Good storytelling improves cyber security

Forensic readiness helps organisations make relevant data visible in a timely manner so that good decisions can be made in the event of a security incident. To convey its importance, good storytelling is essential.

Text: Darja-Anna Yurovsky, published on 15. May 2024

Digital traces depicted on a giant screen.
Adobe Stock | Shutter2U #748156112

I look at my reflection in the mirror this morning in Santa Cruz, Tenerife. After a fitful night, I practise the text for my presentation that day.

It's about a subject close to my heart.

In front of an audience already overloaded with information, my topic should resonate. Forensic readiness belongs to the proactive preparation for possible IT security incidents. It's still early in the morning, and after my second cup of tea, I'm getting better and better at presenting in front of the mirror. I can feel my nervousness slowly fading.

The challenge

The real challenge on this afternoon is not to speak in front of 150 people, but to arouse their interest in my topic and to ideally inspire them in their further thinking and acting.

You all know the situation: you are passionate about your topic. You flood your audience with PowerPoint slides, because your topic is ultimately complex and super exciting - and by the third slide at the latest, the first person starts fiddling with their smartphone or is getting their laptop out of their bag. They want to give the impression that everyone is taking notes. But you and everyone else in the room know that the energetic typing has nothing to do with your topic, but more with their inbox.

A brief excursion into the theory of forensic readiness: it describes an organisation's efforts to collect digital traces as effectively as possible and use them for its own situational awareness while keeping costs as low as possible.

What can be summed up in one sentence in theory is, in practice, a complex interplay of processes, policies, measures and technologies. It is about making the relevant data visible within your own organisation in a timely manner in order to make well-informed decisions during an IT security incident. And that is exactly what I am presenting in Santa Cruz today.

The conflict

Shortly afterwards, it's showtime. With sweaty hands, I stand in front of the expert audience, hardly noticing any distracted participants - I'm sure I’ve got their attention! I start with how to behave in the event of a security incident. Then, I move on to the importance of the current situation as a basis for sound decision-making, and show how the effectiveness of the measures could be improved in order to ultimately overcome the IT security incident.

Slide three is barely over when it happens: a laptop opens! This is followed by a second, a third and then a smartphone. I'm distracted for a moment, it takes me an instant to regain my composure, calm my inner voice, and resume my presentation. But as happy as I am to have the full attention of the first four rows, I can't ignore the fact that instead of valuable insights, many emails will leave this room again today.

I like to drink when I'm frustrated. My favourite is camomile tea. Although a martini with a James Bond olive on the pompous hotel terrace would have been a more appropriate choice. But even that cup of tea does little to smooth out the wrinkles on my forehead that evening. Why couldn't I wow the audience beyond slide three?

The turning point

As the active ingredients of camomile permeate my hippocampus, I remember a key moment: a few years ago, I was asked to explain to the Switch Foundation Council how our Computer Emergency Response Team Switch CERT supports universities in the event of a security incident. It's a very specific area of IT, and even the most tech-savvy people might not be familiar with it.

There I was in our nicest meeting room, my computer tablet in hand, being scrutinised by the expectant group. I was supposed to explain and make them feel what it meant to be involved in IT security incidents. Technical jargon wasn’t going to cut it with the mixed audience, so I grabbed my tablet and began to vigorously sketch out the process of a security incident with stick figures and symbols.
 

Process of a security incident with stick figures and symbols.
First version of the incident response process. Illustration: Darja-Anna Yurovsky, Switch

I am pleased to say that my drawing skills have improved since my first version, which should also benefit my audience. Despite the simple graphic presentation, unlike in Tenerife, the laptops remained closed, and I felt the full attention of the entire audience. Hand-written notes were made and shocked looks were thrown around the room as I demonstrated what my audience would expect in the event of such an IT security incident.

Yes, shocked looks, because the question is not whether you will ever be attacked, but how you will respond to a security incident. And forensic readiness can make a significant contribution to successful management. Our heterogeneous Foundation Council suddenly realised this. The drawing does not show any technical details, but the impact of a security incident on the organisation, the employees, the electronic door lock and the data. Poor preparation can be very costly in terms of money, effort and perhaps even reputation. This was absolutely clear to everyone in the room.

And it was also clear that, with proper preparation, such an incident can even become a catalyst for positive change. Because even in the absence of a security incident, the preparation of forensic readiness can expose gaps in an organisation that, if closed, will have a positive impact on the security of the organisation. Every time I tell this story, in whatever setting, it has the same effect. It sparks discussions, everyone feels the importance, and people are inspired to act.

The enlightenment

That very evening, on the hotel terrace, I realise what kept the attention on my topic beyond slide three. I instinctively wrapped my topic in a story, without any technical frills. My audience found themselves in the story, could relate to it and identify with it. Through the combination of language, drawing and imagination, they became involved in the story and were able to empathise. It was a common thread that ran through all the stages of the story. The IT security incident described the hero's journey in which each member, as a heroine or hero, successfully collaborated with the others to skilfully overcome the incident.

The happy ending

And so I leave Tenerife with the intention of wrapping the Forensic Readiness Framework in a story for a tech-savvy audience - and to draw more. So that in the future, my audience will engage with their imagination rather than their inbox.

Cyber Security

Darja-Anna Yurovsky

Security Incident Responder

Switch

View all posts