
Bill Lisse - Communicating Security Across the C-Suite


Page 1

Communicating Security Across the C-Suite

RISK. VALUE. METRICS.

Bill Lisse

Page 2

"I need staff and I need more money to do my job properly. Executives don't get it! They tell me they want the systems and the company to be ‘secure’ but don't want to listen."

Executives and Security DO work toward the same goal: "Securing the business". They differ in focus, interests, beliefs, perspectives, ways of working, and language.

It should surprise no one that executives and security teams communicate poorly, and that both sides are frustrated.

"Sorry, I don't understand what you are saying. Are you speaking Business?"

Page 3

“Every decision that affects our lives will be made by the person who has the power to make that decision, not the ‘right’ person or the ‘smartest’ person or the ‘best’ person. Make peace with this fact.”

Executives DO listen but people responsible for security need to learn how to communicate effectively with them.

Page 4

How do I improve the effectiveness of executive communications?

Page 5

Stakeholder Analysis

Who are the stakeholders, and what do they care about?

Two inputs that ISO/IEC 27001:2013 already requires you to maintain are a good starting point:

1. Interested Parties List
2. Risk Owners List

Page 6

Page 7

The Business Context: use a systems thinking approach.

Page 8

The Value Proposition for Security

• Focus on contribution to the larger good—not just the achievement of your objectives.

• Present a realistic "cost-benefit" analysis of your ideas—don't just sell benefits. Every organization has limited resources, time, and energy.

• Don't waste time on issues that will only have a negligible impact on results.

Page 9

The Value Proposition for Security

• Keep in mind that executives see things from a business perspective as opposed to a technical perspective.

• Think like a business person.

• Put everything in a manner that allows them to quickly see the big picture and business impacts. Do not exaggerate; we will not go out of business!

1. DEFINE the problem set to help identify whether it is a problem worth solving.

2. Is the problem Unworkable?

3. Is fixing the problem Unavoidable?

4. Is the problem Urgent?

Page 10

Communicating with Executives

• Don't be afraid to discuss security issues openly and “seek to understand”

• When presenting ideas to decision-makers, realize that it is your responsibility to sell, not their responsibility to buy

• Do not use “Techno” speak; use the language of the executive in business terms

• Put everything in a manner that allows them to quickly see the big picture. Use ABC – Accurate, Brief, and Clear

• Strive to win the big battles - don't waste time on issues that will only have a negligible impact on results

Einstein: “If you can't explain it simply, you don't understand it well enough.”

Page 11

Communicating with Executives

Use metrics that are meaningful to the executives and the business, not just industry examples. Use scorecards, dashboards, and colors.

Page 12

Respect and Trust

• Make a positive difference—don't just try to "win" or "be right"

• Realize that powerful people are just as human as you are. Don't say, "I am amazed that someone at this level…" It is realistic to expect decision-makers to be competent; it is unrealistic to expect them to be anything other than normal humans.

• Focus on the future—let go of the past

• “Treat decision-makers with the same courtesy that you would treat customers—don't be disrespectful.”

• Assume positive intentions

• Support the final decision of the organization

Page 13

Executives DO listen but people responsible for security need to learn how to communicate effectively with them.

Questions?
