Thorough preparation is the secret to
winning funding for complex security projects from company boards,
according to two leading IT directors.
Presentations are like making a film – each minute
in front of the board should represent hours of research and
preparatory work, said Ewan Melling, former IT director at F&C
Asset Management.
“It is essential that you put effort into preparing.
You might only be in front of the board for 20 minutes, if you are
doing a good job. But you could be in there a long time if you have
not done your homework,” said Melling, who will shortly take up a
new IT director post.
He advised IT departments to spend time getting to
know the board members, and to discuss issues with them, so that
directors are not taken by surprise when they ask for
funding.
“Find out what their attitude to risk is. Are they
risk takers or are they risk averse? The hardest people to deal
with are those who are risk averse. They will not make decisions;
they will keep sending you back for more information,”
he said.
“Find out what sort of financial case they are
looking for. Do they want a high-level plan? Do they want a
detailed return on investment? Do they want to make sure you have
got the best deal on the market?”
Having your business case validated by one of the
big four accountancy firms can help to win over the board. “If you
go through that process and they have found a few things you can
improve on, that helps your credibility,” said Melling.
If the board shows some interest in technology,
include a slide with a diagram, but do not use technical jargon.
“They do not want to know why you have chosen one firewall rather
than another,” he said.
Rorie Devine, information security director at
online betting exchange Betfair, said it is vital for security
staff to recognise the seniority of board members, if their bid for
funding is to be successful.
“I have seen people being glib and not treating them
with the respect they are used to,” he said.
Devine advised IT staff never to contradict a board
member, even if they are wrong. It is better to offer to look into
a matter and report back, than to challenge their
authority.
Make sure you come across as enthusiastic, confident
and speak with conviction, he said. “The board, like everyone else,
likes to back the jockey, not the horse.
“A really common mistake is being too verbose. You
really need to be concise. You should be able to make your case in
four or five slides. There should be no ambiguity.”
It helps to offer board members a choice of
solutions rather than impose a single option. But do not give them
too many choices – two is probably the optimum number, said
Devine.
If the board fails to be convinced by your
presentation, your fallback position should always be to note any
concerns, reassess the project, and present it again at the next
board meeting, he said.
To win backing from the board for IT security
initiatives, Betfair IS director Rorie Devine advises:
- Present security projects as a way of reducing risks to the business
- Frame security problems around developments in the business
- Give boards a choice of solutions
- Be transparent about costs and assumptions
- Do not quote PR material from suppliers
- Network with other companies and competitors to find out how they are tackling problems
- Sell security to the board as part of compliance
- Discuss projects with key decision makers before they are formally considered by the board
- Anticipate security risks before they happen, rather than reacting to them afterwards
To win backing from the board for IT security
initiatives, Ewan Melling, former IT director at F&C Asset
Management, advises:
- Always position security as a business issue with a security context
- Take board meetings seriously and prepare for them thoroughly
- Find out what sort of financial case the board expects
- Get to know board members’ style – are they risk takers or risk averse?
- Find out the board’s level of understanding of technology
- Remember that presenting to the board is your opportunity to shine and surprise
- Do not propose a solution that is over-engineered – the board will see through it
- Keep presentations jargon-free
- Do not promise perfection