In talking to CIO’s while researching my upcoming book, I’ve been noticing a pattern forming across sectors and countries. In responding to my questions, many CIO’s have said that when hiring security leaders, they are looking for story tellers who are inspiring, uplifting and influential. And while these words don’t always appear on a job description, they are certainly used to describe an ideal security leader.
I found this interesting because of the ‘why’. Why do we need security leaders to have a spirited way of delivering content?
Is it because the information being shared is considered boring or dry? Is it to win over the audience? Is it because security needs to be dispelled across varying audiences? It is in fact all of these things and more.
Sometimes becoming more secure requires change on a grand scale (even if you are planning for it to be done incrementally). And change at a grand scale needs a big story. Security problems often impact the entire organisation, and its customers too, so your positive story about the benefits and the desired outcome will want/need to be heard by many. In contrast to this, some smaller scale changes can be discussed in hallway conversations…and these still need to be compelling.
No matter your storytelling skills, you still need to know the audience if you want to capture them (which I wrote a little about here). Your story will resonate better and you will be more likely to keep the busy people in front you engaged if they know you and feel you know them. Nurturing relationships with the leaders or designers or project manages you’re speaking to remains key to your story landing on listening ears. Also, remember to listen yourself for what stories your audience are already telling themselves and others about security? Their content is rich for you to digest before addressing this audience also.
Storytelling brings emotion and energy to the message and often allows for a much stronger call to action. It makes security memorable and creates a visual image in the mind of the audience that stays with them. We want security stories to land with the audience, no matter if the content is technical, or otherwise. So even if the only story you are telling today is in a technical pen test report, remember to know your audience, what they need to hear and deliver it in language they understand so that your call to action is heard. How you connect to your audience is paramount to everyone walking away with great outcomes. As a security leader, do you meet the story telling requirements of a hiring CIO?
If you are a CIO, or you are a security leader working for a CIO, please connect with me to join my research.