“Yes, And…”: Improv Principles Applied to Cybersecurity


As seen in Network Monitoring Best Practices

A number of years ago, I taught Chicago-style improv to salespeople.

I did this for a few reasons. One, it was fun, and I enjoyed it immensely. Second – and probably more importantly – the core improv tenet of “yes, and” fundamentally shaped how I approach all business endeavors, and it has paid off. Literally, the single most effective sales skill, providing the highest ROI, that I have ever learned. Most recently, this has been especially salient when I talk to people about how to approach evaluating and selecting cybersecurity technologies.

Improv Principals Applied to Cybersecurity

A Lesson on “Yes, And”

First things first: a brief explanation of what “yes, and” means for those who might not be familiar with improv. When you are performing improv, you are constantly feeding off each individual actor in the scene, always working together. This means whenever somebody says anything, your first job is to immediately accept what they’ve said as canon (the “yes”). If someone says the sky is purple, for instance, and your reply back is, “No, it’s not. It’s blue,” the scene has nowhere to go and dies. Your partner has just created a world where the sky is purple, and now you’re there because the next step requires you to then help build that reality further (the “and”). “Yes, the sky is purple,” you can say, “and the grass is red. I can’t believe what a great alien planet we have landed on!” Now you have helped shape the world you’re in and helped your partner know where to take the scene.

Accept your reality as it is, not as you wish it to be, then add more to it. That is the heart of improv. So, what does all of this have to do with cybersecurity technologies?

The Cybersecurity Threat Landscape

Over the last few years, the threat landscape has shifted dramatically. Just a few examples of this include:

  • Wider attack surfaces from remote and hybrid work, leaving networks more dispersed and harder to secure
  • More motivated threat actors who demand bigger and bigger payouts from their victims
  • Increased sophistication of attacks from threat actors who are well-funded, can find better ways to obfuscate their misdeeds, and even have “as-a-service” offerings such as Ransomware-as-a-Service (RaaS) where dark web denizens can simply pay threat actors to deploy attacks for them, meaning the attacks are coming more frequently, are more severe, and are harder to find

Sounds bad? You’re right. It’s bad. Network and security teams are left to fight a constant uphill battle to protect our networks and data while also facing budget restraints and a chronic, industry-wide cybersecurity staffing shortage. The pressures on these teams cannot be overstated: just one mistake can lead to the entire organization going down.

Alert Fatigue

One of the biggest challenges cybersecurity teams face is known as “alert fatigue.” This is when cybersecurity teams are flooded with so many alerts they cannot respond appropriately to all of them, leading to high-stress levels in trying to triage the alerts, as well as an inability to appropriately respond to all of them. Alert fatigue is one of the most-cited reasons cybersecurity professionals are quitting the industry in droves. Yet it is a symptom of a larger problem: security professionals have not been applying improv fundamentals in their security selection processes.

Organizations and security professionals have – understandably – been busy adding security technology after security technology to their stacks. For every new type of attack or way in (i.e., “threat vector”), a cybersecurity company produces a new technology to solve it after the fact, and it’s added to the pile. Many of these technologies can’t effectively communicate with each other and resulting in duplicate alerts for those already-strapped teams to babysit. This is an unsustainable way to continue even if it were working, but the hard truth is that it is simply not.

Defining Your Reality

Remember the first part of “yes, and”? Acknowledge the reality as it is, not as you want it to be. The threat landscape is constantly shifting, and we must not only accept that, but adapt to it. That doesn’t mean to haphazardly throw more technologies at the problem you see, but rather to see how the tech is – or isn’t – working to solve the problem at hand.

When we evaluate a security technology, whether we have deployed it or not, here are some of the fundamental questions to ask first that define your reality:

  • Does the technology solve a threat or attack vector as it promised?
  • How much bandwidth does it need to operate?
  • How many hours of my team member’s time will it take to manage, update, and monitor?
  • Where does the technology sit? Is it in the identify/protect (“left of boom”) stage or the “respond/recover” (“right of boom”) stage?

These are all fundamental, yet reality-defining, questions that will shape your understanding of what the technology achieves and its impacts on your team.

Unfortunately, that’s where most technology evaluations tend to stop, missing the critical “and” step. We can’t just be interested in what the reality is, we must also be interested in where the reality is going and how it adds to the ecosystem. Budgets are tighter every day, and we can no longer afford to invest in or keep security technologies that don’t “and.”

To do this, you have to ask some more questions about what else the technology does. These are questions such as:

  • Does this technology improve other technologies in the security stack?
  • Does this technology communicate easily with other technologies to mitigate redundant alerts?
  • Does this technology automatically update?
  • How does this technology leverage cyber intelligence? And how much can it leverage as more becomes available?
  • How does the technology scale in a constantly shifting threat landscape with more and more encrypted traffic and clever threat actors?

Final Thoughts on Improv(ing) Cybersecurity

Any security technology should do what it promises, of course. What I would argue, however, is that isn’t enough anymore. If your partner in an improv scene says the sky is purple, simply agreeing with the statement isn’t enough to keep the scene going. This is certainly better than a “no,” but not by all that much. The same is true in cybersecurity.

As we evaluate our technologies and security postures, the time is now to ask them, “Yes…and?”