I have been writing my third book recently.
No, it’s not in security. It’s actually a fantasy book. It’s a lot of fun, and it has also led to a pretty neat and innovative (or so I like to think) experiment that you can join if you like.
So what does that have to do with anything?
To explain, and as is often my wont, let me take you on a little adventure. By the time we get to the destination, I promise you that we’ll at least have had some fun along the way.
As I am writing the book, a really good friend of mine “sort of” volunteered to help edit it. Corey has one massive advantage over me, which is a liberal arts education, and an extremely strong knowledge of some of those invisible “rules of writing” that you get taught in fancy schools that give you degrees in things like English Lit.
As a foreigner, whose mother tongue is not English, I am certainly facing some unique challenges of writing fiction in English. Things like order force (large green apple sounds normal, but green large apple comes with its own foreign accent) and ablaut reduplication (big bad wolf sounds scary, but bad big wolf is downright weird, even though the former breaks the order force rule).
Corey, bless his heart, has also been sharing with me some of his education, and earlier this week I had an epiphany of sorts, which translates directly into the field of information security. The specific “rule” in question is show, don’t tell, which in the context of literature basically means that it is more effective to imply a property than to state it directly. For example, it is more engaging for a reader to learn that the hero “had to lower her head as she entered the door” than to be told that the hero “was six foot eight”.
What occurred to me is that I’ve been using this trick my entire professional life in security.
If you’re reading this, then you probably know by now how strongly I believe that the best security leaders are good storytellers. If not, then perhaps you might choose to read one of my two books. Indeed, the ability to connect with your audience is the key factor in a security leader’s success. It’s not about the technology, stupid.
Read that again. Memorize it.
Why is storytelling such a valuable skill? So much so that it overrides any other?
(trigger warning: bad word incoming)
Because security is a field that is, at least for now and until everybody chills the fuck down about it, which won’t happen for another twenty years or so, primarily driven by fear.
Fear of hackers. Fear of a breach. Fear of the unknown. Fear of the jerk that is sitting there in front of you trying to scare you into giving them more money to spend on tools that should allay your fears, but never do so.
Yes, your security leader.
A good storyteller, and one that isn’t so driven by their own ego and sense of importance that they can focus on the other people in the room, can often find a way to ease the tension and fear, and make their audience more comfortable. And once someone is less fearful, they are far more able to engage in productive conversation about any topic.
This is very basic human psychology, which is the reason my top bullet recommendation for any organization that wishes to help their security leader grow is to have them take a psychology class. Sounds weird, I know, but trust me, if they are willing to learn how people work, they will do so much better as leaders. I suppose it applies to any kind of leader, now that I am thinking about it (there must be a reason every MBA program includes at least one such class). Still, it seems like in the field of security you are pretty much always running into leaders who really, really need this sort of help.
See, security leaders, even the rare, friendly ones, often struggle with getting their point across. It’s a well-known problem. “They won’t invest in security” is perhaps only second to “they won’t listen to me!” on the list of common complaints by CISOs about their executive peers (and company board members). This dynamic, in fact – which in my view is caused by the CISOs themselves – is the primary driver for one of the most common forms of security mismanagement strategies. It’s called management by compliance, and it basically means that the CISO has concluded that the easiest way for them to get what they want is to threaten everyone that if they don’t get it, the company will fail some important audit, with terrifying outcomes. The truth is that in the vast majority of cases, they are lying to you, and often to themselves.
If your organization seems to only care about SOC2 or ISO or PCI or HiTrust or whatever compliance thing when it comes to security, then I hereby give you a gold-plated guarantee that the lies are not only common, but by now, institutionalized.
It’s terrible, but it works.
And, incidentally, we have finally arrived at our destination.
If you accept the value of storytelling in security, then it may be helpful to consider what professional storytellers can teach us. You know, fiction authors. Remember our six-foot-eight lady from earlier in this piece? Let’s take this lesson and apply it to our field.
See, security comes built-in with another interesting feature. Once you get past the fear, it is extremely engaging for most people. You see this play out in popular culture, with movies and TV shows and every kind of media. Like, all the time (remember War Games? gawd, I love that movie). It’s exciting precisely because it is a little mysterious and comes with a sense of danger. People are fascinated by it.
When it comes to security, people are naturally curious.
As a security leader, what an incredible advantage this is to have!
So, Mr. CISO, why aren’t you using it?
Instead of telling people about your “risks” and “threats”, show them. Describe the setting, and let them fill in the gaps for themselves. Here, let’s try it. Let me show you.
Which sounds more engaging and likely to lead to greater buy-in?
“Our engineering team is downright incompetent! Look at the results of this pentest – there were 47 findings, 19 of them high, and they only fixed 2 of them in the last three months! They are not paying attention, and we are going to get breached, and it’s going to be their fault because they are not doing what they’re supposed to do!”
“You know, the pandemic has made a lot of companies shift to the cloud and rearrange to remote work, and I gotta tell ya, hackers have noticed it too and are trying to exploit it. So we’ve been running some tests, and we found a bunch of things that probably need a bit of extra attention, especially in this kind of environment. Hey, have you heard about that big ransomware attack that cost that utility several million dollars two months ago? I can share the link if you wanna check it out”
I don’t need to tell you any more about this, do I?
“The CISO ducked her head as she left the room, a satisfied smile on her face.“