The Cyber Threat No One Talks About — the Absence of a Cybersecurity Culture

In the conversation regarding cyber threats, the perspective is typically on defeating cybercriminals. The threat lens is from the outside, which is very true. Hackers are motivated and persistent in their pursuit of stealing data, deploying ransomware, and causing havoc.

However, a cyber threat that’s just as potent is what’s happening within an organization. A lack of a cybersecurity culture can increase risk exponentially. While the concept of a cybersecurity culture isn’t new, it’s still a challenge for most technical teams. When not present, cyber professionals work in silos, avoid accountability, communicate ineffectively, and erode collaboration.

If these characteristics seem too familiar, it’s time to address, reimagine, or build a culture that values communication, collaboration, curiosity, awareness, and cooperation. Failure to pivot and adopt such a framework could be the reason that you become a cyber statistic.

What’s the Ideal Cybersecurity Culture?

For the purpose of this discussion, I’m referring to cybersecurity culture as the principles and values of the cyber team, not the enterprise. There is a difference. In the latter, cybersecurity culture describes all stakeholders and employees understanding the threat landscape and working toward adopting best practices to avoid things like phishing attacks.

In terms of your team, cybersecurity culture is the environment in which your technical folks work to prevent attacks, analyze risks, deploy new strategies, and keep the organization as secure as possible.

The ideal culture to aim for includes these ingredients:

  • Consistent and clear communication
  • Awareness around someone’s actions and the perspectives of others
  • A foundation of trust and respect
  • Collaborative interactions that support the organization
  • Championing a growth mindset where individuals can adapt and evolve
  • Empathy and understanding others’ feelings and perceptions

You may find this list overwhelming, but these are the tenets of any effective culture. Each of these elements is necessary to drive progress on the individual and team levels. So, what happens when culture is nonexistent? And what’s the impact on risk?

A Lack of Cybersecurity Culture Compounds Risk

As a cyber professional, your entire view of your actions is measured in risk. Even those businesses with robust cyber controls still have exposure to risk. It’s unavoidable in the modern age. Except that the threat isn’t always outside. Cybercriminals are rightly painted as the enemy, but the absence of a cybersecurity culture makes you more vulnerable. Here’s why.

Shared Responsibility and Accountability Failures

Your cyber team must be one that shares responsibility and takes accountability. There is no leeway on this one. It would seem to be a given that your people must work together in every component of security. Unfortunately, this isn’t happening in most organizations.

The reasons are complex, but ultimately, it comes down to the fact that technical folks have deficiencies in people skills. They are defensive and aggressive with communication and singularly focus on what they believe are the proper practices. Instead of forming a team to defeat the hackers, they often in-fight with one another, each trying to take the title of the smartest person in the room. As with any situation like this, internal animosity gives cybercriminals the edge.

Communication Stalls, Heightening Risk Incrementally

When your people are acting as teams of one, communication is toxic and ineffective. It comes out as snide remarks with an air of condescension in every word. How can a team protect your organization when they can’t even communicate?

You likely recognize the attributes of dysfunctional communication within your team. Although, you might not see it for the risk it truly is. Without a set of rules around discussion and conversation as part of your culture, you will experience greater risk in every area of cybersecurity.

Acknowledgment Gaps Grow Seeds of Disengagement

Another key part of a cybersecurity culture is acknowledgment. All too often, the only acknowledgment teams receive is about what went wrong. You can’t avoid mistakes and errors, but as the cyber leader, you need to make room for acknowledgment of progress and what’s going right.

Your cybersecurity culture has to be a safe place for this to occur so that feedback can be more positive and specific. You can still correct behavior and guide people toward best practices. If this never happens, employees will become disengaged and resentful. They’ll see you or the organization as the enemy, not the hackers.

These challenges are inherent in cybersecurity but not without a solution. Transforming technical professionals into excellent communicators and collaborators is the core of building your culture.

How to Build a Sustainable Cybersecurity Culture

No matter how mature or large your cyber department is, you can construct and foster a sustainable culture that decreases risk. As someone who has years of experience building resilient and adaptable technical teams, it is evident to me that culture was a people problem.

As a result, I developed strategies and initiatives to correct it in the Secure Methodology™. It’s a seven-step process that helps cyber leaders develop soft skills in their staff with the outcome of a cohesive team ready to protect an organization. Here’s how it applies to culture development.

Employees Need to Know Their Contributions

The seven-step guide touches on how employees see themselves in terms of the enterprise and its impacts. The problems with this are twofold. First, they often believe themselves to be individual contributors because they subscribe to a lot of black-and-white thinking. They want to remain solely in their lane, which causes silos and fractures in collaboration and communication.

The second part is that they don’t feel valued or appreciated for what they do. As a result, they don’t know that what they do matters, which makes them complacent, elevating risk.

To address this, you need to work on acknowledgment, provide a clear vision of the role cyber teams play in company objectives, and champion constant communication.

A Shift to a Growth Mindset Is Imperative

You can either have a fixed or growth mindset, and cybersecurity culture only flourishes under the latter. When your technical employees are set in how they see cybersecurity and the world, they can’t grow. It’s not about learning new technical skills; they feel comfortable with this. Rather, it’s about changing perspective, which requires hard work.

If you can construct a culture that encourages growth and change, your people may be less afraid to do so. They have the potential to do this. It simply requires commitment.

Communication Is Everything

Communication includes the words we use, how we interact, and our listening ability. A lot of communication is actually nonverbal, and I can’t emphasize enough how crucial it is to understand that.

Typical technical communication is acronyms, jargon, and overcomplicating the simplest explanation. Cyber professionals have been indoctrinated in many ways to communicate in this way. It’s time for you to help them break these bad habits because they’re hurting all parties.

You’ll need to dedicate a lot of soft skill development to communication with exercises and resources. You also must lead by example, ensuring that your message is consistent and instructive. It becomes the bedrock of your cybersecurity culture, enabling your team to work as one.

Communication skills are also always in need of improvement and work. With any change to culture or new risk on the horizon, your team must continue using what they learn. That’s how it becomes culture — through daily use!

Focus and Distractions in a Dynamic Environment

Another component of building a cybersecurity culture is that the environment is so dynamic. As a result, focus can become disrupted, and distractions are plentiful. The best way I know to tackle this is by monotasking.

Monotasking requires concentrated work. It’s not a term that’s celebrated in the business world because it’s the opposite of multitasking. We’re brainwashed to multitask constantly; when we do, our attention strays. In cybersecurity, this becomes a threat.

The demands on cybersecurity never ease and require immediate responses. This paradigm won’t change. However, if your culture encourages monotasking, so that focus on specific tasks is distraction-free, your people will likely be more productive and effective.

Connecting with Others Means Shedding Self-Centered Thinking

A healthy cybersecurity culture focuses on cognitive empathy. It’s the notion of understanding the feelings of others and their perceptions. Empathy is the choice to connect with someone and accept their perspective. When present, it delivers many advantages in how you manage cyber risk because it fuels the belief that change and adaptation are good.

Again, empathy starts with you as a leader. If you demonstrate it regularly, it begins to weave its way into your culture. Making it a priority to educate your people on empathy and how to make it part of their skill set is critical to their remembering who the real enemy is — the hackers.

A Strong Cybersecurity Culture Thwarts Internal Threats

Cultivating a strong cybersecurity culture is something you have control over, which is rare in the field. If you promote one that values communication, collaboration, trust, acknowledgment, and empathy, you have an advantage over external threats. You can learn more about applying the Secure Methodology to culture by reading my book, The Smartest Person in the Room.

The Secure Methodology™ Step Six: Empathy

Empathy in the professional world isn’t a new concept, but its adoption is lagging. Look no further than the Great Resignation as proof that how companies treat people must change. Many people have readjusted their beliefs about work and life in the past few years, so empathy’s importance is greater than ever and has a pivotal role to play in cybersecurity.

Empathy is a key component in winning the cybersecurity war. As such, it’s the sixth step in the Secure Methodology, which is a guide of seven steps that helps cyber leaders transform their employees into high-functioning communicators and collaborators. It builds on the five preceding steps: awareness, mindset, acknowledgment, communication, and monotasking.

Let’s dive into empathy and why it’s a critical aspect of cybersecurity.

Empathy Is Hard to Find These Days

While empathy is critically absent in many technical folks, the rest of the world isn’t demonstrating it much, either. It doesn’t mean that people are naturally unkind; instead, their concept of doing things to support others and the greater good gets canceled by their focus on differences.

It’s easy to ground a worldview in differences and an us-versus-them mentality. If we don’t feel personally impacted by something, we’re glad to look the other way. If “others” are different, then many of us can feel it’s none of our concern.

Except, at the end of the day, we have so much more in common. First, we’re all humans and face many of the same challenges. There’s a microcosm of this happening in your cyber team, especially in their beliefs about others. They typically see nontechnical roles as “others” who could never understand what they do, which creates a wall for communication and collaboration.

Everyone will always have specific roles, but when they become the foundation of how you react to others, it’s not serving anyone. For example, saying, “Oh, he’s a salesperson and can’t understand security risk,” means someone’s already discounting them and looking at them like a caricature.

This initial premise creates an empathy void, which has consequences for cybersecurity.

The Impact of the Absence of Empathy on Cybersecurity

So, how does a lack of empathy affect cybersecurity? It can cause a lot of problems, which can have a devastating impact on risk.

Technical Folks Can Be Intellectual Bullies

Bullying in the workplace is just as common as in the schoolyard. When people cannot see the perspective of others, they tend to act condescending and be defensive in every conversation. They use their intellect to belittle others, which fosters distrust and resentment. Unfortunately, bullying is often part of cybersecurity culture and goes unchecked.

Ego Cripples Empathy

These bullies often only have concerns for themselves. They have a narrow view that doesn’t include the needs of others. It’s especially detrimental when managers have egos that stunt the growth of others. It’s toxic and hampers the capabilities of a team.

Without Empathy, You Can’t Have a Team

The basic principle of a team is a group of people working together to accomplish a goal or solve a problem. Empathy is a prerequisite for this. When it’s missing, you can’t have a team.

On the one hand, we all have some type of belief about our inabilities. You would think this would encourage us all to be more empathetic. The challenge for many technical people is that they want to cover up insecurities and reject empathy for themselves and others. As a result, the foundational trust of being teammates isn’t there.

Empathy Emptiness Is More Than an Internal Problem

A cyber team that doesn’t prioritize empathy also hurts the relationships it has with others, whether they are an internal or external client. Technical people are responsible for security, but not in a vacuum. They must work with others to understand the objectives and concerns of these parties. When they don’t, they create a greater divide and overcomplicate situations, which causes further ostracization.

The stakeholders want to be involved and understand threats and risks. Just because they aren’t technical people doesn’t mean they can’t understand these things. However, if cyber professionals keep them in the dark, it only helps cyber criminals.

The Real Empathy Struggle for Technical People Is a Human Connection Problem

In my career and experiences, I’ve learned that human connection is the root of the empathy struggle for technical folks. Obviously, connection is essential to empathy in any capacity. If we’re all lone wolves and only focus on ourselves, there’s no connection.

Striving to build a human connection is an asset anyone can appreciate. It improves communication, collaboration, and perspective. Those things make people better at their job and happier in life in general.

So, how do you break people out of their one-track minds and cultivate a cybersecurity culture built on empathy?

How to Develop Empathy in Your Cyber Staff

You may think that developing empathy in technical professionals is beyond impossible. You’re already ready to skip to the next step and leave this one out because empathy is too emotional. Fair enough, but I wouldn’t have included it in the Secure Methodology without a plan. It’s an entire chapter in my book, The Smartest Person in the Room, and these are some excerpts that can help you find success.

The Framework Starts With Cognitive Empathy

There is more than one kind of empathy, and the focus here is cognitive empathy, which is the ability to understand someone else’s feelings and perspective. It’s somewhat different from its emotional counterpart, affective empathy, but it still has the same roots.

Additionally, you must frame your approach to differentiate between empathy and sympathy. They are quite different. Empathy describes the choice to connect with someone and accept their perspective. Sympathy doesn’t require the perspective aspect. Rather, it’s merely the ability to feel sorrow for how someone else feels.

People can be sympathetic but not empathetic. It’s a good trait to have, but empathy is what can drive organizational change and success.

Understanding Motivation

Motivation is a recurring theme in the Secure Methodology and applies to empathy. Grasping what motivates an employee is a key to helping them become more empathetic. Their motivation ties to the role they play in cybersecurity and supports a perception of a team working together. If they get this, they’ll want to grow their empathy.

Acknowledging Accomplishments

When you recognize the hard work of your staff, you create positive connections with them. In turn, it becomes a way to foster empathy. In addition to acknowledging achievements, you should also highlight similarities, struggles, and perspectives. This can create further connections between teammates and enrich trust.

Adapting Communication

It starts with you and your communication if you want your people to exemplify cognitive empathy. You have to be an example through how you communicate, which means admitting uncertainty and not always having an answer. They may be more likely to do the same if you can do this. Adapting your communication is critical and includes:

  • Avoid the word “why” because it triggers defensive responses.
  • Try making statements to uncover information, such as “Tell me what your plan is for this.”
  • Include the perspectives of others in how you communicate to demonstrate that the topic impacts many people.
  • Encourage people to explain those impacts on others when working through a cybersecurity challenge.
  • Continue to impress upon your team that listening is just as vital in communication as speaking.

Putting the Target Back on the Actual Enemy

It may seem apparent, but the enemy in the cybersecurity war is the hackers. Yet, the “otherism” I defined earlier pits cyber professionals against colleagues. For those people who are stuck in the mindset of us versus them, they forget who the actual bad guys are. In fact, they’re helping the bad guys by functioning without empathy.

Staff too busy trying to stay in control of every cyber discussion and decision refuse to let the needs and perspectives of others have a place. As a result, cybercriminals win because team cohesion is absent. This is the most dangerous environment to operate in and will likely end in a breach or incident.

In working toward greater empathy, you must be clear about who the adversary is and that it’s nobody in the room. Connection within your team and with clients is critical to being proactive and prepared for cyberattacks. You can outmaneuver the hackers if you consistently focus on this and encourage empathetic capabilities.

Trust in Empathy to Revolutionize Your Cyber Culture

All the work from the previous Secure Methodology steps will put you in a position to develop empathy with your technical people. Having this new approach should also help you make better hiring decisions in the future. The bottom line is that empathy isn’t an innate human quality. We have to learn it, and you’re in a position to help people do this. That’s good for them personally and professionally. Get more tips on empathy and exercises by reading The Smartest Person in the Room.

The Secure Methodology™ and Cybersecurity Leadership

The advent of technology makes it easier for us to communicate with our staff and improve our business processes. However, it can also be a major risk to our organization: Hackers are lurking in every corner, waiting for the right time to steal information from us.

We need to strengthen the skills of our technical staff by utilizing The Secure Methodology. Through The Secure Methodology, we can help our staff improve their communication skills and encourage them to lead with their hearts and intuition, rather than just their logical minds.

Generally speaking, The Secure Methodology is a step-by-step guide designed to help us improve interpersonal skills so we can easily practice honest and effective communication. The Secure Methodology also promotes more in-depth understanding, allowing every person in the organization to be on the same page and work together towards a common goal, such as stopping cybercrime.

Benefits of the Secure Methodology

Cybercrimes are common worldwide, which is why it’s important for organizations to take preventive measures. The common strategies used by organizations today aren’t flawless as the number of cybercrimes continues to increase worldwide.

The Secure Methodology is different from other existing strategies because it leads us to better results that do not require more investment in technologies or cybersecurity frameworks. Here are a few of the benefits:

  • Better security: By practicing the seven steps of The Secure Methodology, we’ll have peace of mind knowing that our organization and all our trade secrets are less vulnerable to cybercrimes. The Secure Methodology provides for a better understanding and mitigation of risks to protect our organization from hackers worldwide.
  • Cost reduction: Losing vital information will cost money from our pocket. How can we continue producing products if our trade secrets were stolen? How can customers trust us if their information is in the hands of hackers? When we practice The Secure Methodology in our organization, we reduce costs associated with cybercrimes. Instead of spending money to minimize the effects of cybercrime on our organization, we can use it for other areas that can help our business improve and grow.
  • Develop total intelligence: One of the biggest benefits of The Secure Methodology is helping leaders in the organization develop and lead with total intelligence. Through The Secure Methodology, we can learn to lead using our people skills, as well as our hearts, logic, and intuition. Being able to use different types of intelligence will make us better leaders and more equipped to combat cybercrimes.

The Secure Methodology isn’t just about helping our technical team prevent cybercrimes; it also teaches us different strategies to help improve ourselves and our organization in the long run.

Why the Secure Methodology Was Written

The Secure Methodology was written as an attempt to improve teamwork and cybersecurity in an organization. Yes, there are countless techniques that are meant to help organizations fight against cybercrimes, but not all of these are effective. In fact, looking at the cybersecurity status quo, we see that cybercrimes continue to affect organizations regardless of the size and nature of their business.

The Secure Methodology reinvents how organizations improve and also protect themselves from cybercrimes. Instead of merely using logic and intelligence in combating cybercrimes, the Secure Methodology aims to beat cyber criminals by developing the holistic skills of the staff and by using logic, emotion, and instinct equally.

Moreover, the Secure Methodology helps leaders get their technical people to strengthen their people skills and encourage them to lead with their hearts and instincts. Once we can accomplish these goals, we can quickly improve communication skills, making it easier for the organization to discuss issues and fix them as soon as possible.

The Secure Methodology allows leaders to know where their people are coming from and what kind of help their staff needs when issues arise. When we know what the world looks like from their perspective, we can provide solutions that address the root cause of the problem.

Overview of The Secure Methodology 7 Steps

1.    Awareness

Awareness has two aspects: self-awareness and the awareness of others. As the name suggests, self-awareness is about understanding our behavior or the behavior we can control. Even as a single human being, we should keep in mind that we impact the world around us, which is why we should be mindful of how we interact within it. For example, how, when, and where we frown or smile can significantly impact someone, and we should be aware of it.

Technical individuals and humans in general struggle with self-awareness because we often fill our lives with stimuli, namely social media and games. This removes the time needed to reflect on our actions. Leaders like us also face the same dilemma: we might show up in a meeting in a negative mood, not thinking how this demeanor can impact our staff and their progress during the day.

Being aware of others is also an important part of the Secure Methodology. When we’re only aware of our own actions, we’re not only being self-centered; we are also not helping solve problems in the organization.

For example, if we see a staff member crying at her desk, it’s best to ask her how she’s feeling instead of making an assumption. Making assumptions and being unaware of others’ emotions will likely make us angry and confrontational, making the situation worse.

2.    Mindset

There are also two types of mindset often exhibited by staff in an organization: growth and fixed. Individuals with a fixed mindset believe things are the way they are, and they’re no longer capable of changing. For example, technical staff with a fixed mindset in an organization may often claim, “I’m not very good with people.”

Conversely, someone with a growth mindset will say, “I understand I have challenges working with people, but I’m confident that I can get better.” With a growth mindset, a person understands what they’re struggling with and is open to learn and make changes.

3.    Acknowledgment

Acknowledgment in The Secure Methodology covers a lot of items. For starters, we should encourage our technical staff to focus on self-acknowledgment. Instead of letting them think that they’re not good enough, we should encourage them to acknowledge that their skills are vital to the organization.

Acknowledgment is also important for leaders like us. When we want our technical team to improve their behavior at work, we should acknowledge everything that they have accomplished in the past and let them see what they can do if they gain more skills. This will prevent them from shutting down and motivate them to change.

4.    Communication

Communication is about how we interact with our staff and the type of language we use. In short, communication isn’t just about the words we use; it’s also about our body language and tone. We also need to keep in mind that the meaning of communication is the response you get.

It’s common for technical staff to miss out on body language or tone and only focus on the words being communicated to them. This is problematic and often leads to issues when communicating within the organization. As leaders, we should help our technical staff understand different communication patterns and body language displayed by the speaker. We also need to train our team to listen better, rather than just waiting for a gap in the conversation to speak.

5.    Monotasking

Technical staff in an organization have to accomplish different tasks regularly, but this doesn’t mean they should do everything in one sitting. Multitasking has been hyped for so long, yet following this concept at work doesn’t guarantee better or more outcomes. In some cases, attempting to take on several tasks at one time will only result in anxiety and many unfinished projects.

As part of The Secure Methodology, we should highlight to our technical staff the importance of working with one task at a time. When technical staff practice monotasking, they can easily produce quality work because their focus is poured into one task only.

Monotasking also helps with communication, because if you are monotasking during a conversation, you are present and listening better.

6.    Empathy

It’s common for technical people to think that they’re the only individuals in the organization with problems, and everyone else has it easy. However, this kind of mindset is self-centered and somewhat narcissistic, which can only lead to bigger problems when left untreated.

When our technical staff is self-absorbed, they’re at greater risk of developing depression. Their lack of connection to other people will also make it very challenging for them to collaborate in problem-solving.

For The Secure Methodology to work in our organization, there should be empathy across all levels. Our technical staff shouldn’t jump to conclusions immediately. Sure, their role in the organization is challenging, but this doesn’t automatically mean that the other staff has easier roles to play.

As leaders, we should teach our technical staff the importance of empathy by helping them understand that other people also have different challenges and that they shouldn’t quickly judge others because they have different situations.

7.    Kaizen

Kaizen is a term that means “change for the better,” which is the ultimate goal of The Secure Methodology. If we want to improve our organization’s cybersecurity, we should establish a new process and examine it continuously. Constant and never-ending improvement (CANI) is an essential ingredient in achieving goals, no matter how big or small.

Key Takeaway for Each Step

  1. Awareness means we should be conscious of other people’s behaviors and why they behave in a certain way, just like how we want other people to be conscious of how we are.
  2. Without the right mindset, it’s challenging for any of our staff to change and grow. As leaders, we should believe that every single person in our organization has the capability to change. It is also our responsibility as leaders to remain committed to change. Change doesn’t happen overnight; we must also have the right mindset to commit to change.
  3. We should acknowledge our technical team every time they make the slightest progress in their behavior at work. This will encourage them to permanently adopt positive behavior and grow more in their field of expertise.
  4. Communication plays a vital role in the relationship of every staff member in an organization, which is why we should ensure everyone regularly practices open and honest communication. Aside from making sure that everyone is provided with various communication channels, we should also teach the importance of tone and body language and how this can help us understand the speaker better.
  5. Most technical staff don’t know how to monotask, and it is up to us as leaders to change that behavior. When our technical staff focuses on one task at a time, they can produce more and better output during the day. Knowing how to monotask is also an excellent way for our technical staff to look after their mental health as they can keep anxiety and stress at bay.
  6. Every individual in the organization deals with some type of challenge. Instead of judging others based on their behavior, we should put ourselves in their shoes and understand where that person is coming from. When everyone in the organization knows how to empathize, the team generates better results.
  7. When our organization tries something new, say improving our cybersecurity, we can’t expect to succeed during the first, second, or even third try. Kaizen is the understanding of this process and the encouragement to continue trying. To get desirable results from our efforts, we need to practice regularly and not just dabble.

Short Activity for Each Step

  1. One activity to broaden the awareness of our technical staff is to let them reflect on what happened to them on the previous day and instruct them to imagine themselves as if that were their last day on earth. When they know they have limited time to live, they would likely treat others the way they want to be treated.
  2. Keeping a journal is a great way to develop a growth mindset within our team. We can encourage our team to journal every day for a month about the things they’re grateful for and the things they’ve learned. After 30 days, we can meet as a group and then discuss how everyone has grown in a month.
  3. One simple way to acknowledge the progress made by the team is to keep a cookie jar filled with notes about their accomplishments at work. When anyone in the team feels discouraged or hopeless, they can easily get notes from the cookie jar to remind them of what they’ve accomplished in the past and what they can do if they continue to strive.
  4. To improve communication within the team, teach them the fun NLP eye pattern trick. The eyes are the closest organs to the brain, and where a person “looks” (whether to the right or left) when they’re trying to access information can determine if they’re lying. Check out this diagram.
  5. Dividing our team’s day into time blocks will allow everyone to work on things that matter the most. We can simply let them list down the tasks they have during the day and arrange them on time blocks so they’ll know what to work on during a specific timeframe within the day.
  6. One activity to teach our technical team empathy is to have them pair up and have each person make assumptions of the other and then have them discuss their similarities. This activity will help our technical team stop making assumptions about others and encourage them to look for similarities. This will eventually help them develop their empathy.
  7. Kaizen focuses on reflection and never-ending growth, so we can have our technical team keep a workday reflection journal to write down their challenge or win during the day for a week. Then, we can schedule one-on-one meetings with them to discuss what they wrote in their journals and discuss how we can improve their weaknesses or challenges.

For anyone who is interested to learn more about the Secure Methodology, you can get the book or enroll under its program.

Check Out The Smartest Person in The Room

Empathy vs. Sympathy

I often wonder how certain things would turn out if our leaders knew how to empathize, and not simply sympathize, with their people.

See, the two words are often used interchangeably. But there’s a big difference between sympathy and empathy, and we must learn how these two can greatly affect our relationships with people both at work and in life.

Empathy is to feel and connect with people, while sympathy drives disconnection. Empathizing is being together with the person in the dark so they are not alone while sympathizing is saying “Too bad!” from afar.

According to research, HR managers believe that having emotional intelligence is the key to a happy and productive workplace. However, having the right emotions also plays an integral part. Should we be empathetic towards people at work, or sympathetic? Keep reading this post for my in-depth look at the differences between empathy and sympathy.


To put it simply, empathy is a choice to connect with someone and take their perspective as my own. It is the ability to share my feelings with other people and understand what they’re going through — because I may have also been in that position before.

Empathizing is also about listening without interruptions. It is accepting that the person is facing challenges. I do not have to respond to what they are telling me, I just need to be with them at that moment. I can do nothing, and that’s more than enough.

According to the Secure Methodology from the book The Smartest Person in the Room, a culture without empathy will not succeed. Humans are simply not born with empathy. It is something that we need to develop and learn over time. Empathy also plays a great role when it comes to technical leadership. If it is non-existent, technical people will not care about their customers and data, nor will they have any concern for their colleagues.

Even leaders attend seminars to learn and to know its value. So what makes empathy important when it comes to leadership? Is it simply being aware of other people’s emotions and understanding how they feel? How can we act and base our decisions on it?

But before I get into this further, let me explain the two kinds of empathy: cognitive and affective.


Cognitive empathy — or logical empathy — is the ability to understand the mental state of a person. It is not a feeling, rather it is a skill. It is putting myself into someone’s place and seeing things based on their perspective. It’s imagining myself in their position, without needing to make judgments, and recognizing their emotions. It is simply understanding what they are going through, without having to feel sorry for them.

When choosing what’s best for everyone, I know I can make the right decisions because I am not influenced or clouded by other people’s emotions.


Unlike cognitive, affective empathy is the ability to share and literally feel the emotions of the other person. If a coworker comes up to me and tells me that she is going through a rough divorce, I would feel sad and anxious with her. This type of empathy, however important, is unproductive and unnecessary when it comes to a work environment.

It’s ineffective for leaders to make decisions when they have absorbed everyone’s emotions, especially the negative ones. Therefore, a great leader who is an asset to a business has high cognitive and low affective empathy.


Empathy in Leadership

Sometimes at work, leaders are so concerned about their positions that they forget to take care of the people they are in charge of. They fail to recognize them as human beings, and instead, they just focus on outputs and results. This ends with employees just merely trying to do their work and get through the day with their heads down, scared of the managers that will pick on their tiniest mistakes.

No one wants to work like that. So what does it take to create a happy and healthy working environment?

Here’s a scenario. An exemplary employee who was never late, and never missed out on work — not even once — suddenly comes to work late every day and is always behind his deadlines. Instead of telling him that he needs to get himself together or he’ll be fired, the manager asked him what’s wrong and if he’s okay. He asked if there’s anything bothering him and if he needs help. The employee said that his mother is sick and he’s the one taking care of her.

So the manager told the employee to take a one-week leave and changed the schedule so that he will be able to have time to take care of his sick mother before coming to work.

That is an example of a leader showing empathy to the people he is charged with.

Leaders must show the employees that they understand and value them. The employees need to know that if they make a mistake, they wouldn’t be fired the next day. They have to know that if the numbers are down in the business, they wouldn’t be laid off so easily. The employees have to feel that the person leading them empathizes with them as a person and would consider them when they are making decisions. That’s why showing empathy in the workplace is very important.


Having sympathy for a person is evaluating and assuming what that person feels, then extending the emotions of sorrow and pity. It does not require feeling what the other person is exactly feeling at that moment, and it does not involve a shared perspective. Therefore, sympathy automatically drives detachment from the person.

Sympathy is expressed, while empathy is shared. Though empathy is a deeper feeling, sympathy is as heartfelt and honest.

A person may be able to feel sympathy, but not empathy. For example, there’s a businessman who filed for bankruptcy — others may sympathize with him and feel sorry, but not all can empathize because not everyone has experienced bankruptcy.

Although having sympathy does not lead to taking action, it is still an integral value that we all need to have.

Sympathy in Leadership

With that in mind, how does sympathy affect leadership? Think back to the previous scenario about the stellar employee who suddenly started coming into work late and missing deadlines. If the manager sympathized with the employee’s troubles, they would have simply expressed their sorrow for the other person instead of making accommodations to make things easier for the employee.

This sympathy may be nice, but it could leave the employee feeling quite a bit uncared for by their managers since no actions were taken to meet their needs.

Empathy or Sympathy?

Now that I have discussed the differences between empathy and sympathy, let me ask again, which is more important?

The answer is empathy — straight and simple.

When we have empathy, we HELP people be their best, instead of getting the best OUT of them. Colleagues support each other to let them perform well and grow. We make decisions that are best for everyone. We avoid quick judgments, and instead, we listen more.

For leaders wanting to know more about empathy, leadership, and the Secure Methodology, check out my book The Smartest Person in the Room. It discusses further how leaders can be more effective in technical leadership through empathy.

A short video by Brené Brown is also great at explaining empathy vs. sympathy.

The Value of Empathetic Leadership in Technical Roles

There’s a misconception that leaders, especially in technical fields, should lead with only their brains. They should be logical and data-driven. Those skill sets are important, but leading from the heart is just as important. Empathetic leadership is about compassion for employees and customers. And it fits nicely in cybersecurity, an area that requires trust, communication, and collaboration for success.

Empathy is good for culture and customer loyalty — it’s also good for your bottom line. Many studies have supported this, including one that found that companies that express empathy outperform their competitors. And there’s more to reinforce this idea:

Thus, it would seem that leading with empathy is a win for all. If only it were that simple. There are many challenges to building an empathetic business and leadership.

What Is Empathetic Leadership?

What exactly is empathetic leadership? Is it listening? Communicating? Caring? It’s all those things, but specifically, it’s having the ability to understand others’ needs. It’s about being aware of those outside yourself. It’s stepping into the shoes of others. Those are hard to master, and empathy isn’t all innate.

Being empathetic aligns with having emotional intelligence. There are some factors of it that are genetic traits. Women also tend to be able to show it more, but it’s still a skill. Yes, empathy is a skill, one that you can hone and develop if you commit to personal and professional growth. You have to be willing, vulnerable, and open-minded. That, of course, isn’t always how people or leaders think. It requires a fundamental change to become really good at empathy. While change is hard and scary, it’s often the best thing that can happen.

How Can You Apply Empathetic Leadership to Cybersecurity?

Cybersecurity is about protection. It would seem a natural parallel with empathy. Yet, most would agree there is a gap here. There’s a lot of focus on technology and tools to fight the cybersecurity war, but there have to be people behind them.

In many cases, cybersecurity failures are human-related, not technology-focused. If that’s the case, then we can’t cure it with more systems and products. Instead, we need to focus on the people. And those people need to have an empathetic leader.

Empathy Is a People Skill

There are stereotypes that technical folks are devoid of people skills. That’s not true; they aren’t robots! Often, they get caught up in logic and forget the emotion. It is possible to improve people skills for technical professionals. I write about how to do this in seven steps in my book, The Smartest Person in the Room.

You can develop people skills the same way you do technical ones. Through practice and learning, it’s possible to become more empathetic. To achieve this on a cultural level within a company or firm, it has to start at the top. If leadership doesn’t demonstrate it, it’s hard to expect others to follow.

Empathy Is Hard for Everyone When We Focus on Differences

We can all collectively say the world right now needs more empathy. Compassion and care often get lost, as societal and cultural pressures tell us to look out for number one and focus on our differences. There’s a lot of “us vs. them” mentality in every aspect of life. It’s not hard to find that every time you scroll through social media or turn on the TV.

Why a Differences Mindset Handicaps Cybersecurity

Focusing only on differences creates divides. Those can then manifest as bad behavior within the team and toward other people in a company or even customers. The usual suspects are bullying, posturing, and egotism. Acting in these ways is often rooted in insecurity, as the people involved always want to be the smartest person in the room. Being trapped in your head and only seeing differences leaves little room for empathy.

Lacking Empathy with Clients Can Be a Disaster

Clients, whether internal or external, expect cybersecurity professionals to protect what matters to them. To really understand this, empathy is imperative. Lack of it leads to not looking at specific needs and, instead, offering up a complicated cybersecurity framework. Complex doesn’t mean effective, and many professionals will miss the point.

If leaders don’t practice empathy and expect it in others, security will be much less effective, leaving clients unsatisfied and untrusting.

Colleagues Should Have Reciprocal Empathy

Empathy among the team is just as essential as having it with clients. Leaders model this (or don’t), as well. If a leader never acts with empathy toward their staff, why would they exhibit it with one another?

When there’s a void of empathy in these situations, communication, honesty, and transparency all suffer. It becomes a dysfunction instead of a collaborative working environment. It’s hard to be successful in this setting, no matter how technically astute you are.

The Tangible Value of Empathetic Leadership in Cybersecurity

I’ve shown you some data, studies, and leadership that illustrate the correlation between success and empathy. But how can it support cybersecurity?

  • It supports human connection: More technology and more budgets won’t cure cybersecurity shortcomings. Having sincere human relationships will, and a leader that exhibits this will have an impact.
  • It helps understand the needs of the client: An empathetic leader will dive into the challenges and pain points of the client and have clarity on these points. That’s the ideal foundation to develop a plan that works.
  • It removes the ego: This is a problem in the field. But if a leader’s behavior is egoless and focuses more on listening to others and making careful decisions, this helps all aspects of the company.
  • It improves communication and collaboration: Imagine a leader that never wants to hear anyone else’s thoughts or ideas. Well, we don’t have to imagine it because many leaders like this exist, and they fail over and over. An empathetic leader wants to hear from the team and practices active listening.
  • It helps ensure the right people are on the team: A leader that possesses empathy will use that in hiring and recruiting decisions. They’ll look for these traits in others, realizing soft skills are just as valuable as hard ones. Those smart hiring choices will lead to longer retention as well.

How You Can Cultivate Empathy in Others

If leadership commits to empathy — and they should for the value it delivers — the next step is fostering it in the entire team. Intelligence, knowledge, and experience will only get you so far in cybersecurity. They aren’t nearly as powerful without the missing piece of empathy.

Empathy is Step 6 in my Secure Methodology, and the following are some insights from that practice that can bridge the empathy gap:

  • Realign to emphasize similarities, not differences: Each of us is unique in our own way, but we have more similarities in the long run. That’s the first step for building the skill of empathy. This realignment can help cybersecurity teams immensely. You’re all in this together, and the “enemy” is cybercriminals, not each other.
  • Understand the motivation of others: Motivation and empathy have synergies. If you know someone’s “why,” then it can serve as a way to get them in touch with compassion.
  • Acknowledge wins: If you want technical employees to express empathy, you have to acknowledge their accomplishments. When you do, they feel appreciated for their work and more connected to you.
  • Adapt communication: Technical people often struggle with admitting they don’t know something. As a leader, you need to remember that when you communicate. I recommend not using “why” statements and instead leading with “what” and “how.”

These are a few highlights that demonstrate basic steps to take. There are also exercises to try and other specifics, which you can find in my book. Cultivating empathy is an ongoing process, so there’s really no finish line.

Is Empathy Part of Your Organization?

Right now, if you had to say, as a leader, if empathy is part of your organization, what would the answer be? Few can probably adamantly say yes, and that’s okay. It’s a complex attribute to introduce, cultivate, and maintain.

However, it is possible and provides so many benefits to companies. No matter where you are in the journey, I want to help. You can start by reading my book, The Smartest Person in the Room.

Cognitive vs Affective Empathy Leadership

Empathy is a skill that everyone will need over the course of their lives in many different settings. From the personal to the professional, how we relate to and understand one another is important to our success as social beings and people within a social hierarchy.

While empathy is a broad term meant to define the ability to understand and share the feelings of another, there are categories of empathy that are necessary to our understanding of the concept in a leadership context.

Cognitive and affective empathy are two of the biggest categories that have effects on our lives and the people we interact with daily. Particularly in a company, empathy is a necessary tool for empathetic leaders to direct and work with their team members and employees. In any technical role, a technical leader must be able to harness empathy and emotional intelligence to take the perspective and understand the feelings of their team to better manage them.

The Two Sides

Cognitive and affective empathy both require understanding the feelings of another person, but while cognitive empathy is the ability to recognize and understand another’s mental state, affective empathy is the ability to share the feelings of others without any direct emotional stimulation to oneself.

We might think of cognitive empathy as the necessary first step to being able to feel what others are feeling while using affective empathy. Cognitive empathy is necessary for improving technical leadership.

Cognitive Empathy

Also known as ‘perspective taking’, cognitive empathy requires putting yourself into someone else’s place to see their perspective. Cognitive empathy is the logical empathy of understanding someone else’s feelings or positions.

It is a skill but not a feeling. One could have strong cognitive empathetic skills without actually feeling the emotions of the other person. Cognitive empathy only requires an understanding, not a reciprocation or sympathy.

Affective Empathy

Affective empathy is a great step in the empathetic process but can be ineffectual for leaders in a workplace. Someone who understands the feelings of others can then go on to literally feel the other person’s emotions. Affective empathy requires being affected by the other person’s emotions, just like you had ‘caught’ them. Catching unproductive emotions could be detrimental to your work and team.

This type of empathy is also important but less so for technical leaders and others in the workplace because it can often hinder your work or productivity. Someone leading a team must understand the team and how they are feeling and make deductions about what they are thinking or how they work, without letting those feelings interfere with their mission.

Affective empathy is not always necessary for a technical leader looking to understand their team because understanding their emotions is what will help them put themselves in their shoes and learn to manage them better.


The traits of cognitively empathetic people and affectively empathetic people are very different and often highlight the differences in thinking and application of empathy. Cognitively empathetic people can often use empathy as a tool to their advantage by using their knowledge and understanding of another person’s emotions to their and the team’s advantage. This is particularly useful for technical leaders hoping to get in the minds of their team members and learn how to maximize their work.

An affectively empathetic person will also feel the emotions of the other person, which can often be unproductive. Someone who is affectively empathetic may be experiencing the negative emotions of the other person, creating problems for themselves.

Cognitive empathy allows a leader to put themselves in someone else’s shoes and work to help the other person. The analytical nature of cognitive empathy is useful for leaders of all types because they are able to aid the work of their team members without being particularly affected by the emotions of others.

The Business Case

Empathy is an effective tool in business because understanding the needs and feelings of stakeholders is a valuable asset in any project or negotiation.

There is a strong business case for empathy in general because empathetic leaders are often more effective and command more respect from their teams.

The distinction between cognitive and affective empathy makes it clear that every type of leader can benefit from strong empathetic skills, but cognitive empathy is the essential ingredient for a strong technical leader in the workplace.

The most effective leader has high cognitive empathy, but low affective empathy. It’s great to understand and have the capacity for affective empathy, but it is important that leaders avoid diving into their affective empathy.

Democratic Leaders

Leaders who include their team members in their decision-making process can use cognitive empathy to understand their opinions and ideas better. Interpreting the votes and ideas of others through their perspectives gives a leader a deeper understanding of where they are coming from and how to better define their positions.

Autocratic Leaders

Even leaders who make all the decisions on their own without consulting team members can harness cognitive empathy to take into consideration their team members’ opinions without asking for them. Autocratic leaders often prefer to make decisions on their own terms, and by combining this style with the ability to understand their team members, their decisions can become more effective.

Servant Leaders

A similar style to military leadership where leaders serve the interests of the people they lead, a servant leader works hard to meet the needs of their team. This particular style of leadership incorporates many of the traits of empathetic leaders but can sometimes consider others’ opinions too much. Strong cognitive empathy can help to balance the idea that everyone on the team is equal with a leader who needs to have the strength to make the final decision, especially when it is a tough call.

Empathy and the Secure Methodology

The sixth step of the Secure Methodology is empathy. By taking into final consideration the positions of others, leaders can improve their leadership style and effectiveness. Empathy is a critical part of the Secure Methodology because it is part of the cement in the final steps of the methodology. Without it, the rest is less stable.

Technical Leaders and Their Empathetic Skills

Technical people often struggle with people skills for a variety of reasons. Particularly in cybersecurity, the technical perspective one must take is quite binary. This, unfortunately, doesn’t fully click when working with people, because people are far from binary. Never wanting to be wrong and poor communication are often barriers to people skills that are essential to leading a team. Technical leaders could often benefit from improving all of them.

Binary Thinking

People are not binary and think in an array of ways. The logical thinking that works so well for solving cybersecurity issues does not work with people, and a different tool is necessary to crack that code: empathy.

Cognitive empathy for technical leaders is so powerful that it could mean the difference between success and failure on a project. Failing to see the perspective of a team member could spell disaster for the project. Improving cognitive empathy is the way to improvement for every leader.

A Need for Certainty

Cybersecurity professionals like to be right, and they love to be absolutely right. Insecurity is a common source of this feeling. It can lead to one-way thinking and posturing, which doesn’t take into account what other team members are thinking or saying.

Cognitive empathy helps with this issue by opening up an understanding of what other people are saying. A technical leader can then realize that what someone else is saying is the right way, no matter how painful it might be to admit they are wrong and vice versa.


Technical jobs, like all jobs, require communication. Conversing healthily and productively is essential to project management and leadership. Cognitive empathy boosts a leader’s ability to communicate effectively with their team and makes their message stronger.

A leader’s message is more likely to be received well if it comes from a place of understanding of the other person’s perspective and feelings. If the leader uses affective empathy, it could also be helpful in deepening their understanding of those feelings, but actually feeling them is not overly helpful for a leader.

Cybersecurity Professionals and Leadership

Cognitive and affective empathy are both a part of being an effective leader. High cognitive empathy and low affective empathy will bring out the most effective leaders in any organization. Technical leaders who demonstrate cognitive empathy well will be able to bring out the best in themselves and their team members.

For any leader looking for more information and help with using empathy in their leadership, my book, The Smartest Person in the Room, has effective strategies for deploying the Secure Methodology in cybersecurity contexts. Your leadership is a work in progress, and it’s time to work on the empathetic tools that will make you the best leader you can be.
