๐Ÿ”ฅCommunity Favorite

From Technical to Tactical

John Hoy · 23:27 · 2024

careerincident-responseleadershipspeaking

John Hoy, CISO of Clemson University, teaches how storytelling transforms security communication with non-technical leadership. He shares two unforgettable war stories โ€” accidentally DDoSing his own university and investigating a student linked to one of the largest DDoS attacks ever recorded โ€” while walking through Matthew Dicks' storytelling framework.

Open on YouTube โ†—

From Technical to Tactical: Storytelling for Security Professionals

John Hoy, CISO of Clemson University, delivers one of the more practically useful talks at Simply CyberCon 2024. His premise is simple but powerful: security professionals need to stop leading with data and charts and start leading with stories.

The Accidental DDoS

Hoy opens with a story that immediately hooks the room. In 2016, a grad student in Clemson's student-run SOC was doing denial-of-service research. Hoy set her up with an attacker VM and a victim VM. The problem? She typed the victim IP address one octet off and pointed her DoS tool at an IP in Taiwan -- through the university firewall. She brought down the entire campus network. Twice. On the first week of school.

The lesson isn't the technical mishap -- it's what Hoy did next. He owned it. He called his boss and said it was his fault, drawing on the principles from Extreme Ownership. The network team still gives him grief about it to this day.

The Storytelling Framework

Hoy recommends Matthew Dicks' books on storytelling (Storyworthy and the follow-up). The core framework: every real story needs a transformation or realization -- a "five-second moment" where the protagonist changes. Without that change, you just have an anecdote. He uses Indiana Jones and the Raiders of the Lost Ark as an example -- Jones goes from skeptic to believer.

Practical tools include "Homework for Life" (daily micro-journaling of significant moments) and "First, Last, Best, Worst" (a prompt matrix for mining story ideas from your career experiences).

The Krebs Story

The second war story is wilder. A Clemson student ends up on the front page of Krebs on Security, allegedly connected to a DDoS extortion ring. The student had previously submitted a SQL injection vulnerability to Clemson's help desk -- but went too far by dumping the entire database without authorization. DHS gets involved, the student gets detained, and ultimately does community service... working for Hoy's security team. You can't make this up.

Who Should Watch

Anyone in cybersecurity leadership or aspiring to it. If you present to executives, boards, or non-technical stakeholders, the storytelling framework here is immediately applicable. Junior professionals will benefit from the war stories as examples of how real security incidents play out.

Key Takeaways

Stories begin with location and action. Find your five-second moment of change. Use homework for life to build a story bank. Own your mistakes with extreme ownership. Back stories up with data, but lead with the narrative.