Practical Security Solutions
By Ron Collette & Mike Gentile
ron@cisohandbook.com, mike@cisohandbook.com
“They just don’t understand!” Have you ever found yourself muttering these words after an encounter with Executive Management? Don’t blame them; they are no different than any other security neophyte in the organization. Keep in mind that your statement is accurate: they do not understand, but it is your failure to communicate effectively that has led to this problem.
Don’t feel bad, we have all done it and will probably do it again. The key to discussing security with executive management is threefold: understand them, understand your mistakes, and develop tactics that create useful communication. Let’s start with understanding executive management.
Understanding the Target Audience
Executive management differs from just about every other group within an organization. Though they are all individuals, they still often share many of the same characteristics. The first of these is that they are usually skeptical. They will often cross-check every statement and number in an attempt to ensure the integrity of what is presented. This is because the information they see is commonly used in making future decisions, which drives a need to ensure its validity. Another factor that breeds skepticism is that executive management is often the center of corporate politics.
Their proximity to this political epicenter usually results in data having more than one use or meaning. In this alternative reality, the information that they receive is generally skewed to support a specific agenda. Think about it, this type of environment would instill a healthy dose of skepticism or paranoia in anyone. Not only are they skeptical, but like every subculture within an organization, they possess their own motives and agenda.
Never forget that the corporate executive is a political animal by nature, meaning that each and every one of them has their own agenda and motivations supporting each decision that they make. This is relevant to the security professional in that information, arguments, and propositions need to consider the agenda of the executive that is being addressed. Next in our discussion is the lofty altitude that most executives favor.
Executive management is concerned about running the whole company. That equates to a view that is generally at a very high level, favoring a macro versus micro perspective on the organization. The inclusion of detailed data can only bring despair and doom upon your program. Keep that in mind for your next conversation.
All of these factors combined equate to a unique language that is rarely spoken by anyone other than executives who reside on mahogany row. Congratulations! You are now one step closer to effectively communicating with executive management. With a cursory understanding of this language, you’ll be far more attuned to delivering messages that resonate. But, what about past mistakes when attempting this amazing feat?
Past Mistakes:
“Those who cannot remember the past are condemned to repeat it.”
George Santayana
Everyone has gotten torn up in an encounter with executives... everyone. There are many reasons why we’ve been torched, but we’ll stick to the most common. The first is “Talking Techie.”
For the most part, information security professionals can trace their roots to the technical fields. This is a place where status and respect were gained through the development and display of one’s technical prowess. In those days, you could talk your way out of anything by impressing the other guys with “Talking Techie.” Among other technicians this can be effective. With executives this is the “OFF” button. This approach only creates confusion and relegates the speaker to the level of an auto mechanic in the eyes of the audience. Don’t get caught resorting to the comfort zone of technical nomenclature; address the audience in their language: Business.
The language of business for executive management is not necessarily numbers. Most of them are concerned with the same concepts as you, namely risk management. The risk elements that interest them are related to the profitability and continued viability of the organization. Therefore, an amateurish discussion of finance in an attempt to “impress” them with your business acumen is futile. You can’t compete with this crowd on their turf, and finance is their turf. Risk management is your expertise… use it. Convert the security risks that have been identified within the organization into elements that can affect the profitability and continued viability of the organization. For example, raising the impact of a regulatory compliance failure and its relationship to the profitability of the organization will address both security and business concerns. Successfully communicating that information will gain the interest of the audience. The items above are the most common mistakes; listed below are some others that may be applicable to your situation:
· Attempting to address micro versus macro issues
· Verbosity – Unable to make your point succinctly.
· Assuming the audience is interested in security
· Assuming the audience has an understanding of security
· Assuming security is only based on technology
Hopefully, this section has helped you review and assess your past performances with executives and identify failed tactics. We’re getting closer. We’ve addressed the target audience and common mistakes when addressing them. Now, we’re moving to the final section: developing an effective communication strategy through the discussion of concepts and techniques.
Tactics
Based on the two prior sections, it should be easy to develop some tactics to improve our communication with management. We’ll make it short and simple:
Rule #1
Speak in their language, not yours.
Rule #2
All materials should be as “absolute” as possible; meaning that it should be very difficult to attribute a political motive to the information.
Rule #3
Base the conversation on Risk Management. If they wish to change the conversation to one of finance, keep raising the issue of risk.
Rule #4
If you have to present technical information, present it in the form of an analogy. That will act as a translator so that everyone can understand the conversation.
We hope that this small primer will aid you in future conversations with executive management. Please keep in mind that there are no foolproof formulas for communicating. What is important is the development of an analysis process to refine these communications until success is achieved. Our hope is that this article has provided some tips and concepts that will help you develop and evolve communication within your specific situation.