Selling security to the board is all about effective product marketing, and as such requires a deep understanding of the product and audience, and a simple, well-delivered message, according to a leading CISO.
Speaking at Infosecurity Europe, William Hill security chief, Killian Faughnan, argued that keeping things simple is one of the most important things CISOs can do to sell their vision to the board room.
“Data has its place. But that place is mainly in your dashboard. Your job is to crunch that data down to something meaningful,” he told attendees.
“You should always be aiming for just one slide. I never do more than three. If I try to land more than three messages I confuse myself and them, and the audience will just tune out.”
Knowing what kind of message will work depends on reading the customer (board) not as a homogeneous whole but comprised of individual members, with different views and priorities. That requires the CISO to “know what will delight one and frustrate another” and then work out the best approach to maximize impact for all.
“It’s a very soft skill but one of the most important,” Faughnan added.
The art of selling a message, or ‘product,’ to the board, is heavily dependent on the skill of the person delivering that message: the CISO.
“If you confuse them, they’ll look to buy the ‘product’ from someone else, which unfortunately means [in this context] they’ll hire someone else,” he said. “You’re part of the product as much as everything else, so how you present is important. If you’re more engaged, they’ll enjoy it and feel positive about you and your product.”
Part of this skill in delivering a compelling message requires CISOs not to focus too heavily on the negatives, but rather to argue that “the company is doing well but could do better” — before explaining in simple terms how to achieve that, he said.
The focus throughout should be on “stickiness” — what makes a message stick. It’s a concept also crucial to driving success in employee training and awareness programs, Faughnan argued.