October 1st, 2020
Cybersecurity and Storytelling
I’ve been working in cybersecurity for over 20 years and have been working as a “virtual CISO” since about 2015. In the early days, I was drawn into the cybersecurity field by a fascination with the technical aspects of hacking and software security vulnerabilities. When I started with the NSA in March of 1998, as a penetration tester, I spent nearly every moment of every day reading Bugtraq posts, pouring over back issues of Phrack Magazine, and attending classified technical talks at NSA’s Research and Engineering Building. When I wasn’t soaking up hacker knowledge, I was practicing my craft on the office’s internal network, which was approved for hacker tools and no-holds-barred breaking-in to your coworkers’ systems.
If you were to ask me back then what a Chief Information Security Officer did, I probably would have thought that he (or she) would be something like a “chief hacking officer” (I think Marc Maiffret held that title once). I would have thought that a CISO was a master of the dark cyber arts and had amassed more technical cybersecurity knowledge than anyone else in the organization. There are, to be sure, some CISOs and cybersecurity consultants that have followed this approach and are the Jedi masters of their cybersecurity teams. However, in my experience helping clients improve their cybersecurity programs, I’ve found that my technical cyber knowledge has not been the key ingredient to their success. It’s been foundational, but not the most important factor.
So what is most important? A cybersecurity practitioner has to be able to create compelling narratives (stories) that explain why certain security investments are important, why certain changes need to take place, and what the consequences are for failing to act. The arc of their stories need to be connected to business reasons, not cyber fear mongering, so that the leadership of the organization can understand the importance of what’s being asked for. Contrary to public sentiment, most C-level executive are not stupid. But they’re also not typically technology experts. CISOs and cybersecurity consultants need to start from a solid technical understanding of the issues and then present those issues and solutions in terminology that their corporate leaders can readily comprehend.
Where can someone find materials for these cyber campfires? My favorite source is security incidents. I study the particulars of data breaches (how they started, what tools/techniques were used, and what endgames were). Then, I try to tie these details back into a framework like MITRE ATT&CK (https://attack.mitre.org/). An attack framework helps me explain the big picture of what the attackers were trying to accomplish to both technical and non-tech staff alike. An added bonus of working from the MITRE ATT&CK framework is that includes suggestions for cybersecurity protective measures that could prevent or detect the bad guys’ specific actions. With a little work, you can map these potential attack paths against existing protections and produce a cybersecurity gap analysis.
What else is needed? Soft skills. The cybersecurity community seems to be full of technical experts that are very bad at working well with others. A little empathy, relationship building, and listening will go a long way to help a cybersecurity professional find support to implement new security practices, protections, and policies. Never underestimate the willingness of people to help you when you allow them to receive most (or even all) of the credit.
As I was preparing to write this short article, I searched on “CISO as storyteller” and found that I am certainly not the first person to write on this topic. Some great ideas can be found here: https://www.cybereason.com/blog/blog-ciso-tips-balancing-the-hero-with-the-storyteller and here: https://www.tripwire.com/state-of-security/security-awareness/tripwire-connect-cybersecurity-pros-need-good-storytellers/.
Building an effective cybersecurity program is insidiously difficult–it’s like being asked to juggle while someone throws rocks at you. Instead of spending our time improving our cybersecurity protections, we spend most of our time getting funding, approvals, and support to make the needed changes. Cybersecurity storytelling is key to creating a shared understanding of the problems and solutions to obtain needed organizational support. As Jean-Luc Godard said,
“Sometimes reality is too complex. Stories give it form.”
CISO’s and cybersecurity consultants that fail to create compelling narratives will find it difficult to make progress implementing cybersecurity improvements. A little time studying storytelling would be time well-spent for most cybersecurity pros.