Today’s post is by Richard Kim.
Richard is a Senior Security Engineer in the Chicagoland area. He’s worked in IT and security for the last 15 years, and is trying to follow Jay’s and others’ advice about being a more active participant in the InfoSec community. You can find him on LinkedIn at: https://www.linkedin.com/in/richard-kim-7077981a
When Jay threw out the idea of a guest post, I automatically pivoted to the weirdest, nerdiest thing I was messing around with. It involves TensorFlow and using it to watch application logs for patterns. It’s probably one of those things that doesn’t really have a real application, but is just fun for weirdos like me. Then I thought about writing something that could be used in an actual workday. Then I thought about it some more, and I shuddered because the thing that was coming to mind was way outside my comfort zone. I’ve always been more comfortable with a keyboard and a screen than with people and polite conversation. I don’t think that is unique. In our industry, we get to deal with really smart people, but as my boss often says, the higher the IQ the lower the EQ (Emotional Quotient). There was a time when I would have turned up my nose and huffed at the very idea of EQ, but if we are honest with ourselves, we know this limits how far we can go. Worse, it limits how far our ideas will go. How do we develop our EQ, to the point where we can interact with non-technical people and have that be a positive experience for them and for us?
InfoSec practitioners are ultimately problem solvers. It’s what we do on a daily basis. When I am faced with a problem, a breach, a crypto to break, what do I do? I observe, I test solutions, I document, and I repeat. This is no different. If you can just get this problem into that space in your mind, you’ll begin to solve it because you’ll just be letting your brain do what it does best. With your indulgence, I’d like to lay out for you what my process in that has looked like for me, beginning with my failures.
Fake it. You try to fake the whole firm handshake, eye contact, ‘hey how about this weather’ attitude. I was in front of a very high maintenance client at one point. Very non-technical, and really big on physical touching (handshakes, backslapping, but thankfully no hugging.) It was nothing short of torture to fake this. When the time finally came for a technical conversation, I was so exhausted mentally that I couldn’t do it, and I really phoned it in, more or less becoming a robot (more on this later). Faking it fails because it’s not connected to who we are, and it’s exhausting! It’s like a class with no methods or wireframe that was never meant to work. It can fool some people (and maybe a venture capitalist if the stories I’ve heard are true), but this is not who we are.
Be a robot. Answer questions. Ask stock questions, receive stock answers. Respond in an overly technical fashion. If smile, then smile. Inherit reaction. …well you get the idea. After going through my robotic presentation you should have seen the perplexed and confused stares around the room. The few responses I received I met with an overly complex response. At the end there was a simple, “Thanks for your time”, and we were done. Being a robot doesn’t engage people. It places the complete burden of understanding on them. Worse yet, it can lead you to the really bad place of just being a jerk.
Be a jerk. Look down on people. Treat anyone who doesn’t understand what chmod 755 means like a nincompoop. Talk about how foolish people are and how obvious the solutions are. I sometimes worry about the way this attitude is pervasive in our industry. InfoSec professionals are some of the smartest people I know, but that doesn’t give us the right to look down on others or belittle the challenges they face. If we’re honest, we would melt (or be wildly unsuccessful) facing the same challenges. This is the worst kind of defense mechanism. I think most problem solvers want others to understand and agree with the solution. It can infuriate us when they don’t, but that failure is actually our failure to explain. We cannot use that as an excuse to be a jerk.
There were obviously a few other methods along the way, but a few years ago, I settled on three rules. These rules govern all my interactions when dealing with non-technical people (and they work fine for technical people, too).
They are simply: Be quiet. Be curious. Be nice.
Rule 1: Be Quiet. We’re mainly a community of introverts, so being quiet comes pretty naturally. Rule 1 is going to save you a lot because if all else fails, you can pivot back to here. When was the last time you were really quiet, listened, and tried to understand what someone was saying? Sometimes the most challenging thing is to take our eyes off our own problems and viewpoints, and listen to someone else’s.
Rule 2: Be Curious. This is an extension of being quiet. Be curious about people, and their problems/experience/accomplishments. If you explain something and it isn’t quite getting through, ask the questions to figure out why. There were times when I tried to see people in my mind as giant puzzles to be solved, and the only way to solve these puzzles was to ask questions. If you execute this well, it’s likely that you’ll be doing a lot of Rule 1 while they do a lot of talking. The more they talk, and the wider the range of things they talk about, the more they will trust and like you.
Rule 3: Be Nice. Follow your mama’s advice. If you don’t have anything nice to say, see rule 1. Remember that there is a right and wrong way to ask questions. Genuine curiosity is different from condescending curiosity. I know a Regional Director at a large manufacturing firm who described it like this. The Golden Rule is to treat others the way you would want to be treated. The Platinum Rule is to treat others the way they would want to be treated. Rule 3 is all about the Platinum Rule. The good news is that the more data you gather from Rule 2, the more information you have to implement Rule 3.
These rules have been with me for a while. I’ve followed them for such a long time that I had them engraved and keep them on my desk.
I’m still observing, testing, and I hope, improving. I think that’s the challenge for all of us in this space. I definitely don’t implement this perfectly, but I’m constantly getting better. I don’t know if any of us are going to be good enough at this to be the next Henry Kissinger, but you never get to a better place by ignoring your known limitations. Lean into them. It’s ultimately no different than any seemingly insurmountable problem that we face on a daily basis.