If you are a REN-ISAC member, then you probably know Frank Barton. Ever since joining in 2019, Frank has been an active member who asks smart questions during webinars, offers friendly responses to email threads, volunteers for project groups like the Technical Advisory Group (TAG), and was recently voted onto the Steering Committee. But that is just who Frank is. Whether he is volunteering for his kids’ BSA Scout Pack and Troop or working with faculty as the IT Systems and InfoSec Administrator for Husson University, Frank is an almost inexhaustible well of good will and positive energy.
So it was no surprise that when I asked Frank “what is most important for today’s infosec professional,” he answered, “Empathy.”
“One of my pet peeves,” says Frank, “is that when people talk about infosec, they see it as a technological goal,” but it is more than that. It is a community collaboration goal. “Our job is to have the empathy to help people help themselves.”
Empathy is especially important at an organization like Husson University. Husson is a small school with about 3000 full-time students (mostly undergrad) and a campus that fits inside a one-mile-long circular road. The typical R-1 university may have over 20 full-time employees in infosec. At Husson, Frank is currently the only one with “InfoSec” officially in his title; however, infosec is unofficially part of all IT staff duties. In his role, he works one-on-one with clients, creates personal relationships with the faculty and staff, and works closely with the rest of the IT staff to promote information security across campus.
What is the role of empathy in infosec? According to Frank, it is the foundation, the beginning of the client support relationship. “If a faculty member comes to me and says, ‘I need X system for my statistics research.’ The best response is to not just look at it from an infosec side and start planning how to secure this new system.” Instead, Frank says “we need to figure out what problem the faculty member is trying to solve with this new technology.”
He clarifies by using an analogy of visiting the mechanic. “All too often people will do their research and come to the conclusion that they need a specific tool to fix their issue. Then they go to the mechanic and say, ‘my left ball joint needs replaced.’ The mechanic does what is asked, but the car still makes a clunking noise at high speeds, leaving the owner upset that the car has not been fixed and the mechanic confused because they did what was asked.”
Infosec in higher ed is a lot like this. Frank says the best way to serve the client in these situations is to ask the client “What is the problem you are trying to solve?” This is the first and most important step to emphasizing empathy in the client support relationship. Understanding the client’s problem will, in the long run, be more successful because it will help the infosec professional to understand and fulfill the client’s complex array of needs, which may include process, budget, teaching, research validity, and other concerns.
These conversations also allow information security to be brought in on a foundational level. Understanding what data is being stored can greatly affect which product to choose. By using HECVAT assessments, Frank can illustrate to the client how they can get what they need while best protecting stored data.
Leading with empathy creates a more wholistic and positive IT support and info security process. “IT is an enabler, and we need to help enable our brilliant faculty and researchers by leaving our silos, understanding their needs, and collaborating to enhance the work they do. Most importantly, we need to make sure that they are comfortable coming to us when they have questions.”