As a nation, we have a mandate to protect our assets, protect our personal data, protect our citizens and our companies. For the last few weeks, I have been working with NCSC, using a unique blend of storytelling and tech to try and portray this message. It has been a real honour to do so, and I have learned a lot, whilst also imparting some of my own knowledge on the institution.
Cybersecurity is an issue that affects everyone and has to be a collective effort. But, as a relative newcomer to the industry, one thing that has struck me is how abstract security can feel, and how staid the industry can come across. So, it is no wonder that many people aren’t engaged with cybersecurity, and we continue to see so many security incidents caused by human error.
This is an area that the cybersecurity industry is really struggling to overcome – getting the message across. There are two things the industry needs to do to turn the tide – use creativity and storytelling to portray a clear, digestible message, and increase diversity so that people can relate to cybersecurity.
Why diversification is key
There are so many methods that have been deployed to try and combat cybercriminals, and there are some great technical tools out there that are used to protect our devices. The industry is starting to realise that more needs to be done to blend creativity and learning in security awareness. However, many of the tools that are out there for security awareness training are uninspiring and are clicked through as fast as possible by users – people simply aren’t engaging with cybersecurity and the message isn’t sinking in.
Looking at the industry as a creative storyteller, it is no real surprise people aren’t interested in dull content. Cybersecurity’s number one goal should be to become more relatable, but this will never happen if we don’t create more interesting content in the space. A key component of this is diversity.
This means opening the door to talent that the industry has traditionally ignored. By doing so, you don’t just increase the diversity of the industry in terms of ethnicity or gender, but also diversity of talent and thought. It is encouraging to see green shoots already appearing in this respect, with initiatives like Women in Tech really championing gender diversity, but we must build on this.
The cybersecurity industry has to reflect the community it is designed to serve, otherwise you will never get people to engage with it. By no means do I think that a career in cyber is for everyone, and if you had asked me a decade ago whether I thought I would be running a company in the cybersecurity field, I probably would’ve laughed.
However, if anything, this proves my point. I am a creative, and always will be. I have made a career from storytelling and making complex issues more relatable and have been lucky enough to be able to move my company in the direction of issues that matter to me. Until my bank account was breached, security never interested me – to me, it was something that happened to big businesses and certainly not to me. I was wrong, but suddenly realised that there is a real problem with engagement around cybercrime, which exacerbates the problem, but there was nobody telling the story in a way that would make me – as a layperson – listen. This is why I started to make experiences for cybersecurity training.
By increasing diversity, the story instantly becomes easier to tell – people feel they can relate to things that reflect their own life. You encourage different approaches, which is crucial because the old approach clearly isn’t working. You start to attract people from outside the industry, all contributing towards making cybersecurity easier to understand and spreading awareness in a much more digestible way, appealing to a much broader range of people.
Storytelling is in all of us
And this is where storytelling also comes into play. People of all ages, of all backgrounds, consume stories. Storytelling as a method has always been the easiest way to both share and retain information – it becomes immediately shareable and is the way in which we explain cause and effect. It utilises endorphins and stories are structurally created to make us feel a certain way. They are an age-old method of transferring that knowledge from one person to another. We have used this method in nursery rhymes and fables for centuries. In modern times, this has been advanced, and movies and video games are now telling stories in a cutting-edge, interactive way, so why not take the same science and apply it to security awareness?
The cybersecurity industry doesn’t make use of storytelling nearly enough. But we should – by doing so, suddenly you invite people from outside the industry in, bringing with them a totally new perspective – one that is easier for the layperson to understand.
My company employs a racially, gender and neurodiverse array of people. They come from disciplines such as audio engineering, voice talent, scriptwriters, developers, 3D artists and security experts and we have a black founder and CEO – me. So not necessarily what you would call your traditional cybersecurity company – or not yet anyway. However, all these skills and backgrounds come together to make cybersecurity more engaging.
In turn, the audience sees people that look like them, or work in a similar field, talking about cybersecurity in a way that strikes a chord – suddenly, they listen.
The cybersecurity industry can’t keep telling the same story in the same way. To cut through, we must diversify and tell engaging stories that people listen to, otherwise we will continue to see the number of security incidents caused by human error rise and never make meaningful inroads into the human side of security.
By Simeon Quarrie, founder and CEO of VIVIDA