One skill I never expected to learn as I grew into a security practitioner is the Art of Storytelling. When you first hear about telling a story, you may think about children’s storybooks or fiction novels. However, stories exist in EVERYTHING, they just require some intention. Storytelling isn’t always about creating one rather finding the story in your own writing. Like many others, I didn’t expect much writing let alone storytelling within the IT and cybersecurity field. It’s better understood today, but writing is crucial to your career growth.

Stories that improved my work

When I initially started as helpdesk analyst, the first tool introduced to me was not Active Directory or NirSoft, it was the ticketing system. At first, it felt like a chore, and I thought it was pointless to document every call. Then, one day a customer’s browser couldn’t load their legacy internal website. I persistently googled for possible solutions to no avail. Then, I decided to look through past tickets in the system and voila. There lies a robustly documented ticket completed over a year ago describing the exact issue I was combatting. I attempted the described solution, and it worked perfectly! This ticket was not a how-to guide or knowledge base (KB) article, it was simply someone who took to time to clearly write out the issue, impact, and solution. A clear concise story that saved me hours of time and I am eternally indebted to that person.

Later in my career as an application administrator, my manager asked me to monitor the cybersecurity consoles while the team was out of the office for several days. During this time, I found hundreds of strange alerts regarding a potentially malicious browser. After hours of investigating, I found it was a false positive, but the alerts multiplied every minute. It wasn’t a situation that required escalation, however the alerts were extremely distracting and could lead someone down the same rabbit hole I just climbed out of.

No one is available to discuss and leaving it alone could cause more problems, so what should I do? I decided on the strongest cantrip of the corporate warrior, craft an email! As I drafted it, I kept thinking about the perspective the security team who don’t know my skills or credibility to investigate this issue. The email slowly evolved into a report detailing how I investigated the alert, the potential impact and solutions. When the team returned and viewed my report they were thrilled! They wrestled this alert for several months but couldn’t convince the application owner to make the change to stop the alert. However, after forwarding my report email, they quickly made the change without question.

Power and growth

That’s when I learned, good storytelling has power. My report wasn’t convincing because I had a list of details, but because I created a compelling story around a mundane situation that moved someone to act. I could go on and on about how many times writing as a story led to changes well above my pay-grade. The details of any problem are always important, but you want to take time to craft a narrative and allow someone to read your perspective. If you want to inspire someone to decide, you need to elicit emotion, data is not enough. How many times have you heard technical staff say the following:

• “I just want the facts”
• “Follow the data”
• “The data doesn’t lie”

There is a time and place for strict facts like court cases or extracting data. Summarizing takeaways from stories with pure facts or outlining a list of findings should not be ignored. However, in most situations you are drafting a report, email or message to achieve a goal. Simply providing facts, does not give the recipient enough context to act. Part of your role is to interpret the facts and data to help others make the best decision. In my experience emotion is what drives lasting changes. It doesn’t have to be an extreme emotion, but you want them to feel something. Sympathy for handling thousands of unnecessary alerts, fear of experiencing a cybersecurity breach or pride in a team accomplishment.

While I was proud of my writing accomplishments, there is still a lot more to learn. If you’ve followed my blog, you’ll know I emphasize note-taking and report writing extensively. In that spirit I am always looking for ways to improve myself. I had previously taken Chris Sanders’s course on “Investigation Theory”, and I absolutely loved his emphasis on the “soft skills” rather than solely focusing on technical ability. So, poking around his catalog I saw “Effective Information Security Writing.”  I promise I’m not sponsored, but this course really opened my eyes and put words to what I was feeling. It provided practical skills and advice that exponentially improved my overall ability to write.

My one huge takeaway from this course is the entire point of this blog, always tell a story. If you couldn’t tell already, I highly recommend this course if this post speaks to you in any way! Today I feel extremely confident about my writing. It will never be perfect, but I feel excited to share my viewpoints and analysis through writing. It’s a similar feeling as learning a new language well enough to effectively communicate with native speakers. It sounds cheesy, but I love doing peer reviews, rewriting documentation, and spending more time on my reports. Personally, I think folks fear writing because they’ve never expanded their skills to improve it.  I’ll share a few things I’ve learned after going through all this since I hope you also are seeking to improve your writing no matter your experience.

My unsolicited advice

The first thing I want to mention is the amount of learning material on the internet regarding writing and storytelling. The community is massive and just like cybersecurity there are numerous YouTube videos, articles, blogs, and courses. It is easier than you think to get started. You can learn quickly and find excellent reference material in a matter of minutes.

Next, recognize how much you write in your day-to-day work. Emails, reports, documentation, and messages are all great opportunities to test yourself. Just like any skill, improvement comes from consistent and deliberate practice. Reading benefits you as well, especially when you intentionally identify the story structure. If you pay attention to your own writing as well as others, I promise you will start to see the improvement quickly. Always have a goal with your writing, anytime you are drafting try to think what you want the reader to do after they read it. Do you want them to make a change to a system, reset their password, block an IP address, pay you more money, etc., etc., etc.

My next piece of advice is to take ownership. I often find in cybersecurity we are afraid to form confident opinions without a mountain of evidence. I will often see and even catch myself writing statements like “I think our team might benefit from updating the security tool a different version, but I haven’t really looked into it.” You can see all the unsure words in that sentence such as “think” and “might.” Then continuing by not specifying a specific version and directly confessing to limited research. I’m positive most of you have read and likely written a similar statement.

I understand the sentiment, you don’t want to attribute yourself to the result in case it is wrong. That should be an indication that you need more time and research to answer. If timing is crucial, you could provide a more direct answer and give a confidence level. I believe you are better off just saying, “give me a moment to research” and then provide more clear statements. However, it is a learning process, you WILL still make mistakes. I’m not here to give you advice to be perfect all the time. Imperfection is not the problem, refusing to grow from imperfection is what stunts trust.

Finally, we come full circle to storytelling with your writing. Who’s the protagonist? Antagonist? What is the struggle? I highly recommend reading about proper story structure and embrace creativity. The protagonist could be an Endpoint Detection and Response (EDR) tool that managed to block a suspicious file. The struggle may be finishing work expectation while attending too many meetings. Just as I mentioned you want to find a goal with your writing and seek an emotion you want to evoke from your story. I know it sounds gaudy, but I promise it works with time and practice. If you’re ever unsure of your skills, find that person who’s reports amaze you and ask them to help. I think you’ll find most people are willing to help if you are willing to ask.

I mostly focused on writing here, but you will see the same changes in your presentation skills. Everything I mentioned also applies to presenting, but I emphasize writing because writing doesn’t go away. Your presentation is dependent on someone’s memory, a written document will remain forever. If you haven’t heard it before, it’s always great advice. “Words are great, but always get it in writing.”

As I mentioned at the start, storytelling is a skill I never thought I’d need in this field, but it has become an invaluable tool in my career. From troubleshooting technical issues to persuading others to act, the ability to craft a clear, compelling narrative has saved time, built trust, and driven change. Storytelling, whether it’s an email or a detailed report, is about more than just data—it’s about providing perspective, influencing decisions, and ensuring your voice is heard. So, take the time to refine your “stories.” It’s not just a soft skill, but a critical one that can elevate your work to the next level. Maybe you have a time your writing improved your career, I’d love to hear about it!

As always thanks for reading!

Terryn Valikodath

Twitter: @CyberCoat

Mastodon: @ChocolateCoat@infosec.exchange

LinkedIn: terrynvalikodath

GitHub: https://github.com/chocolatecoat/

REFERENCES

• Chris Sanders’ Investigation Theory Course
• Chris Sanders’ Writing Course
• https://www.coursera.org/learn/the-art-of-storytelling-iese
• https://developers.google.com/tech-writing
• https://www.infosecinstitute.com/podcast/storytelling-in-cybersecurity-the-impact-of-a-great-story-cyber-work-podcast/
• https://annhandley.com/everybodywrites/
• https://www.thearcanelibrary.com/blogs/news/how-to-write-a-d-d-adventure-the-complete-guide