secure methodology

Empathy vs. Sympathy

June 20, 2021 by Christian Espinosa

I often wonder how certain things will turn out if our leaders know how to empathize, and not simply sympathize with their people.

See, oftentimes they are interchangeable. But there’s a big difference between sympathy and empathy, and we must learn how these two can greatly affect our relationships with people both at work and in life.

Empathy is to feel and connect with people, while sympathy drives disconnection. Empathizing is being together with the person in the dark so they are not alone while sympathizing is saying “Too bad!” from afar.

According to research, HR managers believe that having emotional intelligence is the key to a happy and productive workplace. However, having the right emotions also plays an integral part. Should we be empathetic towards people at work, or sympathetic? Keep reading this post for my in-depth look at the differences between empathy and sympathy.

Empathy

To put it simply, empathy is a choice to connect with someone and take their perspective as my own. It is the ability to share my feelings with other people and understand what they’re going through — because I may have also been in that position before.

Empathizing is also about listening without interruptions. It is accepting that the person is facing challenges. I do not have to respond to what they are telling me, I just need to be with them at that moment. I can do nothing, and that’s more than enough.

According to the Secure Methodology from the book The Smartest Person in the Room, a culture without empathy will not succeed. Humans are simply not born with empathy. It is something that we need to develop and learn over time. Empathy also plays a great role when it comes to technical leadership. If it is non-existent, technical people will not care about their customers and data, nor will they have any concern for their colleagues.

Even leaders attend seminars to learn and to know its value. So what makes empathy important when it comes to leadership? Is it simply being aware of other people’s emotions and understanding how they feel? How can we act and base our decisions on it?

But before I get into this further, let me explain the two kinds of empathy: cognitive and affective.

Cognitive

Cognitive empathy — or logical empathy — is the ability to understand the mental state of a person. It is not a feeling, rather it is a skill. It is putting myself into someone’s place and seeing things based on their perspective. It’s imagining myself in their position, without needing to make judgments, and recognizing their emotions. It is simply understanding what they are going through, without having to feel sorry for them.

When choosing what’s best for everyone, I know I can make the right decisions because I am not influenced or clouded by other people’s emotions.

Affective

Unlike cognitive, affective empathy is the ability to share and literally feel the emotions of the other person. If a coworker comes up to me and tells me that she is going through a rough divorce, I would feel sad and anxious with her. This type of empathy, however important, is unproductive and unnecessary when it comes to a work environment.

It’s ineffective for leaders to make decisions when they have absorbed everyone’s emotions, especially the negative ones. Therefore, a great leader who is an asset to a business has high cognitive and low affective empathy.

Read this post to know more about how empathy affects leadership!

Empathy in Leadership

Sometimes at work, leaders are so concerned about their positions that they forget to take care of the people they are in charge of. They fail to recognize them as human beings, and instead, they just focus on outputs and results. This ends with employees just merely trying to do their work and get through the day with their heads down, scared of the managers that will pick on their tiniest mistakes.

No one wants to work like that. So what does it take to create a happy and healthy working environment?

Here’s a scenario. An exemplary employee who was never late, and never missed out on work — not even once — suddenly comes to work late every day and is always behind his deadlines. Instead of telling him that he needs to get himself together or he’ll be fired, the manager asked him what’s wrong and if he’s okay. He asked if there’s anything bothering him and if he needs help. The employee said that his mother is sick and he’s the one taking care of her.

So the manager told the employee to take a one-week leave and changed the schedule so that he will be able to have time to take care of his sick mother before coming to work.

That is an example of a leader showing empathy to the people he is charged with.

Leaders must show the employees that they understand and value them. The employees need to know that if they make a mistake, they wouldn’t be fired the next day. They have to know that if the numbers are down in the business, they wouldn’t be laid off so easily. The employees have to feel that the person leading them empathizes with them as a person and would consider them when they are making decisions. That’s why showing empathy in the workplace is very important.

Sympathy

Having sympathy for a person is evaluating and assuming what that person feels, then extending the emotions of sorrow and pity. It does not require feeling what the other person is exactly feeling at that moment, and it does not involve a shared perspective. Therefore, sympathy automatically drives detachment from the person.

Sympathy is expressed, while empathy is shared. Though empathy is a deeper feeling, sympathy is as heartfelt and honest.

A person may be able to feel sympathy, but not empathy. For example, there’s a businessman who filed for bankruptcy — others may sympathize with him and feel sorry, but not all can empathize because not everyone has experienced bankruptcy.

Although having sympathy does not lead to taking action, it is still an integral value that we all need to have.

Sympathy in Leadership

With that in mind, how does sympathy affect leadership? Think back to the previous scenario about the stellar employee who suddenly started coming into work late and missing deadlines. If the manager sympathized with the employee’s troubles, they would have simply expressed their sorrow for the other person instead of making accommodations to make things easier for the employee.

This sympathy may be nice, but it could leave the employee feeling quite a bit uncared for by their managers since no actions were taken to meet their needs.

Empathy or Sympathy?

Now that I have discussed the differences between empathy and sympathy, let me ask again, which is more important?

The answer is empathy — straight and simple.

When we have empathy, we HELP people be their best, instead of getting the best OUT of them. Colleagues support each other to let them perform well and grow. We make decisions that are best for everyone. We avoid quick judgments, and instead, we listen more.

For leaders wanting to know more about empathy, leadership, and the Secure Methodology, check out my book The Smartest Person in the Room. It discusses further how leaders can be more effective in technical leadership through empathy.

This short video by Brene Brown is great at explaining empathy vs sympathy as well:

Why Do Technical People Struggle with People Skills? And How Can Companies Fix It?

February 19, 2021 by Christian Espinosa

7 Step Secure Methodology - Christian Espinosa — The Secure Methodology Improves People and Life Skills

People skills are a challenge for many individuals. It’s often a combination of personality and experiences. Technical people often get put in a category of lacking them. While this is not universal, it does account for some of the failings of cybersecurity strategies.

Without a robust soft skill set, these professionals get caught in a cycle of bad communication practices, a lack of curiosity, and posturing. It’s time to peel back the onion on why they struggle in this area and how to fix it.

Why Technical People Struggle with People Skills

This analysis comes from years of experience, research, and asking the hard questions. Again, it’s not a condemnation of those in technical fields. Many have a nice balance and are thriving. Through the years, I’ve met and worked with many highly articulate, open, and excellent cybersecurity experts. However, in general, this is the exception, not the rule.

In my book, The Smartest Person in the Room, I lay out the evidence for why this struggle is all too real.

They See the World Exclusively in 1s and 0s

It’s hard to communicate and collaborate with others when your world is solely 1s and 0s or very black and white. The reality is that the world, people, and cybersecurity are gray. That’s hard for some technical minds to grasp.

In a lot of technical disciplines, there is a right answer and a wrong answer. No discussion required. It’s probably more applicable to some areas of math and science. However, cybersecurity isn’t just math and science. It’s an ever-evolving field. New risks and threats emerge all the time.

Further, it requires asking questions and understanding business needs. That can send some technical folks into a free-fall. They don’t have a naturally curious nature in public, so they fall back on what they know and don’t try to find out what they don’t. They fear curiosity in front on others may appear as a lack of knowing or incompetence.

Insecurity Leads to Soft Skill Failure

Many cybersecurity professionals never want to be wrong — another reflection of black/white thinking. The feeling often comes because they are insecure. They cling to certainty, and interacting with other people and having meaningful conversations are too uncertain.

They let insecurity guide what they do, pushing back on the need for two-way dialogue. They’ll figure it out on their own and don’t want to entertain outside ideas. That then leads to posturing.

Poor Communication Sinks Cybersecurity

There is a misconception that technical jobs don’t require communication skills. That’s not true. Every role depends on communication, and when that’s a challenge, it’s a house of cards filled with assumptions. It’s the biggest shortfall for many technical people. It doesn’t mean they aren’t articulate or don’t have a good vocabulary. It means they can’t converse in a healthy and productive manner. Having honest and transparent communication is about listening more than talking. Unfortunately, many people aren’t good at that. These communication issues will bring down any company department.

People fail at communication for many reasons, as discussed above — insecurity, fear, a closed mind, a lack of empathy. This revelation isn’t unknown. A study on business communications found that 89 percent of respondents believe effective communication is important. Yet, 80 percent of those same people said that communication in their company was average or poor.

However, it’s not a dead end. There are ways to develop communication and other soft skills.

Fixing the People Skills Problem for Technical Professionals

Attaining better people skills was a self-journey. The consequences, however, didn’t just benefit me. They helped me create a process that any technical employee can navigate and come out the other side.

There’s no magic fix for evolving people, and they must want to change. So, that’s a barrier for sure. If you’re going to invest in helping your team, you want to know they’re open and have a growth-mindset.

What I’ve developed to counter this problem is the Secure Methodology. The following is a quick review of the framework and how it works. By employing it, people can start to see the gray in the world and be better cybersecurity professionals and experience personal growth as well.

The Secure Methodology

Step One: Awareness

The first step is about being aware of yourself and others. The lack of awareness in a professional setting causes you to miss blind spots. It also causes relationship issues at work because without awareness, communication is poor, and posturing reigns.

The mind has to open itself to new perspectives to achieve awareness. That requires coaching on communication and understanding what motivates a person. There are exercises that can strengthen the awareness “muscle” and open eyes.

Step Two: Mindset

You either have a fixed or growth mindset. Those with poor people skills are trapped in fixed. It’s not permanent. The key to a growth mindset is accountability. It’s no secret that a growth mindset is critical for cybersecurity. So, you must open those minds. The best way to approach it is to encourage reflection, ask the right questions, and urge quick decision-making.

Step Three: Acknowledgment

Acknowledgment in the workplace is a rampant issue. In cybersecurity, without positive acknowledgment, employees fall into disengagement and resentment. Many times, if there is acknowledgment, it’s negative, which feeds into further anger.

The other issue is that a cybersecurity team that receives no acknowledgment can’t concede their overly complex framework isn’t working. They lose the ability to simplify. To end this cycle, you should recognize their positives in the present before you expect them to master acknowledgment. You can improve this by building rapport and trust with exercises from the book.

Step Four: Communication

We’ve talked a lot about communication because it’s applicable in every aspect of nurturing people. We’ve identified the reasons why people are bad at it. Another critical factor is that technical folks like to speak geek as a sign of their higher intelligence. For those outside the industry, it may as well be another language, and technical professionals have to interact with non-technical folks. They build a wall with it instead of a bridge.

Shared language is inclusive and promotes active listening. Getting to this involves reframing and simplification, achievable through specific activities.

Step Five: Monotasking

The world wrongly praises multitasking, believing it epitomizes capability. In fact, humans weren’t born to multitask. It’s a real problem in the cybersecurity field, leading to errors and mistakes. It also creates a lot of anxiety — as if anyone needs more of that.

Retraining to monotask means that you can focus completely on one task. It can be much more productive than trying to do five things at once. Fostering this behavior includes blocking time for specific tasks and blocking out distractions (that means not answering a call, email, or text immediately).

Step Six: Empathy

A cybersecurity culture without empathy will not succeed, at least not long-term. You may wonder why it matters in technical roles. It matters in everything, really. The problem in the workplace is an us vs. them mentality. There’s no room for consideration and compassion in this model.

Empathy is a core people skill, but we’re not born with it. It’s something people develop. When it’s nonexistent, technical people don’t care about their clients or their data. Nor do they have concern for colleagues. If you’ve been able to make it through the first five steps, then you’re on a path to spreading empathy. There are also specific activities to do on the team level to develop it further.

Step Seven: Kaizen

The final step is a Japanese term meaning “continuous improvement.” In terms of the Secure Methodology, it’s a more tangible action of root cause analysis. Root cause analysis helps understand real problems and how to improve them. That applies to cybersecurity and people skills. Mastering it requires constant change and adaption, and you can’t get there without the former six steps.

Do Better People Skills Really Lead to Better Cybersecurity?

You may look at the Secure Methodology and think it sounds great in theory but are skeptical about its real-world implications. That’s fair. Again, there isn’t a guarantee because nothing is. What you should know is that it’s proven. I’ve witnessed it, and I can without hesitation say that better people skills lead to better cybersecurity.

If this is a path you want to send your team on because you realize the deficit of soft skills, your next step is to get the complete picture of the Secure Methodology by reading my book, The Smartest Person in the Room. In it, you’ll find activities specific to the seven steps to build the people skills they’re missing.

Your Cybersecurity Methods Are Failing – Here’s Why

February 2, 2021 by Christian Espinosa

failing cybersecurity methods - christian espinosa As much as every organization wants to believe they are cyber secure, the reality paints a different story. Cybersecurity methods continue to evolve with an emphasis on tactics and technology. This progression of companies and government agencies follows the cybersecurity status quo that it’s a hardware and software issue.

And that’s just a complete disregard for the real problem. If you want to know why your cybersecurity methods are failing, it’s because it’s a people issue. This is a major theme of my book, The Smartest Person in the Room. It’s a reality that most organizations don’t want to face. Not because they don’t accept this notion; it’s because they don’t even have an awareness of it!

The Cybersecurity Landscape Points to Failures

There is plenty of available data and statistics that illustrate failures. They don’t necessarily lead to the why, but they are important for context nonetheless. Cybersecurity risk is growing, and incidents are increasing.

Hackers attack every 39 seconds.
Since the pandemic, the FBI reported that cybercrimes increased by 300%.
There was a 67% increase in security breaches from 2014 to 2019.
A record-breaking 15.1 billion records were exposed in 2019.
There were 188 million ransomware attacks in 2019.

If you’re in the industry, these numbers aren’t new to you. However, that doesn’t mean they shouldn’t be eye-opening. The numbers continue to trend up, and an organization’s go-to for this is money and defenses.

Cybersecurity Method Failures Aren’t About Spend or Defenses

Cybersecurity budgets keep increasing. Financial services, one of the most prone to cyber-attacks, spend 10% of their IT budget on cybersecurity. Tech giants like Microsoft spend even more. The company’s CEO said they would spend more than $1 billion. Government spending is up as well, with the 2019 budget for the U.S. at $15 billion.

It’s not a money problem. Dollars are essential to fighting the cyberwar, for the best technology, talent, and infrastructures. Unfortunately, many organizations believe if they spend enough, they’ll be free from attack. High budgets do allow for more technology and people, but it doesn’t always equal a successful program. Companies often learn, when something goes wrong, that money and processes do make their networks impenetrable.

All you need to do is look at the SolarWinds hack, which led to the infiltration of at least 18,000 government and private networks. It illustrates the weaknesses of supply chain security and certainly didn’t happen because they weren’t spending buckets of money. There’s no definitive answer on what the failures were for this case, but in looking at alternatives, it could turn out to be a people problem.

One possible line to draw was that the former Chairman of the Joint Chiefs of Staff said of probable cyber attackers, “If they know that we have an incredible offensive capacity, it should deter them from conducting attacks on us.”

The position was that if would-be hackers knew the prowess of the U.S.’s cyber arsenal, they’d cower. That didn’t really work out very well and points to a larger problem within the cyber community. This example in no way characterizes these experts as incompetent. Rather, it shines a light on the culture of cybersecurity.

What’s the Real Reason Cybersecurity Measures Aren’t Working?

As I said in the introduction, it’s the people entrusted with the security. It doesn’t necessarily mean they aren’t knowledgeable or don’t have training and experience. The profession is broken. Those who are practicing cybersecurity and the leadership that manages, hires, and recruits them need a reset.

Here’s why you’re failing and what you can do about it.

Cybersecurity Professionals Aren’t Passionate

Most would say that to succeed in a career, passion is necessary. If you look at those who have achieved great things in any profession, it wasn’t their intellect alone. They had the drive and were invested in their work. Most cybersecurity professionals don’t have this. They don’t take it seriously or simply want to punch a clock. They believe it’s a stable career and do the minimum.

On the other side, cybercriminals are passionate. This is their livelihood, and they treat their endeavors like Olympians chasing gold medals. When there’s this kind of imbalance in protectors versus perpetrators, the hackers are going to win.

The Prevalence of Paper Tigers

Paper tigers in cybersecurity are diluting the profession. What it means is they look good on paper — they have a certification or multiple ones as proof that they know what to do.

Unfortunately, they don’t.

They have very little real knowledge or experience. Organizations hire them, and they immediately become a risk, not a value. They don’t know what they don’t know, and that’s scary. Paper tigers also tend to have fragile egos, so they’ll never admit they don’t have the answer or understand the situation. They’ll keep backpedaling and become defensive instead of being communicative and collaborative.

The situation becomes worse as paper tigers hire paper tigers. Then you have a whole team of “professionals” that have no idea how to protect your data and infrastructure.

A Culture of Insecurity

As I just touched on, paper tigers are insecure. So are many in the profession, regardless of their skillset. Technical folks take a lot of self-worth and value in their career, and that would plummet if they suddenly admitted they weren’t the smartest person in the room. They feel they have earned their way because they have the certifications or degrees on the wall.

Insecurity means people are closed off from learning and growing. Their blind spot keeps getting bigger. In turn, they begin making cybersecurity methods more complex and complicated, believing only they know how to apply them. Such a framework doesn’t provide any guarantees that you’re free from risk. In fact, they can make you less secure. It’s like having 10 locks on your door but leaving it wide open. It’s an illusion of security.

Insecurity and Fear Lead to Posturing

Those in charge of cybersecurity also have fear mixed with insecurity. They are fearful that peers or leadership will find out that don’t have all the answers or experience. So, they counter by posturing. The posture they present is that they “know” what’s going on and how to be cyber secure. This defense mechanism results in using big words and overcomplicating the basics. In reality, there are five CIS (Center for Internet Security) Controls that will stop 85 percent of all attacks. Further, cybersecurity professionals who posture don’t even cover the basics:

What do you do?
What are you trying to protect?
What’s important to the business?

Paper tigers and insecure people aren’t going to ask any questions! They’ll just start laying out jargon and puffing their chests. They only want to seem like they have it under control when there’s a fire in the kitchen, and they don’t even know what baking soda is.

The Biggest People Problem? Communication

There’s a consensus among many that technical people have bad communication skills. That’s not universally true, but I would say it’s the biggest people problem in cybersecurity. They are long on jargon or buzzwords and short on substance.

They also often can’t articulate how and why they do things, and they certainly butt heads with business-focused colleagues. Poor communication skills or lack of altogether is why cybersecurity groups fail internally most of the time.

If there’s no openness in communication, there’s no collaboration or teamwork. Cybersecurity has to be a group effort, and everyone must be on the same page. That’s hard when there are communication barriers.

Moving from Failure to Succeeding in Cybersecurity

Fundamentally, if your business has been the victim of cybercrime, it was likely a people problem. If you haven’t had an incident, it’s probably a matter of if, not when. In either situation, you need to make some people changes.

My approach to solving the people problem and bolstering cybersecurity is the Secure Method. This approach focuses on soft skills and helping professionals lead with their head and heart. It’s a step-by-step guide with seven parts:

Awareness of self and others
Mindset moving from fixed to growth
Acknowledgment of self (removing ego) and others when they make positive changes
Communication (words, tone, and body language): learning how to articulate feelings and situations and listening
Monotasking (concentrated work)
Empathy (looking at other’s perspectives with compassion)
Kaizen (change for the better by being better)

I’ve given you a very brief explanation of each step. There is a lot more, including how to make it through each step. The Secure Method is actionable, and any organization can use it to solve the people problem.

You can read all about it by ordering my book, The Smartest Person in the Room. It will give you a unique perspective on cybersecurity and how to harness and develop talent to really be cyber secure.