Techniques that the average hacker and information security specialist can use to communicate with C-level executives.

1. 1
proudly presents at

2. 2
Hackers Are from Mars;
CxOs Are from Jupiter
Rob Havelt
Director of information Governance, Risk and Compliance (iGRC)
infoedge LLC

3. 3
• A background as a packet monkey,
wireless geek and leader of a
pretty big pen test team
• A hacker and technologist who
bleeds ink from all those tested pens
• A director of iGRC for a management
consulting firm called infoedge LLC
Rob is decidedly from Mars

4. 4
Denizens of the boardroom and the SOC
A rift often exists between the denizens of the boardroom and the SOC,
who each inhabit different worlds.

5. 5
Denizens of the boardroom and the SOC
They don’t think, communicate or process information the same.

6. 6
The title of this talk isn’t arbitrary; the
planet names are significant.
Beyond simple lexicon

7. 7
• God of war
• Protector of agriculture
• Guardian of populace
M
ARS

8. 8
• Lightning bringer
• Controlled the realm
• Father of Gods
JUPIT
ER

9. 9
Why bother knowing this?
Fair question.

10. 10
Why bother knowing this?
Fair question.
I’d rather be taking apart an ATM,
developing exploits or getting root.

11. 11
As a director at
a technical firm
for many years,
I thought I knew
a decent amount
about the business
layer until I left
that bubble and
entered theirs.

12. 12
Then everything
changed...

13. 13
I realized that words
and concepts meant
completely different
things to a CPA
than an engineer.

14. 14
Like any hacker,
I wanted to pull
things apart, see
exactly how it
worked and know
the rules.

15. 15
What’s in it for hackers?
• Leave “the bubble”
• Communicate clearly to get your funding
• Hack “the rules” to get your way

16. 16
Disregarding bold ideas
• Ideas for solving non-technology
problems are often non-starters
• They aren’t bad ideas but lack business
context (metrics, operationalization,
optimization, planning)
• They also lack visualization of how
they contribute to the company
(mission, vision, goals, objectives)

17. 17
Don’t let good ideas stagnate
due to presentation.

18. 18
All Other Business Levels
Board of Directors
Jupiter Players
Other Players
(CIO|CMO|CCO|CTO)
Company Management
(CEO|COO|CFO)

19. 19
What about the CISO?
• Chief Information Security Officer (CISO)
or Chief Security Officer (CSO)
• Has the least secure position
in the organization
• Is the person who takes the fall
for the inevitable breach
• Knows heshe will take the fall
• Accepts impermanence as part
of the job description
CISO?

20. 20
Keep the following in mind
when strategizing on how to
present to these players.

21. 21
Executives have unique
expectations and priorities
• Do some homework to find out what those priorities are
• Prepare to cycle through a few
contexts to see what resonates

22. 22
Executives have limited time
and demand clarity
• Deliver key messages up front
• Have a plan A, B, C and D in your pocket

23. 23
Executives require
high-level communication
• Use graphical models whenever possible
• Use pre-reads and handouts

24. 24
How do hackers align CISO/CSO
InfoSec expectations?

25. 25
Align your message with
business risk strategy
• Understand the risk appetite of the organization
• Make a proposal that enables business decision-making

26. 26
Satisfy cyber security
risk concerns
• Cyber risk is one of the top three boardroom
concerns, and therefore an executive concern
• Other concerns include current risks,
emerging trends and strategy

27. 27
Use effective storytelling
• Know what impression you want to leave
behind/story you want to tell
• What outcome do you want?

28. 28
Take the time to refine your message.

29. 29
Tell a story that aligns
with your objective
• Facts and data are great, so use them
• Ensure your data can stand on its own
• Connect the dots to tell a compelling story
• Socialize your story ahead of time

30. 30
Paint a complete picture
without raising alarms
• Risk management is about both opportunities and threats
• Don’t exaggerate and negatively impact your
credibility; expect counter information to exist
• Any counter information can destroy your credibility

31. 31
Communicate risk and
provide clear parameters
• Terms like “high risk” are open to interpretation
• Use frequencies rather than percentages
• People respond differently when you allow a
comparison of how often an activity is undertaken

32. 32
Constructs management loves
• Corporate dialogue
• Analytics
• Process flows
• Value propositions

33. 33
Learn these constructs to help you
present your ideas more effectively.

34. 34
Learn your corporate dialogue
• Technological talk actually makes sense to the initiated
• Terms have definitions, acronyms all stand
for something and they are defensible
• “Corpspeak” has to be made up; what do
words like “operationalization” even mean?

35. 35
Analytics
• Measure everything...even if your approach
to measurement is unique
• Gather real, obtainable measurements
• If you can’t directly measure something on its own
scale, compare it to something similar, e.g. BSIMM
• Look to someone with “Auditor” in their title to
learn how to do this in your organization

36. 36
Process flows
• Arrange into corresponding swim lanes
• Number all steps
• Have descriptions for all artifacts
• Include an input and output for each block

37. 37
Value propositions
• Straightforward yet hard to do
• Must start with business issues
• Focus on threats and opportunities in a risk context
• Define what you want and the impact it will have
• End with what people will get out of it

38. 38
Tying it all together
• Both sides have different concerns, focus and drivers
• People working towards the same objective
can approach it in vastly different ways
• Bridge the gap by taking an objective look
at your players and their risk drivers
• Frame the issues that are most critical
for the C-suite to understand

39. 39
Questions?

40. 40
Rob Havelt
Director
information Governance, Risk and Compliance (iGRC)
infoedge LLC
rob.havelt@infoedgellc.com
@dasfiregod
About infoedge LLC
infoedge helps you improve business strategy, accelerate innovation and manage
risk, so you can succeed in the information economy.