The Biggest Mistakes Made When Presenting Cyber Security to Senior Leadership or the Board, and How to Fix Them

The goal of communicating cyber security topics with senior
executives and boards is to help them understand the top cyber
security concerns, the impacts to the business and possible mitigation
approaches so they can establish priorities and allocate required
resources. With such a critical outcome, why is it that most who
present fail to achieve this goal?

It’s About Them, Not You

Most cyber security presentations to senior management and board
members continue to focus on technology and poorly relatable data
points that are of relevance only to IT security operations personnel
and no one else.

While technology is critically important to security personnel,
because that is what they focus all their work activities on, it isn’t
the focus of the board. Executives will not be interested in the
speeds and feeds that make IT’s lives easier – or nightmarish when
something doesn’t work – unless it relates to something leaders care about.

How to Fix

  1. Ask questions and ask for
    help before presenting to executives. Get to know the senior
    leadership team and tailor communications to focus on the
    information they need to make their decisions. Question if the
    information being shared is important to each of them.
  2. Specifically, ask before presenting what the top five situations
    senior leaders never want to see happen, and address those. Some
    examples could be, “I do not want the CEO’s email read by a
    competitor” or “We do not want our specialized product IP disclosed”
    or “We do not want an attacker to have the ability to use a business
    partner’s network connection to gain access to our environment”.
    Understand their top concerns and highlight how they are being
    addressed by existing security solutions, or how they need to be
    addressed if not currently mitigated.
  3. Understand the
    business issues the executive team cares most about today and what
    initiatives they plan to focus on for the next year. Is there a
    specific business activity, new product launch, merger, acquisition,
    partnership or any other top of mind activity or concern in process?
    Understand these initiatives and how cyber security can assist in
    achieving their goals more quickly or efficiently, or how it can
    open a new opportunity. This makes the time spent with them much
    more valuable.
  4. Understand each of their personalities, the
    typical questions they ask, what they like to know and in which
    manner they like to consume this information. Create a presentation
    that is respectful of their time by arranging content in a way that
    will make it easy for them to consume and understand, and from which
    they can make informed decisions. After, ask them if their needs
    have been met and what they would like presented or changed for next
    time.
  5. Be tactical and be a very strict and stern editor. If
    something will not be relevant and there is no strong reason for why
    it should be presented, then remove it.

Bottom Line: The key to having a successful presentation is to
remember that when presenting to any audience it is about them, not you.

Drop the Technobabble

Even with the constant invasion of technology in all aspects of our
daily lives, the reality remains that being familiar with operating a
smart phone or using two-factor authentication is a far cry from
understanding the technical aspects of cyber risks or the nuances and
subtleties behind a specific security issue.

Most in attendance in these cyber security presentations would love
to be more involved in the discussions because they do understand the
business, legal and operational impacts of cyber risks; however, many
are unable to because of the overuse of techno jargon by the presenter.

How to Fix

  1. When presenting to senior
    leaders or a board, eliminate all detailed mentions of technology.
    It might help to prepare some backup slides that do discuss these
    topics just in case the information is requested, but do not use
    them unless it is a specific request.
  2. Focus the message on
    abstracting the technical details into easy to understand concepts
    focused on business, operational and legal impacts. Instead of
    focusing on the technology feeds, speeds, uptime, downtime to Server
    X from a given cyber risk, abstract it to the workload impacts that
    could cause issues to a specific business process. It is worth
    repeating: focus on business process impacts and not technology
    process impacts. This change of focus is critical.
  3. Presenters should focus on the value of what they do, using
    terms the audience will easily understand. Analogies, simplified
    charts and dashboards are helpful. Use stories to relay the message
    and keep those stories succinct. This can be challenging. Presenters
    should ask, “What is the problem I need them to understand and how
    will it impact them?” and focus on the critical elements in that
    storyline. By doing so, they will build up credibility with the
    audience and they will be more receptive to the message.

Bottom Line: To be relevant to executives or boards, stop using
technobabble that is relevant to security personnel and no one else.

The Sky is Falling…Again!

Describing every cyber risk scenario using fear, uncertainty and
doubt has long been the most overused technique when presenting cyber
security risks to senior leaders and boards. The simple reality is
that it has completely lost its impact. How many times can anyone hear
the same headline over and over again before they eventually tune it
out? The same goes for senior leaders and boards. They are constantly
being told to be afraid in cyber security presentations, and most now
tune it out.

It is true that even with the best of protections something can and
will happen. Houses can be built to a strict building code using fire
retardant materials, have fire alarms and fire suppression systems,
and a fire can still break out and burn the house down. But that
doesn’t mean we should not build houses or that we should go overboard
with security measures to the point where we can’t live in the house.

Cyber risks exist all around us, so how do we strike a balance and
effectively communicate them?

How to Fix

  1. Stop using fear,
    uncertainty and doubt to pressure senior leaders and boards into
    action. These tactics do not work and only demonstrate laziness and
    a lack of understanding of the issue of interest to them.
  2. Discuss real risks impacting the organization instead of
    potential theoretical threats. Be rational and avoid hyperbole. Help
    leaders understand why certain risks are significantly lower or even
    highly improbable. There are many things that could happen in
    theory, but only a subset of them are relevant to the current
    environment. Help executives understand what has been put in place,
    and what the plans are for future updates or upgrades to mitigate
    risks.

Bottom Line: Stop scaring everyone into believing the sky is falling…again.

Too Many Threats

There is no perfect security posture that will defend an
organization against everything every time. There will always be
vulnerabilities and exposure of some sort, somewhere. Even the most
mature of organizations with the largest cyber security budgets and
most advanced technology deployments will run into issues. However,
highlighting all of them as current security concerns of equal
priority is unproductive.

How to Fix

  1. Senior leaders and boards
    must come to an understanding that perfect protection from every
    possible risk scenario is not a possible state. This may be more
    difficult to explain, but providing the context for cyber risk
    mitigation decisions is the role of cyber security during senior
    management and board presentations.
  2. Presentations must
    provide senior leaders and boards with the data they require to make
    informed decisions about which cyber risk scenarios will be a
    priority and which will not. There is no perfect protection, and
    some residual risks will have to be accepted. But what are those
    acceptable risks? This needs to be a business decision based on the
    various possible impacts. Some risks are more likely than others,
    some have higher impacts, some mitigations are more complex, while
    others are more expensive. Help decision makers by clearly
    explaining the options and highlighting the value of each, using
    language they will understand.
  3. Emphasize critical
    milestones and use graphics to communicate the message instead of
    text. Reduce the text in presentations to the absolute barest of
    minimums. If there is any text, move it to the talk track and use a
    picture or some other visual representation instead. The goal is to
    convey a message, not test executives on their ability to speed read
    lines of tiny text from a distance.

Bottom Line: It is critical to enable senior leaders and board
members to make rational informed decisions regarding risk management.

Lack of Consistency Over Time

Most senior management and board level presentations lack
consistency. Instead, presentations feel standalone and disconnected
and focus on the leading issue of the day, with a heavy emphasis on
technical information that is out of context and unconsumable to most
attendees. This makes it very difficult for the audience to understand
and relate to the information being discussed.

The senior leaders in these meetings have a limited amount of time
to consume content, and they will be asked to make decisions and
recommendations using the information being provided. The last thing
they want to do is waste valuable time trying to figure out the point
of a presentation or why something is critically important today when
they never heard about it before.

How to Fix

  1. Establish a consistent
    narrative and cadence to the presentation so that the audience
    becomes familiar with the elements being presented, the order they
    will be presented, and how they will be presented. The audience
    should never be surprised by how information will be presented, nor
    should they ever have to guess why what is being said is of
    importance to them.
  2. Always double check and triple check
    the information contained in the presentation, and make sure it is
    consistent with previous presentations. If 300 servers were
    mentioned in a previous presentation, but now a different number is
    being discussed, be ready to explain the difference before someone
    brings it up. Inconsistencies create doubt.
  3. Consider
    presentations as ongoing discussions that evolve over time, rather
    than individually encapsulated narratives that change each time.
    When presenting again, remind the leaders of their previous
    requests: “Last time you asked for additional clarification to
    understand x”. Highlight the elements under discussion in the
    context of the organization’s overall security posture, readiness
    and maturity.
  4. If something was important before, provide a
    progress report or highlight why it isn’t high priority any longer.
    Help the audience understand the story arc behind decision-making
    and how it is relevant to the overall organization.
  5. Focus
    on trending dashboards, changes over time and business process
    impacts. Use consistent imagery and diagrams. Can any audience
    easily understand a slide in 10 seconds or less, or does it need to
    be explained in order to be understandable? If it is the latter,
    start over.
  6. Highlight what is included in the appendix
    section, why it is there and where attendees can get additional
    information.

Bottom Line: There is nothing more damaging to credibility than
a lack of consistency over time.

Not Getting Something in Return

Most senior management and board presentations end with the
presenter asking, “Do you have any questions?” This is the wrong
approach. At this point, if the presenter has been following the
guidance offered in this post, they should have an engaged audience
that is interested in what they are doing.

Don’t waste this opportunity. Transition from presenter mode to
conversation mode. Senior executives and board members are the best
source for business relevant advice, guidance and insight. This is a
great opportunity to ask them questions and demonstrate that this is a
mutual discussion.

How to Fix

  1. Ask them if what was
    presented has impacted their view of the business risks, assess how
    the delivery of the information matched their expectations, and
    ensure they understood the key takeaways. Use this insight to
    improve future presentations.
  2. Ask them what their top
    priorities are for the next quarter or next year, and identify
    opportunities to become more relevant for future presentations.
  3. Ask how they can help you understand more of what is on their
    mind, perhaps by offering contacts or introductions to business
    leaders who can help expand your understanding of their point of
    view and key concerns.
  4. Ask them if they are on other boards
    or have leadership positions elsewhere, and what the top concerns
    are in those organizations. This will provide additional insights
    into what they are thinking about and could provide an opportunity
    to network with others outside of the organization in order to
    resolve challenging issues.
  5. This is also an opportunity to
    highlight any relevant concerns and how leadership would suggest
    addressing them. Put in a request to discuss funding, support for an
    initiative or guidance on a decision in the next meeting.

Bottom Line: Be reasonable and respectful. Don’t overdo it, but
remember that they have been provided valuable insights and it would
be a shame to not get something in return.

In Conclusion

The key to having successful senior leadership or board level
presentations comes down to these simple principles:

  • Remember that when
    presenting to any audience it is about them, not you.
  • To be
    relevant to senior executives or boards, stop using technobabble
    that is most relevant to IT operations, but no one else.
  • Stop scaring everyone into believing the sky is
    falling…again.
  • Help leaders make informed risk-management
    decisions by ensuring they have (and understand) all the necessary
    information.
  • There is nothing more damaging to credibility
    than a lack of consistency over time.
  • While the leaders are
    being provided valuable insights, it doesn’t mean a presenter cannot
    get something out of the meeting as well.

Technology is our safe zone. Speaking effectively with senior
executives and the board requires the development of new communication
skills. The good news is that each of the biggest mistakes can be
addressed. It only takes time and a consistent focus.

Don’t hesitate to reach out to a network, mentor or coach and ask
lots of questions. Be open to feedback even if it is frustrating, because
communicating the value of cyber security to leadership and the board
benefits all of us.
