The Biggest Mistakes Made When Presenting Cyber Security to Senior Leadership or the Board, and How to Fix Them

The goal of communicating cyber security topics with senior
executives and boards is to help them understand the top cyber
security concerns, the impacts to the business and possible mitigation
approaches so they can establish priorities and allocate required
resources. With such a critical outcome, why is it that most who
present fail to achieve this goal?
It’s About Them, Not You
Most cyber security presentations to senior management and board
members continue to focus on technology and poorly relatable data
points that are of relevance only to IT security operations personnel
and no one else.
While technology is critically important to security personnel,
because that is what they focus all their work activities on, it isn’t
the focus of the board. Executives will not be interested in the
speeds and feeds that make IT’s lives easier – or nightmarish when
something doesn’t work – unless it relates to something leaders care about.
How to Fix
- Ask questions and ask for help before presenting to executives. Get to know the senior
leadership team and tailor communications to focus on the information they need to make
their decisions. Question if the information being shared is important to each of them.
- Specifically, ask before presenting what the top five situations senior leaders never
want to see happen, and address those. Some examples could be, “I do not want the CEO’s
email read by a competitor” or “We do not want our specialized product IP disclosed” or
“We do not want an attacker to have the ability to use a business partner’s network
connection to gain access to our environment”. Understand their top concerns and highlight
how they are being addressed by existing security solutions, or how they need to be
addressed if not currently mitigated.
- Understand the business issues the executive team cares most about today and what
initiatives they plan to focus on for the next year. Is there a specific business
activity, new product launch, merger, acquisition, partnership or any other top-of-mind
activity or concern in process? Understand these initiatives and how cyber security can
assist in achieving their goals more quickly or efficiently, or how it can open a new
opportunity. This makes the time spent with them much more valuable.
- Understand each of their personalities, the typical questions they ask, what they like
to know and in which manner they like to consume this information. Create a presentation
that is respectful of their time by arranging content in a way that will make it easy for
them to consume and understand, and from which they can make informed decisions. After,
ask them if their needs have been met and what they would like presented or changed for
next time.
- Be tactical and be a very strict and stern editor. If something will not be relevant
and there is no strong reason for why it should be presented, then remove it.
Bottom Line: The key to having a successful presentation is to
remember that when presenting to any audience it is about them, not you.
Drop the Technobabble
Even with the constant invasion of technology in all aspects of our
daily lives, the reality remains that being familiar with operating a
smart phone or using two-factor authentication is a far cry from
understanding the technical aspects of cyber risks or the nuances and
subtleties behind a specific security issue.
Most in attendance in these cyber security presentations would love
to be more involved in the discussions because they do understand the
business, legal and operational impacts of cyber risks; however, many
are unable to because of the overuse of techno jargon by the presenter.
How to Fix
- When presenting to senior leaders or a board, eliminate all detailed mentions of
technology. It might help to prepare some backup slides that do discuss these topics just
in case the information is requested, but do not use them unless it is a specific request.
- Focus the message on abstracting the technical details into easy-to-understand concepts
focused on business, operational and legal impacts. Instead of focusing on the technology
feeds, speeds, uptime, downtime to Server X from a given cyber risk, abstract it to the
workload impacts that could cause issues to a specific business process. It is worth
repeating: focus on business process impacts and not technology process impacts. This
change of focus is critical.
- Presenters should focus on the value of what they do, using terms the audience will
easily understand. Analogies, simplified charts and dashboards are helpful. Use stories to
relay the message and keep those stories succinct. This can be challenging. Presenters
should ask, “What is the problem I need them to understand and how will it impact them?”
and focus on the critical elements in that storyline. By doing so, they will build up
credibility with the audience and they will be more receptive to the message.
Bottom Line: To be relevant to executives or boards, stop using
technobabble that is relevant to security personnel and no one else.
The Sky is Falling…Again!
Describing every cyber risk scenario using fear, uncertainty and
doubt has long been the most overused technique when presenting cyber
security risks to senior leaders and boards. The simple reality is
that it has completely lost its impact. How many times can anyone hear
the same headline over and over again before they eventually tune it
out? The same goes for senior leaders and boards. They are constantly
being told to be afraid in cyber security presentations, and most now
tune it out.
It is true that even with the best of protections something can and
will happen. Houses can be built to a strict building code using fire
retardant materials, have fire alarms and fire suppression systems,
and a fire can still break out and burn the house down. But that
doesn’t mean we should not build houses or that we should go overboard
with security measures to the point where we can’t live in the house.
Cyber risks exist all around us, so how do we strike a balance and
effectively communicate them?
How to Fix
- Stop using fear, uncertainty and doubt to pressure senior leaders and boards into
action. These tactics do not work and only demonstrate laziness and a lack of
understanding of the issue of interest to them.
- Discuss real risks impacting the organization instead of potential theoretical threats.
Be rational and avoid hyperbole. Help leaders understand why certain risks are
significantly lower or even highly improbable. There are many things that could happen in
theory, but only a subset of them are relevant to the current environment. Help executives
understand what has been put in place, and what the plans are for future updates or
upgrades to mitigate risks.
Bottom Line: Stop scaring everyone into believing the sky is falling…again.
Too Many Threats
There is no perfect security posture that will defend an
organization against everything every time. There will always be
vulnerabilities and exposure of some sort, somewhere. Even the most
mature of organizations with the largest cyber security budgets and
most advanced technology deployments will run into issues. However,
highlighting all of them as current security concerns of equal
priority is unproductive.
How to Fix
- Senior leaders and boards must come to an understanding that perfect protection from
every possible risk scenario is not a possible state. This may be more difficult to
explain, but providing the context for cyber risk mitigation decisions is the role of
cyber security during senior management and board presentations.
- Presentations must provide senior leaders and boards with the data they require to make
informed decisions about which cyber risk scenarios will be a priority and which will not.
There is no perfect protection, and some residual risks will have to be accepted. But what
are those acceptable risks? This needs to be a business decision based on the various
possible impacts. Some risks are more likely than others, some have higher impacts, some
mitigations are more complex, while others are more expensive. Help decision makers by
clearly explaining the options and highlighting the value of each, using language they
will understand.
- Emphasize critical milestones and use graphics to communicate the message instead of
text. Reduce the text in presentations to the absolute barest of minimums. If there is
any text, move it to the talk track and use a picture or some other visual representation
instead. The goal is to convey a message, not test executives on their ability to speed
read lines of tiny text from a distance.
Bottom Line: It is critical to enable senior leaders and board
members to make rational informed decisions regarding risk management.
Lack of Consistency Over Time
Most senior management and board level presentations lack
consistency. Instead, presentations feel standalone and disconnected
and focus on the leading issue of the day, with a heavy emphasis on
technical information that is out of context and unconsumable to most
attendees. This makes it very difficult for the audience to understand
and relate to the information being discussed.
The senior leaders in these meetings have a limited amount of time
to consume content, and they will be asked to make decisions and
recommendations using the information being provided. The last thing
they want to do is waste valuable time trying to figure out the point
of a presentation or why something is critically important today when
they never heard about it before.
How to Fix
- Establish a consistent narrative and cadence to the presentation so that the audience
becomes familiar with the elements being presented, the order they will be presented, and
how they will be presented. The audience should never be surprised by how information will
be presented, nor should they ever have to guess why what is being said is of importance
to them.
- Always double check and triple check the information contained in the presentation, and
make sure it is consistent with previous presentations. If 300 servers were mentioned in a
previous presentation, but now a different number is being discussed, be ready to explain
the difference before someone brings it up. Inconsistencies create doubt.
- Consider presentations as ongoing discussions that evolve over time, rather than
individually encapsulated narratives that change each time. When presenting again, remind
the leaders of their previous requests: “Last time you asked for additional clarification
to understand x”. Highlight the elements under discussion in the context of the
organization’s overall security posture, readiness and maturity.
- If something was important before, provide a progress report or highlight why it isn’t
high priority any longer. Help the audience understand the story arc behind
decision-making and how it is relevant to the overall organization.
- Focus on trending dashboards, changes over time and business process impacts. Use
consistent imagery and diagrams. Can any audience easily understand a slide in 10 seconds
or less, or does it need to be explained in order to be understandable? If it is the
latter, start over.
- Highlight what is included in the appendix section, why it is there and where attendees
can get additional information.
Bottom Line: There is nothing more damaging to credibility than
a lack of consistency over time.
Not Getting Something in Return
Most senior management and board presentations end with the
presenter asking, “Do you have any questions?”. This is the wrong
approach. At this point, if the presenter has been following the
guidance offered in this post, they should have an engaged audience
that is interested in what they are doing.
Don’t waste this opportunity. Transition from presenter mode to
conversation mode. Senior executives and board members are the best
source for business relevant advice, guidance and insight. This is a
great opportunity to ask them questions and demonstrate that this is a
mutual discussion.
How to Fix
- Ask them if what was presented has impacted their view of the business risks, assess how
the delivery of the information matched their expectations, and ensure they understood
the key takeaways. Use this insight to improve future presentations.
- Ask them what their top priorities are for the next quarter or next year, and identify
opportunities to become more relevant for future presentations.
- Ask how they can help you understand more of what is on their mind, perhaps by offering
contacts or introductions to business leaders who can help expand your understanding of
their point of view and key concerns.
- Ask them if they are on other boards or have leadership positions elsewhere, and what
the top concerns are in those organizations. This will provide additional insights into
what they are thinking about and could provide an opportunity to network with others
outside of the organization in order to resolve challenging issues.
- This is also an opportunity to highlight any relevant concerns and how leadership would
suggest addressing them. Put in a request to discuss funding, support for an initiative
or guidance on a decision in the next meeting.
Bottom Line: Be reasonable and respectful. Don’t overdo it, but
remember that they have been provided valuable insights and it would
be a shame to not get something in return.
In Conclusion
The key to having successful senior leadership or board level
presentations comes down to these simple principles:
- Remember that when presenting to any audience it is about them, not you.
- To be relevant to senior executives or boards, stop using technobabble that is most
relevant to IT operations, but no one else.
- Stop scaring everyone into believing the sky is falling…again.
- Help leaders make informed risk-management decisions by ensuring they have (and
understand) all the necessary information.
- There is nothing more damaging to credibility than a lack of consistency over time.
- While the leaders are being provided valuable insights, it doesn’t mean a presenter
cannot get something out of the meeting as well.
Technology is our safe zone. Speaking effectively with senior
executives and the board requires the development of new communication
skills. The good news is that each of the biggest mistakes can be
addressed. It only takes time and a consistent focus.
Don’t hesitate to reach out to a network, mentor or coach and ask
lots of questions. Be open to feedback even if it is frustrating, because
communicating the value of cyber security to leadership and the board
benefits all of us.