If you try to sell your security measures to a company board by pointing out that current systems are rubbish, the company is not doing well when it comes to security, and overall everything is a hot mess behind the scenes, they “won’t appreciate it and they won’t thank you for it.”
That’s the view of Killian Faughnan, Group CISO at bookmakers William Hill, who was blunt about the many blunders he has seen in the industry when speaking at this year’s Infosecurity Europe event in London.
He warned that security pitches to board members often get too bogged down in the weeds. He believes that when information security officers address the board, they should become marketers: “What we are doing when we talked to the board is we are marketing our product to our customer.”
Yet this leads to an uncomfortable truth that marketers know quite well: “Perception is more important than the truth of things or reality.”
He admits that, as someone who works in an industry that is very much based on facts and hard truths, this is a ‘discomforting’ reality to accept.
The key is understanding that the members of the board are human beings: “They’re not homogenous institutions, the board isn’t an individual; it’s a collection of people who have different views on what ‘good’ looks like. They have different goals, different ambitions, different agendas,” Faughnan noted.
Knowing that they have different views and agendas from each other should be factored into how you approach each meeting. It’s important to know: “What would delight one of them and what would frustrate another.”
All of this should come into play when you construct a message for the board about the security of the company. Remember that you are part of the packaging for the product you are selling: the product is still security, but you are the tangible manifestation of that security, he emphasised.
The message needs to be delivered in a simple but engaging manner.
Faughnan commented that: “If I try to land more than three messages I will confuse myself and I’ll confuse them and your message will get lost beneath all the detail. Your customer will tune out. If you confuse your customers. If you distract them with data. They will just buy your product from someone else, which unfortunately for us means they will hire someone.”
He suggests that people keep it simple: slides need to be kept to a minimum, and the aim should be one slide. “Obviously, you’ll never get down to one slide,” he said, yet that is what he aims for each time, and this drives him to cut out the unnecessary data that looks incredibly important to security officers but is not needed right there and then.
You need to know all the data, the stats, the graphs, but they don’t. What they need is the message the data is communicating.
“Your job is to take all that data and crunch it down into something meaningful and be able to present that to the board in a way which makes them feel that you know what you’re doing and they trust you,” he states.