Saturday, September 17, 2016

What does it mean to give a security presentation on Cyber Threat Intelligence at the CIO level?

A team of cybersecurity experts was recently asked to explain the results of their research in Cyber Threat Intelligence to a CIO panel. Thirty minutes was set aside in a meeting for the presentation and Q&A. They spent seven of those minutes running a simulation of a scan. The CIO asked them to terminate the presentation and leave the room. She turned to the director for cybersecurity and said, "Reschedule, but only after you have explained how to give a presentation to executives."

Problems should always be categorized as common cause (happens a lot) or special cause (once in a lifetime). Sadly, poor security briefings are common cause.

As Toolbox puts it:

During my career I've seen security presentations evolve from symbols chiseled on rocks, to puppet shows, to large paper pads on easels, to vector-graphic infested PowerPoint presentations, to cinematic-quality 720p slideshows.

And they still stink.

Two suggestions that the author makes are:

  • Keep the number of slides to an absolute minimum. I use a "1 for 2" rule (and even that is generous) - one slide for each two minutes of speaking.
  • Sell, baby sell. Sell the message of your presentation. It should be very clear in your last few minutes of your presentation because you used the outline format I recommended, right? Keep your summary clean, clear, and to the point. I always find that ending on a humorous note tends to garner much higher scores on post-presentation scorecards.
NOTE: Keep in mind that the most important thing to sell is yourself; people do business with people they trust and hopefully like.

CIO magazine points out that senior executives are concerned with strategic issues and may be irritated by technical and tactical presentations. The article goes on to say:

Just as your message should be succinct, so should the supporting visuals. One common mistake CIOs make is dumping every piece of data they have into a PowerPoint presentation and dragging the board through every bit and byte.

Stephanie Woiciechowski, a member of the GIAC Advisory Board, has this to say about strategic thinking:

Having been a hands-on bits + bytes person, the strategic perspective is something I just began to understand a few years ago because "strategy" when you're hands-on and focused on your job means something different to you than it does to the C-level types.

I tried to listen to advice and present a strategic perspective but I didn't know enough about how my team fit in the larger picture and what that larger picture was. It's hard to understand how the details you find fascinating aren't strategic at the C-level and it's hard to understand how the C-levels can make strategic decisions when they don't understand the details.

Senior executives like the CIO are involved in the organization's strategic planning process. There are many definitions of strategic planning, but a common one is the set of strategies to achieve the organization's vision for two to five years from now. Tactical thinking, which is common among cybersecurity professionals, concerns the activities to be accomplished between now and a year from now. It is completely true that the strategies that make up the strategic plan depend on tactical activities. However, senior executives are responsible for more than cybersecurity; they have to lead the entire business. When briefing them about tactical activities, be sure to tie the discussion to the strategies of the business. As Robert Maughan puts it, "The single most important thing to remember is 'What is the benefit for the company?' Stop talking about features of the solution and focus on what it will deliver."

This Harvard Business Review blog post summarizes all the tips succinctly.

A SANS Reading Room paper by Jeff Hall suggests using the pyramid principle. If you have ever heard me teach, you know that I start a new section by saying, "Let me tell you the bottom line first." The tip of the pyramid is the message or theme to be communicated. Underneath the tip are the supporting facts. The further down you go, the more detail is offered. When briefing senior management, expect to brief the tip and the first level down, and conclude by restating the tip. However, be prepared to answer questions on any part of the pyramid.

Anticipating questions is an important part of presentation preparation. As pragmaticcloud suggests:

When preparing for a meeting or presentation it is also beneficial to view things from the senior managers' perspective and try to anticipate questions they may ask. For example, if preparing for a presentation ask yourself what questions may be asked about each and every slide, and about the presentation or topic overall. Then prepare answers, in executive summary form (less is more), for each of the questions. It is amazing the difference this can make in the level of confidence you will have in yourself, and the executives will have in you in return.

NOTE: Anticipating questions is extremely important, but don't forget to prepare to address objections as well.

Three weeks later the team of security researchers returned to the boardroom. Their presentation was better, but the question handling was still below par. The CIO's first question was about the business case: "So, you've identified a problem and devised a solution. Quantify, or qualify, the risk for me vis-à-vis the cost of fixing it. Is this worth doing?"

The researcher who gave the presentation identified a range of possible motivations and actors, and offered an overall recommendation to configure the system to log and report significant events, followed by analysis and correlation, including a deep dive if indicators are seen. He proposed only one course of action, with no alternatives (better, quicker, cheaper, more risky, whatever) on offer. He could not offer any real sense of the cost of the problem vs. the cost of the fix.

The second researcher identified a potential ideological motivation by way of the presence in Indonesia of GIAC Enterprises, the largest provider of fortune cookie sayings in the world. He also identified the potential to modify fortunes to put out a hacktivist message. His recommendation went down a Cyber Threat Intelligence road, in that he proposed to use this methodology to figure it out and devise an incident response plan. This offered course of action went into zero detail and didn't explain what CTI was beyond, apparently, a silver bullet with no cost and no risk.

After they left the room, the CIO turned to the director for cybersecurity and said, "Can you work with your people to find out: what you are proposing might be an ideal solution, but is there possibly an easier or cheaper option that could be acceptably effective? (Alternatively, if they have identified a minimal solution, 'How would the ideal solution look and what would it require?') Please write up a one-page paper summarizing the information and send it to me."

The entire ordeal changed the director for cybersecurity's perspective. He began to study the art of presenting to executives. One article he found stated, "Executive boards are always looking to answer the question 'how secure are we?'" So he created a presentation that answered that question, kept it up to date, and stayed prepared to address the question in ten minutes or less. When GIAC Enterprises finally grew to a size where they were ready to create a CISO position, he was offered the job.

  1. While the concept is right on, I think that the case you use still leaves many techies to wonder "well, I thought I was doing that?" Most technically oriented folks who make the jump to management levels have little or no experience in actually addressing business concerns.

    Security is only one small part of the overall business, and the C-suite needs to consider it all. If we are to properly solve problems and sell our solutions, we need to speak in their terms.

    In order to teach our technologists how best to present at these levels, we may need to present them with a checklist type of job aid. Such as:

    1) what is the issue to the business
    2) how likely is it that we will experience this
    3) what do you suggest we do about it
    4) what are some other options we should consider
    5) restate the initial business problem highlighting the attributes that are security related, and stressing the solution set
    6) allow for questions that may dive deeper than anticipated as far as costs, resources, timelines etc.

    I believe that if we use this type of formulaic approach, we can be prepared for the 20 minutes of questions that follow, rather than trying to answer twenty minutes of questions at the beginning by giving too much "security stuff". This type of job aid calls for 6-7 slides, and minimizes the "security stuff" while maximizing the business value, risk and solution set we recommend.

  2. I think Stephanie has hit on an important principle. The communications between the BOD and IT Security folks need to be done in the "language" of the BOD. This requires some effort on behalf of the Security folks.

    I wrote a LinkedIn article addressing this in more detail at the following link: