Show, Don’t Tell: How a Highly Respected Fiction Trope Can Serve Any CISO
By Barak Engel, Skytop Contributor / April 11th, 2022
Barak Engel’s company, EAmmune, manages security programs across many companies and verticals. He was CISO and Chief Privacy Officer for MuleSoft just prior to its $6.5 billion acquisition by Salesforce, and served as StubHub’s CISO through the company’s $4B acquisition by ViaGoGo and its massive digital transformation project.
Barak holds multiple board advisory positions, providing critical technology, risk, product and market insights to boards and CEOs. First gaining exposure to the intersection of business and security while at Netvision, Israel’s largest ISP during the dotcom boom, he became focused on how security would inevitably become an essential business discipline. Barak has built, managed and counseled security departments across countless and diverse organizations, including MuleSoft, Amplitude Analytics, Live Nation/Ticketmaster, StubHub, Barnes and Noble, bebe Stores and many others.
Barak’s first book, “Why CISOs Fail – The Missing Link In Security Management”, has been widely praised for its brutally honest assessment of why so many security leaders fail to connect effectively with their CEO and board, why that failure has created unnecessary additional risk for enterprises, and how it can be fixed. In recognition of its critical contribution to the field, the book was nominated and accepted into the Cybersecurity Canon in 2021. Barak’s second book, “The Security Hippie”, published in January 2022, aims to make the field of information security more accessible to the average reader.
I have been writing my third book recently.
No, it’s not in security. It’s actually a fantasy book. It’s a lot of fun, and it has also led to a pretty neat and innovative (or so I like to think) experiment that you can join if you like.
So what does that have to do with anything?
To explain, and as is often my wont, let me take you on a little adventure. By the time we get to the destination, I promise you that we’ll at least have had some fun along the way.
As I am writing the book, a really good friend of mine “sort of” volunteered to help edit it. Corey has one massive advantage over me: a liberal arts education, and an extremely strong knowledge of those invisible “rules of writing” that you get taught in fancy schools that give you degrees in things like English Lit.
As a foreigner whose mother tongue is not English, I certainly face some unique challenges writing fiction in English. Things like adjective order (large green apple sounds normal, but green large apple comes with its own foreign accent) and ablaut reduplication (big bad wolf sounds scary, but bad big wolf is downright weird, even though the former breaks the adjective order rule).
Corey, bless his heart, has also been sharing some of his education with me, and earlier this week I had an epiphany of sorts, one that translates directly into the field of information security. The specific “rule” in question is show, don’t tell, which in the context of literature basically means that it is more effective to imply a property than to state it directly. For example, it is more engaging for a reader to learn that the hero “had to lower her head as she entered the door” than to be told that the hero “was six foot eight”.
What occurred to me is that I’ve been using this trick my entire professional life in security.
If you’re reading this, then you probably know by now how strongly I believe that the best security leaders are good storytellers. If not, then perhaps you might choose to read one of my two books. Indeed, the ability to connect with your audience is the key factor in a security leader’s success. It’s not about the technology, stupid.
Read that again. Memorize it.
Why is storytelling such a valuable skill? So valuable that it overrides any other?
(trigger warning: bad word incoming)
Because security is a field that is, at least for now and until everybody chills the fuck down about it, which won’t happen for another twenty years or so, primarily driven by fear.
Fear of hackers. Fear of a breach. Fear of the unknown. Fear of the jerk that is sitting there in front of you trying to scare you into giving them more money to spend on tools that should allay your fears, but never do so.
Yes, your security leader.
A good storyteller, one not so driven by their own ego and sense of importance that they cannot focus on the other people in the room, can often find a way to ease the tension and fear, and make their audience more comfortable. And once someone is less fearful, they are far more able to engage in productive conversation about any topic.
This is very basic human psychology, which is why my top recommendation for any organization that wishes to help its security leader grow is to have them take a psychology class. Sounds weird, I know, but trust me: if they are willing to learn how people work, they will do so much better as leaders. I suppose it applies to any kind of leader, now that I think about it (there must be a reason every MBA program includes at least one such class). Still, it seems like in the field of security you are pretty much always running into leaders who really, really need this sort of help.
See, security leaders, even the rare, friendly ones, often struggle with getting their point across. It’s a well-known problem. “They won’t invest in security” is perhaps second only to “they won’t listen to me!” on the list of common complaints by CISOs about their executive peers (and company board members). This dynamic, in fact – which in my view is caused by the CISOs themselves – is the primary driver for one of the most common security mismanagement strategies. It’s called management by compliance, and it basically means that the CISO has concluded that the easiest way to get what they want is to threaten everyone that if they don’t get it, the company will fail some important audit, with terrifying outcomes. The truth is that in the vast majority of cases, they are lying to you, and often to themselves.
If your organization seems to care only about SOC 2 or ISO or PCI or HITRUST or whatever compliance thing when it comes to security, then I hereby give you a gold-plated guarantee that the lies are not only common, but by now institutionalized.
It’s terrible, but it works.
And, incidentally, we have finally arrived at our destination.
If you accept the value of storytelling in security, then it may be helpful to consider what professional storytellers can teach us. You know, fiction authors. Remember our six-foot-eight lady from earlier in this piece? Let’s take this lesson and apply it to our field.
See, security comes with another interesting built-in feature. Once you get past the fear, it is extremely engaging for most people. You see this play out in popular culture, in movies and TV shows and every other kind of media. Like, all the time (remember War Games? gawd, I love that movie). It’s exciting precisely because it is a little mysterious and comes with a sense of danger. People are fascinated by it.
When it comes to security, people are naturally curious.
As a security leader, what an incredible advantage this is to have!
So, Mr. CISO, why aren’t you using it?
Instead of telling people about your “risks” and “threats”, show them. Describe the setting, and let them fill in the gaps for themselves. Here, let’s try it. Let me show you.
Which sounds more engaging and likely to lead to greater buy-in?
This:
“Our engineering team is downright incompetent! Look at the results of this pentest – there were 47 findings, 19 of them high, and they only fixed 2 of them in the last three months! They are not paying attention, and we are going to get breached, and it’s going to be their fault because they are not doing what they’re supposed to do!”
Or this:
“You know, the pandemic has made a lot of companies shift to the cloud and rearrange for remote work, and I gotta tell ya, hackers have noticed it too and are trying to exploit it. So we’ve been running some tests, and we found a bunch of things that probably need a bit of extra attention, especially in this kind of environment. Hey, have you heard about that big ransomware attack that cost that utility several million dollars two months ago? I can share the link if you wanna check it out.”
No, really.
I don’t need to tell you any more about this, do I?
“The CISO ducked her head as she left the room, a satisfied smile on her face.”