Security is a complex space – changing and emerging threats, multiple interconnected technologies that each do one small piece of the security landscape, and an ever-changing regulatory and legal environment. And frankly, most senior executives don’t have the patience to really understand the threats to their business in great depth.
So what can a smart security executive do to capture and hold management attention on security issues? Become a great storyteller. There are lots of reasons storytelling helps in the security space:
- People remember stories much more than they remember a bunch of data points or random facts
- Stories connect emotionally as well as intellectually, making them more impactful, and increasing stakeholders’ investment in the topic
- Having people re-tell stories is both a great validation of your original point but also a powerful way to make sure that your point is shared throughout the organization so that everyone understands security better
Start by studying storytelling. There are some basic plots for stories, such as boy meets girl, hero vanquishes evil, etc. There’s also a basic narrative structure you can use (see Exhibit 1):
So with this structure, you can explain security threats to your executives.
- Exposition – threat the business faces, including what part(s) of the business, are affected (sales, brand reputation, data, etc.)
- Rising action – how that threat is evolving
- Climax – impact on the business if that threat occurs
- Falling action – steps being taken to address the risk and protect the business
- Denouement – any residual implications, requests for support or budget, etc.
You leave out the details that will take the focus off the overall story but leave the ones that add color and help people connect with the story. So, examples of how other companies are handling the threats can stay, but likely the reporting spreadsheets of the quarantined threats should go. This balance of the details is key to effective storytelling. Your team may find deep data invaluable, but it may cause your audience to give up trying to follow your story.
You’ll also save a lot of time. How? Typically, when something happens, you give the details and then try to explain those details in context. If you’ve told a story people understood, then when you have a conversation about details, you can refer back to the story and have the person “get it” faster. You can tell this works when stakeholders start asking more, and more relevant, questions. People who don’t understand a topic don’t ask as many questions.
How will you know the storytelling approach is working? When more people in your organization start to change their behaviors to support your security goals. And when senior executives begin to get more invested in your work.
Bottom line: To really improve security, get outside of security data and details and become a great storyteller.
Posted in : Security and Risk
