Storytelling: A CISO’s superpower against cybersecurity indifference

The popularity of storytelling is astounding. It is rare to find a TED session without some expert expounding on the miraculous power of storytelling to give us influential superpowers, and YouTube is awash with storytelling tips and techniques.

Most of these lectures, however, focus on improving main-stage presentations or enhancing the effectiveness of marketing campaigns. And while there is real value in these — one charity doubled donations simply by representing its message within a story — they can seem disconnected from the reality of the CISO role, and the everyday stresses we must face. How, then, can we adapt storytelling to support us in our goal of better communicating the cybersecurity imperative?

The benefits of storytelling

There are many positive outcomes that result from a story well told. Listeners can recall details and facts much better, and they often hear more and listen longer.

Stories give the presenter an opportunity to clothe boring messages in an appealing wrapper; they slow down the thinking process, which helps establish credibility and trust; and they build emotional connections that draw people in and encourage positive participation and decisions. 

Cybersecurity stories can be the connective tissue between a problem, your ask, and a positive outcome. All these benefits should be the aspiration of any C-level executive. 

How does it work?

There is no shortage of people willing to explain how storytelling can work. Everyone should find their own model that works for them. However, in consuming hours of that content in research, certain key components stand out.

Build common ground

Show awareness of the listeners’ situation, whether they be interns or board members, so that they know this story relates to them and deserves their attention. To accomplish this, many story presentations start with an audience interaction, something like “How many of you have/feel/think…” This immediately establishes a collective agreement on a core component of the story. It provides a solid foundation for the scenario you are about to build.

Paint a vivid picture

Stories speak to emotions, and emotions take the lead in decisions, followed by facts used to justify those decisions. We need to create a drama that engages the audience. This can be the classic “hero journey,” but a simple reversal-of-fortune tale will suffice, when described in detail. However senior, the listener will still respond more positively to a human drama rather than to just a business one, so create relatable personalities at the heart of your narrative.

Unleash the power of contrast

As part of your vivid picture, it’s important to describe what is versus what can be. Show a picture of the world on the current path, and one where that path is changed. Relate this back to the characters in the story to make the potential change to the world feel real and relatable.

Make a proposal

The success of any corporate storyteller depends on gaining approval for their desired outcome, so make your proposal clear. The story should show how your solution is logical, how it accommodates and tackles the peril that you have described, and how it will transform the outcome of the tale to a positive.

When to use a story

With compelling benefits, and a logical model, adopting a story to relate to CISOs is ideal. The challenge I see is when and where this applies, outside of main stage keynotes and marketing focus.

There are several suitable opportunities.

Promote behavior and culture change

Perhaps the scenario best suited for storytelling is when talking to business units about security awareness and behavior change. People will subconsciously copy characters they can relate to, so outlining a tale of peril and cyber-consequence, and then offering an alternative path, can create a dominating learning opportunity — especially when you back up that tale with real-life examples.  

Explain a complex situation to C-level executives

Wrapping the fact-based narrative within a story is a better way to communicate, to influence, and to drive information retention. The enthralling Zeigarnick Effect shows that people will retain even fine details until a story reaches its completion, and other studies show that facts are 20 times more likely to be remembered if related in a story form.

Drive a business decision

By creating the emotional entanglement that a story can spark, you will better influence business decisions. Creating stories as hooks to ensure that staff across all levels of seniority can recall and relate to a driver for a change will protect that initiative from diversion or defunding. Use the story in your top-level presentation, but then cascade it down as a summary of what the decision is and why.

Establish credibility and trust

We have all used examples from our own careers to establish credibility and trust with our executive board. This is our natural usage of storytelling coming to the fore, so leverage the same process more consciously to build relationships across the enterprise.

The staying power of a good story

Storytelling is a natural act that humans can relate to, and it has always been part of human nature, so it is no surprise that it remains one of the most effective models of communication. Corporate life may often overwhelm our natural instincts with data and analysis. However, as security leaders, our role is increasingly about influence and relationships. Fundamentally, storytelling is still in vogue because of its underlying power.

Andrew Rose is resident CISO, EMEA, at Proofpoint.

Originally appeared on: TheSpuzz