


Elevator pitch for explaining security risks to executives

Published: 2008-06-05
Last Updated: 2011-08-10 16:31:00 UTC
by Lenny Zeltser (Version: 2)
1 comment(s)

How to catch the attention of a busy executive, to highlight an important security risk? An elevator pitch is a persuasive statement delivered verbally in the time you would share with the listener in an elevator--about 60 seconds. It is often used by entrepreneurs to convince a potential investor to learn more about the start-up. We can use an elevator pitch to highlight the importance of a security risk to a business or IT executive.

If you've never given or heard a traditional elevator pitch, take a look at the Elevator Pitches website at TechCrunch, which presents many videos from hopeful entrepreneurs. (Consider pitches for SmugMug, Ugobe, Framr.) You may notice that those pitches that catch your attention have a few characteristics in common:

  • They are brief. The listener has a limited attention span.
  • They are specific. The issues they bring up are easy to understand and visualize.
  • They differentiate. The speaker clarifies how his issue differs from the rest.
  • They empathize with the listener. The listener needs to know why he should care.
  • They have a clear ending point. The speaker clarifies at the end what he wants the listener to do.

Let's say you are concerned about a security risk no one is paying attention to. Maybe it's a web server everyone is afraid to patch. Maybe it's the practice of allowing visitors to plug into your LAN. Use an elevator pitch to convince management to pay attention and support you.

Here are my hypothetical examples that may inspire you to explain your security risks. Remember: be brief and specific, differentiate the concern from other similar issues, clarify why the executive should care, and state what you want.

Example 1: "Our extranet website is missing dozens of critical security updates. The site could crash or become infected at any minute, and it may take us weeks to recover. This will prevent us from communicating with our supply chain partners, and will lead to thousands in losses. The challenge is that the app running on the server was written years ago by people who left the company, so everyone is afraid to touch the server. Yet, if we do nothing, we're sitting on a ticking time bomb. I need your help to get the right people together so we can make a decision. Could I invite you to a 30-minute meeting I'm organizing for tomorrow?"

Example 2: "Have you noticed that every vendor who visits us plugs into our LAN as soon as they unpack their laptop? If their system has a virus, the infection will likely spread to our internal systems. This is a significant threat we have not considered, as our patching practices rely heavily on the effectiveness of our network perimeter. As a result, our internal servers could get compromised, severely disrupting operations. I evaluated a few products that would let us control who can plug into the LAN. Could we speak next Monday about this issue--I think I have a solution you might like, but I need your feedback before continuing with the project."

An ISC reader emphasized the importance of speaking with the right executive. The person should have enough decision-making power to affect the desired outcome. Further, the person must be able to grasp the technical essence of the problem and understand the business implications. The goal of the pitch might be to obtain the executive's sanction to take a certain action. Armed with a formal authorization from an influential person, you will be more likely to get the right people's attention. The reader also noted the power of including compliance requirements in the pitch, which can be very persuasive as long as you do not invoke them too often.

An important point to consider with elevator pitches: their aim is not to explain everything you want to say about the issue. Instead, the goal is to catch the listener's attention so that he will give you the additional time needed to explore the issue more carefully. Also, remember that preparation is critical, because you only have a minute to deliver your pitch. Don't memorize your statement, because then it may sound fake and rehearsed, but definitely consider what you will say before approaching the executive.

-- Lenny

Lenny teaches a SANS course on analyzing malware.
