Security Masterminds

Storytelling to Improve Your Organization's Security Culture

Jim Shields Season 1 Episode 5

Storytelling is a powerful medium to help get messages across and one feature is the ability to deliver humor into the story. 

In today's episode we interview Jim Shields, an author, actor, director and now cybersecurity expert. Jim is the director of the popular KnowBe4 video series, The Inside Man. He discusses with our hosts the use of comedy and drama in video and storytelling.
 
Mr. Jim Shields's eleven years working in comedy increased his storytelling capabilities and helped him become a successful film director and storyteller of cybersecurity lessons.

Jim Shields:

Do you want your employees to just be compliant that they did that training? Or do you want to change behavior? And that's what we got in on really early. And that's like eight years old, is that argument. And it's nice to see that that's where everybody's headed today, but it took a long time to get everybody to catch up in a way.

Sarah:

Welcome to the Security Masterminds podcast. This podcast brings you the very best in all things cybersecurity, taking an in-depth look at the most pressing issues and trends across the industry.

Erich:

If you could use storytelling to convince your senior management or someone in your organization or industry, what would that be like for your success?

Jelle:

Jim Shields joins us for an entertaining discussion of storytelling, security culture, and the importance of drama and comedy in the world of cybersecurity.

Sarah:

This is episode five, "Storytelling to Improve Your Organization's Security Culture", with our guest Jim Shields.

Jelle:

Welcome all to another episode of Security Masterminds. It's me, your host for today, Jelle Wieringa, and my good friend and colleague, Mr. Erich Kron.

Erich:

I got to tell you, Jelle, we've been doing these for a few episodes now. Every time we have a guest, I'm even more impressed.

Jelle:

Well, then today's going to be a treat. 'Cause today we are going to talk to Mr. Jim Shields, a guy that has a background in theater, opera, filmmaking, basically he's the storyteller of us all, and he's been doing standup for the last 11 years. And if you meet the guy, he's just brilliant. He's a good laugh. We asked him, how did he end up in this industry?

Jim Shields:

I took a wrong turn. Really. The story is that we were a busy, fully functioning production company specializing in the tech sector, especially IT, and nothing to do with security. One of our biggest clients, a company called Alcatel-Lucent, we'd been working for them for years, and they had a specific request to say, how can we make our employees more interested in our security policies? And then they sent me a 200-page document, and I think I had the answer right there. And I said, this is not how people absorb information, especially in written form. If you want them to care, you probably have to undergo some sort of storytelling, and we can help with that. So we were commissioned to make a short film through a series of three short films. They were like four minutes each. And we affectionately refer to them these days as Adam and Jeff. And they are just two guys who share cubicles in an office, and they're just the kind of guys that like to see each other suffer. And the story started, though, with Alcatel-Lucent. So we made these three little films and then we caught the attention of a guy called Steven Bonner at Barclays Bank in London. Steven came to us and said that we have the same problem. And also there'd been a BBC documentary about somebody finding a load of printouts in a dumpster behind one of the branches of the bank. And it went mainstream and they were obviously, understandably, a little bit embarrassed about it. So there, a lot of customer details ended up unshredded out in the wild. This was a story at one time. And so we were brought in to fix the communication side of that with employees. And Steven was brilliant because he really knew, he understood that you need to do something different and you need to do something based on storytelling. So we suggested a comedy series called The Risk. And it was a series of short films that also had to be edited together to do a kind of thirty-minute piece.
In the UK, they closed the branch down on a Wednesday morning to do training with staff. And so for a couple of hours, they'd shut the branch and then they'd all get together and they'd do one hit on training. That'd be it. So they had to be that purpose, a 30-minute thing, but also then to run it as a campaign, they wanted six episodes. So we came up with an idea of the Barclays manager who needs to get a video made, and the video director that was supposed to come in and do it as part of our story was ill. And they had to get a stand-in at the last minute. And this guy was a really flamboyant, want to be the Hollywood guy and massive ideas that are totally unachievable. And the comedy came from him saying, we want people to fall in love, darlings, and this manager's "Oh Lord, there goes my budget and possibly my career." And so that was how that started. So that was the beginning of all of Twist & Shout's security foray, because they very kindly used those videos on a world tour of awareness. They now became the leaders in awareness and they were speaking at events all over the world, like in Las Vegas and, oh, where all these events are, and they very kindly put a credit for us on the last slide. And I don't, what happens, everyone gets their phone out and goes, click, and grabs the, grabs the details off the last slide for all the people they want to contact. And the following two years after that, we made about 50 short films on security in two years. And some of them were serious. Some of them were standalones, but it went off the charts. And then after that, we said, we are so bored with making films about passwords. Let's just make a series and publish it. Let's do it and license it, 'cause everyone was trying to buy Barclays off them and it wasn't set up for that. And, we just, we thought we'll make one and then we won't have to make any more and it'll be great. And obviously that didn't work. 'Cause look at me now.
But the idea was that they promoted us, albeit unofficially, and that took off there. So that's the start of Twist & Shout's relationship with information security. And they have it. That's how we got into it.

Jelle:

I love how organizations like this just form out of passion and then get successful. It's just really cool. It's cool that a person like Jim Shields, he's like, ah, no, I actually, I didn't start in this industry. I just roll into it. That's the same for all of us. Isn't it?

Erich:

Yeah, I personally can't say that I know anyone that when they were growing up in middle school or whatever said I'm going to be in cybersecurity. We all seem to like trip and fall into it. We end up in this space, and it's interesting with this, and I love the way that, although we kind of stumbled into it, he hit on something that was really needed, and the way this has grown, it really goes to show there was a hunger for a new type of content and a new way of giving this content to people, making them more involved in it. And I think it's great that he latched onto that and his style helped create a lot of this newer security stuff that we're seeing, where it's a storytelling experience, as opposed to just here's what you should do and what you shouldn't do.

Jelle:

I love his comment about that. He was just becoming bored of making films for passwords, and that's, he gets how you need to basically interact with people. You need to motivate them. It needs to be fun. And that's perfect.

Erich:

Well, and if we're getting tired of making films about passwords, imagine on the other side and the people, how tired they are seeing things just about passwords. Right? I think that's why this is so popular.

Jelle:

And we wanted to know from Jim whether it's more challenging to work with drama or comedy when trying to convey a message and teach somebody something in the cyberspace.

Jim Shields:

Yeah, that is a really good question. The bottom line is that in emotional terms, it doesn't make any difference if you make somebody laugh or you make somebody cry. You've made a really strong emotional connection. And the thing about storytelling is, that is something that the brain does, that puts you in the story. That is, we don't know why that happens, but we know neurologically that is what the brain does. So when you're watching a movie that's exciting or terrifying or scary or heartbreaking, you will get involved with those emotions, and they have done live scans of the brain that show activity going when they're actually under a threat or they're watching a movie about somebody under threat. It is the same as far as the brain is concerned, emotionally speaking. And we knew the power of that. And the reason that we did comedies to start with was because we knew that if you look at the three things people look at on the internet, comedy, sex and violence, sex and violence are generally frowned upon by HR. So we didn't go there. We stuck with the comedy thing; that was all that was left to us. And also I had taken up a hobby, which turned into a big sideline hobby, of stand-up comedy. So I did stand-up for 11 years and I knew lots of funny people and I knew lots of writers. I got to understand during those 11 years how comedy worked, and it was sneaking into our work at Twist & Shout quite a lot. We did lots of conferences and live events, where there was a lot of comedy involved. And so it felt like the obvious starting point for us, which was to write something. For the first series of Restricted Intelligence, it was a real risk 'cause I got a consortium of 10 companies to put in some money to finance it because we didn't have any resources. We were living month to month at that time, and about a week before the shoot for the first series, four of them dropped out because of cultural misalignment.
They were like, they'd had a word with somebody and said, oh, we've got involved in this great scheme, we're going to put in a few grand and they're going to make the series. And we get to use this series. And management, sometimes: security is a really serious issue. You can't make a comedy about security. Nobody will take it seriously. That's a terrible idea. So we lost financing about a few weeks before the shoot. So I plowed ahead and put my house on the market. As in, I released some equity from my house, which did not go down well with the Missus. So that's how we financed the first series and the rest is history, and we've found that there were progressive companies who didn't have the same problem and they were really happy to get something engaging. And it boiled down to one question. Do you want your employees to just be compliant that they did that training? Or do you want to change behavior? And that's what we got in on really early. And that's eight years old, is that argument. And it's nice to see that's where everybody's headed today, but it took a long time to get everybody to catch up in a way.

Erich:

Comedy though is one of those scary things, because what's funny for some people is not funny for others. It's really easy not to get comedy right. To where only a certain segment sits back and says, oh, that was funny. And the others are just staring at it like I don't get it.

Jelle:

I love his remark on that. They get the brain tests. It really shows that if you do it right, if you really focus on bringing that emotion to the table, it can have a really powerful impact.

Erich:

What they've done really resonates with not only technical people, but non-technical people as well when it comes to their comedy series and things like that. I think they did an amazing job with putting that all together.

Jelle:

Jim really understands how to make comedy accessible to everyone, how to leverage it. So we already talked about storytelling as being an important part of what Jim does. And we know that Jim has written several books about storytelling. We wanted to know what factors really are important to storytelling when trying to convey a message to your audience.

Jim Shields:

The thing about storytelling is this: there's three things. Basically character is the main thing. Character, we want interesting and complicated characters. And we're talking about drama now, rather than comedy. Comedy can be simpler. You can deal with stereotypes in comedy a little bit because you need to be efficient. But, with drama. And I remember Rob and I realizing how much fun it was to start making the Inside Man, because if we thought we liked making people laugh, that is nothing compared to making a room full of people cry. That felt like real power. And that, I was like, oh my God, this is better. This is really cool. Character was the main thing, where you can have complex characters and you identify with them. And so the brain wants to be with them or even be them. And so you have complex characters that are believable. We're trying to suspend disbelief here, which is very important so that you can just lose yourself in the story. The other thing is that there is a moral of the tale. At the end of it, if you reconcile the story with something that is satisfying in some way, whatever the message might be, it will resonate because of the story thing. And we feel bonded to it, which is why it's a really powerful device to get people to change behavior. And the third thing, weirdly, is location. If you set a drama that is purely in a hacker lair that happens to be set on the moon, nobody can relate to that. I don't know if I know any hackers, or at least I'm not aware of it. I don't know if I know those places, is the movie cliche of the hoodie and the thing. I think that's fun, but I can't connect with it. So you need real characters that we can connect with. And the locations are places we know. So when we choose locations we are like, an office, we know what an office does, we know what somebody's house does, we know. So it's just about familiarity at that point and removing the friction from the story.
And those are the three main things. I think the most important is character, bringing complexity; you know, what is the moral of the tale? What are we really saying here? And location, and like, how can we make it rich? How can we make it visually stunning?

Jelle:

So this is a good lesson for all of us that want to build or use storytelling in our security awareness campaigns. How can we teach people? Well, storytelling is one of the answers, one of the ways to do this and the way that Jim talks about it, it's a guideline for all of us.

Erich:

Doing drama, I think, is so much harder than doing comedy. If we take what we learn from this, and we take what we learned from what Jim just said, this is something that can really help us in our careers, especially when it comes to changing behavior on people, getting them involved, relating to these folks, and then showing them a certain behavior can help them move in the right direction on the behavior. And I think this is the power of the drama part: when you get involved with the character, you almost automatically emulate in some ways some of the traits of characters that you click with, that you feel a bond with as well. And I think that's a very powerful thing.

Jelle:

So security awareness and security culture are two hot topics nowadays. We asked Jim, how does storytelling and engagement help security professionals who aren't in a theater be successful?

Jim Shields:

There's two things I want to say there. I think, first of all, the information security department or an individual responsible, they're never the cool kids, because they are always the world of "No." No, you can't go on that website. No, you can't do this. No, you can't click on that link. It's a world of no, with good reason, but it doesn't make them the most popular people in the building. What our material did was it was popular with employees, and suddenly they became the cool kids that were like making this comedy and putting that out. And the second thing is, what I would say to professionals out in the industry is stories don't have to be fiction. You can pick up stories from the news about breaches and about security incidents and use those stories. Did you hear that time when the pipeline was shut down and blah-blah-blah, and you know, those are stories, so you don't have to be mega creative, you can just take note of what's out in the news, what goes public, and just tell those stories, because people are fascinated. You are the guys who are the curators of that content for your employees. They don't care at this point. They're not caring as much as you do, and they're not going to follow all those stories. And it has to be a big story to hit mainstream news, right? Gladly, more and more stories are getting reported to mainstream news outlets, but on the whole people don't really follow it. So if you can be that curator and you can follow for them and go, Hey, here's today's story, guys. What do you think of this? That's great. You're helping them out. They don't have to go digging for this stuff 'cause they're not going to do that. And you present them with something to go, "Oh my God, I've got a friend that is their bank. And they've been hacked. Oh no." So it becomes very real and those are stories. So that's my advice to professionals out there trying to get engagement going.

Jelle:

He does a very powerful thing by including real world examples in his storytelling. We did the same thing with our platform, right? We basically use real-world phishing attacks and present those to the users to make sure that they are training on real world stuff. And he does the same thing.

Erich:

Yeah, I love what he said about not being the most popular people in the building. I found that to be very true in a lot of my security career, and for good reason, a lot of times, because he's right. We're so often the no people. And I think that we have a lot of PR work to do as security professionals. And I've always said my goal, my thoughts on our role, is to come alongside people and help them make better security decisions. That's kinda my goal and my thoughts on things. And by doing what he's talking about here, where something that they may have seen on the news, you inform them a little bit: Hey, you may have seen this on the news and this is what it means for us. Because a lot of times they may see it on the news and they go, I don't know what that really means. Yeah, it's my bank. But is this something I should be worried about? And eventually you become a source of information for these folks where they don't mind coming to you. And I can tell you from personal experience, once the people are comfortable coming to you, it can be very helpful. I once had a gal who, we were almost hit with a W2 scam. In other words, they were trying to steal tax forms and she got this email. She actually picked up the phone and she called me and said, you know, is probably nothing, but it just feels a little weird to me. And sure, it turns out that it was somebody trying to gather information. But if she hadn't have been comfortable enough to pick up the phone and say, this is probably a waste of our time, or this is probably nothing, it's entirely possible that we could have had a pretty significant issue on our hands.

Jelle:

Security is there to support the business, and that whole department of no mentality basically moves us away from that. So, I love that story and how basically IT can be a cybersecurity hero, what people turn to when you have questions. And there are no wrong questions. There's no bad questions out there.

Erich:

Making us in that role where people look to us as a source of information and looking to us as somebody who can offer them guidance, not just somebody that's always saying no, is a very important thing in any security role.

Jelle:

So we asked Jim the guy that has so much success, created so many good series, he must have had some failures too. So we wanted to learn what's his biggest failure. And what did he learn from it?

Jim Shields:

My biggest failure is perfectionism. I'm just obsessed with getting it right all the time. I can't let it go. I'm just so reliable and brilliant. I just, I don't know what to tell you. I can't help it. Yeah, that was a great question. 'Cause I don't get asked that a lot. Okay. I have a saying when we're making these programs, that it's all made in the casting, and now and again, we have made casting snafus. Where we, honestly, it's usually when somebody drops out at the last minute, because they've been offered, I don't know, a movie or something. And they drop out and then we have to scramble to get somebody quickly. And we go to the B list and we've seen maybe a tape, audition, and we haven't met them, there isn't time. And they turn up on set and, you know, the old industry saying, don't cast off headshots, is very true, because when they turn up, it's a bit like dating, they turn up and like, that was your picture? Who are you? You know, when was this taken? There's a little bit of that, but if you think of it in acting terms as well. And we set such a high standard for our acting in this area that somebody turns up and they're not up to muster, it stands out like a sore thumb. And so I've made, I feel like I made a couple of casting missteps once or twice over the years. And usually because there's a time crunch, but I wish I shouldn't compromise like that. We should delay rather than cast to hit the deadline.

Jelle:

So he's talking about that casting process.

Erich:

Yeah, you know, I knew that casting was a complex thing, but there's so much more that goes into this and it, it is such a key element in the stories. If you have the wrong person in a role, I can see where it's just not going to feel natural, and I never realized until talking to Jim just how important the casting piece is.

Jelle:

So in doing our research for this episode, we discovered that Jim has delivered a TEDx Talk. He explained how theater has saved his life. Now with his current career involving cybersecurity, we wanted to know how has cyber security allowed him to help save organizations?

Jim Shields:

All right. It's a good, it's a good question, actually, because certainly, if you talk to any of the actors, they'll say I had no idea. They read these scripts and when we tell actors that's what happens in the world and the fact that you use the same password for absolutely everything, and it's your dog's name, then you're an idiot, but it terrified them into all being educated, which was quite good. I have become the local kind of, and this is so not me, I am now the tech support for my entire street. Based on this, like the old lady that lives at number seven, who is asking me if something's legit or not. And I get sent a ton of stuff via WhatsApp going, should I click on this? I'm like, no. And it feels good, actually. It feels really great. And I have a lot of amazing conversations with my boy, who at one time was thinking of becoming a white hat hacker. And so he's genuinely interested in that career. So yeah, I become a bit of the security guy. I'm horrified when I see somebody who either doesn't have a lock code on the phone or something like that. I help them out by turning it into Turkish or Russian or something so that it just teaches them a lesson, you know? That's what I love about the work that we do, is it is genuinely protecting people and helping people.

Jelle:

So Jim, welcome to the world of tech support. People look to us as their heroes to fix things, but seriously though, it's just really cool to see how he made the transition from theater and smoothly moved into cyber security. He is using the same tools that he did in theater to basically teach people about cybersecurity and help people in organizations that way.

Erich:

Yeah, I'm a little jealous about the TED talk thing, but it's kind of funny because, you know, we do get kind of pulled into that and seeing him go from theater to being involved in some of the cybersecurity and seeing how that all pulled things together for him. And he is now somebody that they look to. I saw this when I recorded with four of the actors with the Inside Man series and we asked, "How has this changed the way you do cyber security?" And all of the actors basically said, "Yeah, no, I'm so much more aware of what's going on these days than I was prior to being a part of these projects." Again, as people get some sort of a personal involvement in this, or they find something that makes it relevant to them, they can start bringing that into their lives as well.

Jelle:

So the Inside Man series is really successful. We asked Jim, what does he think? Why does no other organization in his industry do something like that?

Jim Shields:

Oh, wow. I think it's to do with overlaps. I'd like, I mean, it sounds braggy to say, oh, what we do is so difficult, but it's to do with overlapping real estate. So if you take drama or comedy and the experience we have with actors and all of that kind of thing, and the writing, and you overlap that with cybersecurity, that's a tiny little piece of real estate. That overlap is the bit that's special. And I honestly believe that it would take an incredible amount of risk and resource to get even close to where we are today because they wouldn't even catch up. Because the interesting thing about stories is they're continuous. So you can't just beat the Inside Man today because there's four seasons, right? Do you know what I mean? We have an install base, if you want to use a technical term, of fans who love it. Very difficult. We just need to keep true to the cause of keeping the story going in a way that the fans will appreciate and trust. But that's going to be very difficult to beat off the starting blocks for anybody else. It would be quite a big risk and it would also be a massive investment. So I'm hoping those two things keep the wolves at bay for now.

Jelle:

It's really hard to copy something like this as the series has been ongoing for such a long time. And we really do have fans of the series, people in the community that really are looking forward to the next season.

Erich:

I do like, and I would love to see this idea spread throughout the community. We're in this to fix a problem. And that problem is the human issue in cybersecurity. And if we can get more of these out there, if we can get this to help people, I think it would be great if we can do it.

Jelle:

We want to help the community. It's not so much about competition. It's about creating good content that really resonates with the audience. That's a good thing. Now it's all about building that safer world out there and helping the human to make better security decisions. So what we do isn't easy. It's, security awareness training is proper work. You need to really work at it to get the message across. So we asked Jim, how do you suggest organizations market and basically use what you create?

Jim Shields:

Well, I would refer you to a presentation that I gave many years ago, and it was in front of a security audience and the title of the presentation was Think Like a Marketer. And it's using campaign theory to get people's attention. So you have a movie poster in the break room. People go, what's that? And then when they get the link and they get the icon, they recognize it as the same thing. So now we're into branding. My best advice would be work with your internal communications or marketing department to say, how would you get the attention of this specific group of people? Because that's what marketers do. Yet you can change their behavior by a campaign. That's why Twist & Shout always used to generate a lot of campaign items that went with the video series so that they were ready to go, the posters were ready to go. We gave them the artwork so that they could download it and change their helpline number or whatever it was they needed to do. We just made it easy for them and took the friction away. We know that these are security professionals not necessarily trained in marketing. So we built a kit. And we wanted to really help them do it themselves because you're fighting for bandwidth in an organization. There are lots of other campaigns and materials that go out to employees every day. The inbox is the battleground of communications. It's difficult to get attention. So if you're a marketer, you go, what will get people's attention? And we think comedies and dramas and movies get attention. And you just talk to your marketing team and ask them for advice; that is far better than trying to steal it off them and getting them going, hang on, we're marketing, you can't do that. Or we're internal comms. You can't do that. If you go and ask internal comms for help, psychologically, they're like, oh yeah, they came to us. We're special. And it works. It's just basic psychology and they will help you. So that's my advice: work with the people who know how to do campaigns.

Erich:

You know, he mentioned marketing, but also PR can do some of that as well. Get any of those groups you can together and come up with some ideas. And he's right. Most of the time in my experience, they've been willing to do it. They like being a part of something like that. And as far as the campaign stuff goes, there's lots of posters available that you can send out and have printed that go along with other things. There's a lot of power into creating these campaigns as opposed to just, Hey, by the way, there's training, let's go check it out.

Jelle:

So that was it for this episode. We want to thank Jim Shields for being an awesome guest on the show. Like, subscribe, and spread the word about what we're doing here. We welcome new listeners.

Erich:

This has been a great episode with a lot of great information. Thank you everybody for joining and take care.

Jelle:

We'll see you next time.

Erich:

Goodbye, everybody.

Jelle:

Oh, and we want to thank our awesome producer this time. He really is awesome.

Sarah:

You've been listening to the Security Masterminds podcast, sponsored by KnowBe4. For more information, please visit knowBe4.com. We invite you to subscribe to the podcast on your favorite platform and listen to our new guests each month, and also please share with everyone.
