William Hill CISO: Think more like a marketer
'When we're talking to the board, we are marketing our product to our customers'
Getting the board to support security initiatives is a perennial challenge, but in order to succeed, CISOs and security managers need to borrow some tricks from the marketing trade.
That's according to Killian Faughnan, the group CISO for betting company William Hill.
Speaking at London's InfoSecurity Europe convention, Faughnan highlighted the challenges that security professionals can face when obtaining buy-in, and how treating it like a marketing exercise can help overcome them.
"What we're doing when we're talking to the board is we're marketing a product to our customer," Faughnan said. "Security is our product."
He stressed that while security often things about 'the board' as a single, homogenous entity (more akin to the Borg), board members are all individuals with their own distinct attitudes and priorities. As such, he said, understanding what motivates each individual board member can be the key to getting your message across.
"Board members are people too... they're not homogenous institutions. The board isn't an individual; it's a collection of people who have different views on what success looks like. They have different goals, different ambitions [and] different objectives," he said.
One of the common traps that security personnel fall into when selling to the board is the temptation to overcomplicate their pitches. In particular, Faughnan warned against overloading slide decks with infographics, graphs and data, stating that if there's too much concentrated information, board members often glaze over.
"Part of knowing your customer is that you should know they only have 15 minutes. Even if you've got a half-hour slot, by the time you get 10 to 12 minutes in, they're responding to email or doing something else, because these are busy people."
"Data has its place," he said, "but that place is mostly in your dashboards... because your job is to take that data and cut it down to something meaningful.
Faughnan's advice was to keep pitches short and sweet. He recommended picking the three most important messages you want to deliver, simplifying them as much as possible, and focusing on those. The ideal slide deck, he said, consists of one slide: a block of green, yellow or red, depending on how well the company's security posture is.
"Obviously, we're never going to get to one slide," he admitted, "but we should be aiming for it."
What you need to know about migrating to SAP S/4HANA
Factors to assess how and when to begin migrationDownload now
Your enterprise cloud solutions guide
Infrastructure designed to meet your company's IT needs for next-generation cloud applicationsDownload now
Testing for compliance just became easier
How you can use technology to ensure compliance in your organisationDownload now
Best practices for implementing security awareness training
How to develop a security awareness programme that will actually change behaviourDownload now