I wrote a personal blog post recently about how I was patient and non-judgmental when dealing with an end user who reported that he clicked on a malicious link. I was grateful that my blog post was well-received within the information security community, but it probably shouldn’t have. It should have been the rule, not the exception.
The response was strange to me, you see, because I am new to the Information Security industry. I come from the user-centric world of librarianship. In my Library & Information Science graduate school program, themes of approachability and user experience were key. Comically, one of the downsides is that one would develop what is known as “librarian face” and be asked random questions by strangers – even outside the library – just because you “look like you know stuff.”
But, why aren’t themes of approachability and user experience central to Information Security? Many headlines scream: “end-users are your weakest security link”, or “people clicking on things will be the downfall of your organization and maybe humanity!” With all this focus on how the end-users are allegedly mucking things up, why aren’t things getting better?
Sure, you may think you have security training and awareness within your organization – but is it effective? Are users meant to feel shamed or derided? Do you mutter and swear at the mere mention of someone falling for a phishing email? Don’t you think that bad attitude carries through in your voice if you speak to an end-user on the phone, or in the tone of your writing in an email?
Industry veterans may be quick to disregard my words because I haven’t been in infosec very long. True. However, all my professional experience leading up to this point has been end-user or customer service focused. I know what it’s like to be enraged and frustrated with end-users, and it didn’t do me any good having that negative point of view. There is a reason why the saying, “you catch more flies with honey than vinegar” rings true.
This is where my idea for Empathy as a Service comes in. Empathy is not sympathy. You don’t feel sorry or pity for the end-users; you imagine being in their shoes. If you were confused or unsure about something and asked the resident expert for help then was made to feel less than human, you wouldn’t go to them for help again and would keep on with your bad habits.
If your end-users are brave enough to admit they clicked on a link and are seeking out help, you can be brave enough to offer them some empathy while troubleshooting the problem.
If this all sounds a little too new age, drum circle, hold-hands-and-sing-Kumbaya for you, I understand. The so-called “soft skills” are important, but not everyone’s cup of tea. But, you know this dramatic labor shortage in information security that we keep hearing about? Hire people who have backgrounds in customer service, training, library & information science. The people whose professional careers have end-user interaction as a cornerstone. You can teach the tech easier than you can teach interpersonal skills.
I recently discovered a quote from the late Theodore C. Sorensen, a speechwriter and counselor to President John F. Kennedy. The context of the quote is that he was referring to American foreign policy. However, when looked at through my eyes, I saw this as speaking volumes about how we Information Security professionals should be interacting with end-users in the present day: "We shall listen, not lecture; learn, not threaten. We will enhance our safety by earning the respect of others and showing respect for them."
Empathy as a Service is a good investment in our information security future.