In this last post of my 5 More Ways I Can Steal Your Data series, I focus on my belief that all data security comes down to empathy. Yes, that one trait that we in technology stereotypically aren't known for displaying. But I know there are IT professionals out there who have and use it. These are the people I need on my teams to help guide them toward making the right decisions.
Empathy? That's Not a Technical Skill!
If we all recognize that the personal data we steward actually belongs to people who need to have their data treated securely, then we will make decisions that make that data more secure. But what about people who just don't have that feeling? We see attitudes like this:
"I know the data model calls for encryption, but we just don't have the time to implement it now. We'll do it later."
"Encryption means making the columns wider. That will negatively impact performance."
"We have a firewall to protect the data."
"Encryption increases CPU pressure. That will negatively impact performance."
"Security and privacy aren't my jobs. Someone needs to do those parts after the software is done."
"We don't have to meet European laws unless our company is in Europe." [I'm not a lawyer, but I know this isn't true.]
What's lacking in all those statements is empathy for the people whose data we are storing. The people who will be forced to deal with the consequences of bad data practices once all the other 10+ Ways I Can Steal Your Data I've been writing about in the eBook and this series. Consequences might just be having to reset their passwords. Bad data practices could lead to identity theft, financial losses, and personal safety issues.
Hiring for Empathy
I rarely see any interview techniques that focus on screening candidates for empathy skills or experiences. Maybe we should be adding such items to our hiring processes. I believe the best way to do this is to ask candidates to talk about:
- Examples of times they had to choose the right type of security to implement for Personally Identifiable Information (PII)
- A time they had to trade performance in favor of meeting a requirement
- The roles they think are responsible for data protection
- The methods they would use in projects focused on protecting data
- The times they have personally experienced having their own data exposed
If I were asking these questions of a candidate, I'd be looking not so much for their answers as for the attitude they convey while answering. Did they factor in risks? Trade-offs? How a customer might be impacted? This is what Jerry Weinberg writes about in Secrets of Consulting when he says, "Words are useful, but always listen to the music."
By the way, this concept applies to consultants as well. Sure, we tend to retain consultants who can just get things done, but they also need to have empathy to help clients make the right decisions. Consultants who lack empathy tend to not care much about your customers, just their own.
Wrapping it Up
I encourage you to read the eBook, go back through the series, then take steps to help ensure data security and empathy. Empathy is about feeling the pain of the people whose data you steward and taking a stand to mitigate that pain as much as you can.
Oh, and as I said in a previous post, keeping your boss out of jail. Do that.
UPDATE: My eBook, 10 Ways We Can Steal Your Data, is now available. Go download it.