William Hill CISO: Think more like a marketer

'When we're talking to the board, we are marketing our product to our customers'

Getting the board to support security initiatives is a perennial challenge, but in order to succeed, CISOs and security managers need to borrow some tricks from the marketing trade.

That's according to Killian Faughnan, the group CISO for betting company William Hill.

Speaking at London's InfoSecurity Europe convention, Faughnan highlighted the challenges that security professionals can face when obtaining buy-in, and how treating it like a marketing exercise can help overcome them.

"What we're doing when we're talking to the board is we're marketing a product to our customer," Faughnan said. "Security is our product."

He stressed that while security often thinks about 'the board' as a single, homogenous entity (more akin to the Borg), board members are all individuals with their own distinct attitudes and priorities. As such, he said, understanding what motivates each individual board member can be the key to getting your message across.

"Board members are people too... they're not homogenous institutions. The board isn't an individual; it's a collection of people who have different views on what success looks like. They have different goals, different ambitions [and] different objectives," he said. 

One of the common traps that security personnel fall into when selling to the board is the temptation to overcomplicate their pitches. In particular, Faughnan warned against overloading slide decks with infographics, graphs and data, stating that if there's too much concentrated information, board members often glaze over.

"Part of knowing your customer is that you should know they only have 15 minutes. Even if you've got a half-hour slot, by the time you get 10 to 12 minutes in, they're responding to email or doing something else, because these are busy people."

"Data has its place," he said, "but that place is mostly in your dashboards... because your job is to take that data and cut it down to something meaningful."

Faughnan's advice was to keep pitches short and sweet. He recommended picking the three most important messages you want to deliver, simplifying them as much as possible, and focusing on those. The ideal slide deck, he said, consists of one slide: a block of green, yellow or red, depending on how good the company's security posture is.

"Obviously, we're never going to get to one slide," he admitted, "but we should be aiming for it."
