BOSTON -- Cybersecurity professionals who want to improve their organization's security practices and culture must adopt effective data storytelling to convey key concepts to both IT and non-IT stakeholders.
That's the contention of David Grady, security evangelist for Verizon Enterprise Solutions, who presented at the AWS re:Inforce security conference.
Verizon performs what it calls "executive breach simulations," which bring together executives with different functions, he said. These begin with a peaceable discussion of participants' day-to-day duties.
"Then, we introduce a scenario where the you-know-what hits the fan," Grady said. "We say, 'Now who's responsible for this?' They point at each other; they don't point at themselves anymore."
This type of exercise serves as a Trojan horse for substantive discussions about security issues, such as how to handle a ransomware situation as experienced by cities like Atlanta, Grady said. That high-profile incident last year cost the city more than $5 million to resolve.
"Think about using those stories to open up the conversation and get to an agreement in your organization over whether you'd pay [ransomware thieves]," he said.
Beyond narratives, good data storytelling relies on data, such as that provided in Verizon's recently released Data Breach Investigations Report, which it produces each year with help from security vendors, such as Cylance and McAfee. Grady referred to the research repeatedly in his AWS re:Inforce presentation.
The data breach report relied on about 40,000 reported incidents and determined that more than 2,000 were confirmed data breaches. Of those, 23% came from nation states or state-sponsored threat actors, a sharp rise from 12% in 2018, the report found.
Such findings can heighten a sense of urgency among company stakeholders with regard to cybersecurity strategy and provide a basis for focused discussions.
"With data, you can tell your stakeholders what's more likely, what's more probable," Grady said.
Embrace the power of metaphors
Effective metaphors can help cybersecurity pros and their teams present a clear picture of their roles, challenges and requirements to other company leaders, Grady said.
"As security people, we're like the golf warden, the guy who's in charge of the golf course," he said. "We try to make it challenging for players, so what do we do? We put in sand traps, we put in water hazards, we cut the grass to a certain height. ... [But] the bad guys are really like evil golfers. They don't care about the rules. They will pick up the ball and throw it."
Metaphors such as this one may come off as silly, but they serve as an ice-breaker and help listeners put themselves into the situation, Grady said.
"Think about in your daily life, the things that resonate with you," he added. "Borrow other people's stories, anecdotes and metaphor, and make them your own. But remember that you're communicating for a specific reason -- to change behaviors."