To the Chief Information Security Officer, the cyber security business case is often clear as day — it can even be hard to understand why rational business leaders may say no to investment. Yet they do.
The simple 10 step method below will not guarantee the result you need; however, it can be delivered in five minutes or less and will hold the attention of the room throughout.
1. State simply the decision required so everyone is clear what they are being asked for. For example, this could be “I am requesting the committee’s support for a $400k spend over 12 months to address legacy application risks”.
2. Obtain engagement by highlighting why the issue matters in as few words as possible, connecting with any previous discussions to refresh memories. For example, “In my March report, the committee recognised that this was a critical and urgent issue and commissioned me to draw up a plan to address it”.
3. Recognise the decision that the group has to make, whilst avoiding any appearance of blame. Whether right or wrong, past decisions were made for a reason and there is usually no need to pick them apart or challenge them. “Recent incidents in the industry have shown that this posed a much greater risk than we knew when these systems were introduced”.
4. State clearly what the actual problem is. “We have 420 legacy websites of which only 31 have been assessed. Of those assessed 27 had critical issues — we estimate that approximately 90% of the remaining sites will have issues we will need to address quickly”.
5. Describe the business impact, not the technical impact. If you have completed a quantitative cyber risk analysis this is where to raise it. If you have not, a qualitative comment will often suffice. “Many of these sites hold confidential data on our customers. If this is breached we will lose their trust and suffer significant costs, fines and penalties”.
6. Provide the answer. We are only seven sentences into our pitch now (count them!), but those seven sentences really matter. Now we are all on the same page and ready to hear the proposal. “We will assess 35 sites a month on a risk prioritised basis over the next 12 months to cover the remaining 389 sites before the end of the year. As soon as we become aware of issues we will commence remediation, and we will report back to the committee quarterly on progress”.
7. Acknowledge any expected challenges in delivery. If you have done your research, you will understand the interests of those around the table and be able to instinctively spot the questions they are likely to raise. Even if not, major concerns are often easy to see by looking at the proposal through the eyes of stakeholders. Usually these are political, resource related, or confidence related. “We know this will take some time for the application support team, and they are under pressure right now due to major system upgrades.”
8. Address the obstacle head on. “We have spoken to the Application Support Manager and IT Director, and confirmed that we can schedule work away from the end of the month when they are busiest”.
Note — you may need to repeat steps 7 and 8 if there are a couple of issues you know will be raised. If there are more than two, create an appendix and refer to it: “We have socialised the plan widely and have addressed the key issues as shown in Appendix 1. I will be happy to discuss this further with you if there are any concerns”.
9. Offer social proof. Social proof is not a wild-eyed theory. Most rational human beings want to know that, regardless of your internal analysis, there is some external frame of reference. If you don’t address this directly, you may be asked to pause to get an external view. It’s not personal. The good news is that it can be addressed quickly: “Our competitor XYZ Plc implemented a similar approach over three years — however, given their major breach last month, a year into their program, we believe we should move faster”.
10. Restate the ask. This means going back to the beginning and the original request. “I would like to request the committee’s approval for the program as proposed”.
As you will see, this is quick to do. In our example it requires only 13 sentences to deliver — sometimes fewer. It takes the audience with you as an ally, rather than appearing to apportion blame or responsibility for the status quo. It uses your prepared presentation for support, but does not assume pre-reading or duplicate its content. It has a clear beginning, middle and end: saying what you will cover up front to avoid surprises or lack of clarity about the ask, covering it concisely in business terms and addressing any areas of contention, then reminding the audience what you need from them.
And, yes, you can do this in less than five minutes.
This is an extract from an article first published at https://medium.com/@matt_palmer/how-to-successfully-pitch-cyber-security-projects-to-the-board-in-less-than-five-minutes-245ff59b55b6.
To read the original article and case study click the above link.
Copyright 2020 all rights reserved.