Security Storytelling: How to Make Engineers Care
Security has a branding problem.
To a lot of engineers, it shows up as tickets with no context, policies that feel like speed bumps, or a Slack message that just says “can we talk about this risk?” Nothing kills momentum faster than that.
But here’s the thing. Most engineers do care. They just care about different things. Reliability. Performance. Shipping without breaking prod. If security doesn’t connect to those priorities, it gets mentally filed under “someone else’s problem”.
This is where storytelling comes in.
Why storytelling matters in security
Raising risks is easy. Getting people to act on them is the hard bit.
If you can’t explain why something matters, it will never be fixed properly. It might get a temporary plaster, or worse, it will be ignored until it turns into an incident with a name and a post-mortem.
Storytelling is an essential tool in the security belt. Not because engineers need dumbing down, but because humans understand stories far better than CVSS scores and policy IDs.
A good story answers the questions engineers are already asking in their heads:
What breaks if this goes wrong?
How likely is that actually?
Why should I care right now?
Speak developer, not security
One of my favourite parts of security work is translating risk into a language engineers already speak.
Metaphors and analogies are gold here.
Instead of “this storage account is publicly accessible”, try “it’s a staff-only door that anyone can push if they try”.
Instead of “we don’t really log or monitor this”, try “it’s a shop with a till but no one ever counts the cash”.
You’re not being flippant. You’re anchoring abstract risk to something concrete.
When security feels relatable, it feels actionable.
Make the boring stuff interesting
Let’s be honest. A lot of security topics sound dull on paper. Logs. Alerts. Training completion rates. Nobody wakes up excited for a pie chart about MFA.
That doesn’t mean they have to be boring.
At the end of last year, I put together a “Security Wrapped” presentation, Spotify-style, for a company town hall. Year-in-review stats, trends, and yes, a few jokes.
Things like:
How many phishing emails we blocked
Our most targeted departments
The company’s favourite character from security awareness training
The feedback surprised even me. People laughed. They stayed engaged. And several said some version of “I had no idea you were doing this much”.
That’s the power of storytelling. It turns invisible work into something people can see and appreciate.
Stories build trust, not just awareness
Good security storytelling isn’t about fear. It’s about trust.
When engineers understand the why, they’re far more likely to build security in from the start instead of bolting it on later under protest.
They start coming to you earlier. Asking better questions. Flagging things before they become incidents.
That only happens when security feels like a partner, not a gatekeeper.