Kim Z. Dale

Early in my career, a boss reprimanded me for being too calm. My calmness wasn’t exactly the problem. The true problem was my calm reaction to someone else’s lack of calmness and how that was perceived.

One of our key systems was down. I talked to the people who were actively working on it and was assured they understood the issue and how to resolve it. I was confident they would get the system back as quickly as possible. There wasn’t anything more I could personally do to help (or so I thought).

I returned to my office to work on other things when a BIG IMPORTANT MANAGER whose team was HIGHLY IMPACTED by the outage came in raging. Wanting to know WHAT’S GOING ON?! Wanting to know WHEN WILL IT BE FIXED?! Wanting to know WHY WASN’T I DOING ANYTHING ABOUT IT?!

I calmly (too calmly) told him the problem was being taken care of, which he interpreted as me being dismissive of his concerns. (To be fair, I probably was a tad dismissive. After all, people were working on the issue, and I had other things to do!) After a few choice expletives, he stormed off to complain about me to my boss who then summoned me to her office to yell at me about upsetting the manager.

For a while, I misinterpreted the moral of this story. I initially thought the lesson to be learned was to be sure to act sufficiently frenzied when there is a problem in order to show you grasp the seriousness of the situation, but of course, that’s not the real lesson. What I now know I should have done in that moment was let the guy rant. And listen to him rant. Really listen to him. Empathize with his concerns. Make him feel heard. Perhaps I would have realized there was something I could do to help. At a minimum, I would have been far less likely to damage my relationship with a powerful manager and get in trouble with my boss. (I did not remain in that role for long.)

Information security professionals often complain other people don’t listen to us when we tell them all the VERY IMPORTANT THINGS they should DO or NOT DO in order to keep systems secure, but how often do we really listen to those other people? How much do we work to understand needs and priorities outside of information security? Listening and empathy are not only good for relationship building. Listening and empathy are powerful tools for designing and gaining adoption for information security solutions.

When information security folks talk to non-InfoSec folks we tend to prattle on about what we need from them (Don’t click on things! Don’t download things! Don’t reuse passwords! Don’t write down passwords!), not thinking about the fact that the people we are talking to have their own stuff to worry about. But if we take the time to understand those other people’s needs and priorities we can better communicate how our work supports theirs. And if our information security priorities do not align with the priorities of the business and our clients, there is something wrong.

Technology professionals often belittle things like listening and empathy as “soft skills,” but these skills can be hard, very hard, to hone for those who don’t take to them naturally. The effort is worth it though. The most effective information security people I know balance technical expertise and people skills. To be a better information security professional, learn to listen to people outside our profession and care about what they say. You’ll learn a lot.