Lessons Learned: Storytelling and Empathy in Cyber Security Awareness

We’re hosting a new series highlighting members of our Security Awareness Manager community and their lessons learned while creating and running awareness programs that go beyond checking the box, they make an impact.This week we're happy to feature SAM Community member Mark, The Afri-CAN, Shawa. He hails from Zimbabwe and currently works in South Africa as a cyber specialist in GRC for Vodacom while also wearing the security awareness manager hat.

Mark is passionate about connecting compliance and security with the human side - to share from a recent post of his, "As a Cyber Security GRC Practitioner and also Security Awareness Specialist, I am often caught between two parts of my job, The Compliance part and the People part.

Compliance says do this or else, but with people it says empathize and enable…now I’m curious to figure out how on Earth people are meeting the middle ground…I feel that the People aspect is highly unappreciated but yet the most important aspect.

What are we doing if it’s not to serve people as cyber experts? We sometimes get so caught up in the processes, policies, technology, bottom line and whatever other fancy jargon is out there that we simply forget the people.

There’s a huge opportunity for getting cyber experts to develop skills towards humanity, such as empathy, comprehension, negotiation, effective listening, communication and if we can bring that in, we can surely change the game when it comes to addressing cyber risks in the society and not just in an organisation.

And one way to empathize and enable is through the art of storytelling.

Storytelling Skills - Nature or Nurture?

While Mark admits storytelling has always been something that he's naturally done since childhood, it's also a skill he works on honing constantly as each person or team he meets have different needs and connect in different ways to the security story being told. As he says it, "it's not just about telling the story it's about how you tell the story and what emotions you're trying to evoke...it's a forever [learning process] if you want to tell stories, it's a continual process. The reason is because you have different audiences and different audiences need different ways you communicate with them."

"You can lead a horse to water..."

Using the well known adage, you can lead a horse to water but can't make him drink, Mark likens it to cybersecurity awareness training. We can guide our teams to the resources and lay it all out before them but if we don't understand what makes the horse thirsty and what would encourage it to drink the most pristine stream in the world won't tempt a slurp. At the end of the day it's not us needing to take our team to 'water' but rather enabling them so they will know where to go when they have the need. Mark breaks it down to understand from your audience:

• What motivates them?
• What is their way of working?
• What are their day to day tasks?
• What frustrates them?

Then, with that knowledge take it and apply security to it. Training needs to be built into what teams do in order to enable them to be successful in their jobs without adding barriers.

How do you take one-on-one storytelling and scale it?

Mark's approach is to look at the business and map out the different audiences within to identify the threats relevant to that particular group. It sounds familiar if you've done any sort of risk assessment. The difference is perspective. Instead of merely identifying risk and then laying down 'the law' - rather take the information and interpret it into scenarios and stories to convey not only the risk but train and enable through relevant stories or scenarios. Engaging leaders for each audience is also critical for a top down buy-in for its success as well as in understanding the overall sub-culture for each department.

Mark's question to leaders when starting a conversation is "what do you think your role is when it comes to securing your domain [of expertise]?" The question opens the door to empathy and listening. This opening gives insights into what affects them and their domain so as a security professional you can respond with more empathy and relevant solutions.

Additionally, Mark is a fan of hosting internal webinars for the company with the various leaders and stakeholders to share their perspectives and insights and provide another platform for questions and open communication between security and the organization as a whole.

Mark's Top Tips 

1. Read more fiction! And notice how the author activates emotions in different ways.
2. Use a mirror! Practice sharing some of the awareness messages in the mirror and tell yourself a story. Note your expressions and the flow as your share a lesson - it'll encourage you and make you more comfortable with delivering your message in a casual way.
3. Listen to great podcasts for examples of good storytelling. Mark recommends his own for starters :) Links below.
4. Listen more. Period. True listening builds empathy. "Listen to listen. Not listen to respond, answer or judge." Listen to listen so that if you are asked to repeat what the other said, you actually can - it's not as easy as it sounds! And then if you don't understand, be inquisitive.

Mark's parting thought was a message of encouragement for security awareness managers. "If your business is not about selling security, then you are [considered] as a support function. And it sucks when someone tells you that you're a support function.

But go back a little bit and understand the power of having support. Think about how important support for your back is; support coming from family or friends; just because you're a support function doesn't mean you're unimportant. It means that you play a crucial role in the background as you are able to keep people [and the business] afloat."

RESOURCES Recommended by Mark