Empathy? That's Not a Technical Skill!If we all recognize that the personal data we steward actually belongs to people who need to have their data treated securely, then we will make decisions that make that data more secure. But what about people who just don't have that feeling? We see attitudes like this:
"I know the data model calls for encryption, but we just don't have the time to implement it now. We'll do it later."
"Encryption means making the columns wider. That will negatively impact performance."
"We have a firewall to protect the data."
"Encryption increases CPU pressure. That will negatively impact performance."
"Security and privacy aren't my jobs. Someone needs to do those parts after the software is done."
"We don't have to meet European laws unless our company is in Europe." [I'm not a lawyer, but I know this isn't true.]What's lacking in all those statements is a lack of empathy for the people whose data we are storing. The people who will be forced to deal with the consequences of bad data practices once all the other 10+ Ways I Can Steal Your Data I've been writing about in the eBook and this series. Consequences might just be having to reset their passwords. Bad data practices could lead to identity theft, financial losses, and personal safety issues.
Hiring for EmpathyI rarely see any interview techniques that focus on screening candidates for empathy skills or experiences. Maybe we should be adding such items to our hiring processes. I believe the best way to do this is to ask candidates to talk about:
- Examples of times they had to choose the right type of security to implement for Personally Identifiable Information (PII)
- A time they had to trade performance in favor of meeting a requirement
- The roles they think are responsible for data protection
- The methods they would use in projects focused on protecting data
- The times they have personally experienced having their own data exposed