The boardroom and back again: The art of storytelling in cyber security

Tuesday 26 November, 10:45 am - 11:25 am

Speakers

Hannah Quayle
Principal Customer Solution Lead
CyberCX

Fraser Metcalf
Principal Solution Lead - Cyber Defence
CyberCX

Synopsis

Cyber Security should be a no-brainer, but for many organisations it’s not always as simple as asking “do you want to have a newsworthy cyber breach on your sensitive data and critical systems?!” In a field dominated by acronyms and assumed knowledge, it can feel impossible to convince people around you to care about that cyber risk you feel could bring everything crashing down.

Whilst stakeholders are becoming more cyber-aware, there are still key barriers to success:

  1. Stakeholders still are not as cyber-aware as they need to be to effectively work out the right solution to solve their problems.
  2. Stakeholders are trying to deliver on business outcomes and improve their bottom line. Cyber is a significant cost and doesn’t always clearly lend itself to delivering business value or direct positive impact to the bottom line.
  3. Stakeholders have multiple, competing priorities. It is often hard to carve out enough budget or focus on cyber amongst other initiatives.

We aren’t here to tell you how to educate all your stakeholders on cyber or why the CISO needs a seat at every table. Most already know this is an important journey to take. Gaining business buy-in is not only about telling a compelling story, but telling the right story for your audience.

We will walk through the following in our presentation:

  • Know your audience – If you don’t understand where your audience is coming from, you can’t know what they will care about. There is a reason Disney films contain jokes for both kids and adults. You need to be able to identify who needs to hear your story, what they care about, and how they want to hear it.
  • Tell your story on your audience’s terms – If you are going to use an acronym, make sure the audience will understand it. If you are going to write a story, do it a chapter at a time. While you have all the information, your audience rarely does, and so it’s important to break the story down into parts or perhaps sprints that your audience clearly understands, written in a language they speak.
  • Find what resonates – Not everyone cares about Frodo when they could follow the adventures of Aragorn. If you understand what themes, personas, and horribly overused tropes appeal to your audience, then you can create a story which uses these, creating a better experience for your audience. Not everyone cares about the story, but almost everyone cares about how they experience it.

To illustrate these ideas we will talk through examples in the Cyber Defence and Identity and Access Management fields where we have used these principles to tell stories that make people care about cyber security (or at least agree to implement change).

Whether you are a CISO or security manager selling the value internally, a SOC analyst trying to make the CISO care about your incident, or a consultant trying to express the value of your solutions, this session is for you!

Acknowledgement of Country

We acknowledge the traditional owners and custodians of country throughout Australia and acknowledge their continuing connection to land, waters and community. We pay our respects to the people, the cultures and the elders past, present and emerging.
