Cyber Empathy

Why cybersecurity thrives on authenticity, confidence, deep empathy

Episode Summary

In this engaging episode, Dr. Jessica Barker and I dive deep into the nuances of personal growth, the value of time, the true essence of confidence, and the underrated significance of empathy in cybersecurity. Join us for a deep dive into the transformative power of books (for both authors and readers) and the ripple effect of positive actions in a space often driven by a combative mentality.

Episode Notes

The "good vs. evil" battle is an integral part of cybersecurity's origin story. While it’s motivating and energizing, it also comes with language derived from military vocabulary that brings a certain level of hostility and aggression.

That’s why, often, the language we use in cybersecurity alienates the very people we’re trying to help. 

In this episode, the kind and compassionate Dr. Jessica Barker joins me for a conversation about the most underrated skill in cybersecurity: empathy. We also touch on using psychology and data to improve cybersecurity awareness and culture, optimism as a confidence builder, and more.

We had a fantastic conversation about the evolution of cybersecurity culture and Jessica's massively influential work on revamping cybersecurity vocabulary, whose impact reaches far beyond industry confines. Blending introspection and actionable insight, we also discuss imposter syndrome, balancing constant evolution with self-compassion, and other essential topics we deeply care about. 

Listen to this episode to discover:

Episode Transcription

[00:57] Andra Zaharia: Empathy contributes a lot to fighting cynicism in cybersecurity. It's so easy to get caught up in the endless list of problems you have to solve. Whether you're a technical specialist, a security awareness professional, or work in any shape or form that influences cybersecurity, it's honestly sometimes difficult to feel optimistic about the change we're making. So, being able to see the good that's happening around us—the positive changes that are rippling throughout the community and throughout the industry, and beyond it—is a great gift we can give to ourselves and others as well. This is why this episode makes me particularly happy because I got to talk to one of the people in the cybersecurity space who brings lots of positivity, kindness, simplicity, tolerance, and a very kind-hearted approach to cybersecurity. Dr. Jessica Barker is the special guest on this episode, where we dive into what it means to be confident about your ability to contribute to cybersecurity, build a career in this space, to use cybersecurity tools and concepts. And obviously, the role that empathy plays in all of this dynamic. Jess, as most people know her in the cybersecurity industry, is a wonderful professional that has continually devoted herself to this community and to this industry. And obviously, she is making great changes around her by showing people there are other ways to talk about being safe, to talk about what it takes to protect information, and to make cybersecurity relatable for literally everyone. I hope you enjoy this conversation that's really filled with positivity, energy, optimism, and lots of reasons for really tapping into the potential that cybersecurity has to educate us all—to make our lives better, safer, more stable, and more enjoyable as well.

[03:36] Andra Zaharia: Jess, this is such an exciting day to have you on the Cyber Empathy Podcast to delve into your work and to get the wonderful and very kind, very generous energy that you bring into everything that you do, actually. So, this is the official welcome to the Cyber Empathy Podcast.

[03:54] Jessica Barker: Right back at you, Andra. It's such a pleasure. Thank you so much for the warm welcome. I'm really excited about this conversation.

[04:01] Andra Zaharia: Me as well, especially because I feel like I draw inspiration from everything that you post and from everything that you do. It seems to have this galvanizing effect on my thoughts, on my ideas, which is something that I love. Something that I actually read recently—you posted on LinkedIn that most people in the world think the world is worse than it is. And yet, we're wired towards optimism in our daily lives. And I was wondering if you could talk us through what sits behind that thought because it was so lovely and so heartwarming for me.

[04:36] Jessica Barker: Thank you. I love to hear that; it makes it feel all worthwhile. But really, that was me drawing inspiration from some great work that's out there around, I guess, how we see the world and optimism. The book "Factfulness" I would highly recommend for anybody who hasn't read it. It really delves into the fact that we see the world, in general, as being worse than it actually is. We always think the world is getting worse and things are terrible. And actually, there's lots of evidence—or lots of a case to be made—for optimism about the direction the world is going in, or "possible-ism," as the author describes it. That actually, there may be more potential and more possibility for good. But then, on the flip side, if we look at how we see our individual lives, we tend to be skewed towards optimism. And here, I'm drawing on the work of Tali Sharot and her research teams, who are looking at the optimism bias. Their extensive research has found that 80 or so percent of people around the world, regardless of where you live, your background, or any kind of demographic factors, about 80% of people are wired towards optimism in their personal lives. So, we don't think we're going to get unwell; we don't think we're going to get divorced; we don't think we're going to lose our jobs; we don't think we're going to get hacked. So, we're kind of dealing with this way of seeing the world and way of seeing our own lives when we talk about cybersecurity.

[06:14] Andra Zaharia: It's so interesting to me that we always think about ourselves, or we sometimes think about ourselves also, of course, fueled by bias: the fact that we're either on one side of things or the other. We're either optimistic or pessimistic, or pragmatic to be somewhere in the middle. But still, we readily recognize that we hold within ourselves so many contradictions—so many contradictory feelings, so many contradictory beliefs. And it's not until someone holds up a mirror towards that, that we realize these contradictions are there, and that they're natural. 

[06:52] Jessica Barker: That’s such a good point. It kind of makes me think about introversion and extraversion as well. This idea: "Are you an introvert? Or are you an extrovert?" Most people are kind of in between. And it depends on the circumstances; it depends on the day; it depends on how we're feeling in ourselves, the challenges we've faced, or the context that we're in, actually, as to which direction we lean towards. And you're right; we're very keen to often put ourselves and other people into a box and a certain label. The same with, like, "Are you rational? Or are you emotional?" When we know that there are two ways of processing information that we all engage with multiple times a day, we can go between the two.

[07:34] Andra Zaharia: And this comes up, I bet for you often, in conversations with managers and people who expect certain things from cybersecurity professionals, from their teams, from the investment that they make. What do you tell them when they bring up the fact that, "Yes, empathy and things like that, they're nice, and we get the point. But we need some hard facts." How do you get them to pay attention to these things and see the potential dividends they can actually draw from them?

[08:05] Jessica Barker: Great question. It is a challenge. And something I've faced over the last 12 or so years working in this space is for people who might be a bit more cynical about the human side. It's how to actually show them tangible results. And so, one thing is to try and frame it in a way that appeals to them, that speaks their language. So, using data as much as possible; being able to prove that there is solid work behind this, solid findings behind this; being able to use case studies; and being able to reference peer organizations that may be taking a certain approach and have seen a benefit. And really, wherever possible, it's about using the language that resonates with the people you're communicating with. So if you're communicating with a board, understanding what's going to speak to them. If you can frame it in terms of any proven return on investment, then that can be really beneficial. So, if you're, for example, wanting to get more of a budget or a case for a program of work in terms of awareness, behavior, and culture, being able to show what's already been done, and where there have been benefits—where there's been a tangible business improvement or advancement—that is going to resonate most effectively, I think, with the people at that level.

[09:29] Andra Zaharia: That combination seems to be the winning one—the winning formula, let's call it that, although it's never a formula, it’s just more like a principle. I wanted just to add here to the fact that when I recorded an episode with Lance Bisnar, he mentioned security culture KPIs. And I find it so helpful that now we're able to define things and to measure things that were previously unmeasurable and difficult to track. And also, the fact that I feel that the entire body of research that's being done—and that's been done so far—on neuropsychology, psychology, communication, and many other soft-skill areas, I feel that that offers such a huge support. And I was wondering how your experience of doing a PhD helped you in building these types of arguments and building these types of business cases.

[10:24] Jessica Barker: Oh, I love that question. Thank you. Because my PhD was not in cybersecurity; it was in civic design. At a very high level, I was looking at the impact that the internet had had on societies, communities, and economies. So, I was thinking very much about the internet and about society, but not so much about security. Then, I was headhunted for a cybersecurity job. Luckily, the company that headhunted me could see that the work I'd done—both in terms of the theoretical work and the growth of the internet, looking at how communities work, how societies develop—related. Also, they could see that I had done hundreds of interviews with all sorts of different people, different stakeholders, in communities: from politicians to community workers, to academics, to business people. There was an understanding from the start that when you're able to communicate with all sorts of different people, you learn the right language for the person you're talking to. I think that's been a really big benefit for me. When we're talking about empathy, I always put myself into the shoes of the people that I am trying to communicate with. I think about what matters to them. So, it's still being true to my values, the points that I want to make, the information I want to share, but understanding where they're coming from, what incentivizes them, and how can I help them in a way that also achieves the objectives that I have. And I think that’s one of the most beneficial things that came from my PhD, alongside that kind of rigor around research. So, always my work in awareness, behavior, and culture, I’ve always sought to root it in the amazing work that is out there in psychology, sociology, neuroscience, and behavioral economics. There's so much great data that we can draw on and bring into cybersecurity. That's something that I've always done; coming from my PhD, I always want to follow the data.

[12:37] Andra Zaharia: And thankfully, just like you mentioned, there's plenty of it to draw from and to get inspiration from. One of the most appealing things about cybersecurity is that so many disciplines converge in the space. There's so much potential for translating and moving things from one side to the other, and having the ability to get inspired by this very fast but fascinating and dynamic.

[13:06] Jessica Barker: Yes, I completely agree. And I find—I'm sure it's the same for you—whatever I'm reading, whatever I'm watching, I can draw inspiration towards cybersecurity. I will see cybersecurity lessons everywhere. Sometimes it's quite tiring because you're always thinking. But I can see those cybersecurity lessons everywhere, and I think that is one of the most fascinating things about this field, like you say, is that it is so broad. There is so much relevance in terms of all these different elements of learning and society.

[13:41] Andra Zaharia: Speaking of relevance and society, one of the things that you mentioned in the book that I found so helpful, and it really triggers such an important mindset shift, is that information security is not just about securing technology and computers; it's about securing information, actually. What does that mean? How does that difference change the perception of people when they think about cybersecurity in any way?

[14:07] Jessica Barker: Yeah, I think the term "cybersecurity" or even "information security" makes us think very technically, and it makes us think very much about the technology side of things. Of course, it always comes back to people. We're not securing technology for the sake of the technology itself; this is all about the information. And beyond that, it's all about the people who are trying to use that information, trying to share it, trying to draw benefit from it, trying to create something new from it. And ultimately, the impact as well. Really, it's about coming back to people. A cyber attack or a breach, the technology doesn’t care. This is about people's jobs, well-being, communities, and their psychological safety. So, ultimately, what we're trying to do is protect people and protect society, even beyond that.

[15:00] Andra Zaharia: That is so true, especially because I'm a firm believer in the fact that cybersecurity plays an essential role in the stability of the world. In many ways, from every person using their smartphones up to geopolitical things and managing all of that with diplomacy, there's a lot of fear for everything that's involved. Speaking of the broadening of cybersecurity, this openness, the fact that it's now part of mainstream culture. It used to be in a corner, it used to be for certain kinds of people, but now it's part of mainstream culture. That is changing the culture in one way. How do you feel that there are now so many conversations around cybersecurity? How do you feel that this fact is changing the cybersecurity industry itself? How is the cybersecurity culture evolving?

[15:54] Jessica Barker: Yeah, what an insightful point. I think it's something that I've certainly seen over the course of my career, and people who've been in the industry for decades will have seen it even more. We've gone from cybersecurity being very niche to suddenly mainstream; it's in the news every day, and it's a subplot or an element of so many TV shows, movies, and books. It's in the public consciousness in a way that I didn't predict when I joined the industry 12 years ago and have seen that evolution. I think it has pros and cons. One thing is, I was recently asked by someone, "Do I face a lot of resistance when I'm delivering awareness-raising? People who don't want to change their behaviors or don't want to hear these messages?" It encouraged me to reflect on the fact that I used to receive a lot more resistance than I do now. And I think that’s because people are far more aware of cybersecurity. People come in with their own questions and with an appetite to learn. There is a good appetite to learn more about cybersecurity out there. But at the same time, we have this unfortunate scaremongering theme that runs through a lot of cybersecurity communications. That comes a lot from the profession itself, from a lot of the marketing around cybersecurity, very dominated by fear, uncertainty, and doubt. Also, there's an element of the media as well, because it can be a lot easier to sell a negative story than a positive one — really focus on the negative element to get people’s attention. So that, unfortunately, can make it harder to engage with people and can create this culture of cybersecurity that is seen as scary, intimidating, and off-putting. People want to avoid us because they want to avoid those uncomfortable emotions. That's what really encourages me to practice empathy, to listen to people, and to really try to adopt and encourage an empowering approach to help people feel more confident with cybersecurity.

[18:11] Andra Zaharia: And you do that so well! When people talk about their work, they do it not just with admiration, but with a very positive, heartwarming emotion. Because your tone of voice is so soothing; it's so welcoming, it really kind of dissolves tension or preconceived notions that people have about cybersecurity. And I think that that is such a big service that you do to this industry. Also, through the fact that you are contributing to changing the vocabulary in this industry, which tends to be aggressive because it's rooted in the army kind of universe. And it's so binary; and so black and white; it's so good versus evil. Which are obviously some very deep-rooted archetypes in the history of humanity. And we have that everywhere. But there are ways to talk about it that relieve some of the tension that we all have. And you're doing a lot of work in that direction. Do you remember if there was something specific that prompted you to want to build your career and your contribution in this direction? 

[19:21] Jessica Barker: That's really making me reflect, and encouraging me to think about that. And I could probably go way back. My parents both had careers in social work. They're retired now, but my father was a professor in family law and family protection. And my mom was a social work manager. They met through social work, and they worked their way up. So, I grew up, I guess, in this household that was very focused on society, and on helping others; but also in a way of like understanding others and taking empathy and being encouraged to think about how you add value, but also how you can approach the world with understanding and with a kind of compassion. So, I think that had a big influence on my mindset and on my approach from a young age. I've always wanted to understand the story behind the story. When someone is behaving in a certain way, or there's a negative element, I've always wanted to understand the "why." You mentioned kind of good and evil and that kind of archetype, I've always wanted to pick that apart and really understand the human story behind why certain things are happening. So that's been a driver for me. For as long as I can remember, that's really why I studied sociology and politics, and always wanted to have a positive impact. That's where I get value and what gets me out of bed in the morning. But cybersecurity really found me. Finishing my PhD, headhunted to work in this industry, had to Google "what is cybersecurity," when the opportunity first came in. And I was very taken by the industry, and by the fact that there was so much to learn, so much challenge, so much opportunity to focus on people in the industry. I think, though, a pivotal change came for me in a conversation with a taxi driver. Unexpected place, but I always have insightful conversations with taxi drivers. This one sticks in my mind. I'd been working in the industry for a while.

[21:38] Jessica Barker: I was in a taxi in Liverpool, at the end of a busy week in London. The taxi driver asked what I did. And I said, quite proudly, "I work in cybersecurity." And his response? "Oh, give up, love. Go home, put your feet up, forget about it because the hackers have won." Those were his exact words: "the hackers have won." I was not used to that response. I was used to people more asking like, "What is cybersecurity?" in a taxi-style conversation. But he had that very definite perspective. It was driven by fear; it was driven by the headlines. He felt that there was no point even trying to have any level of security online; he avoided the internet as much as possible. And he'd just been telling me about the challenges he was facing in terms of the economic circumstances. He wasn't getting much work, and his family was experiencing some struggles. And yet, it was just past Christmas. And when his son wanted a skateboard for Christmas, he had two options: he could either buy it online, or he could buy it in person in a shop in London, which was like a five-hour drive, and it was more expensive than it was online. He took a day off work; he drove to London; he bought it in person; and he drove back. And I thought about the cost that must have meant for him—he's driving all the time, and he took on that extra drive—and I felt really disappointed that we were failing people, and that someone who was already going through a challenging time added more stress and more financial burden on themselves because they were scared to make a purchase online. Going back 10 years, I then decided I really wanted to understand the psychology of fear and cybersecurity. And that was a big driver for me.

[23:32] Andra Zaharia: Thank you for sharing that. I find that all of the people who are really pushing cybersecurity towards a better place—a healthier direction, a more ethical one, one that's really focused on truly helping people—they always have this personal connection. There's always something in their experience, in their past, in their way of seeing the world, in their personal needs for safety, for stability, for being able to manage risks. There's always something there that drives this kind of commitment and this kind of passion that leads people to not just build a career but build a contribution, like you're making through all of the things that you do online for free, in terms of videos and articles, and just generally showing up every single day. These are really great acts of volunteering towards something that is really meaningful for today's society. And thank you for highlighting that cause because I don't think that many people—or any people—hardly ever think about what it's like to not use the internet and everything that we are so accustomed to. We don't think about that; it's just so ingrained that we take it for granted. And we only become aware of it, obviously—like many other things—when we start missing it: health and many other things. Such is human nature. The ability to, again, to relate to everyone, and to relate to the people who are farthest away from us, I feel like that is something very important to cultivate. And I was wondering, can you recall an experience where you had a difficult time empathizing with someone? Relating to someone? A really difficult time understanding where they're coming from, what they're about, and what drives them.

[25:25] Jessica Barker: Oh, yeah, what an interesting question, because it is something that gives me meaning: being able to relate and understand people. And if I can't, then I find that quite unsettling. And I think, for me, it's probably that—and I can't think of a specific example—but it's that sense of if I feel like somebody else is not willing to see a situation from another perspective, or not willing to take that approach themselves, I find that very challenging because I can't understand not wanting to understand people. So, if someone is, I'm kind of thinking of some organizations I've known where they've wanted to take a very punitive approach to cybersecurity where someone has clicked a link in a phishing email, and they're punishing them. Somebody who said to me—I do remember this—around a table dinner years ago, a leader who said to me, "Three strikes, and they're out. If someone clicks a link in a phishing email, that's gonna destroy my whole network." It was very much that, like, "People are the weakest link." And we got into a discussion then of, like, "If someone clicks a link and it destroys your whole network, really, you're blaming that person that clicks the link? And not the fact that your network has not been built to withstand that kind of incident?" That individual was very much feeling like they were thinking in that mentality of, "People are the weakest link; people are the enemy; people are the problem." And I find that very challenging. And usually, I find that with some discussion that you can influence that perspective and lead people—and most people, I think, are open to that—to seeing it from a different way. But I find it very challenging if someone isn't; if someone is just wanting to judge people without trying to dig into the "why" of their behavior.

[27:29] Andra Zaharia: And I feel that sometimes we lack practice in this area, because we're surrounded by people who are constantly challenging themselves and are constantly learning, and they're in this growth mindset all of the time. So, I completely relate to that. I realized that sometimes these kinds of interactions are probably more triggering than I want them to be, and it’s a practice unto itself. And I say that also as kind of an act of self-empathy to sit with that discomfort, and to be kind to ourselves and realize that it's okay to experience this, and you're gonna lose some battles. Although, again, that's difficult to stomach.

[28:09] Jessica Barker: That's so true, Andra. I think I will hold myself responsible. If I can't chip through that kind of mentality, then I'll feel like, "I didn't get it right. What wording could I have used? What approach could I have used? What questions could I have asked?" I'll feel like I had an opportunity there. "How come I couldn't make headway with that person?" And that will frustrate me. And I think a lot of us are the same. We can have 100 wins, but that one time we didn't succeed is where we're going to really ruminate on.

[28:49] Andra Zaharia: Yes, exactly. Again, that's inherent wiring, biological wiring, for negativity and for remembering the things that we feel have threatened us and our existence to that degree. Given that you're always kind of pushing yourself to grow—and I don't mean this in a harsh way, but you're constantly expanding your interests—and obviously, we know that cybersecurity is challenging. It always throws things at us. The list of problems to solve really never ends. How do you show yourself empathy? Because you just mentioned a TED Talk that I'm going to reference in the resources on burnout, and why that constitutes a crisis in cybersecurity. So, how do you manage your energy, and how do you show kindness to yourself to be able to do this consistently without endangering your health and everything else that you want to do in your life?

[29:50] Jessica Barker: I'm so glad you mentioned Yanya's TED Talk because that was on my mind throughout this discussion that she has delivered this amazing TED Talk around burnout and cyber risk. She talks about kind of individual, organizational, social elements to this. And I really think it's something everyone should watch, because it's such an important topic, and she delivers it so expertly that it's really powerful. In terms of how I show myself empathy, I do hold myself to a high standard. And I do like to feel like I'm making progress. And I think that's something that many of us probably have in common. You mentioned a key thing earlier: you mentioned the growth mindset. And for me, embracing that throughout my life has been so important. So, the idea that we can always learn, we can always improve, rather than that fixed mindset of, "This is what I can do, and I can't go beyond that." So, embracing a growth mindset and trying to constantly challenge myself if I recognize I'm thinking about something in fixed terms, I'll kind of reflect back and try and think, "Why do I have a growth mindset in other areas, but in this one, I'm being very fixed?" So, I try to be self-reflective in that. Another big factor for me that actually I learned throughout my PhD was having hobbies outside of my area of work. So, while I was doing my PhD, towards the end, I was in the writing phase. Anybody who has been through that will know it's a challenging phase to be in. And I was both stressed and not making progress. And I spoke to my brother about this, and he asked me, like, "Jess, what hobbies have you got going on at the minute?" Knowing that the answer was none. All I was doing was either writing or, more accurately, just trying to write. He was like, "I think you might need to pick up some hobbies again."
So, from that, I then went to like, "Okay, I'm gonna do some singing lessons, I'm gonna do some guitar lessons, I'm going to do some ballroom dancing lessons, I'm going to do some yoga." And it sounds counterintuitive, like you're already busy, already stressed, you're going to add more things to do. But I very quickly learned the lesson that having an outlet that is not at all to do with your day job, where you can also practice a growth mindset—that, for me, is fundamental to my self-care, my well-being, and my stress levels. So, whenever I notice I'm getting stressed, and I'm being particularly hard on myself, I'll take a look. And I'll think, "Hold on, am I practicing anything outside of work? Or have I fallen into this state where all I'm doing is working, and probably being less productive because all I'm doing is working?" So, for me, doing something that I'm not naturally good at, that I've maybe never done before, being terrible at it to begin with, and then seeing progress is a way of switching off. It's a way of occupying my brain. And it's also a way of me reminding myself, "You can always get better. It just takes work." 

[33:10] Andra Zaharia: Oh, that is honestly so inspiring because I have been wanting to start piano lessons. So, I think that this is my sign to just make the call.

[33:24] Jessica Barker: I expect you to report back on that, Andra. I want to hear about your piano lessons. I love that.

[33:30] Andra Zaharia: Promise. Thank you for highlighting this—highlighting the fact that just getting our bodies moving is, again, so important. I mean, we love information technology; we love computers, and we love all of the things going on. But ideas click for all of us when we're outside, when we're moving, when we're walking, when we're talking to other people, when we're just outside our comfort zone, like you mentioned. One of the interesting things that I see is that many people in this industry have so many diverse interests, and I love that you talked about yours. I recently saw a speaker at Offensive Con. She was a pastry chef; she was then an acrobat in a circus, and now she's a vulnerability researcher. And that's amazing. I also know that Eva Galperin, who's also on the podcast, in the first season, does acrobatics as well in her spare time. And I love that there's a kind of a small niche of people that are working on their fitness and their nutrition and everything. Seeing that in public, on top of the cybersecurity conversations alongside them, is extremely important as an example that we give people who want to build a career in this industry. I see younger people in their 20s being very hard on themselves, wanting to learn and make progress so fast, and scheduling like every minute of their day to max out their energy and their potential. How do you teach a dose of self-empathy? Because your book, "Confident Cybersecurity," is for people who want to build a career in this industry and who want to understand it. And one aspect of that is: how do we do this in a healthy way? So, what would be some things for them to consider in their development?

[35:37] Jessica Baker: It's a really important point. Actually, I had a lovely moment on social media a week or two ago, where somebody recommended my book to somebody who I believe is newer in cybersecurity. And they were talking about some of those negative impacts in terms of the imposter phenomenon. Somebody else said, "I've been in this industry,"—I think they said—"for decades." And they still go back to my book to take stock, and to kind of help them through some of those natural emotions that we can all have around imposter phenomenon. I think one thing is, we've talked about pushing ourselves out of our comfort zone. And I'm a big believer in that, and it's been great for me in terms of growth. But there's also a recognition of where the limit of that is. And I think it's important to push ourselves in a healthy way, at the right times, out of our comfort zone. But being able to recognize when doing that too much is actually stressful. And that's something we don't often talk about; often, it is just accepted that pushing out of your comfort zone is a good thing. But it's called the "comfort zone" for a reason. And sometimes there are times in your life, or you're dealing with circumstances, where actually, you need your comfort zone. And recognizing if you're pushing yourself too far can actually do more harm. So doing that in a way that feels good and is healthy, rather than is stressful and is putting too much burden on you, I think is one important point I'd like to raise. 

[37:11] Jessica Baker: Another one is around imposter phenomenon, or imposter syndrome, which is that feeling of, "I'm a fraud; I'm going to get found out." And no matter how successful you are, that feeling persists. And I think, on one level, it's a helpful feeling if you can channel it in a way that encourages you to grow in a healthy way. However, where it becomes an issue is when it plagues you, and when it holds you back, when it stops you from speaking up, when it stops you pursuing opportunities, or when it causes you a lot of exhaustion and distress. So being able to channel that in an appropriate way. And also, understanding—particularly if we're talking about people who are newer in the career or in the field—that feeling like you don't know everything is natural, because you're new. Nobody expects you to know everything. Comparing yourself to somebody who may be decades into their career is never going to be healthy for you. It might be a motivation to think like, "Wow, they're where I want to be," but you have time to get there. Nobody expects you to achieve that overnight. I always try to take the approach of—I don't know if you've seen "The Defiant Ones"—it's a documentary. And he talks about having your blinkers on and doing your work, but don't compare yourself to other people. And don't worry so much about what everybody else is doing. Think about your achievements, what you want to do, how you're growing, and take stock of those. I always recommend people keep a kind of "inspiration file" of the things that they have done—big wins, small wins—try and note them down so that when you're having a day where you're feeling like you're making no progress, you can look back and you can slow down and take stock of everything that you have achieved and how far you have come.

[39:11] Andra Zaharia: That is one of the most important things that we can do for ourselves. And also, having the kind of friends and the kind of support system that reminds us of that, that helps us see ourselves in the best light when we really don't feel like it. When we’re really having that day. Thank you for mentioning "opportunity costs." And I wish I would have learned that concept a lot sooner than I did. Because it gives you a more objective way of thinking about things and a better way to anticipate what that might cost you. And we're obviously not talking just about financial costs; we're talking about costs in terms of energy, relationships, everything else. Because we sometimes think that the people who are around us will be there for us no matter what. And while that's true, we have a responsibility towards them as well, to be there in ways which cannot be replaced, which is being face-to-face and spending time with them. It's probably an age thing. But the more time goes by, the more I appreciate the time that I get to spend with people, whether it's through work, or through personal experiences. And you realize that, honestly, that's just the most important thing that you have in your life.

[40:30] Jessica Baker: Yes, it's so true. And time is one thing that you can never gain back. And it's so true that everything we say "yes" to, we are saying "no" to so many other things that we maybe haven't even thought about. And constantly pushing yourself with work means that you can miss out on so many other wonderful things in the world.

[40:52] Andra Zaharia: Speaking of confidence, because to me, this is such a nuanced topic in the sense that confidence is not about being cocky and ego-driven, but gaining that confidence that you're doing the work that you want to do, with people you like, with people you respect. And having the confidence that you're internally aligned with your own values and principles. I saw some great reactions to your book. And I was wondering which of them were kind of unexpected for you? Because it feels like a book is such a different experience from anything else. I have a deep reverence for books; they're the most special objects to me in the world. They're magical. I was wondering how you saw that book reflected in other people's lives.

[41:41] Jessica Baker: Just having people read the book felt amazing. It's a really funny process to go through, writing a book, and I have amazing publishers, Kogan Page. I worked with an amazing editor, who was great. And she was giving me feedback and giving me encouragement and support. But you're in this phase where you're writing, and the editor's reading it, and that's it. Then suddenly, it's going to print. And then suddenly, you get this file where it's like, "Oh, this suddenly looks like a book." And there's a front cover. And there's all the page numbers and everything that you get with a book. But it suddenly becomes very real. And then you see it in print. And you realize, "This is out there." It still amazes me; it's like people read the book. And it's had over like 200 reviews on Amazon. The vast majority of them, I think it's on like 4.6 stars or something. It's really overwhelming to get that kind of positive response. For me, I felt in writing it to be true to myself, and to do the work, to do the research. Again, I think coming from my PhD, I always want to get the references in; I always want to make sure it is solid. But also being true to how I experienced and see the industry, the breadth of the field was something I really wanted to represent. So when I hear feedback along those lines, I know of one security leader who shares the book with their recruiters, saying, "To understand the field and who we want to hire, read this book." I did not expect that. And that was really overwhelming. I've had messages from people; I had one recently, really saying, "Thanks to your book and your advice, I accepted my dream job like last week." And that is so overwhelming. And to know that person is also making such a positive impact in what they're doing. I always speak about the positive ripple effect that I think we can have on the human side of cybersecurity. And to feel like my book is contributing to that really means the world to me.

[43:59] Andra Zaharia: And it means so much to us as well. Being able to reference this, being able to talk about it. Again, it's such a powerful experience. It's such a personal experience, and it gives you time to process things in ways that no other format does. It creates peace in your life to reflect and to sit with the things that are truly important for you. And having someone offer these red threads that you can pull out and follow, I feel like that is such a generous way to show up in the world.

[44:36] Jessica Baker: Thanks, Andra. Actually, in the second edition, which is coming out—I believe in September—again, saying that my book is still in for a second edition, that feels amazing. But in the second edition, I lean more into confidence and what confidence means. What confidence means to me, and has meant to me throughout my life, but also how we can embrace the growth mindset, how we can show ourselves grace, how we can tackle things like, and think about things like, the imposter phenomenon. So, I was really glad to have the space to lean more into the idea of confidence. Whereas in the first edition, obviously, I think that was something I attempted to weave throughout the book; I was able, in the second edition, to lean into that a bit more explicitly.

[45:23] Andra Zaharia: Because of all of the confidence that the first book builds—a self-fulfilling prophecy in many ways. To wrap up a conversation that I wish we wouldn't have to wrap up: You made a video talking about why empathy is the most underrated skill in cybersecurity. So, I thought that you could share just kind of the core—the nuggets—of that because I obviously will link to it in the resources. But I wanted to give a chance to listeners to hear it straight from you before they see the extended version.

[46:01] Jessica Baker: Thanks, Andra. And I have to say, the conversations you open up about empathy, I think, are so important. And I really mean what I say: that I think empathy is the most underrated skill. And I love the fact that you create space for the conversations around what does empathy mean in cybersecurity. And so, in the video, I wanted to delve into a bit more how I see empathy and how I see it playing a role in the human side. So, I break down what we mean by empathy because it can be this big—bit like cybersecurity—this big term; what do we actually mean by it? And I wanted people to take away the notion of compassionate empathy. Because we can have cognitive empathy, where we can understand someone's pain; we can have emotional empathy, which has been described as "your pain in my heart." So, we feel those feelings of somebody. And then we can have compassionate empathy, which is moving people to take action. And I think that's crucial. We've talked in this conversation about burnout. And the danger with empathy is if you lean into emotional empathy, that can be exhausting for you as a person. But that is that form of empathy—compassionate empathy—where we can understand the feelings; we can, to some extent, put ourselves in the shoes of the person, but we protect our own emotions, and we move into action. So, it is the most valuable form of empathy for everybody concerned. And I think, as the daughter of social workers, that's the kind of empathy I learned. Because my parents worked with very challenging, emotionally challenging circumstances, they were able to protect their own emotions, and by extension, my emotions, my brother's emotions, because they practiced—I believe, I'm putting words in their mouth—I believe they've always practiced compassionate empathy. So, I wanted people to understand that: that we can have empathy without exhausting ourselves and without further burning out. 
And I wanted to give people practical advice on, if you're running a Cybersecurity Awareness Program, what does empathy actually mean? How can we take this concept—a bit like culture—that can seem ethereal? And how can we apply it in practical steps?

[48:22] Andra Zaharia: Thank you for giving us the abridged version. And I hope that everyone watches the entire video, that they find the drive to act, and to go read your book, and to follow you in your work. So, they can draw constant inspiration and get plenty of reasons to fuel their optimism and use that optimism to do good, because you are a force of good. And I'm very grateful that I had a chance to talk to you, and that I get, just simply, the chance to be in the same industry as you.

[48:57] Jessica Baker: Same, Andra. Thank you for the warm welcome. And I think this conversation, we could continue all day, couldn't we?

[49:05] Andra Zaharia: Definitely. But perhaps, to be continued at some point in the future.

[49:10] Jessica Baker: I’d love that. 

[49:12] Andra Zaharia: Thank you again. 

[49:13] Jessica Baker: Thank you.