PM Confidential: Storytelling as a Security TPM

Do you like to tell stories? Would you be surprised to learn that storytelling talent is one of the strongest predictors of success for security technical program managers?

"Storytelling is a powerful business tool and a skill that every business building a powerful and lasting brand should master" as Forbes is fond of saying. Stories connect ideas, challenge assumptions, and encourage growth. It's something we have that no robot can replicate.

It might sound crazy, but I've seen this happen too many times to be a coincidence - good storytellers make great TPMs. Let's take a moment to talk about why and how storytelling can be a force multiplier for your information security career path.

How to Tell Stories as a Security TPM

"But how do you tell a story?" Let's start there. Effectively communicating security issues and progress to non-technical stakeholders is a crucial aspect of the role of a Security Technical Program Manager. It's easier than you think! Here are some strategies you can use:

  1. Use Plain Language: Avoid technical jargon and acronyms. Explain security issues and progress using plain language that is easy for non-technical stakeholders to understand. Use analogies or metaphors to illustrate complex concepts.
  2. Focus on Business Impact: Translate technical details into business impact. Clearly articulate how security issues or progress directly affect the organization's goals, operations, and reputation. Use metrics and key performance indicators (KPIs) that align with business objectives, such as the share of critical findings fixed within the agreed timeline or the number of customer-facing systems still exposed, rather than raw vulnerability counts or CVSS scores.
  3. Tell a Story: Craft a narrative around security issues and progress. Start with the context, provide a clear timeline, and explain the resolution or improvement. Storytelling can help engage and resonate with non-technical stakeholders.
  4. Visual Aids: Utilize visual aids such as charts, graphs, and infographics to represent complex data. Visuals can help convey information more quickly and clearly than text alone. Highlight trends, improvements, and areas of concern visually.
  5. Risk vs. Benefit Analysis: Frame security issues and progress in terms of risk and benefit. Communicate the likelihood and business impact of a vulnerability being exploited, and the risk reduction bought by each security measure, together with what it costs. This gives stakeholders what they need to make informed trade-offs.
  6. Regular Updates: Provide regular updates in a consistent format. Whether it's through reports, presentations, or meetings, establish a routine for communicating security issues and progress. Consistency helps build understanding and trust over time.
  7. Interactive Sessions: Conduct interactive sessions, workshops, or training sessions to educate stakeholders. Allow for questions and discussions to address any concerns and ensure that stakeholders feel involved in the security process.
  8. Highlight Compliance: Emphasize compliance with relevant regulations and standards. Non-technical stakeholders often appreciate knowing that security measures are aligned with industry best practices and legal requirements. Be clear, though, that compliance is a baseline, not proof that the organization is secure.
  9. Scenario-Based Communication: Use real-world scenarios to illustrate security issues and progress. Walk stakeholders through hypothetical situations to help them understand the potential impact and the steps being taken to address or prevent such incidents.
  10. Tailor Communication to Audience: Recognize that different stakeholders may have varying levels of technical understanding. Tailor your communication style and level of detail based on the audience. Executives may require a higher-level overview, while department heads may benefit from more detailed insights.
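Strategies 2, 4 and 6 come down to the same mechanical step: take raw findings and turn them into a small set of business-facing numbers, reported the same way every time. The script below is an added example, not code from the original article; the findings, the business-unit names and the SLA targets (7, 30 and 90 days) are constructed sample data and assumed policy, not anything the article states.

```python
"""Turn raw vulnerability findings into business-facing KPIs.

Added example for this article, not the author's code. All data below is
constructed; SLA_DAYS is a hypothetical remediation policy.
"""
from collections import defaultdict
from datetime import date
from statistics import mean

# Assumed remediation SLAs in days per severity (hypothetical policy).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Fixed reference date so the report is reproducible.
TODAY = date(2024, 4, 1)

# Constructed sample findings (not real scan output). "fixed" is None while open.
FINDINGS = [
    {"id": "F-1", "unit": "Payments", "system": "payments-api", "severity": "critical",
     "found": date(2024, 3, 1), "fixed": date(2024, 3, 5)},
    {"id": "F-2", "unit": "Payments", "system": "payments-api", "severity": "high",
     "found": date(2024, 2, 1), "fixed": date(2024, 3, 20)},
    {"id": "F-3", "unit": "Payments", "system": "ledger-db", "severity": "critical",
     "found": date(2024, 3, 20), "fixed": None},
    {"id": "F-4", "unit": "HR", "system": "hr-portal", "severity": "medium",
     "found": date(2024, 1, 15), "fixed": date(2024, 3, 1)},
    {"id": "F-5", "unit": "HR", "system": "hr-portal", "severity": "high",
     "found": date(2024, 3, 25), "fixed": None},
]


def days_open(finding, today=TODAY):
    """Days from discovery to fix, or to today if the finding is still open."""
    end = finding["fixed"] or today
    return (end - finding["found"]).days


def within_sla(finding, today=TODAY):
    """True if fixed inside the SLA window, or still open but not yet past it."""
    return days_open(finding, today) <= SLA_DAYS[finding["severity"]]


def business_kpis(findings, today=TODAY):
    """Aggregate per business unit into the numbers an executive actually asks about."""
    by_unit = defaultdict(list)
    for f in findings:
        by_unit[f["unit"]].append(f)

    report = {}
    for unit, rows in by_unit.items():
        fixed = [r for r in rows if r["fixed"] is not None]
        open_rows = [r for r in rows if r["fixed"] is None]
        report[unit] = {
            "total": len(rows),
            # Share of findings closed within, or still inside, their SLA window.
            "sla_compliance_pct": round(100 * sum(within_sla(r, today) for r in rows) / len(rows)),
            # Open items already past their SLA: the "what is at risk right now" number.
            "overdue_open": sum(1 for r in open_rows if not within_sla(r, today)),
            "open_critical": sum(1 for r in open_rows if r["severity"] == "critical"),
            # Mean time to remediate over closed findings only.
            "mean_days_to_fix": round(float(mean(days_open(r, today) for r in fixed)), 1) if fixed else None,
        }
    return report


def plain_language_summary(report):
    """One sentence per business unit; no CVE IDs, no CVSS scores."""
    lines = []
    for unit, k in sorted(report.items()):
        s = f"{unit}: {k['sla_compliance_pct']}% of {k['total']} findings handled within agreed timelines"
        if k["mean_days_to_fix"] is not None:
            s += f", average {k['mean_days_to_fix']} days to fix"
        if k["open_critical"]:
            s += f"; {k['open_critical']} critical issue(s) still open"
        if k["overdue_open"]:
            s += f"; {k['overdue_open']} item(s) past deadline"
        lines.append(s + ".")
    return "\n".join(lines)


def example_report():
    """Run the pipeline on the constructed sample set."""
    return business_kpis(FINDINGS, TODAY)


if __name__ == "__main__":
    print(plain_language_summary(example_report()))
```

The point of the design is what it leaves out: the summary never mentions a CVE, a host name or a score. "Payments: 33% of 3 findings handled within agreed timelines ... 1 item(s) past deadline" is a sentence a department head can act on, and because the same function runs every reporting cycle, the numbers are comparable week to week.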

One of my favorite ways to practice these strategies is to look at other storytellers in the same space and see what resonates with me. Watch a TED talk, read a story on Quora, do a little YouTubing. I guarantee you someone out there has a story you can learn the craft from. By employing these strategies, you can bridge the communication gap between technical and non-technical stakeholders, fostering a better understanding of security issues and progress within the organization.

In fact, one time I had to give a last-minute presentation on Release Management for my team. No notes, no warning - get up there and talk about release management. What did I do? I told a story. "I'm sure you all got here on a plane today," I told the room. "How many of you would like to fly on a plane that doesn't perform a pre-flight check?"

No hands went up.

The story was simple - it's unthinkable to fly on an unsafe plane, and it's just as unthinkable to release untested changes into a production environment. No big slide presentation, no walls of text, just a simple story. The team got the point.

Make sense? Now let's talk about some of the stories you'll tell as a Security Technical Program Manager:

Stories About Past Successes

Here's an example of how to tell a 'past success' story: "In my role as a Security Technical Program Manager, I've had the opportunity to lead our incident response efforts based on the Federal Government Cybersecurity Incident & Vulnerability Response Playbooks. While I can't disclose specific incidents due to confidentiality, I can provide you with hypothetical examples that align with the playbooks' principles.

For instance, we encountered a situation where our organization detected a potential compromise through threat intelligence. Following the playbook's guidance, we activated our incident response plan: isolating affected systems, preserving evidence and conducting a thorough forensic analysis, and keeping the relevant stakeholders informed throughout.

In another scenario, a vulnerability assessment revealed a critical flaw in a key system. Following the playbook's vulnerability management guidelines, we established a cross-functional team to prioritize and remediate the identified vulnerabilities, ensuring a systematic and well-coordinated approach to patching.

These examples showcase our commitment to a proactive and strategic approach to cybersecurity incidents, drawing on the comprehensive frameworks and methodologies outlined in the Federal Government Cybersecurity Incident & Vulnerability Response Playbooks. By adhering to these best practices, we not only effectively mitigated potential threats but also strengthened our overall security posture."

But wait, there's more! Now let's talk about what stories you want to tell ...

Stories About the Future

Now it's time to talk about security roadmaps: plans that keep pace with the organization's evolving threat landscape and with changes in technology. In other words, stories about the future of information security! Future security initiatives should enhance overall security posture and resilience. Some key areas of focus include:

  1. Advanced Threat Detection and Response: We are investing in threat intelligence and detection engineering to improve our ability to catch sophisticated threats. This involves machine learning, analytics, and automation to identify and respond to threats in near real time, with new detections measured against their false-positive rate before anyone is paged on them.
  2. Zero Trust Architecture: Our roadmap includes the adoption of a Zero Trust security model, where every request is authenticated and authorized based on user identity, device health, and context, regardless of network location. This limits what a compromised account or device can reach and ensures that trust is never assumed, enhancing overall security.
  3. Cloud Security and Hybrid Environments: Recognizing the importance of cloud technologies, we are refining our security strategy to address the unique challenges of cloud environments. This includes robust cloud-native security measures, identity and access management, and secure API practices.
  4. Cybersecurity Training and Awareness: People remain a critical component of our security strategy. We are planning extensive cybersecurity training programs to educate employees about the latest threats, social engineering tactics, and best practices for maintaining a security-conscious culture.
  5. Incident Response Planning and Simulation: To ensure preparedness, we are enhancing our incident response capabilities through regular planning, simulation exercises, and continuous improvement based on lessons learned from both internal and external incidents.
  6. Compliance and Regulatory Alignment: We are committed to staying ahead of regulatory changes and compliance requirements. Our strategic initiatives include regular assessments to ensure our security measures align with evolving regulations and industry standards.
  7. Supply Chain Security: Recognizing the interconnected nature of modern businesses, we are placing a strong emphasis on securing our supply chain. This involves vetting and monitoring third-party vendors, setting security standards for them, verifying the integrity and provenance of the software we consume, and ensuring the resilience of our supply chain partners.

These initiatives collectively contribute to a dynamic and forward-looking security roadmap that is adaptable to emerging threats and technology trends. By staying proactive and continually refining our approach, we aim to ensure the ongoing security and resilience of our organization in an ever-changing threat landscape.

So, why does storytelling matter? It breaks complicated security topics down for people who don't live in them every day. The practical tips above come down to using simple words, focusing on how security affects the business, and telling stories that engage listeners.

In short, storytelling is the key for TPMs. It's not just about talking tech; it's about sharing stories that make sense to everyone. Mastering this skill doesn't just help you communicate: it builds confidence and plays a big role in making sure an organization stays secure. In the world of security, telling a good story is what sets successful Security Technical Program Managers apart.

More articles by Tim W.