Geek Speak with Wisegate’s Brian O’Hara
Security and IT professionals must successfully navigate risk, and the stress that accompanies these circumstances, on a daily basis. Protecting sensitive business information, employee data, and internal systems would be harrowing for most individuals. However, security professionals swiftly handle these matters. What then threatens the confidence of these employees? Feedback suggests providing a status update to C-level executives leaves security experts in a cold sweat.
Enter Brian O’Hara. This security veteran is a passionate contributor to Wisegate’s growing community. Currently serving as Do It Best Corp.’s virtual information security officer, O’Hara’s security experience is broad, including governance, risk assessment, compliance, cloud security, and security architecture. Within Wisegate, O’Hara frequently shares his expertise on the importance of soft skills, like fielding career-hinging questions from the executives. Recently, O’Hara hosted a Wisegate roundtable, later turned into a toolkit, called “Geek Speak for the C-Suite.”
“The question you must be prepared to answer correctly is ‘Are we safe? Are we secure?’” O’Hara said. “That’s what you’re going to be asked, from people who don’t know anything about how we manage security in our profession. It’s a loaded question and you better be careful how you answer it.” On one occasion, a colleague mentioned he was fired for answering one such inquiry poorly. “That’s why you prepare and know how to answer that question, because there isn’t a simple answer. … The truth is you’re never secure. Everyone’s at risk.”
But risk is one area the C-Suite inherently understands.
“They take risk on a daily basis,” he said. “They take big risk. They worry about things like: Can we meet payroll? Can we [manage] expectations? What’s the risk of hiring more people? They get risk really, really well.”
The real question the C-Suite is trying to ask is: Are we doing everything required, based on our tolerance for risk, in order to manage that risk to a reasonable level?
“If the answer to that is yes, things are in good shape,” O’Hara said. “If they’re not, you can say, ‘Well, in most areas we are, but we do have some areas where we need to beef things up or make improvements.’ That’s when it’s time to start engaging them.”
The best way to create a productive conversation with the C-Suite is to be mindful of your delivery.
“It’s about softening down everything that you’re doing,” he said. “Tech people have very sharp edges. They just tend to be very black and white. We’re either secure, or we’re not. There are no gray areas. C-Levels don’t get that. They deal in grays all day long. It’s their life.”
O’Hara encourages peers to pay attention to body language, make sure security suggestions are in line with your company’s strategic objectives, and to avoid using technical terms when talking to executives.
“When you start talking to them in technical terms, you’re going to lose them,” O’Hara said. “Glazed over eyes, they’re done. … Talk to them in terms they understand and communicate using their kinds of words, like ‘We’re managing this risk adequately.’ Any reasonable person would go, ‘That sounds pretty good.’ What else could you do?”
Your response to a question like, “Are we safe?” can successfully serve as a launching point to frame a discussion around risk management principles and best practices around high-risk areas. But you have to be careful. “You should never approach your execs with a problem unless you are prepared with a solution. Bosses and BOD members do not like complaints without solutions. If you are not prepared with solutions you can quickly become seen as a complainer and can lose credibility quickly.”
O’Hara said at the end of the day, practice makes perfect. Practice role-playing these senior level conversations within workshops, and with peers, until you’re comfortable navigating the conversation.
To learn more about “Geek Speak for the C-Suite,” and other soft skills, please visit our “Research” section.
Or see O’Hara in action at RSA 2016 on March 3rd, where he will host a Peer2Peer session titled “Get a Seat at the Table: Effectively Communicate Risks to the Board.” More details on this session are available in the RSA 2016 agenda.