Going through my RSS the other day, I found this blog post on HBR that everyone in our field should bookmark for future reference. It’s entitled “The Right Way to Present your Business Case,” by Carolyn O’Hara. As I was reflecting on the successful (and not so successful) pitches in my career, I thought that this type of message also works perfectly for information security. We have all had that moment in our careers where we knew something needed to be done, but we struggled to communicate it effectively. I distinctly remember a conversation early in my career about adding a security product to a company I worked for, and the CEO said, “Until Amazon gets hacked, nobody is going to care about security.” This conversation happened in 1999.
I failed to convince the CEO to invest in my project because I approached it the way any young pup who had not yet learned the art of persuasion would. I simply presented only the facts, thinking that my infallible logic would clearly be enough to win over the hearts and minds of anyone who spent a few minutes considering it.
I should mention, I was a bit of an arrogant punk at that time in my career. I’ve refined my approach since then.
Here is a summary of the items in the post (do go read it in its entirety, and consider picking up the toolkit linked at the end), applied to security:
- Tell a story. When you are presenting your security initiative you should tell a story that has emotion. Most people react to change with fear, so to minimize that reaction you want to create a story that is appealing to their hearts.
- Don’t bury your lead. Don’t beat around the bush or start by listing off all of the initiatives you have successfully led. Break the ice and describe the need.
- Focus on your audience. This tip is universal when it comes to communication. In this case, be sure to cater to the needs, wants, and desires of the people who will evaluate your proposal. If you can make their initiatives more successful or profitable, they will be more likely to support you.
- Maybe don’t use slides! PowerPoint may not be the best way to approach your pitch. Get creative and do something different or unexpected.
- Along those lines, connect with your audience. Don’t read from your slides or hide behind a lectern. Connect with your audience in a meaningful way.
- Prepare to be bumped. You may have thirty minutes on the agenda, but other issues may grab more attention. Ensure you can do the elevator pitch in five minutes or less, and also have backup slides if your issue gets more attention.
Go check out the article and add some comments below (or on Twitter/Facebook)! Do you have a story to tell about a success or failure in getting your security initiative funded?