Intro
Like many of you, I listen to a lot of IT security podcasts and read many articles where, when asked for career advice, the guests and authors stress the importance of these ambiguous “soft skills” that we (security community and professionals) need to work on to advance our careers and strengthen ties with our teams and clients – but often leave these undefined.
In this post, we’ll define empathy then break the term into a three pillar model, each with examples from my personal work history as the client during penetration testing engagements.
Defining Empathy
Typically defined as the ability to identify with or understand another's situation, I believe that within the context of penetration testing, red team engagements and other security assessments, there are three major categories of empathy one can develop, each of which demonstrates empathy toward the point of contact on the client's or counterpart's team.
Professional Reputation
First, it's important to understand that your point of contact is human, and that your successes will highlight the weak points in their security controls, configurations, choice of vendors and more – directly to their c-suite. It can be a tense situation for them because, while they don't know what you are going to stumble into, they do know that your technical findings (depending on their nature) have the potential to erode their credibility with both their peers and their superiors in some way.
The findings from the first penetration test that I managed were embarrassing, to say the least. Though it was a secondary set of duties for me and our program was only months old, I caught a lot of flak (only half of it friendly) from my team and employer. Over the next couple of weeks, I spent a lot of time trying to convince the owner of the company that he could trust me to get on top of the situation and guard their intellectual property and research, as his knee-jerk reaction was to hire someone else to perform the role full-time. While I was glad to have an expert opinion and learned much, I was scared that I was going to lose the role.
The pentesting group was (and is) top-notch, and 10 years later I still do not believe that I can defeat their efforts. However, if the report and brief had been handled with more empathy, I would have been able to focus more on remediation and less on saving my job. I would also have invited them back for follow-up work and periodic testing.
Core Business Concerns
The second way I believe you can empathize with your client is by building a general understanding of their core business concerns as they pertain to the test itself. These concerns are often concealed to some extent, and may go beyond what is outlined in the scope of engagement or what is said during your meetings. As such, they must be inferred by you and your team, because they will shape your approach and enable you to answer the questions the client has difficulty asking.
As an example from the client's perspective: there were instances where we sought to enhance the security posture of systems and networks critical to maintaining sensitive intellectual property and records, accessed by both ourselves and our clients thousands of times a day. Unfortunately, my leadership at the time had deemed the system too sensitive to name in a scope of work or to test directly, so we built a test environment that mimicked many of the configurations but without identifying information or software. During this engagement, I was fortunate to have been assigned a project manager by the service provider who was able to discern our true objectives for the test and fill in some of the blanks left by our policies (and paranoia), enabling them to deliver results and tangible steps toward remediation for the real system in question.
Post-Engagement Workload & Tasks
In my opinion, the third and final method of empathizing with your point of contact's situation is to develop an understanding of the nature of the tasks that lie ahead of them after your involvement has concluded. While it could be argued that some of these blur the line between empathy and a "service mindset", being able to identify with this workload will place you within your point of contact's mindset, and enable you to take some initiative toward advancing their goals.
In a general sense, your point of contact will be expected to deliver the following after your engagement concludes:
- A tangible path toward remediation: an understanding of both the vulnerabilities and your recommendations for remediating them. While this is often a deliverable outlined in the scope of work, hints toward it will drastically reduce the time your point of contact spends structuring their recommendations for their executive team.
- Understanding of potential business impact: it's likely that your point of contact will be responsible for translating advanced technical security concepts (your findings) into potential business impact for their company, for their c-suite. The more you can help them get a start on this, the more productive they will view your working relationship.
- A realistic path forward: once they've gained an understanding of the flaws present in their systems, networks and/or applications, their next challenge will be to evaluate and set strategic goals today that will make them more resilient to vulnerabilities of the same nature in the future. Your recommendations on practices, MSPs and training for employees will be welcome here, as this is more about building resilience than about remediation.
Closing Thoughts
Reputation, brand, certifications or resumes may get your foot in the door, but my preference goes to the penetration testing consultancies who approach engagements with empathy for both my company's and my personal situation, as outlined above. To reiterate, this means:
- Treating the point of contact as a human with professional reputation concerns
- Understanding their core business concerns as relevant to the test (spoken and unspoken)
- Identifying with, and taking a proactive approach to reducing, the workload they have post-engagement
Through this, I believe you'll strengthen relationships with your clients and team members, eventually earning a reputation as a "trusted partner" throughout the industry.