


by Jon Surmacz

Art of Persuasion — Selling Up in the Organization

Apr 12, 2005 | 6 mins
Build Automation | CSO and CISO

The afternoon discussion, The Art of Persuasion—Selling Up in the Organization, was moderated by CSO editor Derek Slater and included panelists David Burrill, CSO, British American Tobacco; Pete Metzger, partner, Heidrick & Struggles; and Krizi Trivisani, director, systems security operations, CSO, George Washington University.

While 3:45 is a dangerously good time of day for a nap, an ice cream truck happened to pull up outside the conference room, so everyone entered the session seeming somewhat renewed. Slater began the panel with breaking news: “Conference tracking tells us that CIOs eat more than CSOs, but CSOs drink more than CIOs.”

On a more serious note, Slater told us that 70 percent of the 350 CSOs polled in our State of the CSO Survey said that their company’s upper management has put a greater emphasis on risk management this year than in previous years. He asked the panel whether this is an uptick.

Trivisani: We meet twice a year in front of the board, security gets five to six minutes to present their progress, plans and needs. The board seems much more informed. All I have to do is say NIST and they say, we know we need to be at level three, how are we doing?

Metzger: Those who play in the international level are keenly aware of threats against their brand and people. It’s not hard for me to sell up when they come to me looking for this.

Burrill: I think times have never been better than they are now to influence up. There’s a growing professionalism among security folks and a growing recognition among the board that this is an area they can’t neglect. The two are probably related. There’s a tremendous opportunity here to cash in on. But I think it’ll be a gradual improvement rather than an overnight change.

Slater: That’s good news: it’s a fertile time for security awareness and a good time for CSOs to put their cause forward. Let me ask you to recount the first time you presented to the board.

Burrill: I looked for a topic I could brief them on, tried to find a topic where there was clear multi-functional concern. I was briefing them on something that was fundamental to the business. Counterfeit. Give them something they would welcome. In that sense, I had an easy one. If you’re going to represent any company at any level, if you can interface with them and feel comfortable, then there are benefits to that.

Slater: What are the presentation skills you’re looking for?

Metzger: The ability to present oneself with confidence is important. Qualities our clients seek:

  • Ability to act as a peer;
  • Establish yourself with a credible history;
  • Ability to understand business;
  • Need to understand enough about the business;
  • To show value to your security programs;
  • Ability to think expansively.

You need to think about what’s happening three or four countries or continents away and how it can affect my business. That’s something CEOs are paying a big compensation package for right now.

Trivisani: The CSO before me only lasted two days. He told people what to do.

Slater: You have to be particularly careful at the university, which is open and doesn’t want to be locked down.

Trivisani: Make your security message personal and relevant to the person you’re trying to convince. Look for ways to make it personal to that individual.

Burrill: I tried to make sure every time the board got together, I got my face in front of them. I only talk to the board for five minutes when I go in. I choose one topic that I want endorsement from them. That’s what I concentrate on. There’s never been an occasion when it hasn’t worked. It’s good to be in front of them, and talking to them.

Slater: What do you do when you identify someone whose endorsement is important, but seems improbable?

Metzger: Sit down with someone and clearly determine what their objections are. Show them the wisdom of listening to a different perspective. Show them how it can return shareholder value. That comes through competence, self-confidence and experience. Be convincing in your logic. Even if they don’t like what you’re saying, they have to endorse it.

Burrill: I don’t have enemies, I have friends and potential friends. I don’t want enemies around. It’s seeing everyone in the best light and not being naïve about it. I’m selective with what I present to the board. I pick a particular topic and give them some statistics and an example. I’m not driven by metrics, I’m driven by relationships with people.

Metzger: Make your message redundant, clear and simple. If you can’t put the rules on a t-shirt, no one is going to read it.

Question from the crowd: Do you have tips to help us gauge the risk tolerance of our corporations?

Metzger: If you create the opportunity to meet with your leadership with the purpose expressly being, one, I’m responsible to you for the security operations for this company. Two, you are responsible for the leadership of this company. You’ve delegated me authority. At the conclusion of this discussion, I’d like you to tell me where your risk tolerance is. Understand the risk tolerance of the person who is responsible for the business. My best professional advice to you, Mr. Chairman, is X. They can then do with that advice what they want.

Trivisani: Their tolerance at GW is this: Keep us out of the Washington Post. So if you see GW in the Washington Post, you probably won’t see me there anymore.

Burrill: We need to know the risk tolerance of the board in every area.

Question from the crowd: What do you think of using something from the board person’s past to bring into the present context?

Burrill: That’s due diligence. Yes.

Slater: What about FUD? Is FUD effective?

Metzger: I don’t think it’s necessary to use scare tactics, all you have to do is live in this world. People know there are threats.

Burrill: No. Your risk factors when you use scare tactics soar. You need to play it straight. If you don’t play it straight and you’re called out, you’re done. If they see through you, then you’ve lost them. The answer is no, no, no.

Trivisani: I agree, no. Just state the facts. Our motto is: We partner and protect; we don’t punish.