Join us as we dive into a discussion centered around storytelling with Joe Vinck. Joe is the host of “The Business of Cyber”, a cyber risk aficionado, and just a cool cat…(channeling my inner Lenny Bruce).
Our conversation takes us from reporting structures for CISOs to why your audience and how much time you have are critical factors in what your story is and how you tell it. Whether you’re presenting to a board of directors, talking to your peers about the importance of security awareness training, or writing up an email to ask for funding for a new project… this episode provides a lot of insight into that process and things to think about. Oh - and we explain what the heck is up with our podcast logo - so if you ever wondered “what the heck does this podcast logo mean?” - we answer that mystery… tune in!
F-sides Episode with Joe Vinck.mp3
Jason Loomis [00:00:10] Hello and welcome to F-Sides.
Paul Love [00:00:13] That's Jason.
Jason Loomis [00:00:14] That was Paul... and this is F-Sides.
Speaker 2 [00:00:19] We're going to get that down where he's dazed and almost.
Jason Loomis [00:00:21] Almost. It was so close, it was almost there.
Jason Loomis [00:00:25] This is the Cyber Humanity podcast.
Paul Love [00:00:28] It's where we focus on the human side of cybersecurity. So I hear we're going to have an exciting show for our listeners today, Jason.
Jason Loomis [00:00:35] This is going to be a real good one, Paul.
Paul Love [00:00:36] Yeah, we're going to talk about storytelling, which is something that I personally feel like I've struggled with most of my career. Especially at the beginning, you know, being able to effectively put a whole bunch of data into a story. And, you know, you and I have talked about this recently and, you know, I self criticize myself and said I am probably not a great storyteller. And, you know, you you had some really good insight into how we may be harder on ourselves and we may be telling stories and not realizing it.
Jason Loomis [00:01:09] I think you're putting that very nicely. I thought I threw something at you. Did Picard. Picard face palm when you said that? Because as my mentor in cybersecurity, you had one of the best stories, the best analogies that I've ever heard. And I still use it to this day, and somehow I still get credit for it, even though I do try to call out. That is not me at fault. But it was the if you recall, it was when we were talking about how to write policy standards and guidelines. And you used making a pizza as an analogy to that. It was like mind blown. Such an amazing, easy way to tell a story to get a simple idiot like myself, to understand policy standards and guidelines and the difference between them. So yeah, it's storytelling is a skill set you have. Well, you're not good at it.
Paul Love [00:01:54] You're one of the smarter people, so you give me too much credit. But, you know, I had actually got me to thinking when you said that I had an epiphany that stories aren't necessarily these long tomes of information like an encyclopedia or, you know, a big book of stuff. A story could be an analogy. Right. Or, you know, I if I recall, you know, the logo that we have. Right. Tells a story. And that was a story that you told really effectively. You spent a lot of time on our logo. And Jason, do you want to share? Because, you know, for me, that really changed my perspective that a story can be as simple as a logo.
Jason Loomis [00:02:31] Yeah, that's absolutely as it's for those of listeners who may not have seen our logo, we it is a picture of a hacker sitting at his laptop getting how I explain this, getting sucked by an elephant. The elephant's trunk gets up on the face and this is catching the guy by surprise. And it's meant to impart the idea of how this framework about the rider, the path and the elephant, which is a way to look at how to change human behavior either in individuals and organizations or in teams. And to change behavior, you have to do these. You have to have these three things in sync. And the analogy of the rider, the path and the elephant each represent one of those three things. The rider represents logic, or the Spock for you Trek fans out there, and the elephant represents the human emotion, or the Henry Dr. McCoy for the other Star Trek fans with the same Star Trek fans. It's the human emotion and the logic to this little rider that weighs maybe, you know, a buck 20, a buck 40, trying to move a 6000 ton elephant. Who do you think is going to win that? Usually human emotion overrides us all the time. You know, the analogy, the idea is that when you're on a diet and you're like, Oh, yeah, I've got this, I've got this planned this whole week out, and somebody put Cinnabon right in your face like that human that elephant is going to override that whole rider that you had and the path, which is the plan for your diet, because your emotions are going to get overwhelming at one point. And I think in cybersecurity, what we're trying to highlight through this podcast is how important it is in cybersecurity to think about how you're going to motivate that elephant when it comes to implementing cybersecurity.
Paul Love [00:04:09] Yeah. And you know, that's an interesting point because we all are in the business of storytelling, especially the higher you get up in management. And the storytelling is ensuring that, one, that you're effectively communicating to your audience in a manner that resonates with them. And people are usually moved by emotion and things that they feel. Even though we all like to think we're totally data driven, most human beings are not. But the other thing is, and you the our conversation about this, Jason, just made me think about this is that we're also all about improving stories that we've heard. Right. Like the story you mentioned that I had talked about, like policy standards. Right. I'm sure you've added the Jason element to that and made that an even better story. And that's kind of how human history works. Right? We've all told these stories and. The verbal story, the verbal storytelling aspect, and improved on it or clarified things so.
Jason Loomis [00:05:07] Well, I've changed it just enough to get past it.
Paul Love [00:05:09] I guess. Yeah, but I mean, there's a history of human beings doing that, right? So why, why would security people fight that? And, you know, for me, storytelling has been probably the most impactful thing in my career when I started to understand, because, you know, you and I have talked about this before, where my managers always told me when I was started my career, Paul, tell the story. It's like all the data say there, what are you talking about? I'm telling the story. Right. I didn't realize that I was giving like, you know, if you look at a Hemingway novel, I was just giving all the details, but I was pulling all of that stuff together to tell what was going on once I understood that. And it took me ten years to figure that out. How to tell a story. Once I figured it out, my career started to move a lot faster.
Jason Loomis [00:05:57] Yeah, man, you just hit it. Data by itself does not tell the story. That should be. That should be splash in titles. People expect a lot of cybersecurity practitioners and people in cyber will just think, well, here's the data to look where my vulnerabilities are. I'm 80% out of compliance.
Paul Love [00:06:13] Yeah.
Jason Loomis [00:06:13] That's not a story. It's a data point. And you got to have that create a little bit of that creativeness to be able to say, okay, how do I explain this to a fifth grader? And I am going to talk about the fifth grader real quick because I literally just popped in my head. I had an epiphany as you were talking, Paul, about how we have to present to boards. And it's almost the opposite of what you expect in life, in education, for example, when you're in kindergarten, you're talking to a teacher, you're going to talk to that teacher in a certain way. You're going to start getting better at your language and your math. And as you move up through to college, you're going to be talking to professors. And it feels like once you get in the business world, it's almost reverse that the higher up you go, the simpler it needs to be. Where you're almost like, we're at a probably a college level in cybersecurity, but when I go to my board, I need to talk to them like they're a fifth grader.
Paul Love [00:07:00] Well, that's not a bad thing, right? Because when you say that, there could be negative connotations to it, but what you're really saying is you need to speak to them in a language they understand. Like we think about security all day, every day. And if I present just a bunch of data elements in an AI, and I wonder why you're not getting it, it's because I think about it and I already know the end of the story. So the data elements, I'm not learning something by sharing a bunch of data elements. I'm just telling the story. I already know the conclusion of We need to tell the story to our executives and board members and everybody that is outside of security, you know, in a meaningful manner that resonates with them. And too often I hear acronyms and all kinds of stuff going around security. People are using fear, uncertainty and doubts like, no, no, the board members, executives are extremely smart. They know finance, they know the business. We need to do our part of the job. And that's our job as CISOs is to explain it in a manner that is actionable. Right. So when you say you have to clarify it, it's I almost think of it. It's like make make the information actionable. You're going to disagree with me, I bet, because we all, by the way, we often disagree on stuff. So that's okay.
Jason Loomis [00:08:10] I am definitely disagreeing with you on that because I feel it's clear to tell somebody else to go before a board, to talk to them like a fifth graders and not sugarcoat it like, well, talk to them a language they understand, because I don't know what they understand, but I do know what a fifth grader understands. And you're never going to go wrong with going to the lowest common denominator of the audience, because you can always go up from there. You're going to say, I want to hear more about that. I want to know more detail. Absolutely. Here's another way to you know, you start digging in deeper.
Paul Love [00:08:36] Which is the same set, very similar to what I just said. I think you're you're hearing me differently. I'm not using the fifth grader because, again, sometimes people may you know, if I've heard that when I was more junior, my career people said that it's like, well, they're smart people. It's like, yes, of course they're smart people. What I'm saying is that you're articulating it in a way that is meaningful to them. So to do that, you have to have empathy and understanding of what what their knowledge is. Right? If I'm talking to a technical executive, I can use some more technical terms. If I'm talking to someone who is an attorney. Right. Super smart at law, but they don't know technology. I need to speak in terms that, you know, that individual understands. So I think we're saying the same thing. I'm just saying it in a different way. And ultimately it comes to the same thing, is making sure that we're aligned with our business leaders and sharing the information and doing our job and making sure that it's clear what what they need.
Jason Loomis [00:09:36] Yeah, well, this is going to be a great podcast today because of speaking to business, speaking about speaking to business leaders. We have our next guest is my invite. And I'd just like to say a little bit to our tens of tens of listeners out there about our guest today. And actually, you know, I think we're past ten. I think last time I said we're at tens of thousands of listeners. I think we just hit 15 the other day. I ran into an old college buddy of mine, and said he would give us a listen. So I think we're now at 15, Paul.
Paul Love [00:10:05] Yeah.
Jason Loomis [00:10:05] And you have total listeners.
Paul Love [00:10:07] Yeah. And I told you that I'm going to go down the street playing it loud in my car whenever I drive home and stuff. So we'll get more passive. Oh, passive listeners. Oh, wait, wait. So we need to decide, are we doing active and passive listeners in this total count.
Jason Loomis [00:10:19] Hits, hits on websites. So even if it's if we bought it and it's the listeners we're all I know is we're 15 I'm bored.
Paul Love [00:10:27] Passive and active listeners are on board. So yes. So yeah.
Jason Loomis [00:10:30] All right. We're going to get some sound effects. Do ring a bell every time we get a new listener. This would be great.
Paul Love [00:10:34] So who do we got today?
Jason Loomis [00:10:37] So my guest, he's the host of The Business of Cyber podcast where he interviews CISOs, CEOs and founders to discuss non technical aspects of cybersecurity in the cybersecurity industry was kind of like exactly what we want to focus on, which is the elephant. So he's focusing on the same like non-technical aspects of cyber. And especially now that cyber is a board level of concern and there's tens of billions of dollars that are being invested in security startups, you know, it's no longer an exclusively a technical discipline. And this guy, you know, he highlights that in this podcast. And I if I could do my godfather voice for me, he's the godfather of podcast because he is the first. But actually that was pretty good. Here's the first podcast I was ever on and just it was fantastic being how he ran it and the questions that he asks and the way that he asked the questions. So when he isn't running The Business of Cyber, he's part of a sales leadership team at RiskLens. If you haven't heard of RiskLens, you need to check for a pulse. It's a cyber risk management company that helps CISOs and their teams improve conversations with business peers by quantifying cyber risk into financial terms, which is what everybody loves to hear, is when it comes to money. Where's the money? Yet as a more experienced and polished and just awesome podcaster, he's great storytelling. And now let's welcome Joe Vinck to the show. Joe.
Paul Love [00:11:57] Hey, welcome.
Joe Vinck [00:11:58] Hey, guys. Yeah, thank you so much for for the invite and for the kind words you Jason.
Jason Loomis [00:12:04] Awesome to have you looked at.
Joe Vinck [00:12:06] Yeah good to be here.
Jason Loomis [00:12:08] So your tell me about my first question. Tell me about the why did you start the business of cyber.
Joe Vinck [00:12:14] It was coming up on two years ago and a couple of drivers for it. So two years ago, what was going on in the world? It was COVID had really just picked up. You know, lockdowns were in full effect. Quarantine was kind of the norm. And I was at home kind of thinking to myself, what's something productive and useful and valuable that I could start doing and create with this free time that I now have? And I was reflecting on that and based on kind of some observations I had and what I learned in my day job at RiskLens, what I had seen over a couple of years is really a transition and a reframing of the security leader role. And we can, of course, dig more into why storytelling is such an important part of what I think really the modern CISO, today's CISO, needs to be. But what I had seen was, you know, 15 years ago when you talk with people about what was life like a security leader ten, 15 years ago, it was prevent breaches and make sure bad things don't happen. And security professionals had to really help convince people that security was a big deal and warranted attention. Now, today, for a lot of organizations, that's changed. For certain organizations, that may still be the case, but especially for larger enterprises, they take security really seriously and that reframing has completely shifted the role and responsibility of the CISO. Now it's not just make sure bad things don't happen, but help the organization to understand the risks that they're carrying and determine the most cost effective way to treat that risk and storytelling, which we'll dig into as a critical skill to do that piece effectively. But that was the primary thing I noticed is that that gap that that reframing that was happening warranted conversations.
And I didn't see anything that existed in terms of a space where security leaders could go to talk about how do you communicate effectively with peers outside of the security department. Over the last two years, and you touched on a couple of different things that I talk about on the show as well, I broadened the scope of it to be more on the security industry and just looking at the business aspect of it. So when I'm not talking with CISOs about this concept of improving communication and leadership and operating as a corporate executive, I'm talking with founders and CEOs about the problems their companies are helping to solve and investors about the security landscape and the billions and billions that continue to get added into the security space. And I think there's some interesting storytelling parallels in those domains as well. But that's ultimately what I saw two years ago and kind of why I started it. And it's actually really funny. I was looking just before we started recording here, just doing a little bit of prep and obviously you've both been guests on the show, I think, Jason, you were last year, Paul, you were 2020. Your two episodes are both in the top five of most listened to. So wow.
Jason Loomis [00:15:46] Oh, that's great. And all three of us combined, we're going to 20 we're going to get 20 listeners under this. I know it. I know that. That's fantastic. Can I ask a silly question? Like with did did it come naturally to you with your first one like cut away? How do I get the story out of the out of the guest? Like, how do I what questions do I ask? How do I know to get to the the heart of what I'm trying to get on the app? Something like, did you watch Donahue as a kid? So he's an old time talk show host.
Joe Vinck [00:16:16] It definitely didn't come naturally. And one, it was repetition in terms of just what what made it become more natural. But it was also kind of acknowledging that all I was doing was having a conversation. And the most interesting episodes in your two episodes, some of the most listened to are the ones that I wasn't really thinking about what I was going to ask next. Next, I'm just focused on the person across the table or in this case, the face on the screen and just really getting into what they're saying and ensuring that I'm really understanding it. So it didn't come naturally. I think interviewing is definitely a skill, but what I found myself focusing just on on the conversation, those ended up being the most interesting and thought provoking episodes.
Jason Loomis [00:17:09] That's awesome. And that's broad credit. Paul, I saw that. You're going to ask a next question before you get that question. And to our listeners, that idea of what Joe said about, you know, it took practice, it took just doing it over and over and over. Storytelling is the same thing. You're never going to tell your first story. You write analogy or simile. Just pick yourself back up and try again. Try a different way to tell it. Just keep trying to tell the story and keep at it. My advice to our listeners.
Paul Love [00:17:35] Paul Yeah, no, that's a great point, actually, because people ask me how, how I'm good at metaphors and what they don't realize is I've been doing it for 20 years, right? Some of my first ten years of metaphors were horrible, like nobody could understand what like, what are you trying to say? So definitely took a lot of time. But you know, Joe, one thing I wanted to ask and I don't know if there's correlation, but I definitely like your insight. So the average tenure for a CSO is about two years, right? I'm sure you've heard those stats. I don't know if it's changed or whatnot with COVID, but before COVID it was about two years. And one thing I've always thought about that was, you know, if a CSO can't connect with the board or with their executive management or with their peers, you know, it's it's hard to stick around past two years, right? The first year you can kind of muddle through. The second year you're probably struggling. But I've always wondered and I definitely like your insight is that do you think that storytelling and that connection might be part of that 24 month average tenure?
Joe Vinck [00:18:40] Yeah, I think it definitely could be. You know, I just had Carl Sharman on an episode. I think it went live yesterday. I don't know if you guys know Carl, but he's a cybersecurity recruiter at a recruiting firm called Scott May. And so we talked about this concept of the average tenure and failing CISO role, etc., and he talked about the demand for CISOs and how CISO searches are some of the easiest for him to fill because there's so many people interested in being a CISO. So I'm not directly answering your question yet. I will of it. I think the first layer to it is on one hand. But I think if that's the environment that a CISO is in, then and they're dissatisfied enough to go look for another opportunity. I think the opportunities are abundant. Right. There's other organizations that realistically they could be searching for that. And in seeking that out as part of the interview process, add a new company. That being said, I think if they can't connect, yeah, there's a potential that poor storytelling or storytelling is not working and not resonating is definitely part of the equation. That's been one of the big things I've been trying to focus on. And I think one of the big challenges I've noticed in talking with dozens of CISOs like you guys over the last couple of years, is that it's a lot easier said than done. And being like translating the tactical and technical dynamic world that is cybersecurity into something that is at that fifth grade level and clicks that can be really challenging. So if that's being done poorly or it's not sticking for whatever reason, I think that absolutely could contribute to the low average tenure that we see across the space.
Paul Love [00:20:42] And one thing, you know, that I've been curious about as well is the ability to effectively use the tools that you have. So for instance, right and this goes in the storytelling I think is sometimes you'll I've seen my peers will struggle and they'll use a tool brain to say, hey, I need a dashboard, right? I need a really cool dashboard. And this dashboard will solve all my problems because it'll immediately tell our board and our executive management what's going on. In the way I think about that is like, well, does a dashboard on a car tell the story? Right. It gives you some really fancy information. But the story is you want to go somewhere, right? So, you know, have you seen that? And are you seeing people move away from that kind of behavior or because I mean, I still see this every day in my like my different social media feeds, like, oh, this is the dashboard that will solve all your problems, right?
Joe Vinck [00:21:35] Yeah, absolutely. I think that's that's a huge problem. And it gets towards the the the buzzwords, like the silver bullets and the single pane of glass that tells your risk story for you. You know, I think something like a dashboard as a concept or as a tool is a perfectly fine resource to use to help enable your story and to help shape the narrative that you want to shape. But the biggest thing I've learned from both business of cyber and from my work with customers and responses is ultimately it's all about decisions. And using something like a dashboard or report or whatever the actual deliverable will be to demonstrate why a decision has been made or should or should not be made. And I think that's that's an important piece. You never want to show just a dashboard and say, here's our risk. What do you think? But you want to show a dashboard that says, here's our risk exposure. Here's what I'm going to do about it, and here's how that's going to be useful for the business or here's options that we could pursue as it and business partners. So I think the decision making component is the most important part of the story of how are you going to enable a business decision.
Paul Love [00:22:51] Yeah, so beautiful dashboards alone aren't a story either. And that's something, you know, I've almost seen it advertised that way. It's like you just said, is that, you know, this dashboard will tell your story. Well, the dashboard won't tell the story. The dashboard is just data, and it's very pretty. But it still has to be that human element of telling the story. And you can never get rid of the individual, you know, and that's why there are CISOs, right? Otherwise you could automate the function out of existence and just have a bunch of dashboards.
Jason Loomis [00:23:20] Joe, how have you have you seen other people that you've talked to like and I know that I'm going back to the elephant idea because that was a topic that we brought up. And when I hear people that know about it and you knew about it in their conversation. Yeah, yeah, I'm familiar with that framework. I'm like, yes, I'm one of the high five you. But we were virtual we're. How have you seen across your wide gamut of interviews, how do you see other cybersecurity practitioners? Do you see that as a focus at all or have you found ones that were successful? And if they were, maybe you can give some insights into how they did it or what they were doing to motivate that often, if that makes sense.
Joe Vinck [00:23:57] Yeah. So what other. Have I heard of other so like using this analogy essentially.
Jason Loomis [00:24:03] For it being successful at that moving the elephant to realize that they were doing it, but some way that they had an emotional impact with the change that they were trying to implement. And it wasn't about a dashboard or was something unique that they did.
Joe Vinck [00:24:15] A couple ideas. One, I had a CISO, the name's escaping me right now. But one of the episodes that's one of the interviews I've been a part of talked about, there were essentially three levels of conversation that they would prepare for. One was people within their team. So this was a C shop until they could be they could afford to be a little bit more technical with peers within the security team. So when they're preparing presentations or meetings, whatever it may be, that was kind of one type of story. Another was peers of their fellow direct reports, risk owners throughout the business, heads of IT and different business units, etc. Peers of theirs. The tier above that was executive leadership. So CEO direct reports and board of directors and depending on the audience, they would think about their message in a different way. So I think. If the elephants in that case, bear with me on an analogy to tie into a story. If the elephant in this case is the concern about how am I going to tell the story, get my point across as a CISO to different audiences, different people throughout the business, an analytical way of looking at it. The rider could be, all right, well, I'm going to approach this by kind of categorizing, who am I talking to? Is this a senior leader who I need to make this a fifth grade level? Is this a peer of mine who maybe has high technology background but just runs? Is a fellow director part of a CIO or is it my security management team? And then that will help shape how you prepare the story and the message and the narrative for that. So that's probably the most specific example that comes to mind, is categorizing your audiences into groups and then approaching based on the audience itself.
Paul Love [00:26:15] Yeah, that's a fascinating point, because one thing that I consider is that I have to market and sell to multiple different groups of constituents. Right. Like a leadership. I have to sell my ideas to them, but I also have to sell the ideas to the people that are on my team. Right. To inspire them, I have to sell it to my peers. Right. There's a lot of selling that we have to do in marketing of our programs and initiatives. And the best way to do that is through storytelling. Like, why? Why do I care, right? Why? Why is this going to help our organization? So I found that to be exceptionally helpful too, is not to try to push the same story to all all three different groups, but, you know, customize that story.
Jason Loomis [00:26:56] That makes me want to go back to not being a CISO, which is the. You're absolutely right. It's it is A-B-C always be closing Phillip Glengarry, Glen Ross, everything else. But it is so much sales it's so much. Yeah. It makes you want to go back to a hands on keyboard when life was simpler. Remember those days?
Paul Love [00:27:14] Paul Yeah, but I actually, I think it's a, it's a fascinating to me. I've actually gotten more reward out of being a CISO, and I'm sure you have too, right, is that, you know, I feel like I'm able to move the needle more and to influence and really to do the things that I saw, the great leaders that I followed, you know, that I'm trying to aspire to be be able to do that within an organization. So but yes, it is. It is. I totally when I when people tell me they want to be a CISO, I try to share with them what that means. Right. That it's not a just means you get to deal with technology. In fact, I'm not even in a technology group.
Jason Loomis [00:27:53] Do you get technology, what?
Paul Love [00:27:54] Like 90% of my day is, you know, working on figuring out what the strategy is, communicating externally and internally and so forth. Right? So and a lot of that is telling what the story of the program is. And that's why storytelling so critically important.
Jason Loomis [00:28:10] Joe, have you seen I want to hit it on something Paul just said about that. We're you know, I think Paul and I are a lot of like at our the level that we're at as a CISO. Do you see that there is a difference in CISOs out there where because I'll be honest I've been hit up by recruiters here and there and some of them I seen are just like it's a it's almost a director level sysadmin role. Oh yeah. We need somebody who's hands on and know Splunk and knows this and like, it's not really what a CISO does. Joe, do you see that out there, that there's a wide variety of like levels of CISO positions or or most definitely.
Joe Vinck [00:28:40] Yeah, yeah. No, 100%. This was one of the other things that I talked about with Carl the other day. So it's top of mind. But we were talking about reporting lines in that age-old debate of who should the CISO report to, the CIO or fill in the blank and where because you went to is that does it really matter that much? Frankly, what matters more is what's the level of authority and access that the CISO has throughout the organization. So who their direct boss is that, you know, whoever. But they need to have part of the assessment right as you're thinking about CISO role should be what's the level of authority and access that you have? Do they have a monthly call with the CEO? Do they have, you know, quarterly check ins with the board, etc.? That matters a lot more does a lot more influence on the ability to execute that the CEO has or does not have?
Jason Loomis [00:29:36] Yeah, totally. So for, you know, the people that are wanting to be CISOs out there, I feel that there are like you don't listen you to back when I was when I wanted to be a CISO you know I look at someone like Paul the guy can never do what he does is amazing. He was like up here, you know? And to be honest, I kind of segue into it or got into it through that. It's not that it's a lower level position, but it's more technically focused because I had the tech down and so they needed somebody who could step in as a CISO, had the tech and then slowly build and be more strategic and get to the maturity level. To me, it is a maturity level that Paul's at from the technical level. So there's a lot of positions out there for people that are interested in CISOs that are more technically focused. And that's a really. Good to be a good stepping stone to get into something that's more strategic and larger with larger organizations. And I've seen that, too. The larger the organization, the more you're going to just naturally not have time to do the tactical things.
Paul Love [00:30:30] You bring up a good point just because there's technical CISOs and non-technical CISOs. And I think sometimes that the technical CISOs may think that they don't need to tell stories. I'm a non-technical CISO right now. Right. I don't I don't report into IT. So my days are spent in a different kind of conversation. But Joe, what from what you've seen, and I'm sure you've dealt with technical and non-technical CISOs, what, what are the differences or what are the things that the different components you're seeing in from a storytelling perspective? Like, is there a different way that the story's told or do they have a different audience that they have to consider? Like what? What's some of your thoughts on that?
Joe Vinck [00:31:13] You know, the biggest thing that I've noticed is kind of in going back to those concepts of authority and access where, you know, I've over the last probably 12 months, started to see cases where CISOs are reporting directly into like a CEO and president. Those are usually technology businesses or some other type of organization where security is truly mission critical to the ongoing, you know, revenue generation for the organization. And that changes the storytelling dynamic because the spotlight on security is as big as it gets where they're there weekly, one on one with their bosses, the CEO of the company. And they've really got to have a tight story regarding what they're doing, why and how that's delivering value for the business. That's that's probably been but one very specific example. Others have been, I would say, more just the traditional quarterly board reporting cadence where once a quarter they've got an app that and what I've seen, though is that usually the duration has increased where in some organizations they might get 7 minutes once a quarter as part of an IP presentation. They've got a sliver of the CEO's hour or something like that. Other organizations have gotten a little bit more broader or even more frequent in terms of the spotlight that they have and the opportunity that they have with with senior leadership. So that's probably been some different examples that I've heard of over the years.
Jason Loomis [00:32:59] Yeah. That you gave the story about sometimes as the CISO, you can't control that window of time or the importance of the message and that is frustrating. Okay, you got 2 minutes to put in 2 minutes for a story, this whole thing prepared. And yeah, that is very frustrating when companies have boards or meetings where they just they give you this small window of time because security isn't that important to them at. No downplay it. So that's tough. Those of you listening on our podcast learn to tell a good story in 2 minutes. Think of a better message in that. But, you know, figure it out. It's tough and whatever time you got. Try to make it as engaging as possible.
Joe Vinck [00:33:38] Or on short notice, too. That's that's another one in terms of a story is when you've got a quarterly meeting, you know what's on the calendar and you've got some time to think about what's your message, your narrative going to be where I don't know if you guys have experienced this recently or as part of the your day jobs or anything. But all of the recent incidents and I've heard about CISOs being called in and saying, hey, we're pulling together senior leadership meeting and we need to talk about the impact or the risk that we're exposed to it, an ABC type incident, so that that sort of changes the story as well because you've got to prepare on shorter notice and you know, those sorts of things.
Paul Love [00:34:21] So yeah. Joe, one thing that I've thought about and I'd love to hear your thoughts on this are as I've grown in my career, I've discovered that consistency in my story at all the different levels is critically important to ensuring that the message gets across. Meaning if I'm going to use the same terminology, for instance, I have to be consistent and use it from meeting to meeting or from audience to audience. But I also have to have the flexibility to pivot to external forces. So, for instance, if I have this like my information security strategy and I can I can talk to somebody in 2 minutes about it, if they give me 2 minutes or I could talk to someone for 35 minutes. Right, if I can. But that if there's an external force, like a regulatory requirement, I know I need to adjust it, what have you. How would you recommend to people? Because I'm not quite sure how I got to be able to do that. And, you know, somebody who studies storytelling and who's, you know, interviewed lots of people, you probably have some tips and tricks for people to be able to do that. Consistency.
Joe Vinck [00:35:27] Yeah. So practice is kind of a lame answer, but I think repetition is probably one part of the response where it's just, you know, in order to truly, you know, I think the example you gave or if you've got a 25 minute version and the two minute version, you really understand whatever that thing is because you could explain it in depth or you can do it in your talk about it for 90 seconds or 2 minutes if you need to. So I think that's that's a skill in terms of understanding something enough where you can give an elevator pitch if you have to. And I think that just comes down to to practice. And this was one of the early episodes. Do you guys know Rick Howard? He was the CEO at Palo Alto Networks for a while.
Paul Love [00:36:13] I know the name. Yeah.
Jason Loomis [00:36:14] I think I listened to that episode.
Joe Vinck [00:36:16] Yeah, it was one of the early ones. It was like five or six or something. But at any rate, he, he talked about how he would actually set up role plays like this for himself and for his team members and practice sessions. And he would write up a situation and say, all right, we're going to role play this conversation, which, you know, in terms of picking up a cue from sales and marketing. Right, that that's what we do with new salespeople as they are learning and practicing conversations, as we create scenarios. And they've got to practice talking through it. And I think that's that's one thing that your security leaders do in practice and get more reps in the same way you would do this for a sport or, you know, anything you're practicing is just create a situation and simulate it.
Paul Love [00:37:00] That's a great point because one thing that I like to do is test my messages and test my stories with people, different audiences. And I and I'll preface to say, hey, I'm thinking about this, right? This is kind of my vision or whatnot. And before I, before I establish that this is the vision, right, I'll actually try to get the audience to participate in, in the storytelling or the story creation and ideation phase. And, you know, for me, that's been helpful. And it goes directly to what you said, you know, try to create the situation. But I you know, I also I think there's multiple different ways to create the situation to see how your story resonates. Right. Practice it. Tell people it's a draft. Right. It doesn't even have to be formal. Say if it's your manager, say, hey, I've been thinking about this. Right? What your thoughts and kind of gauge the room.
Joe Vinck [00:37:50] Yeah. I had a guest talk about that, doing that exact thing with one of their board members. And it was a particular board member who I can't recall if they had a cyber background or for whatever reason, they were very interested in cyber. The CSO developed a really good just one on one relationship with them, and he would do a dry run to the board meeting of the full board meeting with this individual board member one on one, you know, before every broader session. So it was just that it was a chance to rehearse and practice. And then, you know, it's almost like the meeting before the meeting and by the time you're under the lights, you run.
Jason Loomis [00:38:29] So that the worst for me, the worst feeling is the boards that you've never been in front of before. So you don't know what the room is like. You don't know what the what the level, how you talk, the context. And those are the worst. Having an inside track to have somebody advise you before you go in is great. Another thing you brought up, Joe, too, that I've done with my team and it's great for succession planning is having your team work on stories as well so.
Joe Vinck [00:38:52] That, you know.
Jason Loomis [00:38:53] Paul wins the lottery or gets hit by a bus could go either way his next next in line. Can they do the storytelling he does and working with my you know, getting my engineers and my people that want to move up to director to you know, Deputy CISO, can they do the storytelling as well? And that's a great exercise. So I actually wrote that down. I'm going to steal that for my next offsite. Yeah. Prior to that, we're, we're, we're about to wrap up on time and we do this on every interview we're going to, we're going to have Joe answer questions. It's actually three questions. And it's a it's a popular exercise. It's called Start, Stop and Continue. And specifically, we're going to ask Joe if he could ask to cybersecurity in his life, if he could start doing something, stop doing something and continue doing something, what would those three things be? So, Joe, the cybersecurity in your life and and how close you are could be really close could be kind of distant. What would would it be start, stop, continue be for cybersecurity in your life.
Joe Vinck [00:39:52] Yeah, I think. Sorry if you heard my dog barking. I joke he's my my co-host on this.
Jason Loomis [00:39:59] Make you have a lot to say.
Joe Vinck [00:40:01] So yeah.
Jason Loomis [00:40:02] We'll stop barking.
Joe Vinck [00:40:03] Haven't gotten a question yet. Yeah. So yeah from a start standpoint, I mean we talked a little bit about it a few minutes ago, but I think security professionals should study sales and marketing tactics. There's a book that I think every human being should read. It's called To Sell Is Human, and it's a sales leader. But what he talks about is, I mean, the title kind of gives it away. It's no matter what you're doing in your role, there's an element of selling to it. And it's, you know, the relationship building, it's understanding the person who you're trying to communicate with and the communicating effectively. Those are just the critical principles that it, you know, it talks about. So that's probably a start is so the technical the technical aspects obviously hugely important part of cyber, but study sales and marketing as well. Stop to put on my vendor hat for a second. On behalf of the vendor community, I think I would love to see vendors stop being, frankly, just annoying in terms of their tactics, in their outreach and how it is that they go to market. It's just something you hear about all the time. There's entire podcasts dedicated to it. Right. It's beating up on vendors is a pastime on LinkedIn, but just the brazen tactics of just cold emailing everyone, cold calling, and frankly doing things that are just not productive or approaching things that are not humanistic manner. So I think that would be a good thing to stop doing. It's it's challenging and not to go too in-depth, but with the amount of cyber companies that are out there, all the funding that's been raised, there's so much pressure on cybersecurity technology companies just to grow, grow, grow. And it's really easy to download a list of names and emails, plug it into a system that just emails a thousand people five times a week, and boom, now we have a marketing program. So I would love to see cyber security stop, do it. Security companies stop doing that and start thinking about it a little bit more humanistic.
Jason Loomis [00:42:21] Those are both amazing, by the way. All right. And for the last one is what do you what would you like cybersecurity or like to continue doing?
Joe Vinck [00:42:28] You know, I think over the last couple of years, this this type of conversation we've been having, you know, the the role of a CISO, the role of a security leader and how they need to become more business-oriented and business-aligned and develop different skill sets or different traits. I think that needs to continue. And I felt like a little bit. You know, not to give myself too much credit, but like a shepherd in the desert, when I first started talking about this like two years ago, where there wasn't a lot of people talking about this. So it's really great to see what you guys are doing and that this is becoming a little bit more mainstream, that the role is reframed, and that reframing requires a different set of skills. So I think that that I would love to see that continue.
Jason Loomis [00:43:16] And those were awesome. Thanks, Joe. Those are great. So for the listeners, I want to recap. It was go buy this book, To Sell Is Human. Joe had mentioned how multiple skill sets are involved in in being a CISO these days, it's not just about the cybersecurity and the tech part. Sales, marketing, salespeople. Vendors. Stop it. Stop it. Cut it out. You're being annoying. Cut it out. Be nice. And the last one I heard was how business is now aligning with cyber and continue being more business-aligned as a cybersecurity practitioner. And he says those were great men, really good. And for our listeners, too, The Business of Cyber is one of the best podcasts out there. We are second to only one and it happens to be The Business of Cyber by Joe Vinck. Check it out. It's a great podcast. It's awesome. Both Paul and I are on it. That's not the reason why we're saying it's great. It's great because it's an awesome podcast, man. Joe, I really appreciate your time. Thanks for being on the show.
Paul Love [00:44:10] Yes, thank you.
Joe Vinck [00:44:11] Of course, guys. Yes, it's fun. Thanks for having me on.