SlideShare a Scribd company logo

Communicating Security Risks to Management

A
Alberto Marroquin

How to sell information security to managers

Software
1 of 9
Download to read offline
Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Selling Security To Management One of the biggest complaints heard from security professionals is related to the fact that they feel that management does not understanding or properly appreciate the problems related to ensuring the security and privacy of their systems. As with all problems of this nature, this problem is the result of a failure to communicate with management. While I realize this is not your typical topic for a SANS discussion, it is important to our credibility as professionals because, if we cannot effectively communicate with th... Copyright SANS Institute Author Retains Full Rights AD
© SANSInstitute2001,Authorretainsfullrights Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2001, As part of the Information Security Reading Room. Author retains full rights. 1 Selling Security To Management Jeff Hall GSEC Certification Practical Version 1.2e One of the biggest complaints heard from security professionals is related to the fact that they feel that management does not understanding or properly appreciate the problems related to ensuring the security and privacy of their systems. As with all problems of this nature, this problem is the result of a failure to communicate with management. While I realize this is not your typical topic for a SANS discussion, it is important to our credibility as professionals because, if we cannot effectively communicate with those who control our success, then we will continue to be relegated to our present role in the organization. The better we are able to communicate our issues to management, the more likely it will be that management will respond positively to our issues. This document will help you understand how to create presentations that will engage management and will discuss the common presentation pitfalls that befall technology people. Creating Great Presentations Great presentations do not just occur; they are the culmination of a significant amount of work. If you do not plan, then your presentation will not deliver the message that you are trying to communicate. Planning Planning of a presentation requires you to develop a topic to be presented. Barbara Minto wrote a seminal work on writing, thinking and problem solving logic in the mid-1980s entitled The Pyramid Principle. As a management consultant with one of the “Big 5”, this book and a related, internally developed training class was required for anyone in a management position within the Firm. Unfortunately, Ms. Minto’s book is no longer in print, but if you ever get a chance to obtain a copy, I would highly recommend that you take the opportunity to add it to your bookshelf. Ms. Minto argues in her book that effective communication of ideas is constructed like a pyramid. At the tip of the pyramid is the message or theme to be communicated. Underneath the tip of pyramid are the details in support of the theme that create the foundation of the message being delivered. The further you go down from the tip, the more detail that is offered. The Pyramid Principle goes on to discuss that the construct of a presentation can flow from top to bottom (summary of findings and recommendations and then a discussion of the details that support those findings and recommendations) or from bottom to top depending on the needs of the audience. For senior management presentations, the top to bottom approach is usually the best way to organize your document because it effectively provides an executive summary of your findings and recommendations and then allows for selective discussion regarding the details
© SANSInstitute2001,Authorretainsfullrights Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2001, As part of the Information Security Reading Room. Author retains full rights. 2 that support your findings and recommendations. A bottom to top approach is typically used in the development of tutorials or training materials where ideas or concepts build on one another. The result of this process is a definition of your message or theme and an outline of the material you wish to present and the strategy you will use to present it. Research and Analysis Now that you have an outline, you need to give it substance by researching your subject and developing sound conclusions and recommendations. The problem most people face with this process is that there is typically an over abundance of information, but you only have so much time in which to present. However, now is not the time to worry about quantity, now is the time to get all of the quality facts that you can find. Focusing all of this information is done in the next step when we will edit it based on the needs of your audience. Using your outline from the previous step, gather together as much information related to your various points as possible. Make sure you gather information that may be contrary to your position, as you will need it for your analysis later in this step. The SANS GIAC practical assignment does an excellent job of describing the research effort. Once you have gathered all of your information, perform your analysis for the development of conclusions and recommendations. Do not be surprised if you find that some of your preconceptions regarding the topic to be misguided. Audience The next step in the process is remembering to focus on WHO is your audience. During this step, we will determine how to “filter” all of the information you’ve gathered to this point. A security professional’s audience is typically going to be a group of business executives with titles such as Chief Executive Officer (CEO), President, Chief Financial Officer (CFO), Chief Operating Officer (COO), Chief Information Officer (CIO), Chief Marketing Officer (CMO) and the like. To help you understand your audience, the following provides a brief description of each position’s responsibilities and potential influence on your presentation. CEO/President/General Manager – These people are responsible for the overall management of the company, division, subsidiary, etc. These people will have a varied background, but they typically come from the operations or finance areas and have shown a broad base of knowledge regarding the industry and the organization. Their focus will be on the big picture and they will rely on the other executives to provide their own perspective based on their area of expertise. Their interest will be in determining if the definition of the problem is appropriate, the analysis of the possible solutions are well thought out, and the recommendations make sense based on the analysis presented.
© SANSInstitute2001,Authorretainsfullrights Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2001, As part of the Information Security Reading Room. Author retains full rights. 3 CFO/VP of Finance/Division Controller – These people are responsible for the financial well being of the organization. To dispel a popular myth, they are not always just “bean counters” concerned with every last expenditure. These people are also responsible for ensuring that the controls of the systems (manual and automated) are adequate. As such, you should make sure that your presentation provides information regarding how your recommendations improve the control environment. COO/VP Operations/VP Manufacturing/VP Distribution – These people are responsible for delivering the goods and services that your organization provides its customers and clients. Their primary focus is ensuring that the processes and procedures related to delivering goods and services are as efficient and effective as possible within the control environment. If you are recommending changes in policies and procedures, you will need to provide details on how those changes will either not impact operations or will improve other aspects of the operations of the organization. CMO/VP Marketing/VP Sales – These types of people are responsible for selling the goods and services of your organization. Their focus will be on making sure that your recommendations are not going to adversely affect sales. If your recommendations affect only non-sales users, these people will likely go along with your recommendations. However, if your recommendations affect customers or the sales force (a secure VPN for example), then these people will want to minimize the impact or possibly will argue that your recommendations are too onerous and should not be implemented. You need to remember the impact your solutions may have on customers and remote users. CIO/VP IS/Director IS – You should already have a good idea of this person’s role in the organization and this person should be your champion during the presentation. It is important that this person review and comment on your presentation prior to the actual meeting. This person can add insight into the internal politics between the previously mentioned players and can help you adjust your language so that it plays better to the audience. Mr. Lenny Laskowski has produced short document on how to focus this analysis. He has broken down the word audience as a memory aid. A nalysis – Who are they? How many will there be? U nderstanding – What is their knowledge of the subject? D emographics – What is their age, sex, educational background? I nterest – Why are they there? Who asked them to be there? E nvironment – Where will I stand? Can they all see and hear me? N eeds – What are their needs? What are your needs as the speaker? C ustomized – What specific needs do you need to address? E xpectations – What do they expect to learn or hear from you? If you can answer these questions, you should have a good understanding of your audience and what they will expect from your presentation and how to filter your information to meet their expectations.
© SANSInstitute2001,Authorretainsfullrights Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2001, As part of the Information Security Reading Room. Author retains full rights. 4 Create A Draft At this point we now have identified and filtered the information that we want to use, but we still have not really created the presentation. Now is the time to put your thoughts together in PowerPoint, Word or whatever you use for your presentations. Using your outline, the information you have gathered and the information filters you have identified, you now need to actually develop the presentation. Forget about the amount of time you have to present, just get your thoughts on paper. We will edit the content after the draft is completed and has been reviewed. If your organization has a standard presentation template, USE IT! Nothing helps you fit in than making your presentation look and feel like all other presentations created by your organization. If your organization does not have a standard template, Ms. Ann Agee of George Mason University has developed a set of rules for formatting a presentation. § You should have no more than six to eight words per line. § No more than six to eight lines or 50 words per slide. § Use only two fonts throughout your presentation. Ms. Agee suggests a serif font like Times Roman for page titles and a san serif font like Ariel for the body of your presentation. § Fonts should be no smaller than 24 point to ensure your slides are legible when projected. § Use graphics to make a point or enhance your analysis, but be careful to balance your graphics on the page. § Avoid special effects such as screen wipes and sounds. They will give the appearance that your presentation is more show than go. § ALWAYS spell check your presentation. Not once, but every time you make changes – make sure you spell check it prior to finishing your PowerPoint session. In this day and age, there is no excuse for poor spell and grammar. Edit For Time Now that you have your draft created you can now edit it for the amount of time you have to present. A good rule of thumb is each slide takes one to two minutes to present. Also plan for questions either throughout your presentation or at the end of the presentation. Another good rule of thumb is 10 minutes of questions for every hour of presentation. In the beginning, you will probably find this part of the process the hardest to deal with. After all, you have all of this good information, but you cannot share it all with your audience. If you find that you are having difficulty with the editing, save your presentation and walk away from it for a while. When you come back you will be amazed at how well you will be able to trim it down. A Second Set Of Eyes
© SANSInstitute2001,Authorretainsfullrights Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2001, As part of the Information Security Reading Room. Author retains full rights. 5 Another key to a great presentation is to get a second set of eyes to review your presentation. Your second set of eyes should not be your buddy in the cubicle next to you; you should get your mentor or their mentor to review your presentation. They can provide you further input regarding further clarification that may be required, further editing for time and the all-important editing for political correctness. Practice Now that you have a presentation, you need to get comfortable with it. It does not matter how you practice, but you need to practice. If you are not comfortable with public speaking, then you will want to have a lot of practice. The key is to practice until you are fully comfortable with the flow of the presentation and the information you are presenting. Technology Presentation Pitfalls The following is a list of presentation pitfalls and potential solutions that I have accumulated over my 25+ years of management consulting. This is not a complete list, but I believe that it covers a significant number of the presentation sins that I personally have committed or have seen committed over the years. 1. Techno-babble and Acronyms There is nothing more uncomfortable to any audience than unfamiliar terms used in documents and presentations. The next most uncomfortable thing to an audience is a speaker who assumes that they should know the terminology. The key to avoiding this pitfall is to remember WHO your audience is and WHAT their comfort level is with the topic being discussed. If you are not sure about the audience’s level of understanding, then take some time to explain the technology and the terminology. If necessary, include a Glossary Of Terms as an appendix to your presentation as a future reference. 2. Expert Myopia All subject matter experts suffer from “expert myopia”. This is not a bad thing, but it is something that every person needs to be aware. Every person has some area of knowledge where they are the perceived experts and as that expert, they tend to be very focused on that topic and assume some level of understanding of their expertise from others. However, where things go awry is that we, the experts, typically assume a greater level of understanding because of questions or discussions with our audience. When answering questions in your area of expertise, take a step back and politely probe the audience’s comfort level with the topic so that you can appropriately discuss the topic with the correct level of detail and background. 3. Failure To Practice
© SANSInstitute2001,Authorretainsfullrights Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2001, As part of the Information Security Reading Room. Author retains full rights. 6 Very few people can just get up in front of a group and speak off the cuff. However, speaking extemporaneously is not what a professional does. A professional practices their speech over and over. These practice sessions can range from just repeatedly going over the presentation in their head to practicing their presentation in front of a mirror. The key to addressing this area is to find a method of practicing your discussion so that you are comfortable with your delivery and your gestures. The more comfortable you are, the more comfortable your audience will be during your presentation. 4. Forgetting Your Audience’s “Hot Buttons” There are reasons or “hot buttons” that has prompted management to request your presentation to them. As the expert, it is your job to make sure that you find out those reasons. Everyone has or should have a mentor that is higher up in the organization. Go to your mentor and find out the reasons for your presentation. If your mentor does not know the reasons, prompt them to go to their mentor for the reasons. Once you have the reasons for your presentation, take those reasons and incorporate them into your presentation. When giving your presentation, focus on those “hot buttons” by consistently tying your discussions to the “hot buttons”. 5. Humor Humor is a tough subject. Some people are good at telling a joke and some people are not. If you are one of those that cannot tell a joke well, then a presentation is not the place to inject humor. And it is definitely not the place for using humor if this is one of your first presentations. If you are going to use humor, make sure it is relevant to your topic and presentation, the humor is not off color and the humor does not embarrass the audience. Remember that like a stand up comic, sometimes the room is just tough and your humor may not solicit a laugh from your audience. Hopefully this document has given you some ideas on how to improve your presentation skills and get your ideas across.
© SANSInstitute2001,Authorretainsfullrights Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2001, As part of the Information Security Reading Room. Author retains full rights. 7 Bibliography Creating A Great Presentation, Anne Agee, September 1998, http://www.irc.gmu.edu/scampbel/aagee/aagee.html A.U.D.I.E.N.C.E. Analysis - It’s Your Key To Success, Lenny Laskowski, 1996, http://www.ljlseminars.com/audience.htm Gathering Information & Materials, Lenny Laskowski, 1997, http://www.ljlseminars.com/gather.htm Speech Preparation As A Process, Lenny Laskowski, 1997, http://www.ljlseminars.com/gather.htm Elements Of An Effective Speech, Lenny Laskowski, 1997, http://www.ljlseminars.com/elements.htm Overcoming Speaking Anxiety In Meetings And Presentations, Lenny Laskowski, 1996, http://www.ljlseminars.com/anxiety.htm The Minto Pyramid Principle: Logic In Writing, Thinking and Problem Solving, Barbara Minto, ISBN: 0960191046, May 1996
Last Updated: January 29th, 2013 Upcoming SANS TrainingClick Here for a full list of all Upcoming SANS Events by Location SANS Scottsdale 2013 Scottsdale, AZUS Feb 17, 2013 - Feb 23, 2013 Live Event SANS Belgium 2013 Brussels, BE Feb 18, 2013 - Feb 23, 2013 Live Event RSA Conference 2013 San Francisco, CAUS Feb 24, 2013 - Feb 25, 2013 Live Event SANS Secure Singapore 2013 Singapore, SG Feb 25, 2013 - Mar 02, 2013 Live Event SANS Egypt 2013 SEC560 Cairo, EG Mar 02, 2013 - Mar 06, 2013 Live Event SANS South Africa 2013 Johannesburg, ZA Mar 04, 2013 - Mar 09, 2013 Live Event SANS 2013 Orlando, FLUS Mar 08, 2013 - Mar 15, 2013 Live Event SANS Secure Canberra 2013 Canberra, AU Mar 18, 2013 - Mar 23, 2013 Live Event SEC573 Python for Pen Testers Washington, DCUS Mar 18, 2013 - Mar 22, 2013 Live Event SANS Monterey 2013 Monterey, CAUS Mar 22, 2013 - Mar 27, 2013 Live Event SANS Abu Dhabi 2013 Abu Dhabi, AE Mar 23, 2013 - Mar 28, 2013 Live Event SANS Delhi 2013 New Delhi, IN Apr 01, 2013 - Apr 12, 2013 Live Event SANS Northern Virginia 2013 Reston, VAUS Apr 08, 2013 - Apr 13, 2013 Live Event SANS Secure Europe 2013 Amsterdam, NL Apr 15, 2013 - Apr 27, 2013 Live Event SANS Cyber Guardian 2013 Baltimore, MDUS Apr 15, 2013 - Apr 20, 2013 Live Event SANS CyberCon Spring 2013 Online, VAUS Apr 22, 2013 - Apr 27, 2013 Live Event AppSec 2013 Austin, TXUS Apr 22, 2013 - Apr 27, 2013 Live Event SANS CDK Seoul 2013 Seoul, KR Apr 22, 2013 - Apr 27, 2013 Live Event Critical Security Controls International Summit London, GB Apr 26, 2013 - May 02, 2013 Live Event North American SCADA and Process Control Summit 2013 OnlineFLUS Feb 06, 2013 - Feb 15, 2013 Live Event SANS OnDemand Books & MP3s OnlyUS Anytime Self Paced

Recommended

Seven pitfalls to avoid in online collaboration
Seven pitfalls to avoid in online collaborationSeven pitfalls to avoid in online collaboration
Seven pitfalls to avoid in online collaborationJon Kennedy
 
Moving To A Risk Based Approach To OHS
Moving To A Risk Based Approach To OHSMoving To A Risk Based Approach To OHS
Moving To A Risk Based Approach To OHSMark Mitchell
 
Essay Narrative Example. Narrative Essay PDF Essays Narrative
Essay Narrative Example. Narrative Essay PDF Essays NarrativeEssay Narrative Example. Narrative Essay PDF Essays Narrative
Essay Narrative Example. Narrative Essay PDF Essays NarrativeElizabeth Pardue
 
Linkedin 2
Linkedin 2Linkedin 2
Linkedin 2Angus Elder
 
Top Tips for eDiscovery Software Demo iControl ESI
Top Tips for eDiscovery Software Demo iControl ESITop Tips for eDiscovery Software Demo iControl ESI
Top Tips for eDiscovery Software Demo iControl ESISusan Ippoliti Kavanagh, RP, CeDP, CLSP
 
Top 5 Ways Political Wrangling Can Kill Your ERP or CRM Project
Top 5 Ways Political Wrangling Can Kill Your ERP or CRM ProjectTop 5 Ways Political Wrangling Can Kill Your ERP or CRM Project
Top 5 Ways Political Wrangling Can Kill Your ERP or CRM ProjectLionshare Software, Inc.
 
Winnie-the-Pooh Strategic Communications Planning
Winnie-the-Pooh Strategic Communications PlanningWinnie-the-Pooh Strategic Communications Planning
Winnie-the-Pooh Strategic Communications PlanningPaula Newbaker
 
1.5 Pages are requiredYou have been hired .docx
1.5 Pages are requiredYou have been hired .docx1.5 Pages are requiredYou have been hired .docx
1.5 Pages are requiredYou have been hired .docxchristiandean12115
 

Recommended

Seven pitfalls to avoid in online collaboration
Seven pitfalls to avoid in online collaborationSeven pitfalls to avoid in online collaboration
Seven pitfalls to avoid in online collaborationJon Kennedy
 
Moving To A Risk Based Approach To OHS
Moving To A Risk Based Approach To OHSMoving To A Risk Based Approach To OHS
Moving To A Risk Based Approach To OHSMark Mitchell
 
Essay Narrative Example. Narrative Essay PDF Essays Narrative
Essay Narrative Example. Narrative Essay PDF Essays NarrativeEssay Narrative Example. Narrative Essay PDF Essays Narrative
Essay Narrative Example. Narrative Essay PDF Essays NarrativeElizabeth Pardue
 
Linkedin 2
Linkedin 2Linkedin 2
Linkedin 2Angus Elder
 
Top Tips for eDiscovery Software Demo iControl ESI
Top Tips for eDiscovery Software Demo iControl ESITop Tips for eDiscovery Software Demo iControl ESI
Top Tips for eDiscovery Software Demo iControl ESISusan Ippoliti Kavanagh, RP, CeDP, CLSP
 
Top 5 Ways Political Wrangling Can Kill Your ERP or CRM Project
Top 5 Ways Political Wrangling Can Kill Your ERP or CRM ProjectTop 5 Ways Political Wrangling Can Kill Your ERP or CRM Project
Top 5 Ways Political Wrangling Can Kill Your ERP or CRM ProjectLionshare Software, Inc.
 
Winnie-the-Pooh Strategic Communications Planning
Winnie-the-Pooh Strategic Communications PlanningWinnie-the-Pooh Strategic Communications Planning
Winnie-the-Pooh Strategic Communications PlanningPaula Newbaker
 
1.5 Pages are requiredYou have been hired .docx
1.5 Pages are requiredYou have been hired .docx1.5 Pages are requiredYou have been hired .docx
1.5 Pages are requiredYou have been hired .docxchristiandean12115
 
Secure Texting Best Practices: Get Your Organization On Board
Secure Texting Best Practices: Get Your Organization On BoardSecure Texting Best Practices: Get Your Organization On Board
Secure Texting Best Practices: Get Your Organization On BoardqliqSoft
 
Risksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability ManagementRisksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability ManagementMighty Guides, Inc.
 
"From Insights to Action" by Andrew Vincent, a Revelation Great Research Thin...
"From Insights to Action" by Andrew Vincent, a Revelation Great Research Thin..."From Insights to Action" by Andrew Vincent, a Revelation Great Research Thin...
"From Insights to Action" by Andrew Vincent, a Revelation Great Research Thin...Revelation Next
 
Sales training for an IT consulting firm
Sales training for an IT consulting firmSales training for an IT consulting firm
Sales training for an IT consulting firmAllied Consultants
 
Engaging Advocates by Vertical
Engaging Advocates by VerticalEngaging Advocates by Vertical
Engaging Advocates by VerticalDon Currie
 
Disc 1_ Team 7.docx1Report 1 Behavior Based Safe.docx
Disc 1_ Team 7.docx1Report 1 Behavior Based Safe.docxDisc 1_ Team 7.docx1Report 1 Behavior Based Safe.docx
Disc 1_ Team 7.docx1Report 1 Behavior Based Safe.docxlynettearnold46882
 
Practical Experience with Christensen's Innovation Methodology JOBS(R) Jobs-t...
Practical Experience with Christensen's Innovation Methodology JOBS(R) Jobs-t...Practical Experience with Christensen's Innovation Methodology JOBS(R) Jobs-t...
Practical Experience with Christensen's Innovation Methodology JOBS(R) Jobs-t...vonreventlow
 
Enterprise Architecture in the Boardroom with Dragon1
Enterprise Architecture in the Boardroom with Dragon1Enterprise Architecture in the Boardroom with Dragon1
Enterprise Architecture in the Boardroom with Dragon1Dragon1 Inc.
 
System Thinking - Making sense before acting
System Thinking - Making sense before actingSystem Thinking - Making sense before acting
System Thinking - Making sense before actingAndre Jankowitz
 
Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdf
Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdfStephane Nappo. January 2023. Top Cyber News MAGAZINE.pdf
Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdfStéphane Nappo
 
7 Secrets to Transform your Safety Communication Skills
7 Secrets to Transform your Safety Communication Skills7 Secrets to Transform your Safety Communication Skills
7 Secrets to Transform your Safety Communication SkillsDigicast Productions
 
Lorrach Mkt Res T3 Mis
Lorrach Mkt Res T3 MisLorrach Mkt Res T3 Mis
Lorrach Mkt Res T3 MisTonyversity
 
Business Analyst Documentation
Business Analyst DocumentationBusiness Analyst Documentation
Business Analyst DocumentationYaswanth Babu Gummadivelli
 
Balbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptxBalbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptxjjvdneut
 
Balbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptxBalbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptxjjvdneut
 
Team building tsunami
Team building tsunamiTeam building tsunami
Team building tsunamiFlora Runyenje
 
knowledge management document
knowledge management documentknowledge management document
knowledge management documentVishakha Choudhary
 
Business Analyst Interview Questions with Answers
Business Analyst Interview Questions with AnswersBusiness Analyst Interview Questions with Answers
Business Analyst Interview Questions with AnswersMaria FutureThoughts
 
What is an IANS CISO Workshop? Factor 1
What is an IANS CISO Workshop? Factor 1What is an IANS CISO Workshop? Factor 1
What is an IANS CISO Workshop? Factor 1IANS
 
How To Write Essays In English
How To Write Essays In EnglishHow To Write Essays In English
How To Write Essays In EnglishJulie Kwhl
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfCionsystems
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 

More Related Content

Similar to Communicating Security Risks to Management

Secure Texting Best Practices: Get Your Organization On Board
Secure Texting Best Practices: Get Your Organization On BoardSecure Texting Best Practices: Get Your Organization On Board
Secure Texting Best Practices: Get Your Organization On BoardqliqSoft
 
Risksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability ManagementRisksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability ManagementMighty Guides, Inc.
 
"From Insights to Action" by Andrew Vincent, a Revelation Great Research Thin...
"From Insights to Action" by Andrew Vincent, a Revelation Great Research Thin..."From Insights to Action" by Andrew Vincent, a Revelation Great Research Thin...
"From Insights to Action" by Andrew Vincent, a Revelation Great Research Thin...Revelation Next
 
Sales training for an IT consulting firm
Sales training for an IT consulting firmSales training for an IT consulting firm
Sales training for an IT consulting firmAllied Consultants
 
Engaging Advocates by Vertical
Engaging Advocates by VerticalEngaging Advocates by Vertical
Engaging Advocates by VerticalDon Currie
 
Disc 1_ Team 7.docx1Report 1 Behavior Based Safe.docx
Disc 1_ Team 7.docx1Report 1 Behavior Based Safe.docxDisc 1_ Team 7.docx1Report 1 Behavior Based Safe.docx
Disc 1_ Team 7.docx1Report 1 Behavior Based Safe.docxlynettearnold46882
 
Practical Experience with Christensen's Innovation Methodology JOBS(R) Jobs-t...
Practical Experience with Christensen's Innovation Methodology JOBS(R) Jobs-t...Practical Experience with Christensen's Innovation Methodology JOBS(R) Jobs-t...
Practical Experience with Christensen's Innovation Methodology JOBS(R) Jobs-t...vonreventlow
 
Enterprise Architecture in the Boardroom with Dragon1
Enterprise Architecture in the Boardroom with Dragon1Enterprise Architecture in the Boardroom with Dragon1
Enterprise Architecture in the Boardroom with Dragon1Dragon1 Inc.
 
System Thinking - Making sense before acting
System Thinking - Making sense before actingSystem Thinking - Making sense before acting
System Thinking - Making sense before actingAndre Jankowitz
 
Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdf
Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdfStephane Nappo. January 2023. Top Cyber News MAGAZINE.pdf
Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdfStéphane Nappo
 
7 Secrets to Transform your Safety Communication Skills
7 Secrets to Transform your Safety Communication Skills7 Secrets to Transform your Safety Communication Skills
7 Secrets to Transform your Safety Communication SkillsDigicast Productions
 
Lorrach Mkt Res T3 Mis
Lorrach Mkt Res T3 MisLorrach Mkt Res T3 Mis
Lorrach Mkt Res T3 MisTonyversity
 
Balbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptxBalbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptxjjvdneut
 
Balbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptxBalbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptxjjvdneut
 
Business Analyst Interview Questions with Answers
Business Analyst Interview Questions with AnswersBusiness Analyst Interview Questions with Answers
Business Analyst Interview Questions with AnswersMaria FutureThoughts
 
What is an IANS CISO Workshop? Factor 1
What is an IANS CISO Workshop? Factor 1What is an IANS CISO Workshop? Factor 1
What is an IANS CISO Workshop? Factor 1IANS
 
How To Write Essays In English
How To Write Essays In EnglishHow To Write Essays In English
How To Write Essays In EnglishJulie Kwhl
 

Similar to Communicating Security Risks to Management (20)

Secure Texting Best Practices: Get Your Organization On Board
Secure Texting Best Practices: Get Your Organization On BoardSecure Texting Best Practices: Get Your Organization On Board
Secure Texting Best Practices: Get Your Organization On Board
 
Risksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability ManagementRisksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability Management
 
"From Insights to Action" by Andrew Vincent, a Revelation Great Research Thin...
"From Insights to Action" by Andrew Vincent, a Revelation Great Research Thin..."From Insights to Action" by Andrew Vincent, a Revelation Great Research Thin...
"From Insights to Action" by Andrew Vincent, a Revelation Great Research Thin...
 
Sales training for an IT consulting firm
Sales training for an IT consulting firmSales training for an IT consulting firm
Sales training for an IT consulting firm
 
Engaging Advocates by Vertical
Engaging Advocates by VerticalEngaging Advocates by Vertical
Engaging Advocates by Vertical
 
Disc 1_ Team 7.docx1Report 1 Behavior Based Safe.docx
Disc 1_ Team 7.docx1Report 1 Behavior Based Safe.docxDisc 1_ Team 7.docx1Report 1 Behavior Based Safe.docx
Disc 1_ Team 7.docx1Report 1 Behavior Based Safe.docx
 
Practical Experience with Christensen's Innovation Methodology JOBS(R) Jobs-t...
Practical Experience with Christensen's Innovation Methodology JOBS(R) Jobs-t...Practical Experience with Christensen's Innovation Methodology JOBS(R) Jobs-t...
Practical Experience with Christensen's Innovation Methodology JOBS(R) Jobs-t...
 
Enterprise Architecture in the Boardroom with Dragon1
Enterprise Architecture in the Boardroom with Dragon1Enterprise Architecture in the Boardroom with Dragon1
Enterprise Architecture in the Boardroom with Dragon1
 
System Thinking - Making sense before acting
System Thinking - Making sense before actingSystem Thinking - Making sense before acting
System Thinking - Making sense before acting
 
Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdf
Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdfStephane Nappo. January 2023. Top Cyber News MAGAZINE.pdf
Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdf
 
7 Secrets to Transform your Safety Communication Skills
7 Secrets to Transform your Safety Communication Skills7 Secrets to Transform your Safety Communication Skills
7 Secrets to Transform your Safety Communication Skills
 
Lorrach Mkt Res T3 Mis
Lorrach Mkt Res T3 MisLorrach Mkt Res T3 Mis
Lorrach Mkt Res T3 Mis
 
Business Analyst Documentation
Business Analyst DocumentationBusiness Analyst Documentation
Business Analyst Documentation
 
Balbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptxBalbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptx
 
Balbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptxBalbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptx
 
Team building tsunami
Team building tsunamiTeam building tsunami
Team building tsunami
 
knowledge management document
knowledge management documentknowledge management document
knowledge management document
 
Business Analyst Interview Questions with Answers
Business Analyst Interview Questions with AnswersBusiness Analyst Interview Questions with Answers
Business Analyst Interview Questions with Answers
 
What is an IANS CISO Workshop? Factor 1
What is an IANS CISO Workshop? Factor 1What is an IANS CISO Workshop? Factor 1
What is an IANS CISO Workshop? Factor 1
 
How To Write Essays In English
How To Write Essays In EnglishHow To Write Essays In English
How To Write Essays In English
 

Recently uploaded

Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfCionsystems
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendArshad QA
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 

Recently uploaded (20)

Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdf
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and Backend
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number Systems
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 

Communicating Security Risks to Management

  • 1. Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Selling Security To Management One of the biggest complaints heard from security professionals is related to the fact that they feel that management does not understanding or properly appreciate the problems related to ensuring the security and privacy of their systems. As with all problems of this nature, this problem is the result of a failure to communicate with management. While I realize this is not your typical topic for a SANS discussion, it is important to our credibility as professionals because, if we cannot effectively communicate with th... Copyright SANS Institute Author Retains Full Rights AD
  • 2. © SANSInstitute2001,Authorretainsfullrights Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2001, As part of the Information Security Reading Room. Author retains full rights. 1 Selling Security To Management Jeff Hall GSEC Certification Practical Version 1.2e One of the biggest complaints heard from security professionals is related to the fact that they feel that management does not understanding or properly appreciate the problems related to ensuring the security and privacy of their systems. As with all problems of this nature, this problem is the result of a failure to communicate with management. While I realize this is not your typical topic for a SANS discussion, it is important to our credibility as professionals because, if we cannot effectively communicate with those who control our success, then we will continue to be relegated to our present role in the organization. The better we are able to communicate our issues to management, the more likely it will be that management will respond positively to our issues. This document will help you understand how to create presentations that will engage management and will discuss the common presentation pitfalls that befall technology people. Creating Great Presentations Great presentations do not just occur; they are the culmination of a significant amount of work. If you do not plan, then your presentation will not deliver the message that you are trying to communicate. Planning Planning of a presentation requires you to develop a topic to be presented. Barbara Minto wrote a seminal work on writing, thinking and problem solving logic in the mid-1980s entitled The Pyramid Principle. As a management consultant with one of the “Big 5”, this book and a related, internally developed training class was required for anyone in a management position within the Firm. Unfortunately, Ms. Minto’s book is no longer in print, but if you ever get a chance to obtain a copy, I would highly recommend that you take the opportunity to add it to your bookshelf. Ms. Minto argues in her book that effective communication of ideas is constructed like a pyramid. At the tip of the pyramid is the message or theme to be communicated. Underneath the tip of pyramid are the details in support of the theme that create the foundation of the message being delivered. The further you go down from the tip, the more detail that is offered. The Pyramid Principle goes on to discuss that the construct of a presentation can flow from top to bottom (summary of findings and recommendations and then a discussion of the details that support those findings and recommendations) or from bottom to top depending on the needs of the audience. For senior management presentations, the top to bottom approach is usually the best way to organize your document because it effectively provides an executive summary of your findings and recommendations and then allows for selective discussion regarding the details
  • 3. © SANSInstitute2001,Authorretainsfullrights Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2001, As part of the Information Security Reading Room. Author retains full rights. 2 that support your findings and recommendations. A bottom to top approach is typically used in the development of tutorials or training materials where ideas or concepts build on one another. The result of this process is a definition of your message or theme and an outline of the material you wish to present and the strategy you will use to present it. Research and Analysis Now that you have an outline, you need to give it substance by researching your subject and developing sound conclusions and recommendations. The problem most people face with this process is that there is typically an over abundance of information, but you only have so much time in which to present. However, now is not the time to worry about quantity, now is the time to get all of the quality facts that you can find. Focusing all of this information is done in the next step when we will edit it based on the needs of your audience. Using your outline from the previous step, gather together as much information related to your various points as possible. Make sure you gather information that may be contrary to your position, as you will need it for your analysis later in this step. The SANS GIAC practical assignment does an excellent job of describing the research effort. Once you have gathered all of your information, perform your analysis for the development of conclusions and recommendations. Do not be surprised if you find that some of your preconceptions regarding the topic to be misguided. Audience The next step in the process is remembering to focus on WHO is your audience. During this step, we will determine how to “filter” all of the information you’ve gathered to this point. A security professional’s audience is typically going to be a group of business executives with titles such as Chief Executive Officer (CEO), President, Chief Financial Officer (CFO), Chief Operating Officer (COO), Chief Information Officer (CIO), Chief Marketing Officer (CMO) and the like. To help you understand your audience, the following provides a brief description of each position’s responsibilities and potential influence on your presentation. CEO/President/General Manager – These people are responsible for the overall management of the company, division, subsidiary, etc. These people will have a varied background, but they typically come from the operations or finance areas and have shown a broad base of knowledge regarding the industry and the organization. Their focus will be on the big picture and they will rely on the other executives to provide their own perspective based on their area of expertise. Their interest will be in determining if the definition of the problem is appropriate, the analysis of the possible solutions are well thought out, and the recommendations make sense based on the analysis presented.
  • 4. © SANSInstitute2001,Authorretainsfullrights Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2001, As part of the Information Security Reading Room. Author retains full rights. 3 CFO/VP of Finance/Division Controller – These people are responsible for the financial well being of the organization. To dispel a popular myth, they are not always just “bean counters” concerned with every last expenditure. These people are also responsible for ensuring that the controls of the systems (manual and automated) are adequate. As such, you should make sure that your presentation provides information regarding how your recommendations improve the control environment. COO/VP Operations/VP Manufacturing/VP Distribution – These people are responsible for delivering the goods and services that your organization provides its customers and clients. Their primary focus is ensuring that the processes and procedures related to delivering goods and services are as efficient and effective as possible within the control environment. If you are recommending changes in policies and procedures, you will need to provide details on how those changes will either not impact operations or will improve other aspects of the operations of the organization. CMO/VP Marketing/VP Sales – These types of people are responsible for selling the goods and services of your organization. Their focus will be on making sure that your recommendations are not going to adversely affect sales. If your recommendations affect only non-sales users, these people will likely go along with your recommendations. However, if your recommendations affect customers or the sales force (a secure VPN for example), then these people will want to minimize the impact or possibly will argue that your recommendations are too onerous and should not be implemented. You need to remember the impact your solutions may have on customers and remote users. CIO/VP IS/Director IS – You should already have a good idea of this person’s role in the organization and this person should be your champion during the presentation. It is important that this person review and comment on your presentation prior to the actual meeting. This person can add insight into the internal politics between the previously mentioned players and can help you adjust your language so that it plays better to the audience. Mr. Lenny Laskowski has produced short document on how to focus this analysis. He has broken down the word audience as a memory aid. A nalysis – Who are they? How many will there be? U nderstanding – What is their knowledge of the subject? D emographics – What is their age, sex, educational background? I nterest – Why are they there? Who asked them to be there? E nvironment – Where will I stand? Can they all see and hear me? N eeds – What are their needs? What are your needs as the speaker? C ustomized – What specific needs do you need to address? E xpectations – What do they expect to learn or hear from you? If you can answer these questions, you should have a good understanding of your audience and what they will expect from your presentation and how to filter your information to meet their expectations.
  • 5. © SANSInstitute2001,Authorretainsfullrights Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2001, As part of the Information Security Reading Room. Author retains full rights. 4 Create A Draft At this point we now have identified and filtered the information that we want to use, but we still have not really created the presentation. Now is the time to put your thoughts together in PowerPoint, Word or whatever you use for your presentations. Using your outline, the information you have gathered and the information filters you have identified, you now need to actually develop the presentation. Forget about the amount of time you have to present, just get your thoughts on paper. We will edit the content after the draft is completed and has been reviewed. If your organization has a standard presentation template, USE IT! Nothing helps you fit in than making your presentation look and feel like all other presentations created by your organization. If your organization does not have a standard template, Ms. Ann Agee of George Mason University has developed a set of rules for formatting a presentation. § You should have no more than six to eight words per line. § No more than six to eight lines or 50 words per slide. § Use only two fonts throughout your presentation. Ms. Agee suggests a serif font like Times Roman for page titles and a san serif font like Ariel for the body of your presentation. § Fonts should be no smaller than 24 point to ensure your slides are legible when projected. § Use graphics to make a point or enhance your analysis, but be careful to balance your graphics on the page. § Avoid special effects such as screen wipes and sounds. They will give the appearance that your presentation is more show than go. § ALWAYS spell check your presentation. Not once, but every time you make changes – make sure you spell check it prior to finishing your PowerPoint session. In this day and age, there is no excuse for poor spell and grammar. Edit For Time Now that you have your draft created you can now edit it for the amount of time you have to present. A good rule of thumb is each slide takes one to two minutes to present. Also plan for questions either throughout your presentation or at the end of the presentation. Another good rule of thumb is 10 minutes of questions for every hour of presentation. In the beginning, you will probably find this part of the process the hardest to deal with. After all, you have all of this good information, but you cannot share it all with your audience. If you find that you are having difficulty with the editing, save your presentation and walk away from it for a while. When you come back you will be amazed at how well you will be able to trim it down. A Second Set Of Eyes
  • 6. © SANSInstitute2001,Authorretainsfullrights Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2001, As part of the Information Security Reading Room. Author retains full rights. 5 Another key to a great presentation is to get a second set of eyes to review your presentation. Your second set of eyes should not be your buddy in the cubicle next to you; you should get your mentor or their mentor to review your presentation. They can provide you further input regarding further clarification that may be required, further editing for time and the all-important editing for political correctness. Practice Now that you have a presentation, you need to get comfortable with it. It does not matter how you practice, but you need to practice. If you are not comfortable with public speaking, then you will want to have a lot of practice. The key is to practice until you are fully comfortable with the flow of the presentation and the information you are presenting. Technology Presentation Pitfalls The following is a list of presentation pitfalls and potential solutions that I have accumulated over my 25+ years of management consulting. This is not a complete list, but I believe that it covers a significant number of the presentation sins that I personally have committed or have seen committed over the years. 1. Techno-babble and Acronyms There is nothing more uncomfortable to any audience than unfamiliar terms used in documents and presentations. The next most uncomfortable thing to an audience is a speaker who assumes that they should know the terminology. The key to avoiding this pitfall is to remember WHO your audience is and WHAT their comfort level is with the topic being discussed. If you are not sure about the audience’s level of understanding, then take some time to explain the technology and the terminology. If necessary, include a Glossary Of Terms as an appendix to your presentation as a future reference. 2. Expert Myopia All subject matter experts suffer from “expert myopia”. This is not a bad thing, but it is something that every person needs to be aware. Every person has some area of knowledge where they are the perceived experts and as that expert, they tend to be very focused on that topic and assume some level of understanding of their expertise from others. However, where things go awry is that we, the experts, typically assume a greater level of understanding because of questions or discussions with our audience. When answering questions in your area of expertise, take a step back and politely probe the audience’s comfort level with the topic so that you can appropriately discuss the topic with the correct level of detail and background. 3. Failure To Practice
  • 7. © SANSInstitute2001,Authorretainsfullrights Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2001, As part of the Information Security Reading Room. Author retains full rights. 6 Very few people can just get up in front of a group and speak off the cuff. However, speaking extemporaneously is not what a professional does. A professional practices their speech over and over. These practice sessions can range from just repeatedly going over the presentation in their head to practicing their presentation in front of a mirror. The key to addressing this area is to find a method of practicing your discussion so that you are comfortable with your delivery and your gestures. The more comfortable you are, the more comfortable your audience will be during your presentation. 4. Forgetting Your Audience’s “Hot Buttons” There are reasons or “hot buttons” that has prompted management to request your presentation to them. As the expert, it is your job to make sure that you find out those reasons. Everyone has or should have a mentor that is higher up in the organization. Go to your mentor and find out the reasons for your presentation. If your mentor does not know the reasons, prompt them to go to their mentor for the reasons. Once you have the reasons for your presentation, take those reasons and incorporate them into your presentation. When giving your presentation, focus on those “hot buttons” by consistently tying your discussions to the “hot buttons”. 5. Humor Humor is a tough subject. Some people are good at telling a joke and some people are not. If you are one of those that cannot tell a joke well, then a presentation is not the place to inject humor. And it is definitely not the place for using humor if this is one of your first presentations. If you are going to use humor, make sure it is relevant to your topic and presentation, the humor is not off color and the humor does not embarrass the audience. Remember that like a stand up comic, sometimes the room is just tough and your humor may not solicit a laugh from your audience. Hopefully this document has given you some ideas on how to improve your presentation skills and get your ideas across.
  • 8. © SANSInstitute2001,Authorretainsfullrights Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2001, As part of the Information Security Reading Room. Author retains full rights. 7 Bibliography Creating A Great Presentation, Anne Agee, September 1998, http://www.irc.gmu.edu/scampbel/aagee/aagee.html A.U.D.I.E.N.C.E. Analysis - It’s Your Key To Success, Lenny Laskowski, 1996, http://www.ljlseminars.com/audience.htm Gathering Information & Materials, Lenny Laskowski, 1997, http://www.ljlseminars.com/gather.htm Speech Preparation As A Process, Lenny Laskowski, 1997, http://www.ljlseminars.com/gather.htm Elements Of An Effective Speech, Lenny Laskowski, 1997, http://www.ljlseminars.com/elements.htm Overcoming Speaking Anxiety In Meetings And Presentations, Lenny Laskowski, 1996, http://www.ljlseminars.com/anxiety.htm The Minto Pyramid Principle: Logic In Writing, Thinking and Problem Solving, Barbara Minto, ISBN: 0960191046, May 1996
  • 9. Last Updated: January 29th, 2013 Upcoming SANS TrainingClick Here for a full list of all Upcoming SANS Events by Location SANS Scottsdale 2013 Scottsdale, AZUS Feb 17, 2013 - Feb 23, 2013 Live Event SANS Belgium 2013 Brussels, BE Feb 18, 2013 - Feb 23, 2013 Live Event RSA Conference 2013 San Francisco, CAUS Feb 24, 2013 - Feb 25, 2013 Live Event SANS Secure Singapore 2013 Singapore, SG Feb 25, 2013 - Mar 02, 2013 Live Event SANS Egypt 2013 SEC560 Cairo, EG Mar 02, 2013 - Mar 06, 2013 Live Event SANS South Africa 2013 Johannesburg, ZA Mar 04, 2013 - Mar 09, 2013 Live Event SANS 2013 Orlando, FLUS Mar 08, 2013 - Mar 15, 2013 Live Event SANS Secure Canberra 2013 Canberra, AU Mar 18, 2013 - Mar 23, 2013 Live Event SEC573 Python for Pen Testers Washington, DCUS Mar 18, 2013 - Mar 22, 2013 Live Event SANS Monterey 2013 Monterey, CAUS Mar 22, 2013 - Mar 27, 2013 Live Event SANS Abu Dhabi 2013 Abu Dhabi, AE Mar 23, 2013 - Mar 28, 2013 Live Event SANS Delhi 2013 New Delhi, IN Apr 01, 2013 - Apr 12, 2013 Live Event SANS Northern Virginia 2013 Reston, VAUS Apr 08, 2013 - Apr 13, 2013 Live Event SANS Secure Europe 2013 Amsterdam, NL Apr 15, 2013 - Apr 27, 2013 Live Event SANS Cyber Guardian 2013 Baltimore, MDUS Apr 15, 2013 - Apr 20, 2013 Live Event SANS CyberCon Spring 2013 Online, VAUS Apr 22, 2013 - Apr 27, 2013 Live Event AppSec 2013 Austin, TXUS Apr 22, 2013 - Apr 27, 2013 Live Event SANS CDK Seoul 2013 Seoul, KR Apr 22, 2013 - Apr 27, 2013 Live Event Critical Security Controls International Summit London, GB Apr 26, 2013 - May 02, 2013 Live Event North American SCADA and Process Control Summit 2013 OnlineFLUS Feb 06, 2013 - Feb 15, 2013 Live Event SANS OnDemand Books & MP3s OnlyUS Anytime Self Paced