5 Steps to Communicate Security's Value to Non-security People
In belt-tightening times, making the case for security investment is more difficult than ever. Security Catalyst founder Michael Santarcangelo details five steps risk professionals can use to communicate value effectively.
By Joan Goodchild, Senior Editor
March 10, 2009 — CSO
The biggest challenge security teams face in their organization is one of perception, according to Michael Santarcangelo, founder of Security Catalyst, a New York-based consultancy focused on changing the way people protect information.
Santarcangelo, who was recently a keynote speaker at the CSO Perspectives conference, said professionals focused on security are practiced at looking at risks and reducing them. Unfortunately, the rest of society often doesn't see risks the same way, making communication difficult (See also: Security and Business: Communication 101).
"They lack relevant context," said Santarcangelo. "So security people get wrapped up in thinking: 'The CFO wants an ROI. We better work on ROI.' But what the CFO is really saying is: 'I don't understand what you do. So you have to justify it to me.'"
Santarcangelo outlined his strategies for making the case for security investments at the three-day event held in Clearwater, Florida. He gave an audience of security professionals the details of his five-step process for getting executives and boards to understand, and even approve, spending decisions in tough economic times.
Santarcangelo believes one of the most effective ways to communicate value is to place focus back on the person to whom you are trying to make your pitch (See also: A CEO and CSO Who Actually Communicate).
"The reason why someone changes a behavior or takes an action is because there is an inherent benefit to the person," said Santarcangelo. "But when many people start to create, they forget that. They tend to fall into the trap of thinking: 'I'm really smart and I know a lot of stuff. So I'm just going to say it and hope they will understand the value of it.'"
Instead, Santarcangelo recommends creating a presentation that keeps the motivation of the audience in mind.
"Talking to an executive is different from talking to a technologist is different from talking to an end user," he said. "If we are going to communicate with someone in a way that they understand the value and support what we are asking for, we have to know what we are asking for. We have to think about what we want them to know."
We connect to people through stories, according to Santarcangelo. Before you make your pitch, find something in your audience's experience that you can reference and that they can connect to and understand.
"What most people will do is say: 'I've got a presentation in 20 minutes,' and they open up PowerPoint and start making slides. And when they are done they go and read the slides to whoever they are going to talk to and then they get rejected."