How CISOs can master the art of cyber security storytelling – CyberTalk

EXECUTIVE SUMMARY:

Powerful stories can mean the difference between stagnant security that incites adverse outcomes and 10X better security that fully protects the environment.

Bridging the divide

Due to the volume of cyber threats and the impact that they can have, Chief Information Security Officers are now regularly invited to corporate board meetings. More than 90% of CISOs report attending such meetings – a trend that’s expected to continue as new cyber security rules take effect.

However, when CISOs are asked to lead boardroom cyber security discussions, their points or requests are commonly dismissed, as board members lack the context for and interest in the material at hand.

This disconnect from cyber security, and the diminishment of it, widens a chasm that can potentially lead to egregious cyber security gaps and gaffes. If the board does not understand the need for email threat prevention tools, for example, a stealthy attack could undermine the organization.

Chief Storytelling Officer

In turn, the CISO needs to become the Chief Storytelling Officer – someone who can clearly convey cyber security concepts in a way that builds favorable sentiment and consensus around solutions.

As CISO Tom August adroitly notes, “…a confused mind always says no.” It is incumbent upon CISOs to help board members connect the dots in the language of business, not just the language of security.

Storytelling transforms the abstract into the tangible and comprehensible. Yet, the real feat is to ensure that cyber security storytelling not only informs and expands viewpoints, but that it inspires action.

Cyber security storytelling best practices

So, how can a CISO develop storytelling capabilities and transcend communication gaps?

The key lies in starting with the ‘why’. As many an expert has observed before, change of any kind is a participation sport. For people to participate, they must buy into it via the story that’s told about it. A story provides the opportunity to facilitate an emotional connection with the ‘why’.

CISO stories should also have a ‘throughline’ or a connecting thread that brings various ideas and examples together. The throughline is a core message that stakeholders should be able to easily convey to other stakeholders. It should be memorable and repeatable.

In telling a story, CISOs need to humanize cyber risks. CISOs need to show the impact of failing to take certain actions vs. moving forward with certain actions. Claims should be supported with data and metrics, although not with so many metrics that the audience loses interest.

The final messaging in a CISO’s story should point the board in the direction of the response that is required.

Nailing the narrative approach

Think of the narrative approach as savvy and strategic, rather than a watered-down version of reality for cyber security simpletons. The objective is to create a shared understanding, a shared sense of purpose and a shared interest in solving a business problem.

As cyber security threats and needs change, and as the business itself changes, so too should the narratives that cyber security leaders tell. CISOs should aim to continuously educate the audience and to bring them along on a shared journey.

In conceptualizing the CISO role as that of a Chief Storytelling Officer, at least in the context of board-level discussions, CISOs can reshape dynamics and empower organizations to make informed decisions that ultimately enrich cyber security and ensure resilience.
