How to Talk to Management About Security: Part 3 of 3 – Guest Blog

Welcome! Please comment and leave me a note telling me what you like and what you'd like to see more of. Sign up to my RSS Feed!
This entry is part of a wonderful series, Talking to Management»

In this third and final Installment, Chris Hayner sums up his recommendiation on


How to talk to management about security

Specific strategies for talking security

So it’s finally time to ask for approval for your project. What are the best ways to get your ideas across?  How can you get show senior management the importance of your project without alienating or boring them to death? Here are a few essential elements of a successful business presentation.

You should:

  • Speak clearly and explain the issue in basic terms. Do not try to impress them with technical language.
  • Avoid business language as well. Managers talk to one another in Management Speak. If you start spouting off about ‘revolutionary’ ‘shift paradigms and the like, you will just come off as patronizing.
  • Stress that information is the life blood of an organization. Protecting customer data, employee data and intellectual property has got to be a priority.
  • Remind them that the majority of security issues come from within the enterprise. This is often a glaring hole in the security structure that is easy to overlook from the boardroom. This can get managers interested quickly, providing a springboard into the rest of your presentation.
  • Identify project goals and attempt to define ROI.  No manager on earth will sign off on a project that doesn’t have concrete goals to justify the cost of the project. Try to include charts and graphs, if applicable, as graphical information is easier to digest than abstract numbers.
  • Show case studies of where security failed, and what it cost other organizations. This will remind managers that while no one ever got a raise for not getting hacked, plenty of people have been fired for security breaches occurring on their watch.

Be prepared to back up your assertions with data and case studies, but don’t fill a presentation with needless slides just to fill time.  Be prepared to answer questions, and try to anticipate as many as possible. Practice your presentation so you don’t stumble or lose the flow.  All senior managers are by necessity practiced speakers, and you need to sound professional in their company.



How to Talk to Management About Security: Part 2 of 3 – Guest Blog

This entry is part of a wonderful series, Talking to Management»

Today we will continue with Chris Hayner’s guest ‘blog on how to talk to Management about security:


How to talk to management about security, Part 2

Understand **how** to talk to management

So what is the ‘proper’ way to talk to management? How can you explain the importance of what you’re asking in an engaging and informative way? It is possible if you wed the technical benefits to the business objectives using examples, case studies and plain language. Many of

the following points relate to general professional conduct and talking to management in general. When you are presenting to upper management, you are being evaluated as much as your idea.

You should:

  • Establish a comfortable rapport with your managers beforehand, and speak up during their meetings. Talk enough, and people will start to look to you for opinions.
  • Establish a good reputation. Be seen as a hard worker with a record of positive past contributions. Management needs to know that you are speaking from a position of proven judgment and technical authority.
  • Make a stronger case for implementing your plan by obtaining the support of others in your organization. This is especially true if you can find a sympathetic manager or VP who can use their clout to help you get approval.
  • Present them a strategy that is compelling and well thought out. Know the strengths and weakness and be able to answer any and all questions they may have. Show them something that they will want to buy.
  • Don’t waste their time. Managers have a lot on their plates. Don’t engage them on a topic until you understand it completely yourself, and don’t waste their time with anything off topic.


One final point about getting coworkers opinions on your idea: It is possible that your coworkers will say that the idea is not good, or not suitable for your enterprise. This is also valuable because it will prevent you from damaging your reputation by bringing a bad idea to the attention of your manager.

In the final part of this series, we will talk about the specifics of your security presentation, and how best to sell a difficult topic to your manager.


Next week at the same time, we will post the third and final part of Chris’ article.