Why is storytelling important in cybersecurity? Because we have to convey information in a way that elicits an emotional response.
I've spent the majority of my career in threat intelligence. My job is to tell the story of the threats out there, what they’re intending to do, and how they impact our organizations. I had to get really practiced at telling stories, making predictions, and tying business risk to threats.
Storytelling was also critical when I was doing incident response. I remember at Netflix, we had this incredible thing called “The Wheel of Misfortune”. We would sit down with the incident responder on call and go through an imaginary incident. They had to work their way through the incident — much like a Choose-Your-Own-Adventure story. We’d throw curveball after curveball to get them to think creatively. A lot of it was coming off the top of our heads, but it's just another way to practice and flex those muscles in cybersecurity.
One of the most important storytelling realizations I’ve ever had was when I started a podcast. I heard hundreds of people’s stories and learned about their backgrounds. I didn't realize it at the time, but I was taking in a lot of this knowledge. I was adopting a lot of ways of thinking from all these guests, and I was learning just by listening to them.
Imagine what we can accomplish from a cybersecurity perspective if we get really practiced at telling stories?
Storytelling is important because it can empower, engage, inspire, and even teach from any perspective — especially in the realm of cybersecurity. It has the ability to make security relatable.
How can we harness this power? In the rest of this post, I’ll touch on all the aspects of good storytelling, plus key questions you should ask yourself when formulating a story.
Goal
What's your goal with telling a story? Never tell a story without a point — and always back up a point with a story. That's how we connect the left and the right brain, and that's how we get our story retold and remembered. And don't be afraid to use a little emotion if you're passionate about a project!
Audience
Now, identify your audience. What kind of people can benefit from the information you're about to share? Once you identify who benefits, then you need to outline what those people will do with that information. How will what you're sharing matter to them in the grand scheme of things?
Make it Memorable
Use a little emotion and let your passion shine through when you’re telling a story — but make sure all that enthusiasm doesn’t get in the way of your message.
If your message is too dense or complex, it’ll be hard for your audience to remember some of the tenets of your story. Use real-life examples in your story — whether from your own experiences or from someone you know. Those are the kind of details that make your message more relatable and help it stick in your audience’s minds.
Call to Action
Good stories elicit emotional responses and inspire people to take action. Don’t forget to include a cybersecurity-specific call to action at the end of any story you tell. Include what you want people to feel or think about, and what you want them to do next when it comes to cybersecurity.
Tying It Back to a Greater Purpose
Sharing information through stories is more impactful than sharing just data alone.
Stories are a fundamental way to assist people in learning and building teams. They create new perspectives and better understanding for new contexts.
Security policies and guidelines can feel abrasive (and even aggressive) to some system users when people don't understand the security-specific reason for a particular decision. People tend to find ways around that control, defeating the purpose of what we build in cybersecurity.
Storytelling is critical to cybersecurity. It ties emotion and understanding to the decisions and actions we need to take to protect our organizations and environments.
So get out there and start telling some stories!
