From Servers to Stories: Why CISOs Must Ditch the Logic and Embrace the Emotional Fire
Is your security budget presentation being filed next to the memo# From Servers to Stories: Why CISOs Must Ditch the Logic and Embrace the Emotional Fire
Is your security budget presentation being filed next to the memo about replacing the office coffee machine? Do your non-technical colleagues zone out when you talk about threat vectors and mitigation protocols? If you want to move your cybersecurity function from being seen as a pesky “cost center” to a mission-critical necessity, you need to stop arguing with spreadsheets and start telling unforgettable stories.
Logic is cheap, but emotion pays the bills. This truth, learned from a master persuader and veteran of advertising, is the essential skill that will transform your leadership, secure your budget, and build a culture of trust.
The Car Sales Lesson: How to Win Over the Unwilling
One of the most profound lessons about persuasion and marketing didn’t come from a textbook; it unfolded at the New Jersey State Fair. A car company was exhibiting its brand-new, full-size pickup truck, attempting to get people to walk around the vehicle in exchange for a branded cowboy hat. This kind of engagement is often “tough sledding” for employees.
However, the tide turned when two “tough old boys” showed up, dressed in bib overalls and trucker caps sporting a competing car company’s logo. A sharp young woman approached them, and the meaner-looking of the two flat-out refused, stating: “I wouldn’t get in that truck if you were handing out gold bars”.
Instead of debating the truck’s features, the young woman used a devastating emotional tactic. She turned to the friend and said, “I’ve seen this before. He’s scared he’s, scared he’s gonna like it, and he’d rather be wrong than change his mind“.
When the friend asked, “Is that true, Dale? Are you scared?” Dale naturally denied it: “I ain’t scared”.
The quick-thinking woman countered: “Talk is cheap, Dale, but you can prove me wrong. You can just lemme take you on a tour of the vehicle”. The expert observing this realized, “oh man, you are good”. Inside of about 10 minutes, those two men were walking around the fair proudly wearing the competitor’s cowboy hats.
The advertising veteran mused about how many ads he would have needed to show those men before they would wear those hats, concluding he “wasn’t sure [he] ever could have shown them enough”. When he complimented the young woman, calling her the best salesperson he’d ever seen, she simply replied: “I’m not a salesperson, I just love making friends.”
This story reveals that people do not make decisions rationally; they make them emotionally. Emotional decision-making is rapid decision-making, often equated with intuition, like deciding instantly whether to trust someone. Reality and truth are not what cause people to change their behavior—it’s something that happens on the emotional level. Storytelling is the key to activating this emotional connection.
The CISO’s Storytelling Playbook: Recommendations for High-Stakes Leadership
CISOs and security leaders face enormous challenges: mitigating risk in a hostile environment, securing budget, and convincing colleagues to adhere to strict protocols. One expert learned this firsthand while consulting with the Federal Reserve Bank of San Francisco on cybersecurity operations. The high stakes—an international breach at the Fed—made communicating cybersecurity commitment a “vital part of the job”.
Here are actionable, storytelling-driven recommendations for CISOs to apply in their organizations:
1. Shift the Perception of Security from Cost Center to Mission-Critical Asset
Security is often viewed as a “cost center,” likened to the employee restroom that just consumes funds. The goal is to move the conversation to revenue protection.
The Recommendation: Introduce the Villain (The Personal Injury Lawyer)
Instead of leading a presentation with technical jargon or budget requests, start with an emotional profile of the consequences they actually care about: massive litigation.
Illustrate the Stakes: Start your presentation by profiling “the slimiest ambulance chaser” or “douche waffle” attorney who specializes in data breach settlements. Detail the lawyer’s reputation and highlight that he is “praying for the day you have a data breach”.
Deliver the Punchline: Conclude this villain’s profile by telling your audience: “My job is to make sure you never meet that guy.”
Why It Works: This creates an immediate, visceral emotional connection—fear and urgency—regarding the need for funding and mitigation. The attack axis might be different now, focused on the damage law firms can cause, and this story immediately connects the audience to that reality.
2. Embrace the Power of the Uneventful Life
A good CISO, much like a great hockey goalie, needs to maintain an “uneventful life”. Your success is defined by what doesn’t happen. This can make communicating value difficult, especially when you need to be remembered come budget time.
The Recommendation: Frame Success as Invisible Mitigation
The White Shoe Law Firm Analogy: Explain that you operate like a “white shoe law firm”—one that resolves the case on the “golf course” before it ever sees the inside of a courtroom. A really good CISO ensures the organization never sees the inside of a courtroom (i.e., never suffers a visible breach).
The Goal is Silence: Use this analogy to explain: “My job is to make sure you don’t even remember that I’m on staff, and that’s how you know how good I am”. This helps executives understand that no news is, in fact, the best outcome.
Address Inevitability with Mitigation: Since it’s a matter of when, not if, a well-financed opponent attacks, position your job not as preventing cancer, but as “put[ting] into place a number of protocols where, you know, the risk factor is a lot lower” and protecting them if a breach occurs.
3. Build Trust by Never Being the Hero
Trust is the currency of influence. When you brag or make yourself the hero of your story, people immediately distrust you, viewing you as self-aggrandizing or trying to con them.
The Recommendation: Practice the Art of Shared Observation
Never Take Credit: When communicating something impressive, always make the story about someone else, where you are “simply observing their admirable behavior”.
If You Hired Them, Downplay Your Role: It is fine to talk about how great your team is, but if you hired them, take “no credit for hiring them,” or suggest that their talent discovery was “entirely accidental”.
Stand Shoulder-to-Shoulder: When you remove yourself from the spotlight, you are “shoulder to shoulder” with your audience. Like standing at the Grand Canyon, it’s not enough to admire the beauty; you have to share it to feel complete. When you tell stories where you are not the hero, you allow everybody to share that moment with you.
4. Transform Security Awareness Training with Narrative
Mandatory security awareness training often becomes a dreaded “check in the box”. Attackers win by creating an “immediate emotional state” (like fear or urgency) to trick someone into doing something they wouldn’t do if they thought about it.
The Recommendation: Use Compelling Stories to Teach Key Behaviors
Make it Emotional and Memorable: Instead of relying on logic, use compelling narratives that evoke emotion and leave a strong moral. If people are emotionally invested, they will stop, think, and count to 10 before clicking a suspicious link.
Focus on Hope (and Relief): While sometimes you might want to “scare the be jeepers out of people,” even horror movies offer hope and “a feeling of relief” at the end. Your stories should ideally be upbeat and leave your audience feeling relieved that your protocols are protecting them.
Connect to Personal Stakes: Illustrate the consequences of inaction by giving people “somebody to care about,” whether it’s a shareholder or “the poor person who... was the victim of the phishing attack in your building and now commit[ted] suicide because of the consequences”. This is the emotional difference between knowing about a disease and knowing your wife has that disease.
5. Cultivate Your Leadership Brand and Legacy
Every leader is a “brand” that can be searched out and judged within “24 seconds”. Your brand is defined not by your title, but by the “values that you believe in” and share.
The Recommendation: Model the Next Generation of Trustworthy Leaders
Life Gets Easier When People Like You: A fundamental rule of branding is that when people like you, they want you to win, help you when you ask, and want to be near you. As a CISO, if they like your company (your team), you gain an advantage.
Your Actions Tell the Story: Your legacy is determined not by how great you are, but by “how well the people who were assigned to you did”. When you support, grow, and look out for the career trajectory of your team, you are “telling the story of what it is to be a leader here”.
Model the Values: Be mindful that your behavior serves as an example for the next generation of leaders. Choose stories that are “legitimately gracious and generous” and communicate values of “team spirit” and “togetherness”. Warren Buffett, for instance, emphasized that while they could lose money, losing the “trust of our customers” would “kill us dead”.
Be a Relentless Self-Improver (Kaizen): To improve your communication and storytelling, you must practice. Record yourself, watch it back, cringe, improve, and do it again. The goal is continuous improvement (Kaizen); getting just 1% better every day means you are over 37 times better by the end of the year. For those in cybersecurity, this dedication to constant learning is essential to remaining relevant.
6. Frame the World as a Resource for Stories
Master storytellers start perceiving the world differently; they are constantly observant, looking for things to share and learn from setbacks.
The Recommendation: Engage in the Team Sport of Business
Look for the Good: The media often thrives on rage and division. Be the antidote by reminding people that they are “not all awful” and that nice things happen often. This aligns with the idea that business is “100% a team sport”.
The Gift of Connection: Use storytelling to persuade people that they are not alone, that “we’re all on a journey. We’re in this together”. This is the ultimate value of storytelling—it connects and reassures.
Use Setbacks as Learning Events: Don’t look at professional setbacks as tragedies; see them as the potential source of a story. Being persuasive and effective in communication is a skill that has worked for centuries. You don’t have to be the best storyteller in the world to gain an advantage; you just have to be “a little bit better than you were before”.