The Art of Storytelling in Cybersecurity

Picture this: You just received a call from the head of your company’s board of directors saying they’re meeting in 10 minutes and would like your perspective on Q3 security priorities and where to dedicate the new budget for security investments. Not exactly the 2 o’clock you had in mind for your afternoon.

So, you head down the glass-paneled hallway to the empty conference room to collect your thoughts. Sixteen swivel chairs tucked into an extended white table sit before you as you try to structure your delivery. Of course, this is a topic you are well-equipped to discuss and have thought about exhaustively. But how do you do it in a compelling way that will reach your audience? Where do you start?

That’s where the ancient art of storytelling can play a critical role. Given today’s sometimes unpredictable threat landscape, board members are heavily invested in their organization’s security strategy, and chief information security officers (CISOs) are often responsible for presenting these technical or complex ideas. Trying to do so in a simple yet thoughtful way can prove challenging, though.

To help explore this topic, Resident CISO John Checco joined the Protecting People podcast. Below are highlights from the conversation, along with tips on how to master the art of storytelling. (Note: Quotes have been condensed and edited for use in this post.)

What makes a compelling story?

First, you want to have a clear message to deliver. You may have a lot of data that you want to communicate to the board, but you should pick two or three specific points. You want to have a focus. If you start throwing around a lot of statistics and supporting data, it can muddle your message.

Second is what I call semantics and sentiment. You want to take care to choose the right words to communicate your idea and build sentiment. And when you have that sentiment, you’re hopefully aligning the audience to your focus.

The third part is context and background. Data without context is just data points. But when you add context to data, you have information. And when you have background for that information, you have a narrative—you have intent and meaning. That’s really important because you want people to understand the meaning of what you’re trying to communicate, not just the words or the phrases. That becomes the part of the story that the audience can relate to.

Fourth is analogies and grounding. There are abstract concepts in the CISO world that are hard to communicate to board members who aren’t cybersecurity or technology savvy. So, you want to try to build a common platform that you can both communicate on. Analogies are a great help. Pick an analogy that the audience can relate to, and also relates to the points you’re trying to explain.

Then, you have the communication itself—the delivery. You can have a great story, but if you have a terrible storyteller, no one will listen. So, you have to tell the story in a compelling way and emphasize the parts of it that you know will resonate with the audience.

This leads to my last point, which is about feedback and pivots. You have to be able to read the audience—the “social dynamics”—as you’re giving your story. Pivot if something isn’t working. Or, if something is working, focus more on that.

How do CISOs best prepare for the unexpected in board meetings?

I think it’s really important, especially if you’re reporting to the board on a regular basis, to have a champion on the board who can be your sounding board. Prior to the meeting, that person can help you craft the message or give you an idea of the board’s sentiment and concerns.

For some reason, security seems to be the last thing on the docket for the board. So, being able to get that heads up and having that sounding board can help you [deliver your message successfully].

When prepping to meet with the board, what tips should CISOs keep in mind?

You can’t use storytelling all the time; you have to use it judiciously. Also, there are long stories and short stories. A long story is an analogy or a narrative that you carry from one meeting to the next. That way, there’s some kind of activity or continuity of thought between board meetings.

You can use short stories or small analogies to show a specific point. Short stories can be very effective. But if you use too many, then there are too many different grounding points, and it becomes confusing for the audience.

If you’re going to meet with the board on a regular basis on the same types of topics, I suggest using a long story method and an analogy that carries over from one board meeting to the next.

What are some common mistakes CISOs make when presenting to the board?

Sometimes, the focus of security is not really the focus of the organization. So, having the right focus [in your message] is really important.

Also, not being able to take feedback or pivot properly is a problem. If you get stuck on the story you want to tell, then you’re not listening to what the audience is asking. It’s important to understand what the board is asking you and, if needed, cut short your narrative so you can address their questions under a new narrative.

What topics should be top of mind right now for CISOs addressing the board?

It really comes down to looking at your performance metrics: How comfortable or how mature are you today? Also, what’s trending? What’s at risk for tomorrow? And how is the organization going to address the unknowns? That means you have a process of assess, mitigate and defer. So, having that type of mentality when you present to the board, or when you’re planning for your security operations, is important, because it allows you to say, “We don’t know what’s coming next, but we have a process in place to handle it.” That helps you get the board comfortable with whatever’s coming next.

For the full interview, visit the CISO Hub.