
How to get information security buy-in from the executive team

When pitching security to the big bosses, it's important to brush up on public-speaking skills and lay out the case in advance. Mike Rothman gives his recommendations on how to prepare for a security presentation in order to receive the necessary managerial support.

Nothing makes employees freeze up more than the thought of having to make a presentation to the people that run their company. Public speaking is hard enough, but when all those suits are in the room -- it's terrifying. Take it from someone who has given a presentation or two (thousand) over the years: it's not that hard with the right preparations.

Having to present to executives is actually a good thing, since it indicates security is taken seriously within the organization. The job of a senior security professional is changing rapidly: it's more about persuasion and being able to navigate the political minefield of a large organization than it is about fighting bad guys.

Most executives are worried about themselves, so they want to hear whether there are any security concerns that might get them in serious trouble. Security professionals need to be able to allay fears by educating executives on the security program and its objectives, milestones and other aspects of daily security operations. These are valuable opportunities to set expectations, solicit funding, and ensure that security is a high priority within the organization.

Preparing a security presentation

First, preparation is key. Public speaking prowess doesn't just happen, and most technically oriented security professionals have never received any kind of training or education on the fine art (and it is an art) of presenting.

Thus, getting some speaking experience before it really counts is important. Join a local public speaking group like Toastmasters International or give a presentation to an Information Systems Security Association (ISSA) chapter. Practice makes perfect, so the more practice, the more likely the presentation will go well. Learn to love public speaking; it comes with moving up the ladder.

Next, figure out what to say. Here is an important tip: Executives don't care about how many patches were applied or the impressive 99.999% antivirus coverage on all devices. Executives want to know business-relevant information. Tell them about downtime due to security issues. Tell them about recovering from the last incident. Tell them how the technology environment is monitored to react faster to emerging threats. But whatever you do, don't tell them about technical mumbo jumbo they don't care about. If they fall asleep, that's a pretty good indication the pitch isn't going well.

Also, give them context. Spend some time explaining what's been done from a security program standpoint. These executive types understand sales, marketing and building things. They probably don't understand technology, and certainly not security. Use words like availability, intellectual property protection and private data confidentiality. They understand those terms. Terms like botnets, phishing email and rootkits? Not so much.

Be sure to walk them through the objectives of the security team. Also, detail the plans to meet those objectives. Executives focus on accountability, so they want to hear how the security team is being tracked to ensure milestones and objectives are met. That leads to a discussion on the way progress is reported and what data points are available for them to peruse about security operations.

Executives also want to hear about compliance. They know terms like PCI -- and, if you work for a U.S. government agency, they also know FISMA -- so address how the security program leads to being compliant and passing audits. Don't fall into the trap of intimating that compliance is the goal. It's not, and any time in front of the executives is a great opportunity to reinforce that message.

During your presentation, try to stick to your predefined script. Bring lots of supporting documentation, just in case they want details on anything being discussed. Also, if an executive asks a question to which there isn't currently an answer, admit that. Ensuring a follow-up with the answer as quickly as possible is much better than making something up.

Of course, that's assuming there is time to prepare. There will be instances, perhaps during an incident or outbreak, when an impromptu presentation is required. The key during this kind of presentation is to be candid, clear and honest, even if the security team messed up. Sugarcoating the situation is not going to help anything and will severely undermine the credibility of the security team.


Ultimately, the key objective is to convince the executive leadership that the security program is under control, and that credibility is built by communicating what's going to happen and why. Then, systematically achieve those goals and let execs know what's been successful.

A presentation to the people on Mahogany Row can be intimidating, or it can be a great opportunity to set expectations and show the great success of the security team. It's part of the job description of a security professional, so avoiding the presentation isn't an option. And lastly, have fun. It's not like your job is at stake.

About the author:
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Rothman is also's expert-in-residence on information security management. Get more information about the Pragmatic CSO, read his blog, or reach him via e-mail.

This was last published in September 2008
