
5 More Ways I Can Steal Your Data: Hire People Who Lack Empathy

Level 12

In this last post of my 5 More Ways I Can Steal Your Data series, I focus on my belief that all data security comes down to empathy. Yes, that one trait that we in technology stereotypically aren't known for displaying. But I know there are IT professionals out there who have and use it. These are the people I need on my teams to help guide them toward making the right decisions.

Empathy? That's Not a Technical Skill!

If we all recognize that the personal data we steward actually belongs to people who need to have their data treated securely, then we will make decisions that make that data more secure. But what about people who just don't have that feeling? We see attitudes like this:

"I know the data model calls for encryption, but we just don't have the time to implement it now. We'll do it later."

"Encryption means making the columns wider. That will negatively impact performance."

"We have a firewall to protect the data."

"Encryption increases CPU pressure. That will negatively impact performance."

"Security and privacy aren't my jobs. Someone needs to do those parts after the software is done."

"We don't have to meet European laws unless our company is in Europe." [I'm not a lawyer, but I know this isn't true.]

What's missing from all those statements is empathy for the people whose data we are storing. The people who will be forced to deal with the consequences of bad data practices once all the other 10+ Ways I Can Steal Your Data I've been writing about in the eBook and this series. Consequences might just be having to reset their passwords. Bad data practices could lead to identity theft, financial losses, and personal safety issues.

Hiring for Empathy

I rarely see any interview techniques that focus on screening candidates for empathy skills or experiences. Maybe we should be adding such items to our hiring processes. I believe the best way to do this is to ask candidates to talk about:

  • Examples of times they had to choose the right type of security to implement for Personally Identifiable Information (PII)
  • A time they had to trade performance in favor of meeting a requirement
  • The roles they think are responsible for data protection
  • The methods they would use in projects focused on protecting data
  • The times they have personally experienced having their own data exposed

If I were asking these questions of a candidate, I'd be looking not so much for their answers, but the attitude they convey while answering. Did they factor in risks? Trade-offs? How a customer might be impacted?  This is what Jerry Weinberg writes about in Secrets of Consulting when he says, "Words are useful, but always listen to the music."

By the way, this concept applies to consultants as well. Sure, we tend to retain consultants who can just get things done, but they also need to have empathy to help clients make the right decisions. Consultants who lack empathy tend to not care much about your customers, just their own.

Wrapping it Up

I encourage you to read the eBook, go back through the series, then take steps to help ensure data security and empathy. Empathy is about feeling their pain and taking a stand to mitigate that pain as much as you can.

Oh, and as I said in a previous post, keeping your boss out of jail.  Do that.

UPDATE: My eBook, 10 Ways We Can Steal Your Data, is now available.  Go download it.

35 Comments
gfsutherland
Level 14

datachick​ Outstanding point!!!

I've always maintained that it's not the answer but the thought process. As thinking out a solution is more important than giving an answer!

rschroeder
Level 21

When we hire, that "empathy factor" is one that's challenging to test for, and to test consistently across all applicants.  Some people display it, some hide it but still have it, others appear to not be aware of it--they may even have never considered it.

I say "Hire people you will enjoy working with.  Because people can be taught technical skills to fill the need, but trying to change their personality is a frustrating endeavor."  Empathy is a tool they bring as part of their personality.  Get the right person and the worst problems (which seem typically to be people problems) will diminish instead of grow.

I saw this quote:  "Words are useful, but always listen to the music."  And I had multiple reactions:

  • Many times words aren't helpful.  Sometimes they're misleading, often they don't match the feel of the music.
  • Any musician who's listened to Maynard Ferguson's band perform "MacArthur Park", and then listened to Andy Williams sing it, will probably empathize with the wonderful melody and groan in pain at the ridiculous lyrics.  I wish I'd never heard the lyrics.  The melody is excellent; not so the lyrics (IMHO).

Maynard Ferguson - MacArthur Park - YouTube

and

Andy Williams - MacArthur Park - Live 1978 - YouTube

petergwilson
Level 14

I've lost count of the number of times people in IT departments that I have worked in have argued against the use of data security as it negatively impacts them.  I explain to them the consequences of data theft and the stock answer is "That's your problem not mine".  WRONG.  It's everyone's problem.  I guess most would fail an empathy test.  I know I wouldn't have hired most of them.

michael.kent
Level 13

It's very tricky to recruit for empathy, although I'd agree it's a very useful skill.

inkedgeekfreak
Level 9

rschroeder​ I had a similar mantra to "Hire people you will enjoy working with.  Because people can be taught technical skills to fill the need, but trying to change their personality is a frustrating endeavor" when hiring for service desk. Are you pleasant, can you innately troubleshoot? I can teach you the tech, I can't teach you common sense and being polite.

vinay.by
Level 16

Good article

migliore
Level 8

Good read and great points.

Thanks.

datachick
Level 12

The trade off of hiring people you like is that you may end up discriminating against just “different”, depending on how your personal preference system works.  If you just mean “don’t hire jerks”, I’m with ya.

mrobinette
Level 7

I agree with you. How would one gauge empathy in an interview?

rschroeder
Level 21

Yours is an excellent question.  I Googled it and came up with numerous responses, and one that's interesting is here:

https://dschool-old.stanford.edu/wp-content/themes/dschool/method-cards/interview-for-empathy.pdf

datachick
Level 12

This is also why I don't like interviews that are mostly trivia questions: syntax, trace flags, "name the author of", etc.  Sure, put some in if you like trivia.  But that's only a tiny part of a data professional's job (or any professional's).

datachick
Level 12

Interesting take on this.  Words are important, for certain.  But they aren't 100% of the message.

datachick
Level 12

Preach!  I'm so tired of that argument.  Yes, some security requirements seem crazy outlandish.  But if you are keeping your company's data breach from happening, that's a good thing. And even if a breach still happens, in many jurisdictions, following required standards levels is a good legal defense.

datachick
Level 12

Ah...good resource.  And pretty much follows my advice.  That makes me feel clued in. Thanks.

tinmann0715
Level 16

Empathy is part of EQ (Emotional Quotient). When I come across an associate who is lacking empathy I begin to question their EQ. And from there it becomes a slippery slope of management doubt which does not bode well for him/her.

mtgilmore1
Level 13

Nice article.

ecklerwr1
Level 19

Actually for some of us now with RMF - Risk Management Framework being mandated... encryption of data at rest and in motion will no longer be "optional."

byrona
Level 21

I am really glad that you noted EQ!  Studies have found that people with high EQ will generally be more successful than people with high IQ.

datachick
Level 12

And perhaps intelligent people can at least fake enough empathy to get along with others. The worst combination is teammates and consultants who lack both.

They are harmful to others.

datachick
Level 12

Which is a good thing if done correctly.

byrona
Level 21

Over the years we have had some very intelligent people that we have had to ultimately part ways with because they were incapable of working with others.

datachick
Level 12

That’s a difficult thing to balance.

rschroeder
Level 21

That's definitely my experience, too.  It's almost cliche for IT experts to have powerful minds that can intuit process flows and logic, while simultaneously not having equivalent inter-personal skills that would enable them to easily make friends, communicate in non-threatening ways, and be fun people to hang out with.

Happily that cliche is not a rule!  But it DOES show up, with enough frequency among some of the more powerful thinkers I've met, to keep the cliche alive.

Sometimes those smart folks are kept on for their smarts, and everyone else is forced to accommodate their asocial ways.  Other times they're let go for the friction they cause, and an organization can be temporarily hobbled by their absence until a suitable replacement can be hired.

zippy1981
Level 7

Do you feel a person with a strict moral code that values security and privacy over performance and short term business concerns would be a security liability? I'm talking about someone physiologically incapable of empathy (e.g. diagnosed high functioning autism, stroke affecting the limbic system) that is completely incapable of thinking about how others (or even themselves) feel.

rschroeder
Level 21

I'd have to put that person's actions and behavior in context and then determine the benefits and liabilities.

Having a strict moral code could be slippery.  Does that mean they know some action is inappropriate, and feel guilty about it, and do it anyway?  That's probably not what you meant.  They probably will NOT willingly and easily do something that goes against their moral code.

Depending on the specifics of a person's moral code, some employees could be great people to have in charge of security, or to be responsible for any task or asset.  Or, they might be someone you wouldn't trust with the valued assets.

Who would you rather have in charge of the pharmacy inventory, of the bank teller, of your corporate secrets--someone who values security and privacy?  Or someone who believes performance and short-term business concerns are more important than security and privacy?

The knee-jerk reaction is to go with someone who values security and privacy.   But that doesn't take into account many big-picture views that high-level executives may be aware of, and who may not have shared these items with others below them.

Depending on the timing of the choices and the hiring, maybe someone's already making decisions you feel are very appropriate for the security and moral situation--or maybe you feel they are NOT appropriate decisions, based on your impression of a person's or team's priorities and moral code.

It's not hard to imagine a situation where decision-makers determine that short-term business concerns outweigh security and privacy.  Some people might believe any actions that improve the company's bottom line are moral and justifiable.  They might also take the stance that some kinds of security and privacy concerns may prevent the business from growing or from maximizing profits.

That's where valuing security and privacy can be trampled on by people who choose profit over safety or over some individual group's definitions of "good" or what's "moral."

Now I've described what might be an intolerable situation that's based on poor communication between those responsible for security and privacy, and those responsible for business performance.

So what's the right thing to do?  Protect the company and possibly get fired?  Charge ahead and make profits while leaving the company open for lawsuits and hacking?

That's where both sides need their own version of a "Get out of jail free" card.  And that card might come from many different sources:

  • Government oversight
  • Laws created to protect clients and investors or the public
  • Internal rules or national laws put in place to protect management or the "corporate person"

The topic is bigger than any one person or group can define safely for all situations.  Sometimes doing the safe thing, taking the moral path, creates a company that stays in business for generations.  Other times it could result in a company going bankrupt in months.

Sometimes choosing to be risky for additional profit pays off.  Other times it can result in someone's career being ruined, or jail time--or worse!

Look to legal counsel for advice.  Get that "get out of jail free" card from OSHA or the FTC or the FBI.  Get a matching one from the folks in HR who write the contracts and who set the compensation and golden parachutes.   Have both sides come together to talk, to explain their rationale for their choices or wants or decisions.

Maybe there will be a compromise created that both sides can accept.

Maybe there won't, and it'll be "Do as I say or seek employment elsewhere."

Keep accurate records--they're another form of a "get out of jail free" card for you.  Not for use against another party--that's possibly immoral on its own.  Instead they can be your explanation for doing as you saw fit, or for doing what your boss instructed, or for doing as the stockholders voted, etc.

Not everyone can agree.  Many people can't see eye-to-eye on some topics, while at the same time they may share strong agreement on other topics.

It's not bad advice to work someplace you enjoy, doing what you love.  If you can find that kind of employment doing work that doesn't make you feel guilty, that's where I'd like to think everyone would go, and how everyone would act.  Then those who want moral compromises to be made for the sake of profits would end up with morally upright employees--since they couldn't find any who are morally bankrupt.

datachick
Level 12

I'm not really following the question. If you mean, someone who forbids access to data to people who need it because they might disclose it, then that would be "too secure".  My empathy concept is focused on people who only see 1s and 0s, not data that is owned by people - customers, employees, etc. and the IT pro doesn't care if it harms them if it is leaked/breached.  Because they can't see how that harm is bad.

zippy1981
Level 7

Maybe we just have different understandings of what empathy is. Maybe I think I am incapable of empathy because I'm trying to approach it the wrong way. Let me attempt to clarify.

Yes, rigid and un-nuanced morals can lead to disastrous actions. A person could ultimately believe e.g. privacy is not a naturally occurring right, and minimal compliance to data privacy laws to keep their boss out of jail is the correct action. They could honestly believe that a powered off unplugged server locked  in a safe is the ideal, and be driven by their moral code to try to say no to every request possible. Both of those are impractical moral codes, but a person that believes in them would be a "moral person."

Ultimately for me, if I was the hiring manager my question would be "does this person's moral code align with the ethical behavior of a data professional in regards to security." I'm actually not aware if the ACM or DAMA produces actual ethical guidelines, but I would roughly define such ethics as:

  • Privacy is a right to be protected (whether a natural or artificial right is a philosophical matter to be discussed after a 2 drink minimum)
  • PII should only be collected as necessary, and not shared unless needed
  • Reducing everyone's "general access" to PII is desirable.
  • Audit trails of access are important
  • Allowing people easy access to relevant PII, especially when explicitly authorized by the person in question is as important and desirable as securing it from unwanted access
  • Complying with the "spirit" of HIPAA and PCI is as important as the letter

While I agree that your "scenario based interviewing" would let me decide if a candidate met those guidelines, I'm just not sure empathy is the reason all candidates would do that. I know I try to follow those rules and empathy or feeling aren't a large factor to it. There are two people on this earth I can honestly say I would be happy to read the obituary of. I cannot empathize with their life choices. However, because I accept their person-hood I would apply the above guidelines to any of their PII I became steward of. One of them was a client of a former employer, and I indeed had access to their private data. Never crossed my mind to use it.

ccieby30
Level 8

Great Article. Do you feel people can be trained to be empathic?

ecklerwr1
Level 19

I don't... I think you're born with it to a degree.  Also just think about people that are sociopaths... you can't reform or teach them to not be a sociopath... they just are.

byrona
Level 21

So what you are saying is that some people slip through the cracks in the factory and never get a moral compass installed? 

Sorry, I couldn't help myself on this one, it was the first thing that came to mind when I read this.  

ccieby30
Level 8

Very True.

rschroeder
Level 21

"Nature versus Nurture?"  I agree with you--some folks must have an innate tendency to be better or worse than other folks.  And it can be obvious at an early age.  But it can be grown out of, or even trained out of to an extent.

"Nature" is the part that can show itself very early.

"Nurture" can be the result of a negative growth environment, and since there are no qualifications or criteria to pass or provide before becoming a parent, good sprouts can become stunted through being exposed to toxic environments.

And we, as employers or coworkers, have no clue about that situation until we discover the problem in person.

david.botfield
Level 13

Good article

zennifer
Level 13

Wow, you hit the nail on the head. 

I often have to remind management that the cost of one breach could cost us more than all the tools that I ask for in order to be proactive.

It is not EVER a matter of IF, it is ALWAYS a matter of WHEN!

I appreciate this article, and will use points you have made to add as an argument to achieve better governance, which will aid me in the pursuit of security.

Performance is no longer an issue in my environment, so it can no longer be an excuse!   Currently, I make folks accept the risk in writing.  I am pretty smooth with e-mail, I have to cover my posterior when dealing with the folks that think they need all the warm and fuzzy stuff that the internet offers.

"I am not a Starbucks!"   I throw that one out there a lot too!!!

Thanks for sharing the info   datachick

zennifer
Level 13

Tried to correct my typos and punctuation... sorry ...

About the Author
Data Evangelist Sr. Project Manager and Architect at InfoAdvisors. I'm a consultant, frequent speaker, trainer, blogger. I love all things data. I'm a Microsoft MVP. I work with all kinds of databases in the relational and post-relational world. I'm a NASA 2016 Datanaut! I want you to love your data, too.