Security Leadership Series: Overcoming the Curse of Knowledge

11/19/2018  |  By: Mark Burnette, CPA, CISSP, CISM, CISA, CRISC, CGEIT, ITIL, QSA, Shareholder, Practice Leader of Risk Services

Making cybersecurity a topic of conversation with C-level leaders is one of the most important goals for cybersecurity professionals. Ultimately, those are the people who are going to make the decisions about the budget and resources you need to manage the organization’s security risks. 

However, there’s a key principle to remember when you get the opportunity to talk with senior leaders and motivate them to address security issues: Make sure your message resonates with your audience.

What NOT to do When Talking Cybersecurity with Senior Leadership

If you’re lucky enough to get an audience with the senior leadership team to talk about security issues, don’t talk beyond the knowledge level or pain points of the intended audience. Some people call this “the curse of knowledge.” Many times, it shows up in the form of assumptions, technical jargon, and logic that seems like second nature to an expert but will confuse people who are outside your field. 

You don’t want to talk pings, packets, ports, and firewalls with business leaders because most of them don’t understand the gory details of cybersecurity. The truth is, they don’t need to. If you start talking about all of the technical aspects of cybersecurity, you may lose the audience…permanently.  

In the end, the curse of knowledge can completely undermine your efforts, because your leadership team doesn’t understand how the things you’re discussing can impact them. They may become frustrated, feeling that you’re wasting their time or that you’re making them feel stupid, and neither of those feelings is going to get you invited back to the table in the future!

A Simple Way to Overcome the Curse of Knowledge

So, how do you avoid the trap of the curse of knowledge when talking about cybersecurity with your senior leadership team? I suggest practicing your pitch with someone who doesn’t know what you know.

The first time I had the opportunity to present about cybersecurity in the boardroom, I actually practiced my pitch for my wife. She doesn’t work in cybersecurity or know all of the specific nuances about how things work in our field. I wanted her opinion on whether what I was going to say made any sense at all, because if it didn’t make sense to her, I needed to change my message. 

Once I did that, I went to a few of the company leaders who were going to be in the room and bounced the updated presentation off them. Their feedback on my planned message and approach accomplished two objectives: It helped me hone the message even further to make sure that my five minutes were useful and would leave the board wanting to know more, and it also served to prepare those leaders for what they would hear from me in the boardroom, so they would not be caught off guard and could confidently endorse my recommendations when queried by the board. 

Don’t Miss Your Chance to Blow them Away

While some senior company leaders understand the importance and value cybersecurity provides your organization, others might not. Being able to translate what you’re doing into terms they understand is critical for earning their attention, trust, and support. 

As leaders in the information security industry, our team at LBMC Information Security can answer any questions you might face and help you make the case for the initiatives you’re pursuing. Explore our Security Consulting services, or contact us today to learn how we can help you with information security solutions.

This blog is the third in a series by Mark Burnette on security leadership that focuses on key issues security executives face daily and tips for how to navigate those issues with excellence.
