Boards and Executives Don’t Want to Hear Solely About the Problem Anymore
If you’re like me, and you hear presentations in a variety of settings on a regular basis, you’ve probably noticed something. The awareness drum seems to beat ever louder in the information security field. Every event, conference, or forum I attend seems to produce a constant stream of problem statements. Presenter after presenter gets up to sound the alarm that “cyber” is a problem that needs to be dealt with. Statistics and numbers detailing the gravity of the situation abound. Fear, Uncertainty, and Doubt (FUD) are in no short supply. But still, there is something missing. Something strangely absent from the scene. What am I referring to? Allow me to explain.
During the course of my travels, the feedback I overwhelmingly and continually receive from customers, prospects, and partners is simple and straightforward. Raising awareness is yesterday’s news. Almost everyone in a position of responsibility knows that security is an area of business risk that needs to be mitigated. Boards and executives don’t want to hear solely about the problem anymore. Enough already. They understand. They get it. What these decision makers are really looking for are solutions. Their message to their security leadership often goes something like this: “Great, security is a problem. But I didn’t hire you to complain about problems. I hired you to solve them.”
Given that the operational security community has grown tired of hearing problem statements, I always find it amazing how many presentations consist of just that — and nothing else. The consensus from the operational side seems to be “throw me a bone.” In other words, enough of the hype — give me some practical, sensible, tangible advice and insights that I can evaluate and consider implementing.
Esoteric, academic, and unproven ideas won’t help me either. I need real ideas, new pathways to solutions, and different frameworks that I can consider, examine, and implement.
My pieces in SecurityWeek and elsewhere, along with a few other blogs, forums, and publications, strive to provide the practical, sensible, and tangible advice that operational users want to hear. But sometimes it is difficult for “hands-on” information to be heard above all the marketing, noise, and hype that pervades our profession.
Granted, a 30-, 60-, or 90-minute presentation is not enough time to detail precisely how to implement solutions to complex problems, particularly when each environment is unique. But it is more than enough time to make constructive suggestions, lay out a problem-solving framework, or help people change the way they look at a given problem. Stop beating the drum of awareness and fanning the flames of fear — that is yesterday’s game. No one cares anymore, especially customers and others on the operational side.
Some people may have labeled 2014 the year of the breach. Yet others may have labeled 2015 the year of the cloud. I would argue that 2016 should be the year of solutions, even though I’m skeptical that it will be. I can dream, can’t I?
You want to give a presentation? Talk about solutions. Talk about methodologies and frameworks that people can use to solve the problems they face. Help them understand how to break down big problems into smaller, more solvable problems. Share experiences of problems that were solved, along with details of how they were solved. Stop describing the problem and listing the same set of challenges over and over again. Sure, a bit of that is needed to set the stage for the knowledge you’ll impart. But if that is all there is to the presentation, then that should be an indication that it is better left unpresented.
Unfortunately, I’m not seeing a lot of talk of solutions out on the circuit, but rather, more of the same recycled, regurgitated material given over and over again. In my opinion, part of the reason this occurs is that people don’t have a lot of great answers or operational experience upon which to draw, and so it’s just easier to discuss the hype. Unfortunately, that won’t solve any real problems for anyone in the operational community.
There is no shortage of critics in the information security space. One needn’t try very hard to find someone lambasting an idea, criticizing an individual, or ridiculing an organization. But how often do we see helpful suggestions or recommendations in place of those cynical remarks? Sadly, not very often. Anyone with a Twitter account and an opinion can be a critic. But fresh thinking, new ideas, and helpful suggestions are what people, and especially those in operational positions, are really after. If you don’t help build things up, then you’ll forgive me for ignoring you when you rant and try to tear things down.
In the spirit of being constructive, I would advise those writing, blogging, or speaking to consider the points I’ve made here when working on your next piece. The operational community doesn’t need to hear more from the echo chamber. They’re thirsty for real solutions. So please, help give them what they’re after if you can.
FUD, marketing, and entertainment, unfortunately, will probably always get the press and the applause. Fortunately, a select number of events, news readers, strong peer networks, and trusted information sharing communities provide us with good tools that we can use to share and consume the information we really need. My hope is that presentations will become less hype and more hands-on and practical in the coming years. Regardless of whether or not that actually happens, we’ll likely have to keep throwing each other those much-needed bones.