This post was contributed by Josh Bruyning, Solutions Analyst at TrustMAPP
While the cybersecurity industry loves to focus on hot topics like ransomware and corporate espionage, one boring yet vital issue often gets lost in the weeds: communicating cybersecurity performance to senior leadership. We often overlook the importance of translating our wired world into business-speak, often to the detriment of the ultimate objective. Before installing another firewall, enabling MFA, or spitting out another round of training to our end users, we must first prepare, talk to the right people, and relay the cybersecurity journey to those who have the resources to achieve business goals.
Preparation is the bedrock of communication. Choosing what to say, how to say it, and to whom we say it to dictates what gets done. Before jumping into your presentation, consider a few ways to warm up before your big meeting and ensure that you will effectively captivate your audience.
If you must communicate bad news, do so before the big meeting, not during. Bad news can derail your discussion and overshadow all the good things you have to say. Always remember that you have a limited amount of time to say what you need to say. Spending your precious minutes doing damage control and playing psychologist to a room full of angry executives who didn’t see the curveball coming would be a disaster. Before the meeting, perhaps a few days, speak with your direct manager and explain some of the problems that you could not resolve, and better yet, prepare your plan to improve and demonstrate the lessons you’ve learned. If your direct manager gives you the green light, share your concerns with your peers in the same manner as you’ve shared with your manager. This approach gives everyone time to digest your information, plan, and come with ideas so that your future meeting would be more productive and less of a dumpster fire.
Leave all negotiations and decision-making to the days before your big meeting. The time to communicate is not the time to negotiate. Again, time is limited, and you want to leave the time-consuming stuff to the days leading into your presentation to give your audience room to focus on what you have to say.
If you are going to gamify your presentation by offering a pop quiz to measure security or statistical competence, please, for the love of all that is cyber, do it before the big meeting and do not share the scores of your peers. On your big day, the last thing you want is a room full of brooding stakeholders silently fuming at you, each other, and themselves. I assure you; this is not the way to get things done. Gamify, send pop quizzes, give prizes to those who do well, and try to not embarrass senior leadership when the poor scores roll in – unless you’re a massive fan of angry phone calls and a presentation that has failed before it has begun.
Share material ahead of time and use the big meeting to answer questions. Don’t stingily hoard your golden information in hopes of wowing your peers on the big day. Although it makes sense to you, much of your information will conflict with the goals of your peers. Remember, time is limited, and you do not want to spend it focusing on rebuttals. If there must be a discussion related to conflicting goals during the meeting, it should focus on – at least partially fleshed out – ideas and solutions, not insults and groans. Draft a sample itinerary for your cybersecurity info session, laying out the main points (none of which should be a giant bombshell), allowing your peers to know what to expect.
2.Think about the language
Prepare a statement of business objectives and tie tech-speak in with business-speak. It is vital to your credibility as a leader and cybersecurity evangelist that you demonstrate an awareness of your business environment and an understanding of business problems just as much, if not better, than your peer. We all know the mantra: cybersecurity is there to support the business, not the other way around, and a resounding demonstration of that fact is often the difference between support and disdain for your program.
Avoid acronyms like MFA, CRM, LMS, I&AM, CMDB, IQPL (I made up that last one, and I bet you went along with it because you don’t want to feel cyber-illiterate). At best, the business folks who have zero technical training, so 98% of them, will pretend to understand what you mean and will never google a single letter. At worst, they will grow impatient, ignore you, and stick your name at the bottom of the priority list. If you must explain a technical concept, use the acronym, explain its meaning and use, and tie in concepts such as revenue, projections, scaling, operational efficiency, value-added, and time-to-market into your explanations. A robust business lexicon will demonstrate your understanding of the businesses, letting your peers know that you’re on their side and you’re all working toward the same business goals. When the time comes to negotiate, they will be much more open to your solutions and ideas.
3. Tell a story, don’t flaunt numbers
Have you ever heard the story of the young CISO who could? “Once upon a time we were at X, we are now at Y, and here is what it takes to get to Z.” Okay, that’s not a real story, but you get the idea. When presenting to your peers, make sure to tell a story of the business’s cybersecurity journey. People respond to arcs – there’s a reason I still cry at the end of The Lion King. Walk your peers through the dark ages when phishing emails go undetected, introduce them to the heroes such as the Intrusion Detection System, celebrate the golden years of penetration testing, and foreshadow the dark days of ransomware attacks. Assure them never to abandon hope, but with vigilance and money, you will carry them through to the promised land of revenue, data forecasting, and departmental integration. And when your business has become an industry leader, remind them that with great power comes great responsibility. Or something like that. Give the board credit where credit is due and commend everyone for playing their part in a successful cybersecurity program. Highlight wins and lessons learned from losses. And instead of throwing numbers around, wielding charts like a mad, flaming sword, tie your numbers into revenue projections, the top line, the bottom line, and milestones. The end.
4. Use graphs and data wisely
Choose your graphs and data wisely. The is no shortage of fancy charts and metrics to choose from, and many are top-notch, but – say it with me now – you have limited time. Choose a graph that you are familiar with and populate it with data points that you can explain.
You may consider the following if you’re looking for a place to start: The organic variance chart allows you to communicate performance metrics from one point in time to another, using variance as the unit of measurement. The point of this chart is not to compare statistical tools but to use a unit of measurement that doesn’t cough up enormous numbers. Variances are low, numerically speaking, and get the point of relative performance across to most audiences.
Maturity scores are gaining popularity in the cybersecurity industry. Organizations around the world find “maturity” to be a superior tool to static scores. It tells a broader story and gives stakeholders a comprehensive idea of where the business stands relative to its younger self and other companies in the same industry. A tool such as TrustMAPP dedicates itself to measuring your organization’s cybersecurity performance over time, comparing your maturity score to industry benchmarks, and laying out a roadmap to reach your maturity goals.
Nuke most of your slides! Slides can substantially and positively impact your audience if done correctly. Keep a few simple points in mind.
Remember to use white space effectively. Too much clutter will distract your audience from you, the presenter. You want your audience to pay attention to what you have to say, only glancing at the slides for a quick reference and to stay up-to-speed. A graphic, a title, and a short phrase strategically placed on a white slide can go a long way.
Start with as much information as possible on lots of slides, then NUKE! Remove irrelevant information, always keeping your audience in mind. The number of slides and the length of your presentation depends on your audience’s appetite. If they are a bunch that loves details, include details, and lengthen your presentation to about fifteen to twenty minutes. Otherwise, keep your entire production under fifteen minutes. If that sounds short, remember that preparation accounts for much of your communication. Leave five to ten minutes for questions. If the group expresses an interest in particular points, they may allocate more time. But the allocation of extra precious time, as it is coming out of someone else’s allotted slot, should be a group decision, not yours.
There you have it—five tips for communicating cybersecurity performance to senior leadership. Consistently prepare, tie cybersecurity language into relatable business concepts, tell a story that takes your audience through the organization’s cybersecurity journey, use graphs and data wisely, and nuke excessive slides. Oh yes, use your time wisely and communicate effectively.