Blog

Do we get enough “soft skills” training in our (CyberSecurity) curricula?

Why are empathy, negotiation and communication skills considered soft skills while they are among the first skills sought after by hiring managers in security [1]? When we use the term “soft skills”, is it not a way to look down on these skills, as if they were irrelevant?

But, let me start with 3 short stories…

Years ago, when I was still doing my internship as a clinical psychologist, I met a brilliant young boy in one of my first counseling sessions. This young lad refused to comply with his doctor’s orders mainly because the doctor wasn’t nice. Digging a bit into that story, it appeared that the doctor had just given his diagnosis and the prescription without any further explanation and was even a bit rude. By chance, at least in this case, this smart boy wasn’t always a good communicator himself, and he recognized that, as with himself, not being empathetic doesn’t mean the diagnosis and the treatment prescribed were wrong. So, he finally agreed to go for the best option for him and decided to take his pills.

A few years later, I was planning to build an extension to my house. I hired an architect to whom I explained what I was expecting (an additional space for my office). The guy came back with a nice plan of an extension and a complete remodeling of my ground floor as he felt my living room was not in the right place. When I said it was not my priority, he insisted, and I finally decided to stop the contract because I didn’t feel I was heard.

The 3rd story is closer to home for security professionals as it happened to a brilliant young security professional working for a large company. After a couple of years working there, building an impressive set of skills, he asked to be more involved in the decision process, to be empowered, to get new challenges and some recognition. His management came back with a certification plan (he already had a few of the classic ones) and a career path. What he was expecting was an opportunity to make a difference, his advice to be considered and an involvement in the new strategic projects. As you may have guessed, he was disappointed, and resigned soon after.

Being a doctor of medicine requires a lot of technical knowledge and skills in order to perform an accurate diagnosis. But it also requires empathy and communication skills (that are often looked down on as being “soft skills”) to ensure your patients will comply with the treatment and get better (that’s the end goal, isn’t it?).

Being an architect also requires a lot of creativity and technical skills. But what’s the point of drawing the plan of a house that doesn’t suit the owner?
Even more, why do companies promote technical experts to managers if they are not skilled at managing people?
But, even before that, why is “soft skills” training considered so futile by students and academic curriculum designers while it is so important for the success of most professions?

Don’t get me wrong, medical school and architecture school offer communication and other “soft skills” classes, but I never hear of anybody failing because of these courses, while I have witnessed many projects failing due to miscommunication issues and a lot of companies struggling to attract and retain their workforce due to average or even bad people management. And that is a big risk for companies nowadays. So, when will this change? Will companies have to put all their new hires through specific trainings to improve their “human” skills? It seems very expensive and very long (yes, it takes time to develop people skills, at least for most people), doesn’t it? What do you think?

[1] See (ISC)² cybersecurity workforce study 2018 at https://www.isc2.org/Research/Workforce-Study

Emergency numbers were down in Belgium. Be-Alert warned us and might have already saved people.

Today (April 5th, 2019), the 1st telecom operator of Belgium had major issues with its landline network. As a consequence, the emergency numbers (100, 101, 112) were unavailable for 4 to 5 hours. Contingency solutions were rapidly set in motion, but communication with the population was paramount to the effectiveness of these measures (if you set up an alternative number and nobody knows, it’s useless, isn’t it?).

The cautious amongst you who registered on the Belgium Crisis Center’s (@CrisisCenterBe on Twitter) early alerting system Be-Alert (https://be-alert.be) rapidly received an email informing them of the new numbers (and also of the return to the normal situation). So, no need to wait for a storm or a terrorist attack to see this governmental warning service being helpful.

So, if you weren’t registered yet, well, you just have to click on the link!

Improving security culture by stopping toxic behaviours

Lately, I’m witnessing a lot of toxic behaviours that prevent my clients from improving their human security posture. Toxic behaviours are not bad behaviours per se but behaviours that act against your security culture and awareness campaigns.

Let me give you a few examples:

  • Internal websites use unrecognized SSL certificates while you try to educate your staff to distrust non-SSL and badly signed websites
  • The company is using external email addresses for official internal communications or actions (like for surveys, training, HR, and so on) while you try to make people wary of this kind of email
  • The company is using a zillion different domains for their internal and external website(s) while you try to educate people to tell the good one(s) from the bad ones

Rings a bell? All these “accepted” deviations from common sense and usability make it even more difficult to educate your staff and change their behaviour. It is like trying to explain the principle of a good diet to your kids while eating a big donut and giving them candies. It’s like slapping their hands when they do something wrong but forcing them to do it so they can do their jobs. In psychology, we call that a double bind and it is believed to be at the source of some psychological diseases. So, imagine what it does to your staff and how adverse it can be to your attempt to develop a positive security culture.

So, should we put a focus on getting rid of toxic behaviours first? I think so. Do you?