The power of storytelling isn’t something you’d normally pair with the highly technical field of cybersecurity awareness, but RingCentral’s CISO Heather Hinton believes the opposite.
Cybersecurity is more than ones and zeros. In Heather’s words, this field is all about passion and problem-solving. As children, we learnt morals and social skills through fables and tales, and as adults, we’re no different. Stories are the best way to distil complexity and motivate people to solve problems together.
In this interview, Hinton explains how businesses can tap into storytelling to engage employees and raise cybersecurity awareness.
How can organisations make cybersecurity accessible?
When we talk about the evidence that shows people aren’t embracing cybersecurity best practices, that’s because we (security leaders) aren’t creating content that people immediately relate to.
It’s about switching from a technology point of view and putting scenarios into a context that people understand – telling the story of what could happen.
For example, this month we’re running a competition. My team created funny videos that depict typical cybersecurity best practices. Some of them are seriously funny. We have videos on password reuse, USB sharing, compromised email and many more. Part of the reason we’re doing this is so when people see a similar situation, they’ve got a story they remember. We’re sharing the videos virtually across RingCentral’s internal groups and getting people to vote for their favourite with the chance of winning a prize.
Is there any other advice that you would give to business leaders?
In a variation on storytelling, I believe in doing fire drills. You do fire drills when you’re at school, and everybody learns how to leave the building. You have to be very, very careful how you do it. Internal fire drills beyond the Incident Response Team are a great way to get people involved. Again, you have to be careful how you do it because it could be messaged incorrectly.
One of the things with cybersecurity is that everybody loves to tell accounts of when they were involved in an incident. When cybersecurity people get together, it becomes this contest on who resolved the most ‘exciting’ incident. Everybody compares notes on what is the scariest thing that happened to them and all that. More people should share how they helped, what they saw and what they learned in the public domain. Again, it’s about bringing the story to more people.
A lot of security leaders do this with their companies through activities like social engineering exercises.
What are social engineering exercises?
There’s a show called White Collar. It’s very loosely based on a famous conman who got caught by the FBI and put into jail. The FBI eventually makes him a consultant to catch similar criminals. His role serves a similar purpose to what we see in ethical hackers today. It’s all about finding vulnerabilities. In White Collar, the ex-conman achieves this through social engineering. In one episode, the main character goes into a bank, steals the identity badge off of an employee so that he can use the related proximity part to move through the building. That’s social engineering for you.
That’s one way to get people to think about risk in real terms because it’s always when you let your guard down that things happen.
The problem with cybersecurity is we have to be right 100% of the time. Our attackers have to be right only once. The odds are in their favour, not mine.
From a cybersecurity point of view, that’s why we don’t say, “If we are attacked,” we say, “When we are attacked,” how quickly can we respond and shut the threat down?
Where do you get ideas from to increase awareness of cybersecurity?
I like the content that GCHQ shares – to me, it’s the gold standard because they are approachable. For example, they’ve had a great series on cybersecurity for the farming community for the last month. Its Twitter, web pages and programmes are so different and engaging. The CISA in the US is the other place I look. Both organisations have super smart people dedicated to raising awareness of this space, and they see all sorts of stuff that I don’t see.
Are there any plans for cybersecurity education at RingCentral beyond this month?
We will have our cybersecurity newsletter coming out in a couple of weeks with a lot of resources for RingCentral employees. I’m kicking around a couple of other ideas that others in my field have suggested (a book club is one of them). Watch this space.
Originally published Oct 26, 2021