Before coming across Andra Zaharia, I’d never really heard the words “cybersecurity” and “empathy” used together. But the communications specialist has convinced me that the two topics should be spoken about in the same breath. 

“One of the first things I saw [in the cybersecurity community] was that the people are extremely empathetic,” Andra explains. “They’re focused on helping others find meaning and do something purposeful with their work, skills and talent.”

Yet according to Andra, when we think about cybersecurity, empathy doesn’t come to mind at all. She believes we don’t talk enough about empathy in a practical and relatable way. We instinctively know what it is, but we don’t know how to break it down. 

So how do we do that? Here are Andra’s thoughts about empathy in cybersecurity and the ways we can champion it. 

Empathy is a trending topic for a reason

There was an article on Forbes a few months ago, Andra points out, that said “the most valuable skill for leadership is empathy”. 

“Of course it is!” she says. “Empathy involves thinking about the other person you’re serving and figuring out their needs, not trying to force them into your view of the world. Even if people know that they should prioritise empathy, they don’t do it, maybe because they don’t know how and sometimes because they don’t potentially see the real value.”

Things are changing for the better 

Mental health is now emphasised more in cybersecurity, says Andra. In the last 7 years, she has started to see recruiters set up mindful expectations of the people that they want to hire. She’s witnessed them make sure technology and processes are aligned with what real people need beyond the screen in their regular lives. 

Empathy bridges the gap between cybersecurity experts and everyone else

In cybersecurity, there’s an echo chamber where people talk about the recurring issues among themselves, Andra points out. But people outside of this sphere don’t really care about them. 

“They don’t know why it’s important, and they can’t make the connection between what’s happening there and in their lives in context. Empathy helps bridge that gap,” says Andra.  

Empathy is a way to elevate our critical thinking

Andra explains that empathy creates a space where we can pause and ponder the real human aspects of what we’re doing with technology.

“When everything pushes us to move away from harm or seek instant gratification, having that space where we can just sit with things and make a better decision is something that’s very rare, and empathy offers that,” Andra says.

Experts need to make cybersecurity easier to understand

Beyond all the layers of technology and the fancy terms, there are people who are doing complex, meaningful and difficult work in cybersecurity, according to Andra. 

“And not just to build the tech that we need to stay safe and the processes that go with it – because you can’t have one without the other – but also by figuring out ways to educate themselves and others, to help us navigate the complexity we live in,” she explains.

It’s not going to get any less technical or easier, Andra points out. “We just have to get better at having the fundamental knowledge and basic skills [of cybersecurity], so we can move around the world without going insane! And hopefully while enjoying what we do and staying safe.”

Empathy helps people find meaning in cybersecurity

Andra wants to make sure more people in the industry are in it for the right reasons. 

“Do you want to chase hypergrowth and unicorn status or do you want to build something that’s meaningful, helpful and sustainable?” Andra asks. 

“I’m very lucky to be able to work with founders and technically minded people who want to build sustainable businesses and do it in a very personal, committed way.

“And that gives me hope that this model is going to spread and that we’re able to build better technology that works better for people and that’s not as difficult to use, intimidating and unfamiliar.” 

Cybersecurity experts need to educate leadership 

“Working in the capitalists’ paradigm has led us to chase hypergrowth and numbers,” says Andra. “And this takes humanity out of the equation. Cultivating empathy is a key value in how we educate business people, and how we get founders and decision-makers to look at people beyond the screen, to see and empathise with the person at the end of their products and services.”

This is where cybersecurity specialists who lead with empathy have a big role, says Andra, because these people have immense technical skills and experience. They can use those abilities when they talk to business leaders, to show them the consequences of their decisions before they make them.

Data never paints a full picture 

CEOs or CFOs and so on need to understand the implications of cybersecurity on their customers. And empathetic professionals in the industry should use real-world examples, rather than statistics, to help them gauge this.

For example, if a fintech company goes down because of a cybersecurity breach and its services become unavailable, people might not get paid. They might lose something that’s important to them, – ike the opportunity to buy a house.

“Then the stakes become personal,” says Andra. “We need to get leaders to have skin in the game; to see how something would affect them personally, and to bring those consequences closer to them, so they can metabolise them on an emotional level and not just make entirely data-driven decisions that are sometimes devoid of empathy.”

Cybersecurity professionals can play a big role in this by talking about these things over and over again and showing what it looks like when you have a positive experience with cybersecurity. Many people are already doing this, Andra says, but it’s a matter of expanding this awareness, seeing the gap that empathy can and must fill, and watching those ripple effects build up over time. 

Training employees properly in cybersecurity is key 

Companies are, of course, keen to have their employees identify the risks and threats of technology effectively. Ideally, everyone working in a business would be able to recognise a phishing email, for example, says Andra.

But, first of all, you need to get employees to care about cybersecurity. 

“So one of the first things is to get people truly involved in cybersecurity – not just have them tick something off a checklist or do the quarterly or yearly training,” Andra explains. “We need to help them see what’s in it for them, how it helps them help themselves, their families and their loved ones.” 

When people learn cybersecurity concepts – how to identify threats, how to tell a real email from a fake one – these train them for other situations like identifying personal fraud. 

“And they should also train you to react to these situations – to know what to do when they happen,” says Andra. “Because the truth is, even the best-trained people might fall for a scam or a cyber attack.”

Companies should have an enthusiastic cybersecurity representative 

The conversation around cybersecurity should be more human, according to Andra. She believes that companies should appoint cybersecurity reps who truly enjoy talking about the topic and have that person explain it to their colleagues in plain English. 

“Not only will they be able to convey the passion that they have for it, but it’s also going to make cybersecurity relatable,” says Andra. “Employees need someone trustworthy to talk to about their questions. Maybe they feel inadequate or don’t want to look stupid in front of their colleagues. They might be reluctant to ask questions like ‘what is phishing?'”

Companies need to have employees’ backs when it comes to cybersecurity crime

It’s essential for companies to explain any repercussions on the employee when they fall for a cybersecurity crime, says Andra. 

For example, what happens if they click on a phishing link and expose the company to a business email compromise, where cyber criminals try to get someone in the accounting department to pay money to a different account than the legitimate one? If they fall for that, is it their fault? Do they get fired? Do they have to repay the money? 

Companies need to set these expectations but also support their employees. They need to tell them that if shit happens, they have their back and that they’ll fix it together. 

“This is missing from a lot of cybersecurity training,” Andra says. “It’s not about scaring people into things; it’s showing how people can contribute. And you can only do that through empathy and by understanding, and by not talking about people as the weakest link but to tell them that they can make a contribution no matter how tech-oriented or non-tech-oriented you are.”

Voila – the link between empathy and cybersecurity, explained! To find out more about the topic, listen to my podcast with Andra. I hope you find it as enlightening as I did.