Imagine your next meeting with the board. You know you’ll only have a few minutes to say what you need to say, and you also know that this line of communication isn’t open nearly as much as it should be.
But hey, you think to yourself. Cybersecurity is just one of the bazillion things the executives and the board have to think about. Sure, it’s important, but security isn’t the business, right?
Security is just there so we can help them get these objectives across the line.
You’re prepared. You have all kinds of stats and numbers to share with them. We haven’t had any major incidents in at least a quarter, and we’re doing so much better on keeping our global infrastructure up-to-date on patching.
And we’ve even started to be able to do something with all that threat intelligence we’ve been paying for for the last 14 months since we were able to hire two new security engineers—even in this tough job market.
So, you’re planning on how to present all these things in as short a timeframe as possible, and then you remember the last time you did this…
The questioning looks that turned into blank stares…and then you saw it. Not one, but 3 people checked their phones during your presentation!
How could they do that? I’m trying to keep their ass out of jail or the business from getting a big, fat fine, and they’re checking their f-ing phone!
Really?!??!! It was only a 10 minute slot!
This time, that can’t happen. I’ll need to do something different—but what?
So, yes, the above was a dramatization. No cybersecurity or business professionals were harmed in the creation of the above.
And yet, based on conversations I’ve had with both business and security professionals as well as surveys conducted by the Big 4, a pretty big issue facing security leaders is that…
…the business just doesn’t believe you’re doing your job.
Yes. Of course.
But what’s the standard response?
…oh, sorry. Were you saying something important?
Unfortunately, not really—
…not to them, anyway.
Because they just don’t care about all that crap we care about as security professionals.
We’re making them try to care.
We’re making them try to understand what all this stuff is about.
And it’s just wrong.
We’re the support staff.
No, really….we are.
They’re the ones controlling the destiny and the future of the business.
So, what do they want to know most?
They want to know they can have confidence when they go into meetings with their biggest investors that the company will exceed its performance targets.
They want to know they aren’t going to end up on the wrong end of some WSJ headline about how “we’re doing everything necessary to protect the privacy of our customers” when millions of leaked PII records show up on a pastebin somewhere.
Basically, they just don’t want surprises. Because if they get surprises, then they’re going to look stupid.
And if they look stupid, then the company takes a hit.
Maybe it’s the stock price.
Maybe it’s from activist investors.
Or, maybe it’s even from the government regulators.
Your job is to make sure you give the right information about your part of the world to the people representing the business to the “real world” so that they don’t…
- get surprised, or
- look stupid.
Ok, ok….ok…. I get it that you get it.
You’re asking how, right?
How do you give “the business” confidence you have their back and there won’t be any surprises?
It’s 3 slides:
Slide 1: You show some visual representation of the organization and its primary objectives, key revenue contributions and critical customer segments. Maybe it’s using the Business Model Canvas, but it doesn’t have to be.
Slide 2: You show an overlay of all the business and cybersecurity risks that can potentially cause harm or impact to critical customers and products, causing impacts to key revenue targets and pressure on key elements of the current strategic plan.
Slide 3: You show those risks you’re already covering, you show those risks you’ll cover in 3-6 and 12 months with ongoing security strategy initiatives, and you show this risks that you really can’t manage today. You show where you’re on track, and where you’re behind.
And then you say something like this:
“Here’s what we’re doing right now to keep the organization safe, and here are the key risks we’ve identified we believe can cause the biggest impact on the organization’s strategic objectives.
“For the most part, we think we’re in pretty good shape — especially based on conversations with our industry peers. And we think that we’re investing in mitigating the most relevant risks to the organization with our ongoing security strategy implementation.
“It’s not all perfect. We see indications of some potential issues here, here and here. But we’re aware of these problems, and we’re actively working to make sure these don’t escalate and cause you any surprises.
“Based on what you see here, what are your concerns? Is what you see aligned with your own expectations and priorities?
“What else would you like to see from us that would give you even more confidence at our next meeting?”
And that’s pretty-much it.
You field their questions, you get their input, and you go away with clear directions for improvement in both what you’re reporting and with updated insights as to the organizational priorities and objectives.
…GETTING to the point where you can have confidence yourself that you have the right 3 slides, and that the information on those slides is as accurate as you can make it is gonna take about 1,000 duck feet madly paddling under the surface of that lake—not just 2.
And that’s what I do.
I help you put everything required in place so you can present the right information in the right way to resonate with the right executive and board members…
…so that they have confidence you’re doing the job they hired you to do…
…and they have confidence the organization is actively being protected against ever-escalating cyber threats…
…and they have confidence that they’re not going to get a 3AM phone call saying that a security researcher has found a bunch of pilfered information on a dark web repository and do they have any comment they would like to make.
Can you do all that today?
If not, would you like help fixing that particular problem?
Then there’s no time like the present to get started by stepping on over to this link: https://archistry.com/go/SecurityLeader
…and apply to be one of the select few security leaders accepted into the Archistry security leadership coaching program before the end of the month.
Because…at the end of the month, the current offer ends…the price goes up…and you may miss your chance of nailing that next board presentation.
Let’s build those 3 slides together.
Are you up for it?
If you are, here’s the link again: https://archistry.com/go/SecurityLeader.
I’ll you on the inside.
Andrew S. Townley
Archistry Chief Executive