Why empathy matters in cyber security
Attitudes towards groups and businesses are often skewed by our brains’ tendencies to prioritize negative information over positive. One of the best ways to mitigate this problem is to invest in a strong customer service function, especially for areas like cyber security that don’t traditionally have a customer-facing element.
Security departments can oftentimes have a reputation within their organisation for being difficult or challenging. In grad school, my enterprise IT professors surmised this is due to security’s primary role as a handbrake on operations and production; that the dynamic tension between the two sides can cause people to perceive the security team as an impediment to growth and prosperity. That made sense.
I didn’t find those lines of thought completely satisfying. I countered there might be a simpler explanation in play: negativity bias. As Jesse Richardson summarized it on his website YourBias.Is: “We are primed for survival, and our aversion to pain can distort our judgment for a modern world. In an evolutionary context it makes sense for us to be heavily biased to avoid threats, but because this bias affects our judgments in other ways it means we aren’t giving enough weight to the positives.”
This sounded a lot like the “common sense” advice I’d heard growing up: all things being equal, negative thoughts, emotions, and experiences tend to skew our thinking and memories of events more than positive thoughts, emotions, and experiences. Put another way, the bad times weigh disproportionately heavier in our memory than do the good times.
This makes sense when you look back on your impressions of various company departments and functions. I used to teach this principle to my new Help Desk staff: people never call you or drop by the service desk unless they’re already impacted by a technical problem that they couldn’t solve on their own. They may be at least a little frustrated. Teaching basic empathy and strong customer service skills helped us reduce angry customer complaints, since my Help Desk team understood how to deescalate tensions while getting people’s technical issues sorted.
We made it a point to predominantly hire people with customer service skills over technical skills. During one memorable hiring board, we introduced an unannounced practical exercise into the middle of our scripted questions. I’d ask the candidate if they were “good with people.” When they inevitably said they were, the speakerphone sitting between us would ring thanks to a hidden signal to our voice actor lurking in the next conference room. I’d smile at the candidate, tell them that it was their first day on the job, and ask them to sort out the caller. Then I’d tap the button to accept the call.
Some people assume phone-based customer support is so easy that they don’t need experience to do it well. My Help Desk techs could’ve warned them that it can be an immensely challenging and emotionally draining job. One that’s difficult to do well under the best possible circumstances.
As practical exercises go, the “unannounced service desk call” gambit wasn’t particularly difficult. Our actor pretended to be a member of senior management who could not send or receive email. His character was naturally agitated. Eight of our fourteen candidates simply froze up. They couldn’t talk on the phone at all, let alone hold a conversation. A few were downright rude to the caller. Only one person in the entire series slipped seamlessly into a courteous, comforting phone persona and managed to calm the agitated actor. That last candidate had zero technical experience, which didn’t bother us at all. We hired her. Our incident resolution times might have slowed, but our customer satisfaction rates skyrocketed. People left those interactions in a good mood, which meant their impression of the IT department was more positive than negative.
I submit that the same principle holds true for any customer-facing function where the customer is already distressed before they engage you. For example, no one rings up a plumber’s shop to report their sink or dishwasher is running fine; they only call when something has stopped working. Those callers are already inconvenienced, and the loss of functionality is probably causing additional hassles. Therefore, negativity bias may cause them to feel greater effect from (and be more prone to remember) negative elements of your exchange.
The thing is, traditional industries tend to account for this. Decades of experience have taught the best-of-the-best how to deal well with agitated customers to maintain a happy and loyal customer base. Those businesses that neglect the fundamentals of customer service tend to go out of business even when there’s plenty of work to be had.
What does all this have to do with security? For one, we’re not a very old profession. There have been plumbers for centuries; modern cyber security functions are at best a few decades old. During that time, the duties and responsibilities of security departments have evolved at an astonishing pace. Further, security has only recently broken out from being a subordinate function under IT or Facilities or Human Resources to become an independent function. Finally – and most importantly for our purposes – most security organisations don’t have their own dedicated point-of-entry for customer service.
Since security operations frequently involve highly classified company information, there’s a natural and reasonable urge to lock the security team up in a closed-off command centre, away from the rest of the organisation. That practice serves operational necessity, but fails to maintain good relations with everyone outside of security.
I’ve addressed this challenge with my peers at conferences, classes, and mixers. While IT departments usually have ITIL-style service desks to address users’ first- or second-tier tech support needs directly, security departments often don’t. Many organisations either make customer service a secondary function for engineers and analysts or outsource their customer service function to another department (often IT’s Help Desk) or to an impersonal web-based portal.
This decision can exacerbate the effects of negativity bias. Without a knowledgeable, courteous and empathetic human to vent to about their problems, callers seeking support may leave encounters with their security department feeling unsatisfied, frustrated, and perhaps even angrier than they were before they called. Those negative impressions will colour people’s thinking for years afterwards, overpowering all the legitimate good things that security might have done for them. The bad memories outweigh the good ones. That’s just how our minds function.
If you’re responsible for your organisation’s security function, my advice is to spring for a small entry point for your services that’s staffed with people who have been specially trained to display empathy in addition to technical competence. Let these “senior ambassadors” win your customers over with charm, tact, diplomacy, and good memories. It’ll pay for itself in short order.