Empathy Matters: Leadership in Cyber

Having both served in the U.S. Department of Defense in the post-9/11 era, we’ve found ourselves in far-flung outposts around the world, where Americans and Coalition partners served with courage and at great personal sacrifice, answering a call to duty in service of their nations. In these complex, uncertain, and challenging environments, great leadership is often the differentiator between mission success or failure – life or death – and is largely predicated on the ability to build a high-performing team, one driven by trust and shared purpose, based on what some might find a counterintuitive characteristic in combat leaders: an empathetic understanding and appreciation of backgrounds, experiences, and motivations. 

This recognition of the importance of empathy as a foundational characteristic of great leadership is a realization the corporate world is increasingly embracing – both for the overall health of an organization and because it’s good for the bottom line. Such an embrace is particularly important in the field of technology and specifically cybersecurity, where the imperative to foster imagination, unconventional voices, and even intellectual empathy with the adversary is paramount. At the end of the day, cybersecurity is about human beings, not computers.

Empathy is generally characterized as the ability to understand and share the feelings of another. In his excellent book, Empathy: Why It Matters and How to Get It, Roman Krznaric provides a richer definition: “the art of stepping imaginatively into the shoes of another person, understanding their feelings and perspectives, and using that understanding to guide your actions.” Rather than a “fuzzy, feel-good emotion,” however, Krznaric posits that empathy in fact has the power to transform lives and entire societies. 

Technology, equally, has the power to transform, but the two concepts—empathy and technology—are not often paired. Indeed, technology-oriented organizations have long valued technical ability over softer skills, including empathy, when making decisions about leadership. Furthermore, the resounding success of a few highly technical but empathetically challenged leaders has created the false perception that truly exceptional tech leaders are often, and perhaps even need to be, caustic and egotistical. In our experience, which includes more than ten years at the U.S. National Security Agency – the nation’s largest and most technical intelligence organization – nothing could be further from the truth.

In cybersecurity in particular, however, the idea of hiring your “best hacker” to run your team persists in many quarters. This temptation to hire someone specifically skilled in the key technical ability at the heart of a profession is perhaps understandable in emerging fields where organizations form around leaders with the technical skills to develop and innovate. The field of cybersecurity was particularly vulnerable to this because for many years only a few possessed those desirable and rare technical skills, creating a tendency to tolerate a lack of leadership qualities in those who did. This may have been understandable or even necessary in the early days, but as the field grows, empathetic leadership combined with technical skills will be critical to sustaining a vibrant and successful organization. 

The benefits of empathetic leadership in technology are manifold. First, with respect to retention, researchers estimate that globally 3.5 million cybersecurity jobs are likely to go unfilled by 2021, making retaining top talent imperative. Competing for talent in those conditions will demand leadership that can foster motivation among employees, initiative at all levels, and a culture of active listening and inclusion. The benefits are strikingly obvious: empathetic leaders make employees feel heard and valued, which fosters employee satisfaction, productivity and retention. Organizations with empathetic leadership also tend to be more collaborative, leading to less friction in the workplace and a greater sense of ownership amongst employees. 

Moreover, empathetic leaders encourage employees at all levels to share big ideas, even – and perhaps especially – unconventional ones, allowing their organizations to capitalize on diversity of thought in problem solving. In technology generally, and cybersecurity in particular, quick innovation and creative ideas must bubble up from wherever they reside, and frequently this is not at the top. In our experience, it is often a junior employee – someone working closely with code and infrastructure – that brings forth the most creative idea or solves a seemingly intractable problem. This can happen only when those employees feel empowered to speak up, execute, and make mistakes.

Finally, cybersecurity, much like counterterrorism (a field in which we have both worked), is a cat-and-mouse game – you must be one step ahead of your always-learning and ever-evolving adversary in order to win. It is also asymmetrical; an organization’s ability to defend against cyberattacks must be vastly better-honed than its adversary’s attack. Accordingly, the best way to protect yourself is to put yourself in your adversary’s shoes, i.e., the definition of empathy.  In the classic Errol Morris documentary The Fog of War, former Secretary of Defense Robert McNamara famously cites the ability to “empathize with your enemy” as the number one lesson of his long career in national security.  He specifically credits this attribute on the part of former Ambassador to the Soviet Union Llewellyn E. “Tommy” Thompson Jr. with defusing the Cuban missile crisis. Not only is an empathetic leadership and culture important when it comes to workplace relationships, but it is critical in fostering a mindset of understanding the adversary, a core factor in martialing a strong cyber defense. Specifically, analysts and leaders alike must be able to imagine and predict the likely motivations (including risk-reward tradeoffs) and methods by which an adversary would try to attack, and orient their organization’s defenses accordingly.

The good news is that cyber organizations are waking up to the reality that people leave bad bosses, not bad organizations, and recognizing that focusing on cultivating and incentivizing great leaders is central to attracting and retaining great technologists.  Even Google, whose founders are known for their tech-focused orientation, is coming around to the parallel importance of “soft skills.” Its 2017 study on the attributes of its top performers showed the seven most important qualities in achieving success at the company did not involve technical acumen.  And while acknowledging that there may indeed be an overlap between the two groups of people with soft skills and technical skills – we know and work with several such individuals in our own organization – great technologists may prefer to do deep technical work and not aspire to or be best suited for organizational leadership. 

To be clear, we are not arguing that technical individuals lack empathy nor are we saying that empathy is an innate quality that can’t be learned and developed. Far from it. Indeed, Krznaric writes about how to “switch on the empathic circuity of our brains” by cultivating a set of daily attitudes, habits that take real work and strong self-awareness, and are absolutely worth learning and practicing on an individual level. We are arguing, however, that empathy is a core aspect of great leadership; that great leadership is a skill in and of itself; and that at the most senior levels of any organization – but perhaps especially a technical one – empathy will often matter as much as technical skills to its overall health and long-term sustainability.  

Finally, and perhaps most importantly, we as a society need empathetic leaders at the forefront of technology and cybersecurity. The larger the role technology plays in our world, the greater collective responsibility tech leadership bears for the broader public good. We need healthy technology organizations that encourage active listening, value respectful dissent, and promote a culture of inclusion if we are to apply technology for progress and good and avoid the pitfalls that technological evolution and disruption can create. The stakes associated with technology are high today; the threats in cyberspace, including with the advent of artificial intelligence, are very real. Great leaders of people – those who actively practice and cultivate empathy – will be critical to progress and innovation, and to navigating the choppy moral and intellectual waters ahead.  Ultimately, getting cybersecurity right is a challenge that’s about far more than understanding code: it’s about understanding human beings.

 

Image: matejmo/Getty

 

About the Author(s)

Jen Easterly

Jen Easterly is a Managing Director of Morgan Stanley and Global Head of the Firm’s Cybersecurity Fusion Center, responsible for assessing, detecting, and responding to threats, vulnerabilities, and incidents that threats the Firm and its clients. She previously served as Special Assistant to the President and Senior Director for Counterterrorism at the White House from 2013-2016. Follow her on Twitter (@JenEasterly).

Whitney Kassel

Whitney Kassel is a Vice President of Morgan Stanley and Deputy Cyber Event Manager for North America. She served in the Department of Defense from 2008-2012 and has worked at Palantir, the Arkin Group, and the Council on Foreign Relations. She wrote a regular column for Foreign Policy from 2014-2017 and has written for Foreign Affairs, Defense One, Small Wars Journal, and others. Follow her on Twitter (@whitneykassel).