As technology moves to the centre of most organisational processes across the GCC, CIOs are communicating with the board more often, whether to discuss budget requirements or strategic cybersecurity defences. Although more people are becoming familiar with IT terms, geek speak can leave many feeling dazed and confused.
Talking about remote code execution (RCE), Internet Protocol Security (IPsec), cross-site scripting (XSS) and cross-site request forgery (CSRF), for example, can leave listeners baffled and waste valuable board face-time.
Other terms often mean one thing in daily parlance but something else entirely to IT specialists. For instance, a ‘watering hole’ is neither a gathering place for oryx nor a venue to unwind after work; ‘whaling’ doesn’t include a net; a firewall involves neither fire nor a wall; and the sort of ‘container’ most frequently referred to doesn’t specifically concern maritime trade.
Security is a serious topic that the UAE’s senior executives are particularly alert to, so it’s important that there are no misunderstandings. IT and security teams must replace the jargon with language their listeners will understand, if they want to win support for their projects.
How measurable is it?
In general, upper management finds comfort in metrics. When talking to sales, for example, they seek to understand conversion and close rates. With marketing, it’s all about cost per lead. Security must, likewise, focus on quantitative assessments to compare and track performance. The most effective IT/security pros will be those who can translate the technology and tie security controls to a metrics-driven conversation. Metrics are the Rosetta Stone of cross-functional conversation.
Here are four key pointers to keep in mind when deciding which metrics to use and how to present them in a way that wins and retains the board’s attention:
1. Quantifiable data: Information that can be monitored and analysed over business cycles serves to inform and educate non-IT audiences. For example, when a big vulnerability like BlueKeep hits – a security vulnerability discovered in Microsoft’s Remote Desktop Protocol that has the potential to spread in a worm-like fashion and replicate without requiring user interaction – a demonstrable metric would be the estimated time required to patch against it.
This will highlight how long the company is exposed and at risk. Is it 15 days, 30 days or longer? How can downtime be reduced and, if investment is needed, what will the return be?
2. Lucid graphics: When presenting to management, it’s important to reduce complex graphs and analytical tables into simple indicators. List the things you want to talk about to keep the conversation focused on your goals. A good question to ask yourself is, “what is the intended outcome of showing this piece of data? What do I want the board to do?” If you can’t answer that, or have included the slide to fill time, delete it.
The best board-level presentations only show a handful of metrics, each selected to steer the conversation towards new investment or perceptible improvements.
3. Riveting presentation: The best route to winning buy-in for your proposals is a professional presentation with simple and precise information. Think about how you’re sharing this data. Spreadsheets, though easy to create for many, may not be the right format as endless columns of numbers can be hard to navigate.
And no one likes ‘death by PowerPoint’. To avoid these traps, consider a format that clearly underscores the point you’re conveying, and makes it compelling and eye-catching – such as an infographic. Rehearse your presentation and put yourself in the audience’s shoes: What terms are unclear? What graphics are hard to read? Modify or get rid of them and tweak your work so it attracts the attention of everyone.
4. Comprehensive ideas: Not everyone around the table will be a security expert, so avoid terms only the security or IT teams will understand – you’re not trying to teach them to speak geek. Instead of playing IT teacher, consider how to make your point simply and effectively, while presenting new ideas in bite-sized morsels that will give your listeners something to chew on. As we said earlier, you don’t want to risk someone in the room thinking you’re talking about port storage solutions when you’re actually discussing a development platform.
Instead, focus on making sure everyone can understand what is being discussed and that all are aligned on next steps. With understanding comes the opportunity for actual communication between the board and security experts – and with that comes buy-in.
To sum up, talk to the board in simple, easy-to-understand metrics presented in an attention-grabbing manner. Focus on measurable data and don’t overdo the geek speak. The board doesn’t need to be security experts – that’s your role. But you do need to make sure they understand what you require and why, as well as what it will deliver for the organisation.