Removing the disconnect between organisation’s board and security

Maher Jadallah, Regional Director, Tenable Middle East.
5 years ago

As technology moves to the centre of most organisational processes across the GCC, CIOs are communicating with the board more often, whether to discuss budget requirements or strategic cybersecurity defenses. Although more people are becoming familiar with IT terms, geek speak can leave many feeling dazed and confused. Talking about Remote Code Execution RCEs, Internet Protocol Security IPSEC, Cross-site Scripting, and Cross-site Request Forgery, for example, can leave listeners baffled and waste valuable board face-time.

Other terms often mean one thing in daily parlance but something else entirely to IT specialists. For instance, a watering hole is neither a gathering place for Oryx nor a venue to unwind after work; whaling does not include a net; a firewall involves neither fire nor a wall; and the sort of container most frequently referred to does not specifically concern maritime trade.

Security is a serious topic that senior executives are particularly alert to, so it is important that there are no misunderstandings. IT and security teams must replace the jargon with language their listeners will understand, if they want to win support for their projects.

In general, upper management finds comfort in metrics. When talking to sales, for example, they seek to understand conversion and close rates. With marketing, it is all about cost per lead. Security must, likewise, focus on quantitative assessments to compare and track performance. The most effective IT and Security pros will be those that can translate the technology and correlate security controls to a metrics-driven conversation. Metrics are the Rosetta Stone of cross-functional conversation.

Here are four key pointers to keep in mind when deciding which metrics to use and how to present them in a way that wins and retains the boards attention:

Quantifiable data

Information that can be monitored and analysed over business cycles serves to inform and educate non-IT audiences. For example, when a big vulnerability like BlueKeep hits – a security vulnerability that was discovered in Microsoft’s Remote Desktop Protocol that has the potential to spread in a worm-like fashion and replicate without requiring user-interaction.

A demonstrable metric would be the estimated time required to patch against it. This will highlight how long the company is exposed and at risk. Is it 15 days, 30 days or longer? How can downtime be reduced and, if investment is needed, what will the return be?

Lucid graphics

When presenting to management, it is important to reduce complex graphs and analytical tables into simple indicators. List the things you want to talk about to keep the conversation focused on your goals. A good question to ask yourself is, what is the intended outcome of showing this piece of data? What do I want the board to do? If you cannot answer that, or have included the slide to fill time, delete it.

The best board-level presentations only show a handful of metrics, each selected to steer the conversation towards new investment or perceptible improvements.

Riveting presentation

The best route to winning buy-in for your proposals is a professional presentation with simple and precise information. Think about how you are sharing this data. Spreadsheets, though easy to create for many, may not be the right format as endless columns of numbers can be hard to navigate. And no one likes death by PowerPoint.

To avoid these traps, consider a format that clearly underscores the point you are conveying, and makes it compelling and eye catching – such as an infographic.

Rehearse your presentation and put yourself in the audience’s shoes: What terms are unclear? What graphics are hard to read? Modify or get rid of them and tweak your work so it attracts the attention of everyone.

Comprehensive ideas

Not everyone around the table will be a security expert, so avoid terms only the security or IT teams will understand – you are not trying to teach them to speak geek. Instead of playing IT teacher, consider how to make your point simply and effectively, while presenting new ideas in bite-sized morsels that will give your listeners something to chew on. As mentioned earlier, you do not want to risk someone in the room thinking you are talking about port storage solutions when you are actually discussing a development platform.

Instead, focus on making sure everyone can understand what is being discussed and all are in alignment of next steps. With understanding comes the opportunity for actual communication between the board and security experts – and with that comes buy-in.

To sum up, talk to the board in simple, easy-to-understand metrics presented in an attention-grabbing manner. Focus on measurable data and do not overdo the geek speak. The board does not need to be security experts – that is your role. But you do need to make sure they understand what you require and why, as well as what it will deliver for the organisation.

Maher Jadallah, Regional Director, Tenable Middle East.

Key takeaways

  • The best board-level presentations only show a handful of metrics.
  • People are becoming familiar with terms, but geek speak can leave many feeling confused.
  • With understanding comes opportunity for communication between board and security and with that comes buy-in.
  • Talk to the board in simple, easy metrics presented in attention-grabbing manner.
  • Focus on measurable data and do not overdo geek speak.
  • The board does not need to be security experts, that is your role.

Overloading the board with jargon and complex charts does not help make the case for the security department, explains Maher Jadallah at Tenable.

Don't Miss

Tenable Highlights Toxic Cloud Trilogy at BlackHat MEA 2024

Tenable will exhibit at BlackHat MEA 2024 held from 26th to 28th
Maher Jadallah, Senior Director Middle East North Africa, Tenable

Tenable Now Available Through AWS Abu Dhabi Region

Tenable introduced that Tenable Cloud Security and Tenable Vulnerability Management are now