The Biggest Mistakes Made When Presenting Cyber Security to Senior Leadership or the Board, and How to Fix Them
Mandiant
Written by: Steven Booth, Eric Ouellet, Chris McKie
The goal of communicating cyber security topics with senior executives and boards is to help them understand the top cyber security concerns, the impacts to the business and possible mitigation approaches so they can establish priorities and allocate required resources. With such a critical outcome, why is it that most who present fail to achieve this goal?
It’s About Them, Not You
Most cyber security presentations to senior management and board members continue to focus on technology and poorly relatable data points that are of relevance only to IT security operations personnel and no one else.
While technology is critically important to security personnel, because that is what they focus all their work activities on, it isn’t the focus of the board. Executives will not be interested in the speeds and feeds that make IT's lives easier – or nightmarish when something doesn’t work – unless it relates to something leaders care about.
How to Fix
- Ask questions and ask for help before presenting to executives. Get to know the senior leadership team and tailor communications to focus on the information they need to make their decisions. Question if the information being shared is important to each of them.
- Specifically, ask before presenting what the top five situations senior leaders never want to see happen, and address those. Some examples could be, “I do not want the CEO’s email read by a competitor” or “We do not want our specialized product IP disclosed” or “We do not want an attacker to have the ability to use a business partner’s network connection to gain access to our environment”. Understand their top concerns and highlight how they are being addressed by existing security solutions, or how they need to be addressed if not currently mitigated.
- Understand the business issues the executive team cares most about today and what initiatives they plan to focus on for the next year. Is there a specific business activity, new product launch, merger, acquisition, partnership or any other top of mind activity or concern in process? Understand these initiatives and how cyber security can assist in achieving their goals more quickly or efficiently, or how it can open a new opportunity. This makes the time spent with them much more valuable.
- Understand each of their personalities, the typical questions they ask, what they like to know and in which manner they like to consume this information. Create a presentation that is respectful of their time by arranging content in a way that will make it easy for them to consume and understand, and from which they can make informed decisions. After, ask them if their needs have been met and what they would like presented or changed for next time.
- Be tactical and be a very strict and stern editor. If something will not be relevant and there is no strong reason for why it should be presented, then remove it.
Bottom Line: The key to having a successful presentation is to remember that when presenting to any audience it is about them, not you.
Drop the Technobabble
Even with the constant invasion of technology in all aspects of our daily lives, the reality remains that being familiar with operating a smart phone or using two-factor authentication is a far cry from understanding the technical aspects of cyber risks or the nuances and subtleties behind a specific security issue.
Most in attendance in these cyber security presentations would love to be more involved in the discussions because they do understand the business, legal and operational impacts of cyber risks; however, many are unable to because of the overuse of techno jargon by the presenter.
How to Fix
- When presenting to senior leaders or a board, eliminate all detailed mentions of technology. It might help to prepare some backup slides that do discuss these topics just in case the information is requested, but do not use them unless it is a specific request.
- Focus the message on abstracting the technical details into easy to understand concepts focused on business, operational and legal impacts. Instead of focusing on technology metrics such as feeds, speeds, uptime or downtime for Server X under a given cyber risk, abstract it to the workload impact that could disrupt a specific business process. It is worth repeating: focus on business process impacts and not technology process impacts. This change of focus is critical.
- Presenters should focus on the value of what they do, using terms the audience will easily understand. Analogies, simplified charts and dashboards are helpful. Use stories to relay the message and keep those stories succinct. This can be challenging. Presenters should ask, “What is the problem I need them to understand and how will it impact them?” and focus on the critical elements in that storyline. By doing so, they will build up credibility with the audience and they will be more receptive to the message.
Bottom Line: To be relevant to executives or boards, stop using technobabble that is relevant to security personnel and no one else.
The Sky is Falling…Again!
Describing every cyber risk scenario using fear, uncertainty and doubt has long been the most overused technique when presenting cyber security risks to senior leaders and boards. The simple reality is that it has completely lost its impact. How many times can anyone hear the same headline over and over again before they eventually tune it out? The same goes for senior leaders and boards. They are constantly being told to be afraid in cyber security presentations, and most now tune it out.
It is true that even with the best of protections something can and will happen. Houses can be built to a strict building code using fire retardant materials, have fire alarms and fire suppression systems, and a fire can still break out and burn the house down. But that doesn’t mean we should not build houses or that we should go overboard with security measures to the point where we can’t live in the house.
Cyber risks exist all around us, so how do we strike a balance and effectively communicate them?
How to Fix
- Stop using fear, uncertainty and doubt to pressure senior leaders and boards into action. These tactics do not work and only demonstrate laziness and a lack of understanding of the issues that matter to them.
- Discuss real risks impacting the organization instead of potential theoretical threats. Be rational and avoid hyperbole. Help leaders understand why certain risks are significantly lower or even highly improbable. There are many things that could happen in theory, but only a subset of them are relevant to the current environment. Help executives understand what has been put in place, and what the plans are for future updates or upgrades to mitigate risks.
Bottom Line: Stop scaring everyone into believing the sky is falling…again.
Too Many Threats
There is no perfect security posture that will defend an organization against everything every time. There will always be vulnerabilities and exposure of some sort, somewhere. Even the most mature of organizations with the largest cyber security budgets and most advanced technology deployments will run into issues. However, highlighting all of them as current security concerns of equal priority is unproductive.
How to Fix
- Senior leaders and boards must come to an understanding that perfect protection from every possible risk scenario is not an achievable state. This may be more difficult to explain, but providing the context for cyber risk mitigation decisions is the role of cyber security during senior management and board presentations.
- Presentations must provide senior leaders and boards with the data they require to make informed decisions about which cyber risk scenarios will be a priority and which will not. There is no perfect protection, and some residual risks will have to be accepted. But what are those acceptable risks? This needs to be a business decision based on the various possible impacts. Some risks are more likely than others, some have higher impacts, some mitigations are more complex, while others are more expensive. Help decision makers by clearly explaining the options and highlighting the value of each, using language they will understand.
- Emphasize critical milestones and use graphics to communicate the message instead of text. Reduce the text in presentations to the absolute barest of minimums. If there is any text, move it to the talk track and use a picture or some other visual representation instead. The goal is to convey a message, not test executives on their ability to speed read lines of tiny text from a distance.
Bottom Line: It is critical to enable senior leaders and board members to make rational informed decisions regarding risk management.
Lack of Consistency Over Time
Most senior management and board level presentations lack consistency. Instead, presentations feel standalone and disconnected and focus on the leading issue of the day, with a heavy emphasis on technical information that is out of context and unconsumable to most attendees. This makes it very difficult for the audience to understand and relate to the information being discussed.
The senior leaders in these meetings have a limited amount of time to consume content, and they will be asked to make decisions and recommendations using the information being provided. The last thing they want to do is waste valuable time trying to figure out the point of a presentation or why something is critically important today when they have never heard about it before.
How to Fix
- Establish a consistent narrative and cadence to the presentation so that the audience becomes familiar with the elements being presented, the order they will be presented, and how they will be presented. The audience should never be surprised by how information will be presented, nor should they ever have to guess why what is being said is of importance to them.
- Always double check and triple check the information contained in the presentation, and make sure it is consistent with previous presentations. If 300 servers were mentioned in a previous presentation, but now a different number is being discussed, be ready to explain the difference before someone brings it up. Inconsistencies create doubt.
- Consider presentations as ongoing discussions that evolve over time, rather than individually encapsulated narratives that change each time. When presenting again, remind the leaders of their previous requests: “Last time you asked for additional clarification to understand x”. Highlight the elements under discussion in the context of the organization’s overall security posture, readiness and maturity.
- If something was important before, provide a progress report or highlight why it isn’t high priority any longer. Help the audience understand the story arc behind decision-making and how it is relevant to the overall organization.
- Focus on trending dashboards, changes over time and business process impacts. Use consistent imagery and diagrams. Can any audience easily understand a slide in 10 seconds or less, or does it need to be explained in order to be understandable? If it is the latter, start over.
- Highlight what is included in the appendix section, why it is there and where attendees can get additional information.
Bottom Line: There is nothing more damaging to credibility than a lack of consistency over time.
Not Getting Something in Return
Most senior management and board presentations end with the presenter asking, “Do you have any questions?” This is the wrong approach. At this point, if the presenter has been following the guidance offered in this post, they should have an engaged audience that is interested in what they are doing.
Don’t waste this opportunity. Transition from presenter mode to conversation mode. Senior executives and board members are the best source for business relevant advice, guidance and insight. This is a great opportunity to ask them questions and demonstrate that this is a mutual discussion.
How to Fix
- Ask them if what was presented has impacted their view of the business risks, assess how the delivery of the information matched their expectations, and ensure they understood the key takeaways. Use this insight to improve future presentations.
- Ask them what their top priorities are for the next quarter or next year, and identify opportunities to become more relevant for future presentations.
- Ask how they can help you understand more of what is on their mind, perhaps by offering contacts or introductions to business leaders who can help expand your understanding of their point of view and key concerns.
- Ask them if they are on other boards or have leadership positions elsewhere, and what the top concerns are in those organizations. This will provide additional insights into what they are thinking about and could provide an opportunity to network with others outside of the organization in order to resolve challenging issues.
- This is also an opportunity to highlight any relevant concerns and how leadership would suggest addressing them. Put in a request to discuss funding, support for an initiative or guidance on a decision in the next meeting.
Bottom Line: Be reasonable and respectful. Don’t overdo it, but remember that they have been provided valuable insights and it would be a shame to not get something in return.
In Conclusion
The key to having successful senior leadership or board level presentations comes down to these simple principles:
- Remember that when presenting to any audience it is about them, not you.
- To be relevant to senior executives or boards, stop using technobabble that is most relevant to IT operations, but no one else.
- Stop scaring everyone into believing the sky is falling…again.
- Help leaders make informed risk-management decisions by ensuring they have (and understand) all the necessary information.
- There is nothing more damaging to credibility than a lack of consistency over time.
- While the leaders are being provided valuable insights, it doesn't mean a presenter cannot get something out of the meeting as well.
Technology is our safe zone. Speaking effectively with senior executives and the board requires the development of new communication skills. The good news is that each of the biggest mistakes can be addressed. It only takes time and a consistent focus.
Don’t hesitate to reach out to a network, mentor or coach and ask lots of questions. Be open to feedback even if it is frustrating, because communicating the value of cyber security to leadership and the board benefits all of us.