Replacing fear with empathy in cybersecurity communication

Transcription

[01:30] Andra Zaharia: Melanie Ensign really paves the way for people who want to practice empathy and work in cybersecurity, or for people who want to practice empathy no matter what their job or industry is. Her background in communication and her incredible work that she’s done through large-scale companies, through nonprofits by her involvement in the community shows that she has consistently practiced empathy throughout her entire career. As the founder and CEO of Discernible, she now gets to do it in a very focused way for companies who value empathy and who know that this is one of the key things and key factors to work into any viable, meaningful, impactful communication strategy. Melanie is a security privacy and risk communications adviser. And she is also a Co-Session Chair at the Enigma Conference. She is the Press Lead for DEF CON, the biggest hacker conference in the world. And besides this, she does a lot of work around preserving marine life, especially sharks. And what I found fascinating is how she pulls from all of her experiences. She draws on them to be able to offer, the people she serves and the people they serve, an empathetic and positive experience with cybersecurity products, services, and companies.

[03:09] Andra Zaharia: So, we talked about a lot of things in these 20 minutes. And I think that you will be quite energized by the examples that Melanie offered. I think she does a great job at walking the talk, at showing how cultivating values like empathy and shared responsibility and better experiences for users everywhere when it comes to keeping their things safe or going through fixing a problem when things don’t go well and when things aren’t safe. I think that her experience and her examples speak for themselves, and they have a lot to teach us. They open this door for us. And it helps us peer into what it’s like to work as a communication professional in the cybersecurity industry. Plus, it helps open our perspective to other disciplines that we can learn from. So, I’m excited to share this episode with Melanie Ensign. I think you’ll really enjoy to get to know her. And I hope that you follow her work and explore it further so that you may learn from it and improve your own. So, enjoy.

[04:32] Andra Zaharia: Melanie, welcome to the Cyber Empathy podcast. I’ve been waiting for such a long time for a good excuse to talk to you. I’m glad we’re finally doing this. I love your work. I love the way that you contribute to the community. You’re such a big example for me, especially, sharing background and communication. So, yay for this, finally.

[04:55] Melanie Ensign: Thank you so much for having me. I’m really excited to be joining you, and really excited to see what you’re working on with the Cyber Empathy podcast.

[05:03] Andra Zaharia: Thanks so much. You’ve been a champion of empathy in cybersecurity for such a long time in so many shapes and forms through all your experience, your roles, your work with the community, volunteering. Plus, you bring such a diverse and unexpected background. And around that, I wanted to tell people who maybe don’t know this about you or your work that you wanted to be sharp scientists right before going into cybersecurity and before you took this path. So, how did you reshape? Because your mission was to do something empathetic around the environment and protecting sharks. How did you reshape your mission and ended up in cybersecurity?

[05:45] Melanie Ensign: So, believe it or not, there are actually quite a few things that shark conservation and cybersecurity have in common, particularly from a communications perspective. I know one of the things that you’re really passionate about is eliminating the fear, uncertainty, and doubt in the way that we communicate within the cybersecurity industry and community. We have that same challenge in the marine biology field, particularly when we talk about shark science. Oceans without sharks are really unhealthy oceans. And so we need sharks in the ocean to help balance a lot of different, not just the food chain, but other various environmental conditions that need to be sustained in order to have healthy, vibrant life in our oceans, which is critical, not just for the animals and species that live in the water, but also for humans and for animals that live on land – we all need healthy oceans in order to survive. But sadly, in a lot of cultures, and I want to note that it’s not all cultures, there are cultures that don’t have this same stigma with sharks. But in a lot of cultures, there is a stigma and a fear of these animals. And that makes it incredibly difficult to pass protective legislation or enforce regulations on fishing and other contributors to the decline of shark populations, because it’s not something that a lot of people feel warm and fuzzy about. We’re not asking them to pass laws to protect pandas. It’s an animal that, for a lot of people, has a different emotional response for them. And that can make it difficult to get the attention that we need, but also to get them to care about why we need to protect these animals.

[07:43] Melanie Ensign: And it’s very similar to the types of challenges that we have in security where we know, from a communications perspective, that fear is only a short-term motivator. It does not lead to lasting behavior change. And quite frankly, the way that our brain responds to a fearful stimuli, actually, impedes our ability to learn and retain information. So, fear is a really bad thing in security communications because it makes our jobs so much harder. I don’t want somebody to just pay attention for two seconds because they’re scared of something. I want them to feel safe enough to explore the concept, to learn a new habit or new skill, so that they can maintain those practices throughout the course of their lifetime. So, from a communications perspective, a lot of what I learned advocating for sharks has actually applied quite well in a cybersecurity career, because it’s the same concept of how do you talk about a subject that most people are scared of in a way that gets them to understand the risks without triggering that amygdala in our hindbrain that’s going to actually make it really difficult for them to learn and process what you’re trying to teach them.

[09:09] Andra Zaharia: These are all such incredibly valuable insights. I feel like you just gave a micro masterclass in just a few minutes around why this is such a big issue. And I love how you drew this parallel between protecting marine life and trying to get people to act proactively whether it’s to protect the environment or protect themselves online or even protect their health. It feels like the same mechanisms are involved. And this is one of the things that I love about working in cybersecurity and getting to learn from people like you is that you draw on so many different things from so many different disciplines and you pull it together in a way that makes a truly meaningful difference for people, and that gets them to open up and listen. It creates that sort of connection that actually puts us in the state of “I want to learn this. This is something I want to do. This is something I feel comfortable doing. And this is something that I feel competent about.” Which for such a long time, this hasn’t been the case. Technology was only reserved for a certain type of people. And now it impacts everything, and it seeps so deeply into everything that we do. We don’t have an alternative. We not only have to live with it, but we have to be able to make sense of it. This is something that I wanted to ask you about. It’s kind of a personal hypothesis that the more complex the environment we live in is, the more often that our brain uses shortcuts to get us where we need to go, which doesn’t really encourage critical thinking, which doesn’t really make us more empathetic; it kind of reduces our empathy. So, how do you work with clients to get them to be empathetic in these super-complex situations where they have to deal with so many abstract notions, some of which they’re not that familiar or comfortable with themselves?

[11:11] Melanie Ensign: So, from a communications perspective, you actually can’t be an effective communicator if you are not empathetic, or at least have the ability to be empathetic when it’s needed. And from a communications perspective, empathy really means being able to put yourself in the position of somebody else to understand what motivates them, what triggers them, what could persuade them, or potentially what could turn them off from the message that you’re trying to communicate. And so if you can’t put yourself in another person’s position, then really understand how they process information and how they view their environment and the context that we’re talking about. You’re really going to struggle being an effective communicator. And so that’s where I start with my clients is, who is it that you need to communicate with? And how do they look at things? And how do they think about this issue? And how do they feel? And sometimes we’ll even go a step back even more, where they may come and say, “Here’s the problem. We don’t know what the solution is.” But if they can paint a picture of what they want, you know, if they’re trying to get from point A to point B, if they can actually articulate what point B should look like, then what I can do is help them reverse engineer the communication and behavior modification techniques to get to that point. But that also requires empathy to understand who is it that you need to influence? Who is it that needs to learn these particular issues or skills? What are the blockers and who can we partner with to remove them?

[12:55] Melanie Ensign: So, if you can’t actually articulate or envision the outcome that you want for your organization, you’re going to spend a lot of money throwing spaghetti at the wall and hoping that something sticks.

[13:08] Andra Zaharia: That is absolutely true.

[13:10] Melanie Ensign: And so with clients, that’s where we start is what are we trying to accomplish? Who are the people that we need to bring on this journey with us? And how do we get them there with us? And that’s not necessarily about how do we distribute a message. Sometimes we shouldn’t even be the messenger. It depends on, again, putting yourself in the position of somebody else – the people that you need to bring on this journey with you – and really understanding what it is that they need. A true partnership in a really effective communication strategy actually starts with what somebody else needs, not what you need. And then you can understand how can you help provide that for them. That’s how you build a solid partnership. It’s how you build a credible reputation is you become helpful. I can’t promise that bad things will never happen. But I can promise that we’ll never leave you alone, so that you will never have to go through them by yourself. And I think that’s what consumers are really looking for. They’re not expecting an internet or digital world where there’s no crime, everybody’s really nice to each other. We’ve never had that in the physical world either. But what they need is somebody who has their back and somebody that they can rely on.

[14:36] Melanie Ensign: I think a really good example of this is in many markets around the world. Credit card fraud is very, very common. Lots of people experience credit card fraud, their credit card numbers are stolen. And yet when you call the credit card company, they make it so easy now. This wasn’t always true. But now, it’s so easy to just file a dispute and get a refund. And all of a sudden, that makes the experience of using their credit card immensely less scary. Because I know that if something bad happens, somebody is going to fix it for me. And so a truly empathetic security experience is a customer support function. It is helping people feel like they have a friend in the game, that somebody understands what they’re going through, wants to make them whole. And truthfully, it’s also about taking responsibility for the things that we can’t prevent. Credit card companies know that they simply cannot prevent every single instance of fraud. And as a result, they are offering this service of refunds and a better customer experience than they used to provide because they just know they can’t stop all these things. But they’re being responsible on the other end, to say, “If and when this happens, we can help you.” And they’ve increasingly made that experience more seamless and less painful.

[16:12] Melanie Ensign: When we see all these headlines about data breaches and companies are like, “Oh, but it didn’t include credit card data.” I hope it included credit card data because that’s the easiest thing to fix. And the credit card companies deserve credit for what they have done to make that easy for consumers. Not every company has really taken responsibility for the fact that they can’t prevent all of these things from happening. And they’re still putting too much burden on the user or the consumer to say, “Oh, you didn’t turn on to FA,” or “You didn’t use a strong password.” Yeah, and what are you going to do about it? You were entrusted with this data. You are responsible for protecting it. And so we think, you know, a truly empathetic application of cybersecurity is customer support.

[17:04] Andra Zaharia: I couldn’t agree with them more. I was nodding vigorously here. I know no one will be able to see this. But this is so true. And you painted such a clear and simple picture that anyone can understand, that no one needs technical skill or any kind of elaborate background to be able to understand. And I think that this comes down to being able to analyze our own experiences as customers of other companies, and seeing where the friction points are, what doesn’t work. And when it works, and recognizing that, and applauding that, and celebrating that as a good example that other companies can follow because some of these things, just like you said, they’re doable, they are happening. It’s just that, as humans, it’s so much easier for us to see the negative in anything, in anyone. It’s easier just to focus on that and just brush off all the good things that are happening. So, could you share an example when you were on the receiving end of an empathetic experience? Because I bet that you do a lot of that kind of reflection and analysis to draw from it and try to help others build their own kind of empathetic experiences.

[18:18] Melanie Ensign: The best example I have is actually with credit card fraud, which unfortunately has happened to all of us, including myself. I think, unfortunately, it’s just a lot easier to identify the bad experiences. I’ll give you a good example. My sister is currently locked out of her Facebook account, and for the life of us, we cannot restore it, including having reached out to all of my friends on the Facebook security team. Account recovery is a huge problem for lots of companies. And when you have a company that is pushing 20 years old with billions of users around the world that still can’t manage account recovery effectively, that’s a huge problem. And to me, it’s a symptom of a lack of empathy, of not truly caring what the experience is for the people who are going through this. There’s so much friction in going through the process. And Facebook doesn’t even have a live customer support organization that you can call to get help. Consumers are left to their own devices to try to decipher the articles that are in the Help Center and try to follow these steps. But when it’s your account that falls through the cracks and is somehow not considered in the majority of cases that they designed the process for, you feel that. That is a very personal intimate experience for the individual going through it.

[19:46] Melanie Ensign: And so we have, honestly, very common challenge across all of the technology sector where we designed for the majority of people, in most cases. The reality is what we’re then communicating to everybody who doesn’t fall into that majority is that their experience, their situation, their needs are less important. And so particularly, when we’re talking about security, security is about edge cases. We have to care about the people who are in a smaller percentage of the population. We have to care about marginalized groups. We have to care about people who have different circumstances because we can’t claim to protect people. If, number one, we’re only protecting people who look, think, and live like we do; or two, if we’re just going based on the largest percentage of users.

[20:46] Andra Zaharia: That is so true. And I was actually reading Seth Godin’s The Practice the other day, and this exact thought came across, which was, “The more different a person is from you, the more empathy you’re going to need to reach them.” And I felt that was so powerful and so true. And the examples that you shared are so useful to be able to paint a picture in our mind of what this looks like to know how to recognize it so that we may do the same for others, whether we’re in communication or product management, whether we’re building teams or a company, or even a personal project, just thinking about how the other person receives our content, and our ideas, and our education and messages that we’re trying to convey; that makes a world of difference, not using the same old cliches, not reverting to oversimplification that speaks to no one, or generalizations just like you mentioned. I’m a huge advocate for specificity. I think that it is the one thing that I always talk about. I wonder when people will get sick and tired of it. But I do think we need it because that shows you know the person on the other side, and that you care enough to get to know them on that level. So, thank you for mentioning all of these incredibly useful things. If you were to, let’s say, guide people towards some initiatives or things that you believe in, and projects that can help them cultivate this interest in empathy, in technology, and in cybersecurity further; what would you recommend that they take a look at?

[22:20] Melanie Ensign: So, there’s a really growing field of study and practice around usability, usable security. I have some thoughts about the particular vocabulary and choice of words. But that particular area of focus is particularly useful. Because if people can’t understand what you’re saying, if they can’t use the tool that you’ve built, then we’re truly not actually protecting anybody. We’re not protecting people who can’t use the product. And so the reason why I think that that space of usable security is particularly important is because it brings in the lessons from all of these other disciplines and fields. As you noted earlier, I’m a huge fan of bringing in learnings from tangent fields and different areas of discipline. But security, traditional InfoSec and cybersecurity does not have all of the answers to all of the problems that we’re facing. We need to look to other disciplines. So, usable security is one area where there’s a lot of focus on user experience, cognitive understanding, behavior modification, how to teach people things while they’re using the tools. But other areas like public health care, public safety, there’s an entire discipline and profession of safety engineering where these are the folks that work in chemical plants and refineries. And they have had decades of professionalization that we don’t yet have in the cybersecurity space or even the software engineering space. There isn’t that same level of accountability for the things that you’re building and the harms that they could potentially create for people.

[24:06] Melanie Ensign: But these older disciplines, like I said, safety engineering, has really good practices on how do you manage risk, and do it in a way so that you, the expert, are taking the burden on emitting as a standard of quality for the people that you are building for, so that it’s not all on the consumers, not all on the users to know how to think through complex security situations. It really shouldn’t be. I mean, one of my least favorite thing right now is the obsession in our industry with email phishing simulations because a really good security team – one that is empathetic towards their employees – will protect their employees regardless of whether or not they click on things. The internet was built for people to click on things. And it is just really crazy to even set the expectation with employees that they should know what’s safe or not. Yes, education is helpful because we want them to know, we want them to be informed. But the reality is if your security team isn’t building a sandbox to quarantine traffic from malicious email domains, so that you can analyze it before your employees open it. That’s your job is to make it safe for employees to use email. And so the fact that we’re running all these simulations, and then the metric we report is, “Oh, well, 30% of them reported it to us and only two people clicked on stuff.” Well, I don’t know that there really means anything, because you can’t promise that that’s exactly how it’s going to go during a real phishing campaign. And the reality is attacks are going to happen. I want to know what you’re doing as a security team to protect the organization and our employees even when they do the thing that everybody else on the internet does.

[26:06] Andra Zaharia: That is a really great example to round up the conversation. And thank you for emphasizing how important it is to help people build their critical thinking ability, their ability to make better decisions for themselves, no matter what the situation is because the context will always change. The internet will never stop evolving. Our species will never stop evolving. I think that that’s one of the things that we should and can do something to cultivate. Thank you so much, Melanie, for sharing all these insights so generously and in such a focused manner. It was really just an absolute pleasure to talk to you. I would do it for many, many hours more to come but I think that this is a great point for listeners to start exploring your work, and follow you, and learn from your work both in cybersecurity and around protecting sharks and marine biology because I think that there’s always something to learn that we can go from and then take forward in our own way.

[27:07] Melanie Ensign: Awesome. It was a pleasure to be here. Thank you so much.