Black Hat USA 2024: Insights from Cybersecurity Storytelling Strategists
While annual threat research reports like Verizon DBIR make big media splashes, the reality is security vendors, reporters, and government agencies are doing threat research storytelling everyday. With cybersecurity a national security issue, the “how” these stories get told is more important than ever. With Black Hat USA around the corner, I thought it would be timely to speak to my Big Valley colleagues, Cybersecurity Media + Influencer Lead Alexis Harrison and Cybersecurity Strategy + Policy Consultant Chris Palm, who have deep experience in the “art” of threat research storytelling.
Q: You both graduated with Humanities majors – Chris, with a BA in English Literature; Alexis, with a BA in Political Science and Government. How did that education prepare you for your work in cybersecurity communications?
Alexis: I chose political science because I was passionate about politics and history. I’m also a very curious person at heart. I think my art of storytelling came from my Dad, who was a sports writer and editor and wrote numerous books. He taught us that words matter and humanizing a story is really critical. My curiosity and need to dig for the truth led me first to a career in broadcast news. Then I moved out to Seattle and got a job on the cybersecurity team at the PR agency for Microsoft. I just fell in love with cybersecurity. There’s tension there – good guys, bad guys, people trying to fight for the privacy and security for end users, which is really important because technology is in everything we do. After Microsoft, I did storytelling for IBM Research’s security unit, which was an incredible experience, before moving on to Deloitte.
Chris: The fact that my mother was a technical writer in Silicon Valley validated for me that an English Lit degree could be applied to a career explaining technology concepts to audiences beyond the product engineering team. Several members of my family worked in the defense sector during the Cold War and I always expected to grow and do some kind of work involving technology and national security. After the Berlin Wall came down, I found myself drawn to cybersecurity because it was about using technology to protect people, but in the cyber realm. During my time at McAfee, my spokesperson bench had opportunities to speak to a wide range of topics, including the rise of ransomware, election security, the economic implications of intellectual property theft and the national security implications of the US and its allies falling behind nation state rivals in technology innovation.
Q: What are the essential ingredients for a good threat research report?
Chris: From the vendor’s perspective, you first have to start with: What are the business objectives of the organization? What are the brand objectives you want to achieve? And then, what can you see out there on the threat landscape? What kind of threat data can you produce? What stories can the data be relied upon to tell? What can you see that other vendors cannot? How do your products address risks on the threat landscape? Answering questions like these will form the guidelines for storytelling, and help you avoid veering into story areas your threat researchers and executives can’t really discuss from a position of authority and expertise.
Alexis: The threat research reports not only need to be educational, but they also need to have actionable information. The more we know about how and why the bad guys are committing cyberattacks, the better we can mitigate and stop these attacks from happening. As people who work in security say, they have to be right all the time, but a bad actor only has to be right once when they break into a system. Threat research reports contribute to a lot of our education about our adversaries, especially when it comes to nation state attacks.
Q: So, what is the “art” of threat research storytelling?
Chris: We all grow up watching and reading crime stories. Crime stories can make technology concepts come alive with the right data. But crime stories also need villains, victims, and motives as well as weapons and crime scenes. Note that it’s the human elements that all of us remember from every crime story we’ve ever heard. Human elements always make technology topics more accessible than narratives about product features and case studies about minimizing cyber business risk. The more you can connect your threat research to the humanity of villains, victims, politics, geopolitics, culture or celebrities, the greater reach you’re going to have in terms of a total addressable audience. Ideally, you can reach well beyond trade publications to business and general national audiences. While most audiences might not understand an underlying technology and attack vectors, they can understand the human impact of cyber threats, whether it’s Grandma’s lost credit card number or a patient’s surgery being delayed by hospital ransomware. The more human a crime story you can tell through your threat research, the broader the audience you can reach through the media.
Alexis: I agree about product features. The press don’t want to hear product pitches; they want to hear those really dark moments of major breaches that could have major ramifications to companies, customers, its reputation, its financials down the road. They want to get to that human story and see how it really impacts a real-world scenario. I think products are secondary.
Q: This discussion is a good segue into my next question. What exactly is the media looking for in threat research reports?
Alexis: They want to tell a story that has some tension, news that’s exclusive to them, and something that’s new. For example, as we near the election, misinformation will be a big topic, but reporters will want something really unique. They’re getting pitched all the time from different vendors and companies.
Chris: Reach is also important. These [journalists] are human beings who want to advance their careers and tell bigger and bigger stories to more and more people. They’re looking to you to extend the reach of their work. For example, look at the CCP-sponsored Volt Typhoon attacks on critical infrastructure. It’s one thing to tell a mother that there’s evidence a hostile foreign government is hacking the US government. She assumes governments already spy on each other. It’s quite another thing to tell her there’s a hostile foreign government that has planted something in a nearby critical infrastructure provider and it could turn off her family’s water, power, first responder services, hospitals, and communications. That’s new and different. But it also has reach because suddenly the technology threat and risk becomes real for her day-to-day life and those she loves and protects. Reporters are human, they have families and they have ambitions to tell bigger and bigger stories. Give them all the news and the reach you can to help them flesh out those bigger cybersecurity crime stories.
Q: Cybersecurity is now a national security issue. As a result, many vendors are reluctant to publish any information around cyberattack attribution or other sensitive data about either the cyberattacks themselves – or the targets – in their reports. How should vendors straddle this issue? What advice would you give to your security clients?
Chris: There’s an old parable of some blind men and an elephant, where each of the blind men touches a different part of the elephant. They describe the elephant based on the limited evidence each of them can perceive: the trunk, the leg, the ears, the flank, the tail or the tusk. The nation state actors are the giant elephants on the global threat landscape and vendors can only perceive segments of their activity.
While the private sector controls and protects upwards of 70% of US digital infrastructure, the federal government is always in the best position to make definitive assessments of nation state threat activity. The government combines private sector cyber threat intelligence with its own and complements this information with intelligence from a wide range of military and intelligence community sources to make conclusions on things like attribution.
As communicators, we need to work with our clients, their legal and government affairs and government partners to help them tell the most responsible, data-based versions of nation state cyber threat stories. They’re only going to be able to tell a portion of these much bigger stories in the public domain, and the government will always be the biggest storyteller given its ownership of national security.
Alexis: Yeah, absolutely. Technology companies play a pretty unique and critical role in protecting not only their customers, but also the country. And there are a lot of conflicts that are intensifying across the world, especially with cybercrime. So there’s a tremendous amount of responsibility. I think most companies want to be certainly open and transparent. As PR practitioners, we can help guide them through that process and work with their legal teams to see what’s appropriate that we can share with the press.
Q: Let’s talk about the storytellers themselves. Who makes a good spokesperson?
Alexis: I think it is beneficial to have a deep bench of spokespeople at a company because security is so multilayered. It’s critical to have someone who’s on the front lines of defending a company because they really understand the threat landscape; their insight is really important. Reporters don’t want to hear about the products but rather the bigger problem that they can solve and why. But you also want to have a balance because you don’t want a spokesperson who is using a lot of jargon that people don’t understand. You want people to relate to the story and understand it.
Chris: Definitely. Building the right spokesperson bench for the different audiences you need to reach is always important. We have to help vendors identify and coach up the right spokespeople for the right audiences–and often explain why they’ll need a bench of spokespeople for their different audiences. Some threat researchers will be coachable to be able to tell a cyber crime story on “Good Morning America, others will have the government origin story to speak to Congress, and others will be best suited to speak to the faithful at Black Hat, DEFCON and BSides.
Alexis: You want spokespeople with interesting backstories too. I mean, it’s kind of a unicorn sometimes because it’s not always attainable, especially in the tech world. But I remember working with a spokesperson, who, before he was a security analyst and then eventually a CISO, was actually a security guard in a jail. He was able to talk about how he always loved defending people and being on the front lines.The reality is a lot of journalists do want diverse voices. I know a few years ago Bloomberg wanted to include more female voices in their stories. So again, it’s not always attainable, but I think bringing diversity and unique voices to stories is really important.
Chris: We should always remember that the diet for threat intelligence reporting changes over time and I think that’s something that both vendors and their comms teams must remember – and keep pace with. I remember the Target hack in 2013 marked a significant milestone. After the breach, my grandmother called me in tears. She was worried the hackers were draining her life savings because she purchased a pair of socks there for my grandfather in 1997. In that moment, I realized the threat research reporting game was going to totally change in terms of the audience that was out there to be educated and the content we’d be challenged to produce for them. The audience wasn’t just CIOs and cyber practitioners anymore. After that incident, consumers wanted to know the story. My grandmother wanted to learn about the bad guys and their evil schemes. Business executives wanted to understand the liabilities and potential brand reputation damage of data breaches. Even the technical folks were done with threat reports telling them there were more threats detected this quarter than last quarter. Now they would want to see forensics and understand the tactics, techniques and procedures behind the attacks. Target and the high profile consumer breaches that followed changed the threat research reporting game for everybody in the industry.
