My father was the superintendent of the public school district where I grew up in Missouri. He was a very hands-on type of leader; when he was not filling out forms, writing reports, making plans, or in meetings he was out in the hallways seeing what was up with the students and teachers and making sure that all was well. And then the evenings were busy with basketball games, concerts or other school events. Those school employees, parents and students that were able to talk with him during opportune times in the hallway or in the bleachers during time-outs, and get their concerns or points stated succinctly and clearly, made a positive impression with my dad. He appreciated that they communicated their ideas and concerns clearly, and got right to the point.
If you had an opportunity to speak for a few minutes with your CEO, CFO, or other CxO, would you be prepared to communicate succinctly and clearly your concerns and state your points regarding the importance of your information security and privacy initiatives?
I’ve seen many very knowledgeable and talented information security and privacy practitioners who have had golden opportunities presented to them in elevators, in the corporate cafeteria line, and while walking to the parking garage to make an impression on their executives about the importance of information security and privacy, but when the executives asked the question, “How’s everything going in your area?” they stumbled or were caught off guard and said something like, “Um, oh, well about as good as can be expected, I guess.” Immediately followed by silently kicking themselves at the missed opportunity.
Over the years I’ve heard some common themes running with regard to what CxOs want to know about information security and privacy efforts within their organizations. These include:
1. What are the personal risks that business executives face if they fail to implement effective security controls or do not comply with data protection regulations?
2. What approach should business leaders take to start an effective risk management program?
3. What are some of the most common ways that information is leaked or compromised?
4. What should we do to secure mobile data?
5. What should we do to keep personnel from making mistakes or doing malicious activities?
Would you have a short, succinct 30-second (give or take) answer ready for each of these when the opportunity presents itself?
I wrote about this in the November CSI Alert, “Elevator Speeches for Business Leaders;” providing a discussion for why each of these issues are important to your business leaders, along with an example elevator speech for each that I have used or would use.
Of course your elevator speech will differ based upon your own personality and your organization’s environment and culture. However, I hope that my examples will give you some ideas for creating your own elevator speeches.
Let me know what you think! Let me know what additional topics are important for you in your organization, or what different kind of communication approach you would take in 30-seconds to make an impact on your CxO.
Tags: awareness and training, Information Security, IT compliance, policies and procedures, privacy, privacy breach, privacy incident, risk management, security risk, security training