SANS Security East Baltimore 2025: Keynote - From Entertainment to Action – Storytelling as Cyber Strategy
The art of storytelling has long been recognized as an essential tool for business leadership, including for cyber defense. Professional storytelling is much more than entertainment. A good story can turn complex topics into memories, dry facts into inspiration, and successes (and failures) into lessons. The right story can also create the goal that inspires people to come together in common action.
In this talk, I’ll describe several stories developed during my career at the National Security Agency – and how they brought people and ideas together into a single theme that helped change missions, organizations, and the industry.
For example, I grew up in the NSA world of security testing for defense – Red Teams, Blue Teams, product vulnerability analysis, etc. Each project or task was a “one-off” – helpful to a customer or a project, but not really addressing root causes. “Security Sampling” was a story that helped people see their individual jobs as part of a larger whole, where each job is a “sample” of the environment that allows us to draw meaningful conclusions about the population from which we are sampling (the networks of the Defense Department).
I’ll describe similar stories that led to national consensus on security benchmarks; an open framework of Cyber “Plumbing” and Security Automation; and the origin of the CIS Security Controls. With each story there’s an idea, a lesson, and an outcome.
