This scenario was built using real-world insights from Fred Kwong, chief information security officer at DeVry University. Fred has held IT security leadership positions with Delta Dental Plans Association, Farmers Insurance, and US Cellular.
Fred was working as a senior manager of information security for a large organization earlier in his career. He had identified serious gaps within the organization’s security posture and constructed what he believed to be the best solution. In fact, finding security issues and building solutions was something that excited Fred.
Fred wrote a detailed justification requesting the necessary budget and shared his findings with his director. His director then took Fred’s request to the VP, and the VP placed the request with the CIO. Soon thereafter, Fred got the response to his request: rejected.
Fred felt disappointed, invalidated, and frustrated. He did his job but was denied the ability to protect his company. How did this happen?
He took some time to reflect and found a few lessons in this experience. Fred realized being new to the role and the organization, he was unaware of a few critical factors:
- Fred’s request discussed the issue, solution, and request in technical security terms. He had created his funding request as if it was his director who would be the one to approve it, but the ultimate approvers on the executive leadership team were not technical and did not see value in the request.
- The telephone game does not create effective communication. Fred realized his message lost effectiveness through multiple approval levels as it progressed up the management chain.
- Fred was new to the company and had no relationship with the decision-makers. Because he had yet to build any trust or credibility with the CIO, the CIO was more cautious in approving Fred’s request.
Had there been someone coaching Fred, he would have been taught effective communication skills that would help him be more effective in performing his job, avoiding the disappointment, invalidation, and frustration he experienced. Here are three core tactics Fred could have used to keep from undermining his own efficacy and unlock the budget he needed.
1. Learn How to Tell a Good Story
First, use language the decision-makers understand. Fred suggests using risk as your primary language. The business is used to speaking in terms of financial, operational, compliance, and cyber risk. The more you can talk in terms of risk, the more likely the business will understand the importance of your project.
Second, simplify your complex concepts. Translate technical jargon into layman’s terms to ensure that your message is accessible to a nontechnical audience. Break down complex ideas into relatable anecdotes or real-world scenarios to engage your listeners.
Finally, show the return on investment (ROI). Help the business understand where the ROI is when building out your cyber program. Work with business to build that program.
2. Build Relationships
Relationship-building skills are essential for IT security practitioners seeking funding for their projects. Establishing strong connections with stakeholders across various departments is crucial to gaining support and influencing decision-making processes. By nurturing relationships, you can position yourself as a trusted advisor and gain insight into the organization’s priorities, enabling you to align your project proposals with business objectives effectively.
How do you build relationships?
Spend time getting to know them as a person. Have no other agenda other than getting to know them personally, as well as what is important to them in their role. There are a variety of ways to do this, and it does not take a lot of effort. It can be as simple as grabbing coffee or spending 15 minutes with them over Zoom. Gorick Ng has some great suggestions for introverts.
Actively engage with stakeholders, help, and share your expertise. It is extremely important to come from a place of humility and meet others where they are at in their understanding.
Collaborate with other departments to identify areas where IT security initiatives can contribute to their objectives, such as compliance, customer trust, or productivity. By showing you care about their work and want to support it, you hit on major psychological needs: being seen, valued, and related to. Leaning into these needs will create stronger connections and trust among your colleagues.
3. Develop Your Presentation Skills
Presenting project proposals in a clear, concise, and persuasive manner is crucial to secure funding for IT security initiatives. Excellent presentation skills can help you engage decision-makers, instill confidence, and effectively communicate a project’s value and impact.
First, know your audience. Tailor your presentations to their specific needs and interests. Understand their level of technical knowledge and adapt your content accordingly. Use language that resonates with them and provide relatable examples to make your message more impactful.
Then, visualize your message. Employ visual aids such as charts, graphs, and infographics to enhance understanding and retention of key information. Visual representations can simplify complex ideas and make them more accessible to decision-makers. Done in the right way, you can capture attention and leave a lasting impression.
Developing elite communication skills is essential for IT security practitioners looking to secure funding for their projects. By mastering the art of storytelling, building strategic relationships, and honing sharp presentation skills, you can effectively convey the value and necessity of your initiatives. In doing so, you increase your chances of securing the funding required to implement needed IT security measures, safeguarding organizations from potential cyber threats and ensuring a secure digital future.
Source: www.darkreading.com