Why Shared Storytelling Is Key for a Strong Cybersecurity Community

How a single-day event inspired a group of infosec pros to write about their experiences.

Mick Baccio

Mick is a former CISO, current security advisor, and co-editor of Bluenomicon: The Network Defender’s Compendium. 

In 2022, Splunk’s security research team SURGe hosted a community event, called Splunk Insider Minicon. SIM was a one-day cybersecurity conference before .conf, filled with talks by some incredibly talented infosec professionals, such as Nina Alli, Joe Slowik and Jon DiMaggio. Regretfully, we weren’t able to record or stream this event, but the number of requests and follow-ups refreshed an earlier idea of creating something more permanent. Something that could be shared.

So here’s the story of that effort — what became a collection of stories. And, hopefully, how it’s an example of making cybersecurity a better community for us all.

“Hey, we should jot that down.”

I heard variations of this phrase over and over in my computer network operations career. What will likely not surprise you is that acquired knowledge is rarely written down. Standard operating procedures (SOPs) and documentation often share an adversarial relationship with blue teamers — paper threat actors, as it were. Yet, this same blue team audience is filled with voracious readers who constantly seek out new information and learning experiences. Hosting SIM was the catalyst to creating a book filled with tacit knowledge from the blue team community.

And we did just that in “Bluenomicon,” a collection of essays from infosec luminaries, broken into three topical sections. Leadership tips from people like Wendy Nather, Rick Holland and Sherrod DeGrippo. Technical tips that will help you raise your skills as a network defender. And the last section of Bluenomicon is filled with DFIR tales from network defenders who have “walked the walk.” It also includes origin stories from the creators of the Pyramid of Pain, the Diamond Model and the Cyber Kill Chain, if you’re into that sort of thing.

However, as we got deeper into the weeds of this collaboration, it became clear that we were also — perhaps unwittingly — following a process mapped out by a tried-and-true thought model known as SECI, often used as a vehicle for knowledge creation and transfer.

Bluenomicon had become one of its real-world applications.

Bringing SECI back

SECI (socialization, externalization, combination and internalization) is a cognitive thought model, developed by Ikujiro Nonaka and Hirotaka Takeuchi in the 1990s. The model, which emerged from their research on how organizations foster innovation and generate new knowledge, is designed to understand and facilitate knowledge creation and transfer within organizations.

Nonaka and Takeuchi recognized the significance of tacit and explicit knowledge in the process of organizational learning, and aimed to provide a framework that explains how knowledge is shared, transformed and internalized within a collective setting. The SECI model emphasizes the dynamic nature of knowledge creation and the role of interactions, collaboration and documentation.

By delineating the stages of knowledge conversion, the SECI model helps organizations harness the power of knowledge and drive innovation. It highlights the importance of both tacit and explicit knowledge, as well as the need for social interaction, articulation, integration and individual understanding.

“Bluenomicon” was one way our security community brought this model to life.

Building community is the ROI

Throughout the creation of Bluenomicon, I have come to appreciate the importance of tacit and explicit knowledge specifically in the realm of network defense. Tacit knowledge refers to personal, subjective knowledge that is difficult to articulate or transfer directly. It includes the shortcuts, the small acts of digital wizardry that we’ve learned through hands-on-keyboard time. Explicit knowledge, on the other hand, is codified and can easily be communicated and shared — yes, this means the documentation and SOPs we all love to hate.

In the context of the SECI model, tacit knowledge plays a significant role in the socialization stage. It is during interactions, discussions, and collaborations with fellow blue teamers that tacit knowledge is shared and exchanged. This socialization process fosters a deeper understanding of shared experiences and community insights, turning tacit knowledge into explicit knowledge. It does take a village.

Explicit knowledge is crucial in the externalization, combination, and internalization stages within the SECI model. Externalization involves transforming tacit knowledge into explicit forms, such as written essays and articles. The contributors to “Bluenomicon” shared their tacit knowledge, which was then externalized and made explicit through their written contributions. This externalization process allowed for the codification and documentation of their expertise, making it accessible to anyone who downloads it.

The combination stage of the SECI model involves integrating explicit knowledge from various sources. In the case of “Bluenomicon,” we combined the essays and insights provided by different contributors to create a comprehensive body of knowledge. Combining that explicit knowledge created something new.

Finally, the internalization stage of the SECI model refers to the process by which individuals acquire and apply explicit knowledge for their understanding and use. I hope that when readers engage with the book, they internalize the explicit knowledge presented within its pages, gaining insights and expanding their understanding of network defense.

The circle of life learning

I’ve been lucky enough to have friends and colleagues in the cybersecurity community become subject matter experts in the most challenging technical areas, develop widely adopted frameworks and also rise to leadership positions. They all (not shockingly) note that a career in cybersecurity requires dedication to learning, and most in the community share a common desire to see others excel. Sharing knowledge and experiences builds our resilience, and prepares us for the challenges we regularly face in this field.

I am hopeful the explicit knowledge we’ve created in “Bluenomicon” will be combined with the tacit knowledge of readers, creating new explicit knowledge that can be shared with the world.

Get your digital copy of the book here.
