The biggest challenge security teams face in their organization is one of perception, according to Michael Santarcangelo, founder of Security Catalyst, a New York-based consultancy focused on changing the way people protect information.
Santarcangelo, who was recently a keynote speaker at the CSO Perspectives conference, said professionals focused on security are practiced at looking at risks and reducing them. Unfortunately, the rest of society often doesn't see risks the same way, making communication difficult (See also: Security and Business: Communication 101).
"They lack relevant context," said Santarcangelo. "So security people get wrapped up in thinking: 'The CFO wants an ROI. We better work on ROI.' But what the CFO is really saying is:' I don't understand what you do. So you have to justify it to me.'
Santarcangelo outlined his strategies for making the case for security investments at the three-day event held in Clearwater, Florida. He gave an audience of security professionals the details of his five step process for getting executives and boards to understand, and even approve, spending decisions in tough economic times.
Santarcangelo believes one of the most effective ways to communicate value is to place focus back on the person to whom you are trying to make your pitch (See also: A CEO and CSO Who Actually Communicate).
"The reason why someone changes a behavior or takes an action is because there is an inherent benefit to the person," said Santarcangelo. "But when many people start to create, they forget that. They tend to fall into the trap of thinking: 'I'm really smart and I know a lot of stuff. So I'm just going to say it and hope they will understand the value of it.'"
Instead, Santarcangelo recommends creating a presentation that keeps the motivation of the audience in mind.
"Talking to an executive is different from talking to a technologist is different from talking to an end user," he said. "If we are going to communicate with someone in a way that they understand the value and support what we are asking for, we have to know what we are asking for. We have to think about what we want them to know. "
We connect to people through stories, according to Santarcangelo. Before you make your pitch, find something in their experience base that you can reference that your audience can connect to and understand.
'What most people will do is say: "I've got a presentation in 20 minutes and they open up power point and start making slides. And when they are done they go and read the slides to whoever they are going to talk to and then they get rejected."
Santarcangelo recommends asking yourself: "How can I explain this to them using their frame of reference? What is a story or example I can use to have that conversation?"
"If you are presenting to a broad audience, I always recommend using pop culture. Music or movies are great places to start. You can always preface with 'Did you see?'"
Of course, finding out what reference might work will take some prep work.
"The simplest way to do that is ask questions," said Santarcangelo. "If the executive you will be presenting to is outgoing and friendly, talk to them.
Find out what kind of TV shows they watch or sports team they really like. On the other hand, coming in with a sports analogy to someone who doesn't like sports, is going to be a swing and a miss. Find out ahead of time."
Another strategy might involve taking a topical security reference, such as a high-profile breach, and asking: "How would we be impacted if that happened to us?"
The first time you make your presentation will be different from the time you actually do it, according to Santarcangelo. Because your window of time to make your pitch or presentation will likely be small, rehearsing is important for maximum impact.
"The reason I call it rehearsal instead of practicing or testing is because when you rehearse, you are allowed to make a mistake. We tend to trend toward too much information. Rehearsing let's us distill. Rehearsing allows you to make sure your sequence and flow make sense."
Getting a multi-thousand or multi-million dollar security project financed with a 15 minute presentation that you wing it through may be possible when times are good, according to Santarcangelo. But now, more than ever, tight budgets require finesse and precision when making the case for spending money.
If each of the five steps were given equal weight, delivery is only 20 percent. Yet many people jump right into delivery without planning or thinking or looking for a connection and rehearsing, said Santarcangelo.
But when you get to delivery, the trick is to put it out there without worrying about being perfect.
"It's about being authentic," he said. "If you honestly believe in it, put it out there. Don't be afraid to make mistakes. You don't have to be perfectly polished. Don't worry about ums or ahs or reading from a script. The idea is to have a conversation."
Once you have thought through what you hope to get out of it, and once you have put together a story and rehearsed or practiced, be natural in the moment once you get to it.
"Make your case succinctly and then have a natural conversation."
Review & Follow Through
When you are done, go back and ask yourself "How did it go?" and "If I had that conversation again, would I do it the same way?"
Once you've evaluated in your own mind how you think it went, follow through is important, said Santarcangelo.
"Many times our first connection and creation may not have been dead on. So when we had a conversation, things didn't get resolved," he said. "If you go back and say: 'I didn't connect the way I wanted to connect' you can follow up with your audience and say 'I didn't explain that the way I wanted to. I know you are busy, but can I have five more minutes? I'd like to explain it to you differently.'"
This story, "Steps to Communicate Security's Value to Non-security People" was originally published by CSO.