TEISS guest blogger Gavin Millard, Technical Director at Tenable shares four tips about successfully getting your message across to the board!
The technology sector, and security specifically, can be a complicated minefield for those on the outside looking in, particularly because the language and terms used can easily cause confusion. To ‘normal’ people, talking about RCEs, IPsec, XSS and CSRF means nothing.
Then there are the terms that mean one thing in everyday language, but something totally different to the geeks in the room. For example, a ‘watering hole’ isn’t a favoured destination for wildebeest, ‘whaling’ doesn’t involve a net, a ‘container’ isn’t Tupperware used to store leftovers that never get eaten in the back of the fridge, and a ‘firewall’ is neither a fire nor a wall.
Security is a serious topic, and one that senior management care about, so it’s important that there’s no confusion or misunderstandings. IT and security teams need to translate from geek parlance to business dialect if they want to make the board listen and secure their support.
The Boardroom Conversation
When upper management talk to the sales team they’ll want to hear about conversion and close rates. With the marketing team it’s about customer acquisition costs. For finance it’s about EBITDA. All very different conversations with one key theme – they’re all metrics driven. Security must be the same.
The most effective security professionals will be those who can translate the technology and correlate security controls to a metrics-driven conversation. Metrics are the Rosetta Stone of cross-function conversation.
Here are four key considerations when determining which metrics to use and how to display them to grab the board’s attention and keep it:
Information that is tracked and exchanged over time. For example, when a big vulnerability hits, like WannaCry last year, which exploited a published vulnerability, a demonstrable metric would be the time taken to patch against it. This will highlight how long the company is exposed and therefore at risk of compromise.
Is it 15 days, 30 days, 60 days or even longer? How can this be reduced and, if investment is needed, what will the return be?
Being able to demonstrate to the board that the time-lapse between a major vulnerability being published and all systems being patched has improved will not only show ROI, but offer reassurance that the company’s risk is being reduced.
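The time-to-patch metric described above, turned into a small calculation that a security team could run over its own patch records. This is an added example and not part of the original article or any Tenable product; the advisory date, hostnames and patch dates are constructed sample data, and the 15/30/60-day buckets are the thresholds the article itself asks about.

```python
from datetime import date
from statistics import median

# Constructed placeholder: the date the vulnerability was publicly disclosed.
ADVISORY_PUBLISHED = date(2024, 3, 1)

# Constructed placeholder: the date the report is being prepared for the board.
AS_OF = date(2024, 6, 1)

# Constructed patch records: host -> date the fix was confirmed installed
# (None means the host is still unpatched as of the reporting date).
PATCH_RECORDS = {
    "web-01": date(2024, 3, 9),
    "web-02": date(2024, 3, 12),
    "db-01": date(2024, 4, 20),
    "file-01": date(2024, 5, 15),
    "legacy-01": None,
}

# Exposure windows the board is asked to reason about, in days.
THRESHOLDS = (15, 30, 60)


def days_exposed(published, patched, as_of):
    """Days a host was (or still is) exposed after the advisory went public."""
    end = patched if patched is not None else as_of
    return (end - published).days


def patch_metrics(published, records, as_of):
    """Summarise exposure across the estate as a handful of board-level numbers."""
    exposures = {host: days_exposed(published, p, as_of) for host, p in records.items()}
    patched_days = [d for host, d in exposures.items() if records[host] is not None]
    total = len(records)

    # Share of the estate patched within each threshold; unpatched hosts never count.
    coverage = {}
    for limit in THRESHOLDS:
        within = sum(
            1 for host, d in exposures.items()
            if records[host] is not None and d <= limit
        )
        coverage[limit] = round(100 * within / total, 1)

    return {
        "assets": total,
        "unpatched": total - len(patched_days),
        "median_days_to_patch": median(patched_days) if patched_days else None,
        "worst_case_days": max(exposures.values()),
        "pct_patched_within": coverage,
    }


if __name__ == "__main__":
    summary = patch_metrics(ADVISORY_PUBLISHED, PATCH_RECORDS, AS_OF)
    print(f"{summary['assets']} assets, {summary['unpatched']} still unpatched")
    print(f"median days to patch: {summary['median_days_to_patch']}")
    print(f"longest exposure so far: {summary['worst_case_days']} days")
    for limit, pct in summary["pct_patched_within"].items():
        print(f"patched within {limit} days: {pct}%")
```

The worst-case figure keeps growing for any host that remains unpatched, which is exactly the number that makes the exposure visible to a board; running the same calculation against the next major advisory and showing the median and the 30-day coverage side by side is what turns a single snapshot into the trend the article recommends presenting.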
Defensible yet Sensible
When presenting to management it’s important to only have the simplest, most important information on the screen – the things you want to talk about to keep the conversation focused.
A good question to ask yourself is, “What is the intended outcome of showing a particular piece of data?” If you don’t know or are just including it to fill the screen, remove it. The best board-level presentations are those that only show a handful of metrics, each one selected to drive the conversation in a direction of improvement or required investment.
Any data you’re representing needs to be elegant, simple and precise. It’s important to think about how you’re communicating this data. Is a spreadsheet the right format? Probably not, as everyone hates them, and we’ve all heard the phrase ‘death by PowerPoint’.
Instead, consider a format that clearly demonstrates the point you’re conveying and make it compelling, eye-catching and simple – such as an infographic. A final tip is to make sure that anyone can look at it and understand the point being made: is it clear to the average person on the street?
Comprehension, not Education
Not everyone around the table will be a security expert, so don’t use terms only the security or IT team will understand – you’re not trying to teach them to speak geek. Also consider whether the terminology used could be misinterpreted. As in the opening paragraph, don’t risk someone in the room thinking you’re talking about plastic boxes when it’s actually a development platform being discussed.
Instead, focus on making sure that everyone can understand what is being discussed and all are aligned on what the next step is. With understanding comes the opportunity for actual communication between the board and security experts.
In summary, speak to the board in metrics, but focus on those that are quantifiable and don’t overdo the geek speak. The board don’t need to be security experts – that’s your role. You just need to make sure they understand what you need, why you need it and what it will deliver for the organisation.
With his colleague, Jack Daniel, Gavin is presenting a session on this topic as part of Infosecurity Europe's Strategy Talks: Walking the Fine Line Between Corporate Bull & Practitioner Pedantry – Tuesday 5 June 16:00 - 16:25