and they're not really servers, they're workstations and they're not using them the way they should be. So, can you go deal with this? Welcome to your new job. So, I reached out to the team and I

said, "Hey, you know, I understand that this hardware needs to be replaced. Like, let's talk about like your architecture." You know, I tried to have like this technical conversation. And oh boy, it blew up. It was like, you know, it was bone on bone. Um, there were some emails that said, "Please see my response in all red bold caps below." Oh. Um, it went up the chain, it went down the chain, it went back up the chain. Um, so we had to step back and say, "Oh my gosh, we we need to figure out how we're going to deal with this because the there's still an issue that has to be resolved, but clearly we don't

understand where these people are coming from." Um, I will say that today they come to us and they say, "Hey, we're not in the IT business anymore." And that's great and uh, can you help us figure out what our next thing is? But that was three years of hard work. So, we're going to talk about how we did that hard work. Yeah. And so, we're going to be picking apart that example and we're going to pick apart the example that I'm about to share with you, too. Right. Right when I began at uh Department of Natural Resources. Uh probably within the first couple months, I got a call from CISA. I didn't know we had a CISA rep. And the

rep said, "Hey, we just wanted to let you know uh there's some hackers that have claimed that they have breached your network. They have data and they're starting to share it." And I said, "Oh my god, where?" And they were like, "I don't know. It was just an alert we got." And I was like, "Is this on Twitter? What is their account?" And they're like, "I just I made the call, dude. Like, figure it out." And uh the first thing I did was crap my pants. The second thing I did was looked for our incident response plan. We didn't have one. There was no procedure, no process. We didn't have a plan for this. And the

third thing I did first talk, you'll know that Ralph was our first security hire ever. Um and he predated me by two weeks. So there was no infrastructure. So the steps that I took after that in what could have been a mess, uh I I practiced that empathy. I put some we're going to pick that apart with this example. Uh to handle that incident with uh grace and with as much skill as we could muster. And I I'll I'll jump to the shortcut here. The end of it was uh some script kiddies had found our public FTP site, downloaded some GIS data we had shared with the public, and then posted on Telegram claiming that they

had hacked us. And uh right. Yeah. So let's take a look at the very first element that we think of when we're talking about the the five things that again work for us. This is not advice. We're just sharing what's worked for us at the Department of Natural Resources. Sort of the foundation of our approach to empathy is exactly what you said. Put yourself in the other person's shoes. Right. The pizza example is a really good one. Visualize what this college student might be going through. And um if that's difficult, can you go to the next slide? I want to see what my notes were. If if that's difficult, like really just spend some time visualizing at your desk. Just

think if I were that person, what could be going on for me? So, oh no, I'm sorry. I just had that one slide. Yep, my bad. Um, in the case of that CISA example, I thought, okay, there are people that are going to need and depend on me to do something now that we've got this suspected breach. What does my boss need? What does the CIO need? I'm going to put myself in the CIO's shoes. We don't have a procedure. We don't have a process. The CIO might get a call from her boss saying, "What the hell is going on? I need to give her information. I don't have any information." If I were a

CIO, I would want to know when I might expect to get some information. So, I called her and I said, "We have a suspected breach. CISA reported it and so there's some credibility there. I don't know anything because I'm just getting started and I'll call you again in 20 minutes." She said, "Great." And I thought, "If I was a CIO, that would help me calm down for the next 20 minutes while I watched the clock and did other stuff." Then I thought, what if I was the communications director and a Seattle newspaper called because they monitor Telegram and there's a a claimed hack and they call looking for a comment. If I was the communications director, I

would want to get not get broadsided by this. I would want some sort of a heads up. DNR is aware of this and we're tracking the activity. We've been unable to confirm that this was actually a successful hack, but we're looking into it. So I I contacted him and I said, "Hey, heads up. Uh, first of all, I'm Ralph. You have a cyber security person and there's a claimed hack. Here's some things that might help you if they call. I'll let you know in a couple hours when I know more. So, putting myself in in the position of these people, imagining if I was a, you know, if I was a reporter for this Seattle PI, I would

want to get a comment, right? Like visualizing what that looks like in the other person's shoes is that first step. Do you want to talk about that? So in the GIS uh server example, we had to kind of take a step back and look at what does this team do, right? So this team is in charge of sustainable harvest calculation, which is a legislatively mandated uh product that we have that we get sued over a lot. It's very public. It's in the paper. A lot of people get angry about it. So, this team of of people who have built this technology over the last 20 years that they're very familiar with, when I came in and said, "Hey,

we're going to like change it all up and make it better." They were like, "Whoa, no, no, no, no, no." There was no trust built up. There was a belief that we didn't know what we were talking about. And so, we really had to take a step back. We started to do a series of listening sessions with them. We sat down. We brought their management, their executive, their technical team. We brought the same people from our side and we just listened and we listened for a while. It was not one session, it was not two sessions, it was multiple sessions and then we, you know, thought about what they said and then we had some responses but honestly it was like

lancing a wound, right? They had a lot of things to say. We had to listen to all of that. We had to kind of untoxify that environment and then we were able to start talking about data and best practices and how this looks good to the public if we do these things a certain way and we're willing to work with you and your vendor and we want you to be part of the process. So putting ourselves in their shoes really helped us start to move that conversation forward. Yeah. Could you go to slide number two because that's a perfect segue. Um, and in that scenario, we didn't get into that situation in a hurry. We're not going to

get out of it in a hurry, right? Put in the time to listen to people and find out what's going on. Uh, speaking of listening, that's a skill, right? It's a subskill. Um, some people take it really seriously and are really good at it. When I'm talking about listening, I mean you're making eye contact with people. This is, if you think about listening as a technology, it's an incredibly high bandwidth technology. You have your body posture. Are your arms closed or not? Are you leaning forward? Are you making those verbal uh grunts, right? Yeah. Hell yeah, bro. Like what? Whatever it is that's confirming and validating the other person, the eye contact. Um all of

this is an incredibly high bandwidth communication. And you're not saying anything. And it's really really important to get listening right when you're talking to somebody and you're not formulating a response in your head, right? You're just listening. Yeah. I think a lot of us have a tendency. We're not really listening. we're waiting for a chance to reply and to let people know where they're wrong. And uh listening is a skill and it's worth paying attention to. It's worth doing it with intentionality and doing it right. So hot on the heels of listening would be using short clear phrases and this falls into that listen and listen again, right? Somebody tells us the story of why it's broken or why it's not working

right. Using a short clear phrase to say, "Can you unpack that for me?" or uh "How can I help?" or "Can you tell me more about that?" is really really valuable to continue to get that, to keep that dialogue going, and not saying, "Well sure, but what happened was the IT department was understaffed and that's why we we left you hung out to dry." No excuses, none of that justification, just a short clear phrase to say, "Can you tell me some more? Can you tell me more?" And I'd like to point out none of these are technical questions. We're not asking how do we fix your server, how do we configure it better, how do we make your job easier

here. What we're saying is talk to us. Tell us more about that. Tell us all of the things what how can we improve our service delivery? Like what are the things we can do? We'll get to the technical stuff. That's the end goal, right? Is to fix the technical stuff and we'll get there. But there has to be trust in order for us to implement the things we want to do. So how do we get to that trust? We ask these questions and we listen to the answers. Yeah. Next slide. So, um, let's let's talk about emotions finally, right? Finally, finally get around to it. Naming your emotion is more powerful than you might think. One of the uh

concepts that occurred to me early on is that I was originally mixing up thinking and feeling. I I I feel like you should stop using that software. That's incorrect. Whether or not you use software is not a feeling. I I think you should stop using that software because I feel really anxious that it's still on that server. It's 20 years old. Let's move on. Or or um I I'm I'm frustrated that this thing hasn't been patched. But naming that emotion in a technical conversation has a tremendous amount of power. It's authentic and it gives the opportunity to the other person to connect with you at that level. It's really really important to Ralph. I feel

like we shouldn't have 43 local admins on that server. Or I think maybe it makes me feel anxious that we have 43 local admins on that server. I feel very anxious about that. Yeah. So much. Yeah. So I mean and in to tie that back to the example about CISA, right? Telling my CIO, I I don't know. I have a lot of uncertainty. I have a lot of doubt. I'm anxious about this, but I'm working on it regarding this suspected breach. Uh is another way to be authentic. talking to my direct supervisor, right? Just letting her know where I'm at. Uh yeah. Okay. So, the final one, um don't apologize with an asterisk. Um I think certainly coming from the help

desk side of things, somebody calls, they're locked out of their account, and the first thing that we say is, "I'm sorry. Uh let's get that fixed." I'm not actually sorry that you locked yourself out of your account. That's an inauthentic thing to say. You locked yourself out of the account. A more honest thing to say is, "I'm sad that that happened to you. Let's get this fixed." That may not seem like a big deal, but when I was doing help desk stuff and I was telling somebody I'm sorry, that was actually me trying to control their reaction. And that's not an honest way to have a relationship with that person. So to say, "I'm sad

that you're locked out of your account. Let's get that fixed." starts our relationship off more authentically, more honest, and provides that ability for us to actually work together and help each other. The asterisk is there because when you did mess something up, you should apologize. But apologizing, like listening, is a skill. You need to practice it. You need to spend some time building it. And you shouldn't I've come to believe that I should not apologize unless I'm going to follow that up with a commitment to change my behavior. And I'll give you another example. building uh building manager asked me for a security risk assessment on some HVAC software. He asked me for this in

November. The ticket got updated last month and he said, "Hey, can I get a status update on this?" So, I called him and I said, "When do you need this by?" And he said, "Oh, just sometime this year. I was just checking in on it." My next words were, "I'm sorry, I dropped the ball on this." I didn't explain how busy we were or how understaffed we are or the budget cuts that are coming. I said, "I'm sorry, I dropped the ball on this. We have a new security engineer. She's got an open schedule. I'm going to assign her to your ticket. This won't happen again. Uh I I directly address that problem. So there is a time to

apologize as long as you mean it. As long as it's real. And you do apologize to me a lot. So I'm sorry. So uh key takeaways. Yeah. Uh visualize what someone's going through. Uh listen and then listen some more and then ask follow-up questions. um use short clear phrases about, you know, how can I help? Can you unpack that for me? Can you tell me more? Call emotions by their names. And, you know, don't apologize unless you absolutely are committed to changing your behavior. Yeah. And uh empathy is something that we should be practicing. It's a skill. Even if you're not good at it, that's not a reason to not practice. If we ignore the

human element of our jobs, it's going to bite us. We need to pay attention to it. We need to admit it that it's there. I'm not saying that that should be on a risk assessment, right? That shouldn't be a bullet point. Uh there's a a 25 to 37% chance of a CVE exploit in the next year and there's an 18% chance that John's going to flip out because he doesn't want this server installed down there. You know, I'm not saying it should be a data point on there, but we need to pay attention to the emotional component of it. Uh and then every aspect of cyber security can be improved, and I would argue every aspect of it.

Yeah. How about life? life. Yeah, I agree. Uh thank you so much. Um that's the end of our talk. I think we've got some time for questions and answers. Yeah. Yeah. So to repeat the question, uh whether it's for the recording or whether it's for folks that are here, um the uh it was started with an observation that in cyber security the the recommendation is that cyber security is not the start of your career. That you need to get some other chops under your belt first. And uh this person is saying well instead of it being technical chops what if it's the people side of it that you can't be a starting point of cyber security unless

you have some history with those soft skills. Liz do you want to tackle that? I mean I think that there's value in coming into it through the service desk right like there is a lot of people that have started their career there and that gives you both the technical chops and the people chops because you have to work with those people. And in the state, we have a a job structure that you actually can't the the the security jobs start at a journey level. There is no entry position. So, you have to have a lot of experience before we can even really put you in a uh a security position at the state. So, I think that

there's a lot to be said for that on both sides. I want somebody who has, you know, some system admin or some app dev or something, you know, coming into the field. But I also think that there's a lot of working with our end users and feeling um h learning how to talk to them and how to support them and how to deliver service. That's really important for people who like to sit in the dark with a hoodie. What was the thing you said earlier? Yeah. And and just program. Yeah. I That's tricky though, right? Because um how do you put on a on a job posting? Also, you have to be really squishy with people stuff, right? Um,

how do you measure that? Yeah, go for it. And again, for the recording, the comment was uh as part of an onboarding process, getting folks out into the field to see what the co-workers are actually doing and working side by side with them to develop some of that empathy. Yeah, I would say that that you could also do some things like personally for my team, we do one-on-ones every week and one of the questions I ask my direct reports is, "What relationships have you built today?" I also say, "What's something interesting that you've seen?" Um, you know, how have you helped someone today? because I think of that relationship building as a as a core deliverable from cyber

security. We should be building relationships in addition to patching vulnerabilities, right? Uh any other question? We've got like two more minutes. Um oh, I do want to say before people are escaping, this is the right room to be in. Angela Marapino is doing a talk next about hacking your network and this is that that LinkedIn network, that people network. So, this is a good also a bunch of uh references to the Matthew Lillard film Hackers from 1996. Like I don't know if anybody else is a fan, but I am looking forward to that presentation. So, yes. Uh, go for it. Yeah. So, my I I think I have some informal awareness of non-violent communication, but also, uh, I married

an alcoholic. Uh, this is somebody who's been clean for 12 years. Um, which is awesome, but spending time in 12-step recovery rooms and learning some of those, having really difficult conversations with people who are falling apart and became becoming a safe person for other people to fall apart around, I think, is a really good prerequisite for cyber security. So, I don't know what college offers that, but I found it really helpful. Yeah. Uh, and we are out of time. Um, I'm going to be sticking around here for the next 35 minutes because I want to see Angela's talk. So, you're welcome to come up and chat with me then. Thank you all so much. It was uh great to see you

all. Thank you for letting us be here.