Which security story are you telling?

Getting buy-in and support from other leaders comes from connecting. Popular advice suggests using a story. Use the right story built on 3 essential elements.

2014 12 05 cso which story
Credit: BigStock

How do you get people to pay attention to security?

A common challenge for security leaders and their teams is the ability to translate the complexity of security into understanding. We struggle to communicate our value effectively.

Whether you seek information, supporting, funding, or need people to consider a change to their behavior, how do you connect?

Frequently, the suggestion to “tell a story,” or “tell your story” is offered as a suggestion. It’s a great idea. But we have two types of security stories.

Which are you telling?

Consider this real example of the two types of security stories.

The two types of security stories

I asked the participants in a workshop to prepare a brief story to share. Here’s what happened when one of the security analysts took the stage:

As he stepped up to the front of the room, he looked down at his shoes, careful to avoid eye contact. It was the first time I saw someone visibly shake when standing up to present. It was his turn to share a brief story of how he got started in security.

It was painful to experience. Not because he was nervous, but because his story wasn’t a story. He offered no emotion. Nothing to engage. It was just a laundry-listing of facts. This is a common approach to telling stories. 

We worked on it for two days (along with his colleagues). Early in the workshop, he revealed that he used to play minor-league baseball. Without intending to, he captured everyone’s attention. Suddenly he realized a better way.

He came back the next day with something different. He came prepared with an actual story. The sort we need more of in security.

Now when he stepped in front of the (small) audience, he had the stance of a confident baseball player. He looked each of us in the eye. I don’t recall precisely what he said, but he explained that as a second baseman, he needed to do his job to prevent the runner from advancing, from scoring.

He talked about the need to know his role, to communicate with his teammates, and to pay attention to many things at the same time. He led us through a play - from the pitch, to the crack of the bat, to the successful out. He seamlessly explained how he draws on the same skills as a security analyst. When I looked around the room, everyone was fixated on him.

He hit a homerun with his story.  

Normally I suggest people avoid sports metaphors. In his case, his experience made it appropriate. His delivery compelling. He told a story. He shared emotion, his struggle at leaving baseball to start a new career. Then he shared the connection and how it worked out for him.

3 elements of every good story

Regardless of plot, twists, and approaches, there are 3 basic elements every good story needs (link):

  • Characters: introduce the people involved. Move past a listing of facts to provide the essence. Explain the context. Reveal emotions. They need to be real.   
  • Conflict: the lesson is often illustrated in how the character transforms through challenge. It's not always adversity. Take time to describe what they're going through. Include emotions, changes in context, and changes in perspective/understanding.
  • Resolution: how did the character(s) change? It may not be a happy ending. Provide the necessary context and emotion for the audience to make the connection and process the story.

Current attempts to tell stories in security (and in business) focus on environment instead of characters, symptoms over conflict, and present a resolution without the journey and transformation (if appropriate). All without emotion, insight, or connection.

Security success is driven by our connection with people - our stories

While we continue to make advances in technology, the reality is that we depend on people for our success. Especially when it comes to the frequent need for them to shift behaviors. Without effective communication, we encounter a lot of friction.

Better results start with better communication. A proper story connects people to the challenge we’re trying to solve. It offers the audience insight into struggle -- and an opportunity to contribute their experience and voice into the process. They get a chance to join the journey and be part of the resolution.

If we want better results in security, we need to get comfortable telling better stories. Our ability to tell better stories comes directly from building better stories. While there are entire books and courses of study on crafting and telling better stories, anyone who understands and incorporates just three basic elements tends to show remarkable improvement.

What happens after working with the three elements of story?

Distilling to these three basic elements changes the way we listen to stories. It changes how we create them. With practice, it improves how we tell them.

While the example above is the most dramatic improvement I’ve experienced, even short workshops fundamentally change how we think about our communication (not just stories). We reconnect with ourselves, and start to bring it forward.

After some hands-on practice, people come up to me to point out when other people aren’t really telling stories -- when the speaker falls back into what passes as a “story.” It’s not to be mean; instead, it’s how we start to process our own actions.

It takes some exploration and discovery to uncover and distill the three elements. It's a patient process that involves asking questions in a relaxed and conversational way. That might mean spending 20-40 hours just to get a 2-minute story right. Some spend longer.

The ability to deliver a good story, however, is a skill developed with practice. The good news is that each day presents opportunities at work, home, and the activities in which we engage.

If “they” don’t get it, check which story you used

If we fear someone just doesn’t get it - they might not. But that limitation might be more on us than on them. Check your story. Was it a true story, or just a listing of facts? Did you skip to the punchline, expecting someone else to naturally understand?

Check out  “3 basic elements every good story needs” for an example of a typical security story and how to make it better (loosely based on experience -- see if you relate to the story).

By embracing the three elements to guide a loosely structured practice, each of us has the ability to craft and tell better stories. The key is regular practice -- when listening, crafting, and telling stories.

Take a few moments today to consider how you can tell a better (security) story. If you’re inclined to share, I’d enjoy the chance to learn from your story -- share in the comments. tweet it out (@catalyst), or send me a message.

Let me know how using the right story to connect, lead, and grow benefits you and your team.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.