I'm a director of information security for a midsize company, and I'm preparing for my first meeting with the executive management team. I've been asked to give a 15-minute overview of our information security program. What points should I emphasize when presenting to executives, and should I use the opportunity to stump for some badly needed resources?
Ask the Expert!
Have questions about enterprise security? Send them via email today! (All questions are anonymous.)
It is critical to set a good first impression in your meeting with the executive team. Have a short, organized agenda prepared and distributed before the meeting. The topics should be brief but provide a good overview of the current state of security and ongoing initiatives. I created a template that I used every quarter when presenting to the auditing subcommittee of the board. This template consisted of the following agenda items:
1. A summary report of all IT security incidents. The report would contain categories including, but not limited to, malware infections, abuse of permissions and breaches of unencrypted personally identifiable information. The execs may ask for details on incidents, so be prepared. Your main goal is to make your presentation interactive.
2. A top 10 list of IT security risks to the organization's data. (It works for David Letterman -- so why not IT security pros?) This grabs the execs' attention and facilitates discussion about the prioritization of IT risks. This also gives you the opportunity to listen to them in order to understand what IT security risks are important to them. This list should not be based on fear, uncertainty and doubt, but on real IT security risk management data. FUD will only advance the conversation so far. Engaging the executives in real discussions about IT security risk is the goal here.
3. A list of your current IT security initiatives and how they relate to the risks you presented. This is where the judgment call comes in about whether to mention the need for additional resources. Hopefully, you have conveyed a sense of urgency to the executives in the previous two agenda items. Since this is your first meeting, you may want to wait until you have a better read on the executives. Do not request more resources if you don't feel that the executives are open to the request. If they are open to the request, proceed by explaining the details of what is needed and how it relates back to mitigating the top 10 IT security risks.
Executives are charged with distributing a limited amount of resources to an unlimited amount of requests. They will respond to honest, well-thought-out and well-presented requests when deciding where resources should be allocated. I have had a good degree of success when requesting resources by using this meeting format with executives. It is all about how much you listen and how well you translate the techno-legal jargon that is the practice of information security.
This was first published in August 2013