We can all agree that translating value up to leadership is a daunting task (and usually is the bane of our existence when our plates are already full with day-to-day work). Even more challenging is the task of successfully obtaining approval for increased budget or a specific tool. I had the pleasure of attending SecureWorld here in Seattle earlier this month where I heard Annie Searle address this very topic in her presentation on “How to Translate Value to Leadership”. This post will summarize Searle’s presentation by outlining:
- The current situation in cybersecurity
- Insight into leadership’s (CEO and Board member) priorities
- How to successfully prepare and deliver your pitch
- A few quick tips
As many of you are aware, there was a groundbreaking precedent set when the FTC effectually sued Wyndham Hotels for a breach back in 2008/2009. This was a clear message that companies are liable and responsible for maintaining effective security practices to ensure privacy of customer information. Interestingly enough, around 50% of boards are familiar with this lawsuit (according to Searle’s presentation) and 90% of consumers believe businesses should be held liable for these breaches. Therefore, by assuming liability, companies have been empowered to improve their security. Finally, Searle referred to Andrew McAfee’s mantra from “Mastering the Three Worlds of IT” (Harvard Business Review, 2006): Do not look at tools as technology implementations, but rather as periods of organizational change they have to manage to ensure the long-term exploitation of the technology.
Before groups or individuals can persuade leadership, they must have an in-depth understanding of leadership’s priorities and align their presentation with what leadership defines as valuable. With this in mind, Searle summarized the major concerns of the CEO and the questions the Board of Directors considers during presentations:
Life of a CEO:
- Mitigating financial risk (which is always present)
- Managing the Board of Directors
- Staying on top of new regulations
- Communicating with fellow executives in meetings that often involve communicating unpleasant information
Questions the Board considers during presentations:
- How is the quality of information they are receiving?
- Are there good explanations of findings and gaps?
- Is there too much confidence in the C-Suite?
- What issues are not already on the C-Suite’s radar?
As you are well aware, C-Suites have limited time to dig into documentation. Therefore, it is recommended that you summarize the most potent information on one page in an executive summary format. Below is the format of Searle’s executive summary method that she has employed several times with success:
- High level description of problem in your particular industry
- Steps already taken by your company
- Gaps that remain
- Likelihood and probability of impacts if nothing is done
- Minimum requirements to prevent financial loss
- Optimum solution
- Cost and timeline for minimum response
- Cost and timeline for optimum response
- Commitment of advocacy time from C-Suite
In order to provide more context, here are a few quick tips mentioned during this talk to help increase the probability of an effective pitch, document and presentation:
- Minimize or exclude any technical jargon (write in plain English)
- Name the document an “executive summary”
- Ensure symmetry by writing a beginning, middle and end
- Use a tone which is not overly dramatic (do not cry wolf), but also doesn’t underestimate the complexity of the issues
- Send the document to parties prior to the meeting
- Post meeting, send a summary of your discussion with next steps
- If possible, leverage as much external support as you can prior to the meeting
Hopefully this provides your team with a strategy for quick wins at the C-level. If you are interested in some other interesting material on how to persuade leadership in the security space, I also recommend Charles Herring’s presentation from GrrCON (Process: The Salvation of Incident Response). A big thanks to Annie Searle on her presentation at SecureWorld for her engaging and valuable talk! Searle is the Principal at Annie Searle & Associates LLC and a part-time lecturer at the University of Washington’s school of information.