Cyber Empathy

Empathy in cybersecurity is about picking a side

Episode Summary

In today's episode, I'm joined by the incredibly talented and eloquent Jenny Radcliffe, The People Hacker. She is a Social Engineer, Author, Burglar for hire, Award-winning Podcast Host, Keynote Speaker, Panelist, and 2022 Infosec Hall of Fame Inductee. Her latest book, "People Hacker: Confessions Of A Burglar For Hire," reveals how she gains access to top-grade private and commercial properties using her inimitable blend of psychology, stagecraft, and charm. A thrilling conversation you won't want to miss!

Episode Notes

Regardless of the power, wealth, or influence a person or company might have, the only thing that can protect them from being hacked is another great (ethical) hacker.

Although the dark side of cybersecurity has several routes to explore and experiment with, they all have the same destination, and – spoiler alert – it is never a happy place. That’s why empathy in cybersecurity is about picking a side: you either use your skills to harm people or to protect them from cybercriminals. 

We had a fantastic conversation about what it really means to be a social engineer, why she believes empathy in cybersecurity is about picking a side, and the importance of learning to manage emotions as a defense mechanism against malicious hackers. Jenny also shared her thoughts on gaps in the education system, the importance of mastering so-called "soft skills," and so much more! 

Episode Transcription

[00:42] Andra Zaharia: Jenny Radcliffe, the people hacker, brings her vivid storytelling and awe-inspiring generosity to Cyber Empathy. I've been thoroughly enjoying Jenny’s book, “People Hacker: Confessions of a Burglar for Hire,” where she reveals how she used her unique blend of psychological insight, stagecraft, and charm to breach high-security properties and uncover their vulnerabilities. It's a captivating read that really speaks to how insanely difficult the work of a professional social engineer is. Just like in the book, Jenny brings her wonderful sense of humor to this conversation, in which we talk about guiding principles, the ethics of people hacking, the role of emotions, and what we need to teach children so they can safely navigate the overwhelming world we live in. It's time to discover why the only one who can protect you from a malicious hacker is an ethical hacker. Enjoy Jenny's fascinating stories and perspectives. There's no one quite like her.

[01:59] Andra Zaharia: I wanted to just go right into it and say that first of all, I'm in awe, I'm amazed that I'm able to talk to you, Jenny. I’m so thrilled.

[02:08] Jenny Radcliffe: Oh, no, it's my pleasure.

[02:12] Andra Zaharia: We're so lucky to have you in this industry. We're so lucky to have someone like you who's such a great storyteller who's able to capture all of this nuance, and who's able to share all of these experiences in a way that we can all learn from them. I mean, listening to your book was a fantastic experience.

[02:30] Jenny Radcliffe: Oh, you're very kind. But the thing is, social engineering is one of those jobs, every job has a story. I'm very lucky in that what I do just creates stories. And I think the only trick, if there is one, is remembering some of the details and trying to connect with what people might resonate with within those stories and not make it too much about the job itself. For me, it's never really just about the job, it's about the people I meet and the situations that you see. And social engineering jobs, physical infiltration, particularly, always give you stories because, at the end of the day, you're either pretending to be someone else in a site, so that in itself is a story, or you're on your own in a building and things happen that don’t happen during the day. So, it's lovely of you to say, but I do think I have a massive advantage in that what I do is always a story. If you can take the time to tell it in the right way, every job is a story, really.

[03:36] Andra Zaharia: It is. But it also takes a lot of courage to be in these situations and work up just the nerve to be in the situations. I recently talked to a team of pen testers who were on their first physical engagement, and they were really, really nervous because they're such good, nice people that they have a really hard time pretending to be someone else.

[04:01] Jenny Radcliffe: And you're fooling people, and that's hard for people to get across as well sometimes; these very nice people deceiving. The way I always kind of got past that was, “Well, it's better it's me than the bad guys. It's a fire drill.” And we've got to make sure that we follow that up and make sure that people understand that they've not been caught out because they're stupid or they’ve made anything other than a very human mistake. These are targeted. And it's so cute of you to say that the team was nervous because they're paid to do it. This is the thing I always say: absolute worst-case scenario, these days anyway, we are authorized and paid to do this. So you just produce your letter and say, “Well done. You got me. This was a test. That's a great job,” and then the business can learn from it. I think back when I started that wasn't the case. If I was caught on some of those jobs, it definitely was dodgy. But pen-testers these days, it's a legitimate assignment, so they need to not be so nervous. I'd love to speak to people about to do the first one, I must volunteer to do that because you shouldn't be nervous on it; you should be a little bit nervous, but only so that you do a good job.

[05:17] Andra Zaharia: It feels like your entire job is such a strong emotional education. First of all, I consider cybersecurity to be a way to really evolve your self-awareness, your emotional maturity, just to grow as a human because it gives you all of these concepts, all of these tools, all of these connections to people from different backgrounds, and so on. But what you do specifically, I feel, is an incredibly intense emotional experience. And the way that you talk about all of your formative years in the book and all of those key jobs that stayed with you, to me, has this strong emotional component. And I was wondering, how do you hold all of these emotions within you? How have you learned to manage them? Because it is such an important part of your job, but it's also something that comes across a lot from everything that you do.

[06:13] Jenny Radcliffe: That's such a good question. I'm not often asked that question. Well, the thing is, I did a lot of work of study and emotion, actually, because I studied psychology, body language, deception, and things, and that all links to that. The advantage I had, which sounds like a disadvantage, was because I wasn't technical, and I never felt that I would be a technical person. I worked with such good technical experts and people who are happier with the computer in front of them and code and things. I never wanted to try and be good at that because one of the pieces of advice that I think is very good is you should specialize in what you’re good at and what you enjoy. So I could learn a little bit, and I do know a few things after hanging around a lot of hackers, but nobody wants an okay hacker, you want to be a great hacker. And I knew that my strength was never going to be on the technical side. So it was very clear, I was going to work with humans and with the brain, and how that worked. Humans are emotional beings, so I had to really dig deep into where emotions come from and what they are, and if there was ever commonality in emotions across humans. And you need to do that, if you learn nonverbal communication, you have to learn that because emotional reaction is what we're looking at. So for example, if you look at something like stress, stress presents the same in most humans; it's in different orders and it's in different intensities. But essentially, we go through freeze, flight, fight, and flight. If we're looking at those things, I would need to know that so I could judge who I was talking to and interacting with in a job that I'm that present physically and psychophysical. So I'm looking at all those things. So, to do that, to be able to analyze others, what emotional intelligence is about is, first of all, you have to understand that yourself.
When it comes to management, I'm no better than anyone else at managing emotions, that's a very difficult thing for any of us to do; if you're frightened, you're frightened; if you're angry, you’re angry. To get those things under control, there are ways to try and manage it. But essentially, if you're scared, you're scared. So we can come down a little bit easier and learn some techniques, but that's a difficult thing to do. But understanding is useful. 

[08:35] Jenny Radcliffe: For example, if someone's sad, it means they feel they've lost something valuable, it's the loss of a valued person or thing. So, if I knew that, and I know if I'm talking to someone and they're sad, then I need to work out what it is they think they'd lost and how we can replace that or comfort them about that. Now, those types of things are useful in self-management because I can say, “Okay, well, why am I feeling like this?” If you can recognize what that feels like. The first thing is self-awareness, then it's self-management, then it’s awareness of others, and then managing other people. So, you’re right, emotional intensity and emotions generally. I think the reason that when you read the book and when I talk, it seems to be talking so much about emotion: one, because it's manipulated by criminals; two, it’s manipulated by social engineers or at least understood by social engineers. But I notice those things and write about those things because those are the things I really understand. And I had to understand something good because I couldn't understand the tech. And it was interesting to me that I could see any human being in an emotional state and kind of be able to understand how to pull them out of that state or how to increase it. So, for example, in interrogations, if we see stress signs on someone — we don't call them interrogations anymore, we call it the intensive interview, actually. But when we do an intensive interview, if we see that we've got someone in a stress state, then do we want to keep them in that state to get them to elicitate and to talk? Or do we want to relieve that state? And how do you do that? So it was very useful in the job in terms of dealing with people to be somebody that worked with emotions and understood them. And I think that's why it comes out in the book.

[10:21] Andra Zaharia: You are definitely an expert on the human OS. Another guest called just our entire system of functioning, you're definitely an expert on that. And I feel like this topic is finally getting the spotlight that it deserves in cybersecurity and we're finally reaching a stage where we realize that all of the technical solutions that we've devised, obviously, have limited effectiveness. And tackling this idea of helping humans figure out their way around threats, manipulation, and other types of risks is a completely different ballgame, which is much more difficult, much more nuanced, and much more difficult to codify into solutions that are scalable because every human is different.

[11:15] Jenny Radcliffe: You can’t throw money at the human problem the way you can throw it at the technical problem. You can invest in a magic box and it will solve some issues. It requires time, focus, and attention to really manage humans. And I think partly the reason that it took so long for this to really take hold was because there was a lot of nonsense written about it and spoken about it in the past. When the internet first came out and when I first started working with some people in cybersecurity, I'd look for things about this topic, and it would be very basic level—still is a lot of the time—and there would be lots of assumptions and tropes and things that said, “Well, humans do this,” or “the users do that.” And I think it really led the industry astray for a long time. And then there was a point where everybody was a social engineer. Like I said, “I can't throw an infected USB in the air without hitting someone who said they were a social engineer.” And I think what's happened now is that people say, actually, there are people who can talk to culture or to awareness. And there are people who can talk about crisis communication and that type of thing. But there are really very few people who I genuinely will consider to be a social engineer — like a proper, that is their expertise, anything else they do is the side dish to the main course. Whereas in the past, people say, “Well, I'm a social engineer,” or “I do a bit of social engineering.” And you’d think, “Well, no, doing a phishing email does not make you a social engineer.” It's a very specific skill set that needed to be defined properly, I think, in the industry, and the people to say, “There are elements of that and what I do, but I'm not going to speak to that on a stage or anything else,” unless you really are a social engineer. 
Because as the rest of the industry got more educated and more knowledgeable, I think the industry as a whole realized that this is a very distinct subset, it's not something that you just add on, it's a specific thing and it's not the thing that everybody can do. And I think that's why it's getting attention now because I think some of the nonsense has been sifted out. And some people used to say that they were social engineers and I'll talk about other things, because it was trendy and everyone thought, “Oh, that's easy.” And then you realize, actually, to do it really properly and professionally is like any other skill. It's not easy. It might be simple at times, but it's not easy. And that was one of the things I wanted to get across in the book as well: This is an actual profession. Just because you can pick a few things off and try—which is great if you've got the right ethical mindset—it doesn't mean that this is the thing that you do until it's the thing that you do and everything else is an add-on.

[14:11] Andra Zaharia: You've highlighted a phenomenon that keeps repeating in the history of humankind, generally, is this hype cycle, where you have to wait out for the trend chasers to fade into the background. And then if you follow a topic for long enough—I'm talking about this from my perspective, as someone who follows people, who have stayed the course and really gone in depth into their specialization and into their profession for years, decades, and on end—those are the people you want to follow. I've learned this from stoicism and it resonated with me because you phrased it so well, applied to social engineering is that you have a lot to learn from the things that don't change, from the people who stayed the course, from the built-in human traits that haven't changed in thousands of thousands of years. And those are still our biggest unsolved problems. Even the things that you work with, this lack of ability of the human mind to maintain awareness of itself all the time, it’s such a big thing. I don't think we're ever going to be able to solve it because we don't understand the human brain, we're just barely scratching the surface. How does it feel for you because you created experiences that change people, that change their mindset, that triggered those aha moments, where they really feel like they're just taken outside of their contexts and they're suddenly faced with their own behavior, their own faults, their own blind spots? How does it feel for you to see people react in this way to your work?

[16:02] Jenny Radcliffe: It's an amazing thing. With the talks, I've been doing keynotes for so long all over the world, and I just told a little bit about the job, what I did, what it was, and why it worked, and then some anecdotes as well—people love the anecdote—and I wasn't surprised in one way that people love the anecdote because I can see that the job is interesting. But bear in mind that I'd never really spoken about it before a few years ago and told the stories of the jobs before in the way that I started to do as a keynote or as just a talk. So, at first, people were just like, “Oh, my God, I love that story, that job is amazing.” And it wasn't a surprise, because I knew it was great, but the intensity of it and the amount of people who said that was a pleasant surprise. People think it's me creating those experiences, but I feel like I really am just the person who's telling the story of the people involved in the job. So, in some ways, it's the people outside of me that create this and make these stories funny or whatever. And of course, I focus on people a lot because that's what I've always had to do. But I think the thing that really took me by surprise was the positive reaction to the book. There are a lot of stories that I've told in the keynote that I didn't tell in full in the keynote; you don't have time. People knew things like putting the notice on the door of the factory and then opening the door for me, they knew that story, but they didn't know everything behind it and the people I worked with. And I had to sketch those characters, and they're not characters, they are real people, so I apologize when they listen to this. I keep getting called a character. So when I was talking to TV people and film people, they were like, “The character of Jenny,” and I’m like, “It's not a character. This is me. I’m real.” But obviously, it's a character and as much as it'll be on the screen, it will be a character.
But I had to put emphasis on the other people in the story. So I felt that I told it more fully. Now, I knew people liked the stories of the jobs and I knew people were fascinated with my job. So what I did was I picked 12-15 jobs that I had either spoken about or that were different in some way, some of them I've never spoken about, that just showed the range of social engineering and what that experience doing that role was. So I just pick different ones. And I knew that they kind of liked that, but what was lovely was people said things like, “This was an easy read,” “This was an exciting read,” or “It was well written.”

[18:45] Jenny Radcliffe: So many people, people I respect, said, “This is so well written.” That, for me, was the nicest thing. Because, like I say, I know they're gonna enjoy my job, my job is interesting, and I see that it is, but it's the fact that they said that I wrote it well. That was the nicest thing. And I wrote it specifically so that people could read it quickly. And that's because of one of the things that you said before is that we're all very distracted easily, me as well, these days. We've all got thousands of things, we're busy. And if you get fed up or bored, we can reach through the phone, watch any movie that's ever been made, read any book that's ever been written. So unless something holds your attention and moves quite quickly, it probably wouldn't have done as well. So I wanted to raise it to the people picked it up, read the story, even if they read a chapter at a time and just said, “Oh, that's great,” and didn't get bored, that was my goal to write it. And it was so nice for people to come back and say, “I read this in a weekend,” or “I can put this down,” or “This rattles through me.” One of the big newspapers in England said, “This is a rattling rip-roaring read,” or something like that. You read through it really quickly, that was the goal. And I was pleased that I achieved that. But people have been very, very kind and very generous about the whole thing. I'm eternally grateful for the support of the cybersecurity community because they supported me as they always have.

[20:12] Andra Zaharia: We're extremely lucky to have you as an author and to have someone who writes so well, someone who communicates so well in this industry. These are incredible things. And to me, the fact that I listened to the audiobook because I saw that you narrated it, and I was like, “Yes, I want this, I definitely want to listen to this aside from reading it.” And I just have this distinct feeling that I didn't want it to end.

[20:44] Jenny Radcliffe: Maybe that means there should be another one because, as I say, I estimate, I can't say exactly, but it's about 600 physical infiltrations. If I take an average over a year, some years worth more, some useful ones. There's about 600 jobs. This is an exclusive, but I kept diaries. So I've always kept diaries of everything I've done. And I literally just picked those stories that I knew I could obscure some of the clients and the details but would resonate. But it was hard to pick those 12-15 out of all of the stories. And this is one of the beauties of looking at the TV show because the beauty of fiction is that I can pick the stories that were still true but we can obscure details that for security reasons I couldn't put in the book.

[21:32] Andra Zaharia: To me, it is fantastic that your work becomes this product of the culture. Because one of the essential things that makes cybersecurity interesting to me is the culture behind it, the ethics behind it, the hacker manifesto, even pop culture bits and pieces created by movies or TV shows that have taken this job and this role outside of the confines of the industry, that have made it interesting. This has led to young people taking an interest in cybersecurity, hacking, and eventually becoming great professionals. The cultural aspect of it, to me, is incredibly important because it can permeate different layers of our society. To me, ethical hackers are the people who lead cybersecurity, they push cybersecurity forward, they ask for more, they test the boundaries and just constantly push them a little bit to make sure that we're growing, we're not becoming complacent, we're not just becoming about commercial things. We're not just an industry that makes money; we're an industry that tries to help people. And going back to that ethical code, to me, is incredibly important. The cultural product that your work is becoming taps directly into that. It highlights the ethics of it, which to me is incredibly important. And it is this discipline that we need to bring back in terms of importance and as a tool for becoming better professionals and better humans, and it's also something that entertains people.

[23:15] Jenny Radcliffe: It's entertaining for people to watch. It's not entertaining for you if you've fallen off roofs and been chased by guard dogs and things. But yes, people seem to be entertained by the idea of me breaking my leg.

[23:25] Andra Zaharia: I know it sounds a bit, maybe, cynical at times. But I feel like this kind of approach is really important in our ability—and I talk about the cybersecurity community—to communicate these things is what determines the effectiveness of anything that we try to do, anyone we try to persuade, from getting budgets to doing communication campaigns, whatever it is. So, what I wanted to emphasize is that your book begins with one of the key ideas of your work, which is so simple but so important that security only works if you use it. And to me, when I listened to that, the thought that came immediately after, because I was thinking about the podcast, is that empathy only works when you use it, but we don't really know how to. So, I was wondering where is the empathy in hacking people? Where does it sit within your toolkit, within your ecosystem?

[24:29] Jenny Radcliffe: Well, there's a lot to unpack. But I think one of the things that the cybersecurity community — and I'll get to specifically what you're talking about on empathy in a minute — but one of the things that we need to remember as a community is it's quite a powerful skill that our community has. If you put it together, we really can make or break people. And I'm talking about technical hackers particularly. The culture that we live in now and the times that we live in now, I don't think we've even realized as a community just how much power there is. So, for example, I was speaking to a client the other day, and now that client is on behalf of another client who's a high net worth person. They said that that high net worth person felt that because they have money, they were immune to being hacked and then they were hacked. And then we came in to manage different parts of that investigation and the protection of the person, their family, and their business. Now, what I said to them was, “The only thing that will protect you from being hacked by a good hacker is another hacker.” So we can tell you, “Put this tech in place. We can give you some education on social engineering. But essentially, not me, but you need someone on the team. No one's immune.” And then what you really do, and it's almost a battle of the Titans. It's the good hacker against the bad hacker, it really is that kind of almost biblical Bible, at that level, because money won't protect you if someone's got you in their sights. What will protect you is some tech alongside some education and a constant kind of vigilance. And I think that's the thing that comes into play when we talk about empathy is that I came to know how powerful it was to really be able to understand people that well, and constantly educate yourself on different things.
So, I looked at training in lots of areas in illusion, hypnosis, and linguistics, and all these different areas, all with the idea of I've got to know people really well. But the thing that I knew best was the con artistry side of it as well. So, I study that. And I think what happens then is that you make a choice and you think, “I can see how, not everyone, but for a lot of people, this would work.” “I could persuade you this way, I could trick you that way.” Or “I could use this and not do that. And I could use this to try and help people and stop this.” I think that's where empathy comes in. Because if you make the choice not to hear people, and it's not an easy choice to make, not so much not to hear people, but to be a good person to not steal the picture off the wall, to not just say, “Sorry, I kind of for persuade my way into--” I mean, I do still go and persuade my way into parties and events and things I'm not invited to sometimes. 

[27:15] Jenny Radcliffe: So, I'll give you an example. I was in the US, and I spoke at an event, but my flight was a day later. So I wasn't leaving that evening, I was leaving the following evening. So, I had an evening to myself and a late flight the following day with a lie-in and a late checkout. What would you do? I go to the bar, I ordered a drink. I was just having some drinks and some food, and just sitting there. And a guy came over to me who'd been at my talk, and he was in the same position, his flight was until the next day. So, what are we gonna do? We're gonna sit and have a drink and eat some chicken or should we see if there's something else we can do? And in the hotel, there was another conference, and they had one of these fabulous corporate evenings with a casino and an auction and all these things. And I said to this guy, “Should we go to that party?” And he's delighted because he's never done anything like that before, and he's like, “What do you mean? Sneak in?” I said, “Yeah, we'll just blag our way in, and that's it. We'll just go to a party as opposed to sit at the bar.” And we went, and he loved it. And he was channeling in a persona and everything, and he was doing really well on the casino. It wasn't real money, it was a toy casino. But he ended up winning a really expensive drone in the auction. So apart from things like that. And just to say, I did sort of know someone at that event so I knew we'd be okay. Apart from things like that, am I ever going to use it to be a bad person? And it's a struggle not to do that. And I think that's where the empathy comes in because what you have to think is, the consequences of me using this, even if it seems quite benevolent, could be huge. You pick a side, you're either here to help people and have integrity or you're not. What empathy does is I've seen the devastation that even little things like someone's Instagram account being attacked or a house being burgled.
I've seen what that does to people. And I don't want to be someone who causes that. I want to be someone who helps prevent that, and limit the damage if it happens. But you can only do that with empathy. 

[29:32] Jenny Radcliffe: The problem with empathy and the reason people find it so difficult is when there's a situation where there's a difference of opinion or when there's a problem, humans want to blame someone. Now, I've done hundreds and hundreds of training courses on negotiation and persuasion and influence, I still do a couple a year for only certain people. But what I say is, sometimes no one's to blame, or sometimes someone's made a mistake. We attack before we understand in our society. We're all guilty of it because it's easier to shout at someone and blame someone, than to say, “This system is imperfect, we need to fix it.” Or maybe nobody is being malicious, maybe it's just not a great situation, help me work it out together. I feel that we are losing our cooperation if it was ever really there. We don't cooperate as well. It speaks to social media and influencers, and it speaks to mobile workforces and working in isolation more, but we don't cooperate well, as a species, I think, not always anyway. Obviously, we do sometimes. When we do, it's so beautiful and we all love it. But a lot of the time we compete, and when we compete, we lose empathy, because you can't compete well with someone that you understand where they're coming from.

[30:53] Andra Zaharia: Empathy is definitely the part of a generous mindset, a part of the mindset that says that there's enough for everyone, that yes, we can compete with each other but in knowing that there's enough for everyone. 

[31:07] Jenny Radcliffe: See what people think is they think it means sympathy. So I've done criminal negotiations with bad people and I don't sympathize with where they come from at all. These are violent people, these are criminals, these are people who cause hate and harm to people. Cruelty is unforgivable. But I have to try and understand where that comes from for me to solve that problem, so I can empathize with someone's position even if I don't sympathize with their position. I honestly think, Andra, these are the skills that we should be teaching kids. Because whilst in the meantime, we're forcing children to do something like maths until they are eating — no one's saying mathematics isn't obviously incredibly important — but you can't say there's no time to teach people psychological skills, negotiation skills, these are the things that talk people off a ledge, these are the things that resolve situations and stop conflict. I gave a TED talk on it, but I really think the curriculum that we teach kids is lacking in basic skills, budget skills. I spent hours in school in things like algebra, and no one taught me about filling in a tax return or saving for a pension. So these are the things that I think are really important when it comes to actually living in the world that we're in now, which is faster-paced, more complicated, we need more than that analytical skills. And I do think it comes back to what we first spoke about a little bit as well, which is why people say, “Oh, I'm an expert in this, I'm an expert in that,” and then the next become an expert in something else. It's because they're not analytical, they're just hanging on to every trend. And if we were in the cookery industry, that would be quite bad because someone's going to get a bad meal. But in the security industry, when someone says they're an expert in something and they're not, lives, data, information, money is really at risk. It's very serious. So I think it's a gap.

[33:13] Andra Zaharia: Thank you for speaking to that. I feel that that's why sometimes we often look to countries in Northern Europe, which tend to have a different educational model that's very based on teaching cooperation, on doing things, doing activities together. 

[33:33] Jenny Radcliffe: Finland are very highly sensitive because not only do they teach analytical things in school, I think, although I'm not sure what they call it, but they actually have people who analyze the news and things as well and the public will say, “Well, this source is reliable or this source isn't reliable,” or think about who wrote it and what are they trying to achieve? Obviously, that comes from geographical proximity to other countries in some ways. But you're right, there are some skills that are urgently required, and are urgently required in cyber just as much as they are in wider society, for sure.

[34:11] Andra Zaharia: Our, let’s say, digitally powered culture, I feel like cybersecurity has a role here to create literacy, literacy in how we interact with technology, with how we use it, with how we understand its effect, its impact, its consequences, but also the good things that we can use it for. And without this understanding, it's just going to take over like we already see it doing. And in the midst of all this, taking time to think about ethics, to think about empathy, to think about critical thinking. I feel that people still see them wrongly as soft skills, which is something that puts them in an area where that's nice to think about, but not entirely necessary. But just like you mentioned, they're actually vital for how we function, for our health, physical, mental, emotional, and so on.

[35:06] Jenny Radcliffe: I do love it when someone says “soft skills” to me. It just makes me smile a little bit. I did a call with a guy and he gave me this whole technical spiel, and he said, “Social engineering is just gonna get passed off.” And I said, as I'm talking to you, I know I get passed because your arrogance is your weakness. You've just literally given us the way in. But you can't think like that. Fundamentally, you're dealing with people in them. However technical you are, there's still someone somewhere that you get to interact with, and you need to understand that. And if nothing else, understand yourself, your motivations, and what it is that gets you out of bed in the morning. And if you get out of bed in the morning because you want to climb Everest and hack a bank, then how do you channel that into positivity? Because on the negative side, and I've known plenty of people who've been criminals and have gone down the wrong path in my time. It just doesn't end well. A guy called Brett Johnson, a great podcaster, a great storyteller, formerly FBI's most wanted cyber criminals, who has now produced this great show. He gave a presentation and he shows all these pictures of former associates who are criminals, and he says, “Most of them are dead. If they're not dead, they're in prison. It doesn't end well.” So find out what you love and what you're skilled at, and then find a way to channel that into positivity so that you have a happy life. And it's such a huge thing, but it sounds so simple: I do what I love and I’ve a happy happy life. That's what it’s about. Really, that's what you need to think about. You're not going to be happy if you hurt people, not in the end. It doesn't end well.

[36:59] Andra Zaharia: And if you depart from your internal structure or from your set of principles that guides you, even if you've never articulated them on paper or somewhere else, I was wondering if there are any experiences where you are on the receiving end of an empathetic behavior that have helped you understand what your principles are, have helped you understand or define what your motivation is, and what you want to do with the skills that you've continued to develop.

[37:33] Jenny Radcliffe: I don't know about if I can think of an incident that stands out where someone was very understanding of me and it was a lightbulb moment. But I do think that people talk about is mentors. I have some people who I see as mentors in a way, but mentor is not the word I'd use. I have a circle of people, in my head, I call them the board of directors; they are the people who I can go to, who are always very patient with me, but will tell me if I'm putting a foot wrong. So, for example, I'm offered lots of projects and things in TV and other things, and the temptation is always to take it because it's TV. And I've got people around me saying, “No, don't do that.” And they're right, but my ego wants to say yes, because of course, you want to be on telly. You want your family to go, “Oh, there's Jenny on telly.” So, I only do certain things, but it's people who will say to you, “I know you want to do that, but you shouldn't,” or “I know you're scared to do this, but you should.” Putting that team around you is very, very important. So, I think we kind of get lost in the term “mentor.” I don't think mentor really is what we mean, or at least for me. It was just more having these trusted people that I go to for certain things and I stay in touch with. But I know if something comes up, there's a financial thing that I don't understand, I'll go to this person. If there's a business thing, I've got a few people that I go to and say, “Look, from a business point of view, I'm not very good at this. So, what would you do?” I think as you get older—and we spoke about it before—it's really about understanding what you are good at and almost staying in your lane. And I don't mean not taking risks, but saying, “I'm in this lane and I recognize that there are other people who are better at other things than me. 
So, go into them, and then letting them understand if you've done something and you know that's not right, and letting them tell you.” So, taking the criticism and reaching out. I think there's a tendency, especially when you run your own company, and especially when you've got something, to try and do everything and to try and feel like you're right all the time. And what comes with maturity is going, “I'm wrong a lot of the time, and there's so much I don't know that it's like I wish I didn't have to sleep.” Because I'd love to learn all these things. But the reality is, “Now, I'm going to bring these people in.” So, I don't think I've had an incident that stands out with someone just showing me empathy and it was game-changing. I think I've been lucky to have people who made an effort to understand me, and then made an effort to guide me in an empathetic way, which made me better at what I did.

[40:22] Andra Zaharia: That's a precious gift, that's a very precious gift that we can offer others. And the thing that you mentioned, I remember a friend of mine telling me this. She's a coach, and she'd read about this framework where to learn or to evolve the fastest, we need to be in three roles at the same time: We need to teach someone, we need to learn from someone, and we need to have trusted peers that are going through similar experiences as us that can provide this supportive and trusted space where we can grow. And they can also keep us accountable, of course, because that's a huge element. So what you mentioned and the way that you shared this part of your life, really, reminded me of this concept of having this group that grounds you, that becomes sort of a second family, or perhaps a spiritual family in the sense that-- 

[41:21] Jenny Radcliffe: It’s the family you choose. But I do think that you need to be careful with who you trust. So, the way that I see it is I can go almost anywhere in the world, call up someone from the hacker community, from the cyber community and have a beer. That is one of the loveliest things about this community is that you know that you can do it. There's going to be a BSides or there's gonna be a hacker group kind of anywhere. And probably, if you get going, “I'm here, I'm in your city, and it'd be great to have a beer,” obviously, you've got to be very careful, especially, if you're on your own. But generally speaking, we can do that. But then there are people who support you from a business point of view. So I've got business people who I can talk to, I've got business friends, that's another circle. So, security is like the onions. And then I have a very close-knit group, not necessarily in the business, who don't care how successful I am or not, and absolutely will tell me if I'm being a dick. But, first principle, “You are now being stupid for something,” or “Now you are being arrogant.” And they don't care if the book does well, and they don't care if there's a TV thing. They just don't care, right. They're happy for me, but they don't care because they'd be just as happy if I worked in a sweet shop and was happy. And that is not easily found. I think one of the things in our industry is that we build Gods; we put people on pedestals, and we worship with the pedestal. And people really don't think carefully enough and really analyze what they're seeing. Those people are not necessarily someone who's going to be there for you or look up to you or support you. That's just the community. That's just social media. It's important to really see different people with different things and really look after that privacy. 
So one of the things I would say that people realize when they talk to me is, I give tons of interviews, I always give people an interview if they ask for it, nearly always, because I did a podcast and people gave me their time. And I was blown away by the generosity of people in the industry with hundreds of thousands of followers who came on my show. I couldn't believe it. And even if they didn't have that many followers, someone just came on, they gave me their time. So I've spoken a lot, I've done lots of interviews and articles over the years. But actually, people don't know that much about me, personally. The book is the thing that gives you the most information. But even the book doesn't really tell you that much about me now. And I think that's important as well, you've got to guard part of yourself. We're in security, we should all be paranoid. We should be guarding that little privacy. Share bits of yourself with people, but the real you, it's people who don't care. They don't care whether you look great or you look awful, they don't care. But they'll tell you, “You don't look so well.” There's too much kind of sycophancy. There's a different life online and a different line with people's public persona. 

[44:36] Andra Zaharia: It really is. Thank you for sharing that. I feel that's such an important point about learning how to be vulnerable with certain aspects of yourself. And I mean vulnerable in the sense of the psychological vulnerability, not the other kinds of vulnerabilities that we talk about all the time. Learning to be vulnerable with specific elements that are essential to human connection, and that you feel comfortable with just showing people, and then keeping that core private. That's so powerful and so important. One of the key things that cybersecurity can actually teach the industry outsiders in a world that glorifies oversharing, and that builds influencers in such special based on this, but this is not natural, nor is it healthy.

[45:29] Jenny Radcliffe: In the security industry, we should know, as a community, not to trust everything we see online. We also have, I think, a good awareness of mental health issues in our community as well. Don't share things on Twitter. Think about what you're saying on Twitter. Not everyone who smiles is a good person, not everyone who follows you. I see some people, and you can see what they're doing, they've got podcasts or whatever they've got. And you see them pick an influencer or someone who's well-known, and start to like every post, and then retweet every post, and then comment on every post, and it's just such a cynical build. And then you see people fall for that. And I just think that we as a community should lead the way in terms of just privacy, just a little bit of personal awareness. All of those things are helpful, because then when you're building a business, and you build on what you love, if that comes crashing down for whatever reason—so if Elon Musk gets rid of Twitter altogether or wherever—you've still got something. I think people just overshare too much, and it's weird. I think it comes from the confidence the security community has that we can deal with anything, because we think we'd recognize it and we know what to do if we’re hacked and all the rest of it. And I think it's just better to hold some of that back.

[46:51] Andra Zaharia: It absolutely is. Thank you for all of your stories, for all your wisdom, for all of the humor, for everything. To me, you're such a great, well-rounded person to learn from.

[47:05] Jenny Radcliffe: Well, you're lovely. I'm glad it comes across that way. I'm sure that there's a million things. But no, it's lovely to be interviewed by someone who's asking such clever questions because a lot of the questions you've asked me in this conversation, it's gone in a direction that a lot of the time they don't. So it was a real pleasure to talk to you, Andra.

[47:25] Andra Zaharia: I appreciate it so much, Jenny. Same here. And I would love for everyone who's listening to listen or read your book. I can't wait for the TV version of it. And I can't wait to see what many other things you have to teach us. Thank you for being here and thank you for being so generous with everything.

[47:48] Jenny Radcliffe: Aw, it was my pleasure entirely. Thanks so much for having me on the show.