Technological innovation is moving at the speed of life. We live in a world infused with artificially intelligent sensors that cross biological, physical and digital boundaries. Not surprisingly, cybersecurity and GRC workforces are struggling to keep pace. The people, processes and technologies that make our new world go round require a very different approach toward protection and defense.
The problems we have are primitive, systemic and require transformative thinking and approaches. To design and build the cybersecurity workforces of the future, we must have a clear understanding of our current state, which includes an analysis of our emotional state – a deeper dive into our humanity.
Several organizations have analyzed the current state of our cyber workforce over the past year. Diving into that data uncovers some uncomfortable truths. The most important takeaway is that iteratively improving the existing workforce is not sufficient.
ISACA’s State of Cybersecurity 2022: Global Update on Workforce Efforts, Resources and Cyberoperations Report gives much insight into our collective consciousness. The study asked respondents to identify the top five most important soft skills security professionals need today. The top two skills were communication (57%) and critical thinking (56%). There were also some disconcerting revelations. According to the report, the bottom two soft skills valued in the cybersecurity industry were empathy (13%) and honesty (16%). Plainly stated, we value communication and critical thinking, but we do not think empathy and honesty are important.
The fact that we as cybersecurity professionals think that it is not necessary to be empathetic is frankly the most significant aha moment that any recent survey has invoked. It explains many of the systemic problems we are seeing and experiencing in the industry today.
So, what exactly is empathy? The dictionary defines it as the capacity to understand or feel what another person is experiencing – the ability to figuratively step into another’s shoes to view the situation at hand.
As to why empathy is so important in cybersecurity, we need to view it from a leadership and cultural perspective. To further dive into this, we looked at Businessolver’s 2021 State of Workplace Empathy study. That research unearthed several key findings, all of which pointed to this fact: leaders are struggling to reconcile empathy gaps with employees.
Significant findings of the Businessolver study include:
- 68% of CEOs say they fear they will be less respected if they show empathy in the workplace. This is up an astonishing 31 points from 2020!
- 50% of CEOs believe empathy in their organizations is sufficient, dropping 22 points from 2020.
- 50% of CEOs believe empathy drives employee motivation.
- Only 25% of employees believe empathy in their organizations is sufficient.
Another study, The Ernst & Young 2021 Empathy in Business Survey, tells us there is a danger in underestimating the importance of empathy.
Here are some of their findings:
- 87% of workers feel that mutual empathy between them and their leaders increases their efficiency.
- 87% report it boosts creativity.
- 86% believe it enhances innovation.
- 81% think it increases company revenue.
We are seeing the consequences of this mindset gap.
We all know about ‘The Great Resignation’ happening in the United States. This is now a global phenomenon. According to the ISACA State of Cybersecurity 2022 Study, The Great Resignation continues to significantly impact our global workforce. A full 60% of respondents reported difficulties retaining qualified cybersecurity professionals, up seven percentage points from 2021.
"The Great Resignation continues to significantly impact our global workforce"
Two of the top five reasons cybersecurity professionals leave their jobs are high work stress levels (45%) and a lack of management support (34%). In an industry where the battle for cybersecurity professionals is intense, the Ernst & Young survey is prescient. According to the study, there are many benefits to leading with empathy. Responses like this tell us why:
- 79% agree empathetic leadership decreases employee turnover.
- 90% of US workers believe empathetic leadership leads to higher job satisfaction.
- 88% of US workers feel empathetic leadership generates loyalty among staff toward their bosses.
- 85% of US workers think empathetic leadership boosts worker productivity.
Clearly, ISACA’s report reveals the cybersecurity industry’s apathy towards empathy, while the other studies illuminate the positive outcomes for an organization where leaders are empathetic. So, where is the disconnect for us?
Let’s look at another side of cyber activity to determine the answer.
Cyber villains are diverse by design, and that diversity affords them a constant infusion of different ways of thinking. Attackers understand that compromising the user is the fastest way to access the information or resources they are targeting. And to compromise a user, you need to understand their emotional state.
The ISACA report indicates that the predominant attack types leveraged as part of a compromise were:
- 13% Social engineering. It remains the predominant cyber-attack method.
- 12% Advanced persistent threat (APT).
- 10% Misconfiguration.
- 10% Ransomware.
Note that the top two mechanisms of attack leverage involve a significant understanding of the users’ emotional state. The attackers choose to hone in on our emotional weaknesses and exploit us. They leverage their understanding of how we will react to certain situations. The very emotion that we as an industry deemed unworthy as a critical skill is the single greatest mechanism by which we get exploited. And exploiting away they are!
A 2021 Data Breach Report by Verizon concludes that:
- The #1 pattern in breaches involves a social engineering component.
- 43% of breaches involved phishing and pretexting.
- 85% of breaches involve a human element, with credentials being one of the most sought-after data types.
So, how is it that threat actors across the board can manipulate us through our emotions, yet empathy is considered to be one of our industry’s least important skills?
We know the importance of empathy in the business world. We can see the impact on workforces both when we lack and when we embrace empathy at the leadership level. At the same time, we see how threat actors wield empathy as a way to take advantage of us. We need to stop thinking that empathy is not important!
But how do we improve empathy?
Some people are naturally empathetic – unfortunately, not most of us. It is difficult to put yourself in another person’s position without bias and look at the world unvarnished through their eyes. On the good side, others become empathetic through diverse lived experiences and meaningful exposure to different people. Without a doubt, diversity improves empathy.
The bad news is that we are not diverse as an industry, and less than 12% of industry professionals responding to the ISACA survey are under 34 years old. This is staggering. It means the generation most in tune with empathy is barely represented in our workforce. Combine this with well below half of our workforce being women and people of color, and we are at a distinct disadvantage in effectively nurturing empathy.
The solution? We need more diversity in the cyber industry, plain and simple. The more diverse we become, the more empathetic we will be as an industry.
The writing is on the wall. We just need to put action to our words!