The art of storytelling in cybersecurity perspective

Andrew Rose, Resident CISO, EMEA at Proofpoint, explains how storytelling can be adapted to support CISOs in communicating the cybersecurity imperative.

The popularity of storytelling is astounding. It is rare to find a TED session without some expert expounding on the miraculous virtues of storytelling to give us influential superpowers, and YouTube is awash with storytelling tips and techniques.

Most of these lectures, however, focus on improving main stage presentations or enhancing the effectiveness of marketing campaigns. And while there is real value in these, they can seem disconnected from the reality of the CISO role, and the everyday stresses we must face.

Today, criminals are continually targeting people to expose confidential data and compromise networks. Human error is considered to be an organization’s biggest cyber vulnerability, according to 50% of CISOs in the UAE.

CISOs are tasked with empowering employees, at all levels within the organization, to understand security and the risky behaviour that can lead to breaches. Training and awareness programs are crucial, but only if they are tailored and coupled with effective communication.

This is where storytelling can be adapted to support CISOs in their goal of better communicating the cybersecurity imperative.

The Benefits of Storytelling

There are many positive outcomes that result from a story well told. Listeners can recall details and facts much better, and they often hear more and listen longer.

Stories give the presenter an opportunity to clothe boring messages in an appealing wrapper; they slow down the thinking process, which helps establish credibility and trust; and they build emotional connections that draw people in and encourage positive participation and decisions.

Cybersecurity stories can be the connective tissue between a problem, the ask, and a positive outcome. All these benefits should be the aspiration of any C-Level executive.

How does it work?

There is no shortage of people willing to explain how storytelling can work. Everyone should find their own model that works for them. However, in consuming hours of that content in research, certain key components stand out.

• Build common ground – show awareness of the listeners’ situation, whether they be an intern or a Board member, so that they know this story relates to them and deserves their attention. This is why many story presentations start with an audience interaction of “How many of you have/feel/think…”, which immediately establishes a collective agreement on a core component of the story. It provides a solid foundation for the scenario you are about to build.

• Paint a vivid picture – stories talk to emotions, and emotions lead decisions, with facts then used to justify them. We need to create a drama that engages the audience. This can be the classic ‘hero journey’, but a simple reversal-of-fortune tale will suffice when described in detail. However senior, the listener will still respond more positively to a human drama than to a purely business one, so create relatable personalities at the heart of your narrative.

• Unleash the power of contrast – as part of the vivid picture, it’s important to describe what is versus what can be: show a picture of the world on the current path, and one where that path is changed. Relate this back to the characters within the story to make the change real and relatable.

• Make a proposal – the accomplishment of any corporate storyteller is gaining approval for their desired outcome, so make your proposal clear. The story should show how your solution is logical, how it accommodates and tackles the peril that you have described, and how it will transform the outcome of the tale to a positive.

When to use a story?

With compelling benefits and a logical model, storytelling is an ideal tool for CISOs to adopt. The challenge is knowing when and where it applies outside of main stage keynotes and marketing.

There are several suitable opportunities:

• Promote behaviour and culture change – perhaps the most suitable scenario is when talking to business units about security awareness and behaviour change. People will subconsciously copy characters they can relate to. Outlining a tale of peril and cyber consequence, and then offering an alternative path, can create a dominating learning opportunity – especially when you back up that peril with real-life examples.

• Explain a complex situation to C-level executives – wrapping the fact-based narrative within a story is a better way to communicate, influence, and drive information retention. The enthralling Zeigarnik Effect shows that people will retain even fine details until a story reaches its completion, and other studies show that facts are 20 times more likely to be remembered if related in a story form.

• Drive a business decision – by creating that emotional entanglement that a story can spark, you will better influence business decisions. Creating stories as hooks to ensure that staff across all levels of seniority can recall and relate to a driver for a change will protect that initiative from diversion or defunding. Use the story in your top-level presentation, but then cascade it down as a summary of what the decision is and why.

• Establish credibility and trust – we have all used examples from our own careers to establish credibility and trust with our Executive Board. This is our natural usage of storytelling coming to the fore, so leverage the same process more consciously to build relationships across the enterprise.

Storytelling is a natural act that humans can relate to, and it has always been part of human nature, so it is no surprise that it remains one of the most effective models of communication. Corporate life may often overwhelm our natural instincts with data and analysis. However, as security leaders, our role is increasingly about influence and relationships. Fundamentally, storytelling is still in vogue because of its underlying power.