How To
5 Steps to Communicate Security's Value to Non-security People
In belt-tightening times, making the case for security investment is more difficult than ever. Security Catalyst founder Michael Santarcangelo details five steps risk professionals can use to communicate value effectively
By Joan Goodchild, Senior Editor
Santarcangelo recommends asking yourself: "How can I explain this to them using their frame of reference? What is a story or example I can use to have that conversation?"
"If you are presenting to a broad audience, I always recommend using pop culture. Music or movies are great places to start. You can always preface with 'Did you see?'"
Of course, finding out what reference might work will take some prep work.
"The simplest way to do that is ask questions," said Santarcangelo. "If the executive you will be presenting to is outgoing and friendly, talk to them. Find out what kind of TV shows they watch or sports team they really like. On the other hand, coming in with a sports analogy to someone who doesn't like sports, is going to be a swing and a miss. Find out ahead of time."
Another strategy might involve taking a topical security reference, such as a high-profile breach, and asking: "How would we be impacted if that happened to us?"
Rehearse
The first time you make your presentation will be different from the time you actually do it, according to Santarcangelo. Because your window of time to make your pitch or presentation will likely be small, rehearsing is important for maximum impact.
"The reason I call it rehearsal instead of practicing or testing is because when you rehearse, you are allowed to make a mistake. We tend to trend toward too much information. Rehearsing let's us distill. Rehearsing allows you to make sure your sequence and flow make sense."
Getting a multi-thousand or multi-million dollar security project financed with a 15 minute presentation that you wing it through may be possible when times are good, according to Santarcangelo. But now, more than ever, tight budgets require finesse and precision when making the case for spending money.
Deliver
If each of the five steps were given equal weight, delivery is only 20 percent. Yet many people jump right into delivery without planning or thinking or looking for a connection and rehearsing, said Santarcangelo.
But when you get to delivery, the trick is to put it out there without worrying about being perfect.
"It's about being authentic," he said. "If you honestly believe in it, put it out there. Don't be afraid to make mistakes. You don't have to be perfectly polished. Don't worry about ums or ahs or reading from a script. The idea is to have a conversation."
Once you have thought through what you hope to get out of it, and once you have put together a story and rehearsed or practiced, be natural in the moment once you get to it.
security
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
- Upgrading to VMware vSphere with vWire
- Removing Barriers To Better Server Virtualization Efficiency
- Practical Approaches for Securing Web Applications across the Software Delivery Lifecycle
- Staying A Step Ahead of the Hackers: The Importance of Identifying Critical Web Application Vulnerabilities
- Managing A Growing Threat: An Executive's Guide to Web Application Security
- The Forrester Wave™: Web Filtering, Q2 2009
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
CSO Perspectives
-
April 5-7, 2010Hyatt Regency Santa ClaraClick here for more information!
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
