A Successful Security Strategy Is All About Relationships. Here’s How to Build Them.
Security efforts are not limited to security teams. High impact strategies need to engage everyone from employees to the board of execs, DevOps teams and IT. Learn how how to become not just an effective partner but a trusted advisor across an organization.
Your Legacy Phishing Solution Isn’t Enough to Protect Your Organization
CISO Josh Yavor explains why legacy phishing solutions aren't effective in preventing successful attacks, and what you can do about it.
9 Things I’ve Learned Writing Phishing Emails
Ethical hacker, Craig Hays, explains why copywriting, timing, and context are all essential "ingredients" in crafting a phishing attack.
Employee Burnout Will Probably Cause Your Next Data Breach
Understanding how stress impacts cybersecurity behaviors could significantly reduce the chances of people’s mistakes compromising company’s security.
Stateful Machine Learning is Our Best (And Only) Bet
Traditional machine learning methods that are used to detect threats at the machine layer aren’t equipped to account for the complexities of human relationships and behaviors across businesses over time. There is no concept of “state” — the additional variable that makes human-layer security problems so complex.
How Easy Is It to Phish?
You don't have to be tech savvy to become a "hacker". This blog outlines how to create a phishing campaign, and was designed to help security leaders protect their organizations.

Explore Human Layer Security.

Learn About Our Mission
Subscribe to our newsletter
Explore Me
Read More
Podcast Security Culture

How to Lead With Empathy: Q&A With Tracy Z. Maleeff

Tracy Maleeff

Illustrations by Emanuel Santos

In a RE: Human Layer Security Podcast episode,Tracy Z. Maleeff (a.k.a. The “InfoSec Sherpa”) explains why it’s so important for security leaders to lead with empathy to get employees on-side and protect their company from threats like phishing and malicious insiders.

At the time of this Q&A, Tracy was an Information Security Analyst at the New York Times. She is now employed by the Krebs Stamos Group.

Listen to the whole episode here, or read on for the summarzied conversation.

Q. What is your advice to people who are trying to start a career in security, especially if their previous career experience isn’t from that area?

A couple of things. The first one is networking, networking, networking. And I mean people and computers.

If you do not have a tech background, I always tell people to pick up the CompTIA Network+ book or whatever equivalent suits you. You need to understand how information is processed—or travels through “the interwebs”—so that you can understand what you’re doing and what you’re talking about. 

So that’s the first thing. But then it’s also networking with people. Get out and talk to people. Ask them what was their greatest failure and how did they recover from it. 

I have found that people often love to talk about themselves, first of all—but also, people take a point of pride in demonstrating their resilience and what they’ve learned from something. So that’s always a fun icebreaker question. 

I’ve never had anyone scoff at that question. People usually light up and are always excited to tell me about a time that they wiped the logs or did something that you’re not supposed to, and how they recovered from it. 

The other thing I would recommend is staying on top of the news—being able to speak, even just briefly, about what’s going on in the world as it relates to cybersecurity.I have a great example of that, and it’s absolutely a true story. The day of my job interview to be a security operations center analyst was the same day as WannaCry. Now, when I woke up that morning, I started to hear some news, and I don’t think at the time we had a name for it yet. We just knew that something was going on—mostly in the UK, mostly with the NHS. We didn’t really know too much.

But I remember thinking to myself: “If I were interviewing me today, I would ask me my thoughts about this topic, and maybe to give some examples of how I would remediate it.”

And that’s exactly what I did. I had about a 45-minute drive to the interview. I listened to a news channel to learn everything that I could about it. And sure enough, the very last question was, “There seems to be something developing today, what do you know about it?” 

And they actually said, “Give us three ways you’d remediate it.” And because I was aware of what was going on and I anticipated questions, I was able to knock that out of the park.



Q. As a former librarian moving into the security world, what did you see for the first time? Have you been able to see things that others haven’t by bringing a fresh perspective to the companies that you’ve worked in?

Oh absolutely. That’s how my “Empathy-as-a-Service to Create a Culture of Security” talk came about. 

I was shocked to see how people in the industry regarded users. That’s the dirty secret in the librarian world—a lot of librarians like to complain about library users, as well. They’re not necessarily open about it… Well, maybe on librarian Twitter they’re open about it…

Share this Article

But I was observing a lot of what felt like openly hostile attitudes that InfoSec people had towards end-users. And that really shocked me. Because empathy—understanding what a user is asking for—is a foundation in library science. 

So that really threw me for a loop when I first started, and it made me think a lot about my library science roots. There’s this seven-step process of helping library users called a “reference interview,” and I created a whole talk around these seven steps.

How can you approach problems differently? How can you listen differently? How can you listen to what the end user is not saying, in order to help them? How do you avoid making assumptions? 

I always give the example of how a user will say, “I saw an email that looked suspicious. I clicked on a link, I went to the site, I closed the browser, and then I called you.” 

So my question is, “OK, well, what transpired between opening the browser, looking at the website, and closing it?” 

And this has actually happened to me—I’ve had people say, “Oh, well, it asked for a username and password, I entered it, and the site didn’t do anything, so i just closed it.” 

Well, they just gave away their username and password and they didn’t mention it the first time. Perhaps because they didn’t think it was important, because the “website” didn’t work—maybe they thought it didn’t go through. Or maybe they were scared to admit that they did that, and they didn’t want to get fired. 

So having that empathy and that keen listening skill, to circle back around: “Let’s hone in on this:  what transpired there?” That’s something that I’ve been really trying hard to emphasize to audiences.

I’m not asking people to feel sorry for end users. I’m just asking you to remember what it’s like to be scared of something that’s different. You didn’t always know how to code, you weren’t born knowing how to code. You messed up at times, and things felt scary. 

So, I think that’s the difference between the people who’ve been in tech or security for a long time and those of us who come into it from a different realm. We have that different perspective and a different way of doing things, and I feel like technical people forget what it’s like to have computers and websites be scary, and I want people to remember that.



Q. Why do you think the security industry kind of has this default hostility towards the “human in the loop?” Why do you think that, as an industry, we generally believe it’s on the person to make the right decision from a security perspective?

That’s a tough question. I’m trying to figure out how to diplomatically answer that… 

I think some of it just stems from security initially being born out of tech, which historically was always “a room in the basement”—just the forgotten scary place… And I think tech and security weren’t woven into the workplace early on so, it always had this “others” kind of feeling. 

I also think the skill set that one needs to be good at tech is that “ones and zeros” kind of attitude. It doesn’t really leave room for humans.

Technology has evolved—but not necessarily all the tech workers have. We hear how much diversity and inclusion is lagging in tech, so I feel like the people haven’t kept up with all the technological changes that computers have seen.

They’re still kind of that old school “sheriff” mentality: “I’m the one who does security here, and you listen to me!” 

People can change once they see examples, so that’s why I do my best to lead by example. 

And I encourage others to, as well, because I think that some folks don’t even know what it means to be empathetic, and maybe need some examples.