May 20, 2021

Last Updated on January 13, 2024

The ability to communicate effectively is a huge success factor for many executives. As an IT leader, you may be accustomed to thinking in terms of risk. But how well does the discussion go when you “talk risk” to a C-suite audience?

Especially when the risk is fuzzy or guesstimated, you could be met with a lot of skepticism (or worse, glazed looks!). How do you counter those tendencies and get your point across?

On a recent episode of The Virtual CISO Podcast, business coach John Sheridan, author of the best-seller, The Perfect Business: Master the 9 Systems to Get Control, Work Less, and Double Your Profit, shared some great advice on how to talk about risk to senior executives in a relatable, compelling way.

As show host John Verry, Pivot Point Security’s CISO and Managing Partner, notes, “It’s easier to pitch the value creation side of the argument. Because it naturally translates into more easily quantifiable numbers, right? Three more customers, retaining 40% more customers… whatever that might be.”

“On the risk side, risk is probability times impact,” continues John. “Both of those are fuzzy things. What would the impact be? How many clients would we lose? Those are hard questions to answer. We might not know that answer. What’s the probability that we’re going to get breached? What’s the probability we’re going to have an earthquake? Some stuff is actuarial table based, but most isn’t in our field.”

CFOs are People Too

“So, I think we have to remember, contrary to stories you might have heard, that CFOs are human beings, right? And we are wired for stories,” John Sheridan points out. “So, I would ask, what’s the great metaphor?”

As an example, John Sheridan cites the brutal winter 2020 storm event in Texas: “Tremendously bad things happened because, in large part, they weren’t prepared. It was an event they thought would never happen, or maybe was low risk, so why bother investing?”

“‘So, Mr. CFO, I was thinking about what happened in Texas last month, and I was thinking about our exposure. Do you think we ought to be a little more careful about what we’re doing?’” John Sheridan pantomimes. “In other words, tie something that’s relatable into the risk, that is maybe not a number, but that is something they can understand.”

John Sheridan adds: “I view it as analogous to insurance in many ways, right? There’s a range of possible outcomes, and there’s no such thing as 100%. But, I think, in that pitch, not so much telling, more asking. ‘How do you feel about this potential outcome? Is this something that you would find acceptable if it happened?’”

An Acceptable Risk

What about getting somebody to sign off on the risk, if they’re not eager to mitigate it? As John Verry suggests,

“It’s like, ‘Hey, my role as InfoSec Director is to identify risk. I’ve identified a risk, which to me looks like it would be unacceptable. You’re saying that you don’t want to fund [mitigating] it, which means you’re saying this risk is acceptable. Am I understanding that correctly? Will you shoot me an email that says that? Because I need to document that we considered this risk, and that you indicated that you didn’t want to mitigate said risk.’”

“Yeah, that’s classic CYA, right?” John Sheridan replies. “But I think you’ve got to choose your tone and your language carefully when you pitch that, right?”

What role could your company’s processes and procedures play in helping with this? John Verry observes: “In ISO 27001, as an example, you have this construct of an information security management team. And this governance of an ISMS committee being presented with data, and making a decision. And documenting those decisions is just… that’s the process. And fundamentally, it’s a great process.”

“So, if I just walked in and said, ‘Well, you’re going to have to sign off on that.’ Yeah, that might not fly—especially if that guy signs your paycheck,” comments John Verry. “But, if we’ve architected a process that we agree is the best way to run our company, that kind of protects both of us, right?”

“Think about the consequences of not having that process, and something goes wrong, and the CEO asks the IT chief, ‘So what’s our process for this?’ There’s shrugs all around, heads roll. So, yeah, absolutely, there’s no substitute for [process]. Not just for the butt coverage aspect of this that we’re kind of joking about. But, just from the practical standpoint of, these are consequences that we are going to face at some point or another. We know that bad things are going to happen, right? This is anticipated. But, without a process, there’s no discipline to address it in any kind of timely, or specific schedule, or in a specific way.”

What’s Next?

If you’re an IT or security leader looking to shine in conversations with senior management, you’ll love this show with business coach and author John Sheridan.