


CSO contributor

How CISOs can drive the security narrative

Dec 08, 2021 | 7 mins

If you want people to follow proper security practices, they need to understand why. That's best done by telling a good story.


An eternal discussion in security is whether technology, process or people are the critical element in information security at scale. Most security leaders will tell you it’s the people that matter. Changing people’s behavior to care about security practices requires more than simply taking poor practices off the table. It requires new positive habits and motivations. People connect with stories, and the brain naturally synthesizes the journey of a story with people’s own experiences and relationships.

The sales conundrum: When training and communication don’t change behavior

Some of the audiences that most struggle with security practices use narrative in their own businesses every day. As a leader in a consulting organization, several years back I came up against that eternal challenge of data protection: sales. Our policy specified certain ways of handling account information: where to store it, how long to hold on to business contacts, standards-provided locations. There were tools aplenty and email and training. Yet we showed signs of the same risky behaviors. What gives?

Our team failed to provide the motivation of change; we failed to think about this as people. Could people understand how the parts made for their success in the job? Could they understand the reason to start a move in the direction we wanted them to go – the nudge that got them going?

In short, we had to drive the narrative. A story of change has a beginning, a reason to get moving, and a motivation to keep moving despite opposing forces (which I will talk about in a minute). Can your team tell the story? Have you told your people the story for their role, their division, their customers or outcomes?

Change requires confidence, capability and competence. Start building those things by driving the narrative that long-time employees can buy into.


The persuasion slide

The CISO often wants to build and drive the narrative but may find it difficult to get communications support, or to entrust narrative building to specific teams. Not everyone knows how to tell a story.

Yet almost everyone knows how to use simple playground equipment the world over, including the slide. Roger Dooley introduced the “persuasion slide” in his Neuromarketing blog in 2013. It serves as an analogy for the process of getting people on board with an idea or goal.

On the playground – as any child (ahem, or former child) can testify to – you approach a ladder of some kind, climb to the top of the equipment, take a seat, and push yourself forward. Enjoy the ride down a smooth straight or curving surface and run back to the ladder to do it all over again.

The same exercise in the eyes of a physics student seems more complex, as different forces are in motion to complete this most basic of juvenile recreation. The first stage of using a slide requires a nudge. That is, a push against the equipment to generate some forward motion from the top of the equipment. Without a nudge, the potential rider will sit there and no motion occurs.

In a story, the nudge is the reason to get moving. What motivates a person to start going on the journey, and what does that beginning of motion look like? Be specific. What compels a person to start the journey with you?

The second factor at play is gravity; it helps direct the ride of the slide against the equipment throughout the journey. We take it for granted that gravity points “down” toward the floor as we walk to coffee in the workroom (or water in the kitchen these days).

In the workplace, however, gravity doesn’t always point down on security topics. When gravity includes past experiences, biases, concerns, excitement, or other factors, it may work in favor of making a change or, more often, against it. Understanding the direction of gravity, by evaluating factors in the environment and surveying those who may be critical or highly affected by a change, is key to structuring the story and the program well.

You often can do little to change gravity. Rather, you identify it, understand it, gauge the strength of it, and account for it in how you build your slide – your story.

The third factor in the physics of the slide is friction. Can you imagine for a moment trying to use a slide made of sandpaper? Your nudge and gravity together might get you moving a little bit, but the journey would hurt and soon your pants would snag on the playground equipment, without much distance traveled.

Friction is a reality in the process of any change. What is the friction? How strong is it? What kind of activities or concerns will drive more or less friction during the journey? Do you have an opportunity to help people prepare for the friction you know about? Can you reduce the friction?

Seldom in business can you eliminate friction completely. It is another factor that you find ways to manage, assess and quantify. The goal is to help people find it compelling to continue the motion down the slide of the story, the change, even in the face of the friction along the way.

The other key factor you set in the design of the slide – the factor that determines whether you overcome friction or not – is the angle of the slide. Set the angle of the slide too steep and the journey will be abrupt, potentially with a shock later. Set the angle of the slide too shallow or for too long and there may be a point where friction is no longer overcome, or the journey takes too long to complete. In your story, this is a critical opportunity for the security narrative: Why would this person want to continue the security journey? Do they still understand the outcome? The steps? The nearby benefit? The intended experiences?

These four elements of the slide – the nudge, gravity, friction, and the angle of the slide – provide a ready image for security leaders to build narratives in a way that helps people identify the why, the what, and the how of a security story.

Re-approaching sales with a security narrative

With my sales colleagues, step one was to sell the executive team on the need for change:

  • We are moving forward because our customers will not buy from an organization that cannot meet regulatory requirements (nudge).
  • We know that we want to move fast and in the past security programs were a stated reason – rightly or wrongly – that people felt collaboration on deals and reviews slowed down (gravity).
  • Together, we know along the way that we will need to update the way data is stored in the system, add review to how frequently customer data is accessed, and this will add thought and expense to our sales systems (friction).
  • If we do this together, we have a plan to help build a journey that rapidly unlocks reports, delivers better credentials to our sellers, supports our customer third-party assessments, and helps us win more and faster as we build experience with these systems and obligations over time (angle of the slide).

Today’s security teams need narrative more than ever to convince workers in a hybrid work environment to buy into security and compliance updates. This is as much about people changing practices, being sensitive to the risks of AI assistants and data protection, as it is about tools and technical bits. Your team can use the power of simple tools to drive the narrative and help build the capability, confidence, and competence that lead to change.

CSO contributor

Wayne Anderson leads security and compliance architecture to make high-integrity consulting security a core part of Microsoft's Modern Work business. As part of the Modern Work Office of the CTO, Anderson leads as a subject matter expert on security, Microsoft 365 compliance, and go-to-market development. He embraces a career-defining focus on trust at the intersection of security, people, and new technology with global experience of over 17 years in security, including international leadership at Microsoft, McAfee, and Avanade, and more than 20 years in technology.
