We have over two decades of experience briefing, and helping security practitioners brief, senior management as well as middle management security stakeholders. Topics include updates on risk profiles, project plans and status, overviews of security programs, and proposed security improvements.
Your Most Important Briefing
The most important briefing, whether or not you have briefed management before, is to introduce the primary mission of security:
Reduce security risks to acceptable levels, at an acceptable cost
At RBCS we refer to this briefing as “Briefing 1”.
We consider this statement, which we repeat as often as opportunity permits, “the security mantra”. We also refer to that statement as “Message #1”. The more you can say it, the better.
The objectives of this message include:
- Get all security stakeholders using the same starting point in their thinking about security
- Provide management with the right perspective for evaluating security program elements and proposals
- Introduce the idea that security performs “risk reduction” not “risk elimination”
- Establish that security’s baseline thinking is fiscally responsible and takes into account the organization’s cost concerns and resource availability
- Provide immediate justification for collaborating with middle managers and senior executives on risk appetite and cost considerations
Breaking Through Management Overload
The time of middle managers and senior executives is precious: each day brings more demands on their time than they can give to the meetings requested of them.
That is one reason why the way security messaging is delivered to managers is critically important.
The most effective way is one message at a time.
We start with the security mantra, and repeat it at every meeting in which security personnel participate. For example:
“As you already know, the primary mission of security is to reduce security risks to acceptable levels, at an acceptable cost. That’s why for this particular initiative we’re considering, we’ll want to assess the security risks, including the risk of ‘doing nothing’ in terms of additional security measures, so that we can provide input as to the costs and efforts that may be appropriate to support this initiative.”
“We need the business stakeholders to weigh in on this, as we don’t want to do more than we need to or less than we should.”
You know you have repeated this message enough when the other meeting participants start finishing the security mantra before you do.
That means you have successfully broken through the overwhelming amount of data that managers and executives have to deal with, and you have firmly established security’s role in the minds of your peers and upper management. By establishing this concept in the minds of middle managers and senior executives, you have taken the first major step in fixing a very common problem: practically no one outside of security has a correct impression of security’s role in the company. The “security mantra” expresses the most fundamental concept of your job and the role of the security function.
Once that concept has “made its impression” in the minds of your managers and executives, they are ready for “Message #2”.
Building on the Foundation
Having firmly established what the primary mission of security is, the next step is to involve management in these risk decisions:
- What level of risk is acceptable?
- What level of cost is acceptable?
These are management decisions, as the corporate assets are not security’s assets—they are entrusted to the care of managers at several levels in the organization.
Thus the problems they face are not security’s problems; they are problems of the business, relating to the protection of people, material assets and critical processes.
Your role as a security practitioner is to provide risk-mitigation measures in the form of people, processes and technology. You are already doing this, but to obtain the full support of mid-level and senior-level managers, a shift in their thinking is required, and that shift starts with getting “Message #1” across.
In recent years the term business alignment has been adopted to refer to the process of learning more about the business, and engaging managers and executives in participatory roles in establishing or improving a sustainable security program.
This is a specialty of RBCS, and we gained our experience with management briefings through numerous business alignment initiatives.