Simple!
There’s a celebrated quote attributed to Albert Einstein that goes “If you can’t explain something simply, you don’t understand it well enough”. Most executives and stakeholders are probably familiar with this idea, and you would be wise to familiarize yourself with it too. It’s OK, or even necessary, to elaborate on a subject at times, especially if you’re asked to do so. But don’t forget to start with a simple explanation before throwing your audience into the deep end.
Don’t dumb it down
To simplify something is not to dumb it down. It’s very common among security professionals to make fun of naive clients and executives who are ignorant about matters pertaining to their own safety and security. But try not to let this mostly harmless tendency infect the way you explain security to them. Remember, the executives and decision makers you are talking to didn’t get to the positions they’re in by being dumb, and they’re not going to appreciate you treating them as such. Security just isn’t their field of expertise, it’s yours. The idea isn’t to dumb things down. On the contrary. It’s to synthesize and summarize things into understandable terms with actionable outcomes. It’s the opposite of dumbing things down.
Know your audience
This one comes up a lot. You’ve put together a great security presentation, detailing threat matrixes, risk mitigation strategies, hostile planning disruptions, attack contingencies, and, oops… You’ve lost your non-security audience about thirty seconds into it. Always be mindful of your audience’s level of understanding and/or caring in regard to security issues, and adapt the way you explain things to suit them. It’s like the old basketball idea, where the responsibility for the pass falls on the player who throws the ball, not on the one who fails to catch it. Your listeners are where they are. It’s your responsibility to pass the information to them at a level they can receive it.
Put things in relatable terms
Once you know who your audience is, try to translate security into relatable terms your audience isn’t just familiar with, but also familiar with the experience of spending resources and capital on. It’s not that it’s particularly difficult for decision-makers to understand ideas like security risk mitigation, it’s just that it’s a stretch for many of them to give it the budget it requires. But put it in relatable terms for them and explain that a risk mitigation strategy is actually a potent insurance policy (with preventive and reactive benefits), and presto, every single person in the room, from accountants to HR managers, can relate to it. Speaking of insurance, suggest to your budget-conscious audience (I’ve yet to meet one that isn’t) that they can inform their insurance provider about their new security measures, and see if they can negotiate lower insurance premiums to cover the now lower risk profile – thereby actually saving them money. Finally, on the slightly negative end of things (which means you should never start off with this angle), if your audience is reluctant to take action, try to explain that their lack of preventive and/or reactive security capabilities opens them up to certain legal liabilities. It’s not the most cheerful subject to raise, but one that might sway the legal department to take a second look at your suggestions.
Return on investment (ROI)
You might be able to wow decision-makers with your tactical skills and experience, but if they don’t see what’s in it for them, they’re not likely to invest any capital in it. As you explain things, always keep your audience’s interests in mind. Not where you think their interests ought to be, but where they actually are right now. The bottom line for almost any decision-maker is ‘How much will it cost me and what’s in it for me?’ It’s in the second part of this question – the return on their investment – where you should really put some explanatory effort. (For reference, check out this great example by AS Solution.)
Don’t be a shock jock
Though this can, on occasion, lead to a sale, shock tactics aren’t usually effective. It’s a classic mistake that many security professionals make – trying to scare decision-makers with horrific case studies and doom-and-gloom prophecies of what might happen to them if they fail to employ some immediate protective measure. It’s not a question of describing what you think is objectively true, but choosing an effective way to communicate things in order for your listeners to take action. As strange as it may seem, most people are not likely to take action if you try to shock and scare them. Doom-and-gloom just doesn’t sell very well. You don’t have to sugar-coat everything, just find a more effective way of getting your audience to want to take action.
Manage expectations
A few years ago, I was asked to speak to the staff of a wealthy San Francisco Bay Area foundation. Before I was contacted, the foundation (which had received a number of threats) had initially asked their local police department for some security guidance. Their local PD then sent an officer who started teaching the office staff (mostly consisting of women) hostile defensive tactics such as turning your side to an armed attacker (in order to decrease the size of your silhouette), before employing some nifty handgun disarming techniques to neutralize the threat. Needless to say, this did not go over very well, and the now terrified staff wanted to get a slightly more realistic second opinion. I’m sure the officer had the best intentions, but he just didn’t set realistic expectations for his non-law enforcement, non-security audience. It’s not a question of objective tactical effectiveness, but of relatable and realistic ideas to suit your specific audience. To ignore this point will not only be a disservice to your audience, but might get you booed or laughed out of the room.
“I don’t know”
Last but not least, if a question gets asked that you don’t feel qualified to answer, don’t be afraid to say “I don’t know”. I know many security professionals who are afraid this will make them look weak or ignorant in front of prospective clients (and I admit I also had this issue till I got over it). The fact of the matter is, however, that no one knows everything and it’s actually important to admit what you don’t know. Philosophers and stoics since ancient Greek times have referred to Socratic Ignorance (the frank acknowledgement of what you don’t know) as a true sign of wisdom. Not only is there no shame in admitting you don’t know something, it can be a way to demonstrate integrity and intelligence. Don’t make a big deal out of it, just admit you don’t know and offer to get back to the person with an answer later on.
There are obviously more than just eight tips to be given on this topic, but any article has to end somewhere… What are other tips you can think of? Please feel free to put them in the comment section below.
Learn more about this subject—and many others—in my master class on Hostile Activity Prevention. Utilizing Israeli know-how and delivered by me, Ami Toben, this online course teaches actionable, time-tested methods of prevention, detection and disruption of hostile attacks.