7 Tips for Talking to Executives about Security

Nov 17, 2019

In my last article, I mentioned briefly that it’s important to have executive support for your security initiatives. Because it’s such a crucial aspect to the success of your security program, I wanted to expand on the subject in this week’s installment of AppSec advice. Below are some practical tips to help you be more effective when talking to executives about security.

1. Remember, they’re busy.

You’re more likely to get a positive response if you ask for 15 minutes of their time, rather than an hour. Executives have a lot going on, and even if they already care about security, your time with them will probably still be limited. Challenge yourself to get your pitch down to 15 to 20 minutes. 

At the end of the meeting, be sure to explicitly thank them for their time. This shows respect, even if the meeting doesn’t go your way. (As with a lot of the advice in this article, this is a good practice no matter who you’re talking to!)

2. Speak from their perspective.

Start with understanding what is important to them. For most executives, the top priority is most likely the bottom line. Remember, this isn’t a bad thing. The company needs to make money so that everyone can keep their job. 

From an executive’s perspective, security initiatives are often seen as an impediment to progress, and that does everyone a great disservice. Your challenge, should you choose to accept it, is to paint security in a different light. We’re like insurance — you need to have it to prevent devastating losses that put the company out of business. 

As I mentioned last week, the average cost of a data breach is $3.92 million. That’s the average! The more sensitive data you have, the higher the cost. Juxtapose this number with the cost of any security improvements that you’re proposing. It’s easier to convince them to shell out $300,000 for a new tool when you’re trying to prevent a loss in the millions.

3. Watch the “non-verbal” communication.

You want to make a good impression and non-verbal communication is a big part of that, if only subconsciously. Here are some tips for knocking it out of the park:

  • Dress a level nicer than you usually do for work. In many tech companies, the atmosphere is fairly casual, but I still wouldn’t recommend showing up to a meeting with an executive in a hoodie. 
  • Smile! As long as it’s appropriate. If you’re informing the CTO about a data breach, maybe not. 
  • Be aware of your body language - sit up straight and avoid crossing your arms. 

This goes both ways, of course. If you watch the body language of the person you’re talking to, it will give you some clues about how well you’re communicating.

  • Furrowed brows: they are either confused, worried, or upset.
  • Arms crossed: they’re likely not receptive to what you’re saying.
  • Leaning backwards: a subconscious communication that they are feeling defensive.
  • Playing with their phone: Sorry, but you’ve totally lost their interest. 

For bonus points, you can build rapport with the person you’re talking to by occasionally mimicking their body language. This communicates to their subconscious mind that you’re on the same page. Just don’t make it obvious! 

4. Stick to the facts. 

If you’re anything like me, you are passionate about security. This is great, but remember to keep your emotions in check. Facts tend to be more persuasive than the most ardent speech. 

Stick to what no one can argue with. If you’re speaking about an incident, detail exactly what happened and the root cause without blaming anyone in particular. If you’re giving an update about the state of security, the number and severity of open vulnerabilities is a good place to start.

Keep in mind that we humans are really bad at intuitively evaluating risk. Suppose you say something like, “If we don’t fix this SQL Injection, someone could steal all the data in our database!” You and I know the likelihood of that happening, but someone who isn’t familiar with the issue is likely to underestimate the risk. Use statistics whenever possible to make the risk more concrete. For example, a report from Akamai shows that SQL Injection represents nearly two thirds (65.1%) of all web application attacks. That’s more convincing, right?

5. Visualize as much as you can.

This goes back to point #1 - they’re busy! I learned early on in my career that executives tend to love graphs and charts, so do what you can to visualize the data. Data visualization software (e.g. Tableau, Power BI) makes this easy for you. It doesn’t have to be pretty — it just needs to make your point clearly.

Some ideas for charts and graphs:

  • WAF statistics showing blocked attacks over time
  • Open vulnerabilities by severity and age
  • Vulnerabilities broken down by product

If you can’t do that, also consider that visual analogies are highly effective when you’re trying to influence someone. Computer security is a very hard thing for anyone to visualize. It is just a bunch of 1’s and 0’s when you get down to it. But an effective analogy — especially one that creates a picture in the mind — can be a game changer. For example, if someone asks why they have to fix SQL injections when you have a WAF, you could say “A WAF is like a goalkeeper in hockey. It’ll block a lot of stuff but sometimes it lets things through.” 

6. Have a solution for every problem. 

Be prepared when the executive asks, “So, what do we do about it?” You want to make sure you have a clear, concise answer ready. Keep in mind, they may have other ideas, but since you’re the security expert, they will expect you to know what to do.

7. Have an answer for every question.

I know this sounds impossible, but there is usually a pattern to the kinds of questions you’ll get from the bosses. Some common questions from executives include:

  • “What does success look like?” - Be clear ahead of time what the specific outcome is. Keep in mind not only measurable goals, but also the benefits of success.
  • “How much will it cost?” - If you want them to take you seriously, don’t ever go into a meeting with an executive without knowing the answer to this question!
  • “How much time will it take?” - Same thing. Time is money. Further, make sure you hit the deadline you set in that meeting. Keeping your word is at least 70% of the battle when building trust.*
  • “What do you need to make it happen?” This is your chance to ask for their vocal support, along with anything else you might need.

I hope that you’ve found this helpful! Now go put these things into practice, and get support for your security program. You’re doing important work, fellow security people! If you liked this, be sure to subscribe for more updates!

 

*This is not based on any scientific studies. I pulled that number right out of my hind quarters.

Originally published on LinkedIn.
