September 25, 2014 By Martin McKeay 3 min read

Recently, I had the opportunity to do something I don’t do often: present to an audience that isn’t directly involved in security.

It was an enlightening experience as I noted which ideas were met with nods of agreement and which concepts were met with blank stares. The event was a cloud summit in Prague, so part of the communication issues may have been related to language, but I suspect as much of the problem had to do with the unique language used by those of us in the information security industry.

There are a number of aspects of a presentation to a non-security audience that I place foremost in my mind when creating my presentations. How much technical understanding do we have in common? What background do they have in the topics I’ll be covering? How can I phrase the messages I have to be as simple and clear as possible without taking away from the depth of the conversation? Everyone who is dealing with technology has to deal with the implications of security, even if they don’t know it.

Common Language, Common Concepts

I think one of the hardest issues is to build in the groundwork for the conversation from the very start of the presentation. When I think about the topic of “security,” there are a whole host of concepts that I automatically include in that one word. But when a person without my background thinks of the same word, it’s likely that the first thing he or she thinks of is having a long, complex password that has to be changed every 90 days. So, I like to start each conversation by defining what I mean when I say “security.” It’s a combination of availability, privacy, integrity, confidentiality and many other things, but mostly, it’s about keeping data safe and in the hands of people who should have control of it.

The second tip is making sure to take out as many of the three-letter acronyms as possible from any talking points. In information security, as in any technical space, there are a whole host of acronyms that can be overloaded or confusing. When I say “PCI,” am I talking about the payment card industry and credit card numbers, or am I talking about a bus slot on a motherboard? Is the audience going to understand what border gateway protocol is and what it means if I say “BGP?” Rather than rely on the audience to understand what these terms mean, I try to either avoid them altogether or define them the first time I use them, explaining what the acronym means and what the technology does.

I know I make the same mistakes in presentations as I do when talking to someone further up in the organization. I make jokes equating 127.0.0.1 to home and then have to explain why I’m laughing, which totally ruins any comedic value. More importantly, if I’m not careful, I don’t set up the foundational concepts to support the arguments or stories I’m trying to tell and have to circle around to explain why my conclusions make sense. If I can prepare and deliver a presentation where I’ve assembled this logic in an entertaining way to get my message across to an audience of strangers, I know I can use those same skills to communicate to management.

Embrace the Difference

I like presenting to different audiences because the feedback is always distinct from what I’d get at a security conference. I know I’ve done well when someone walks up to me and says, “I’ve never thought of it that way.” I enjoy it when the audience wants to talk more about some aspect of what we do and walks away with a bit more understanding than they’d had before.

There are exceptions, but I believe most people in this field want to present at security conferences and to their peers. And why not? We need to disseminate the information among ourselves. But I also believe that there’s a lot to be gained by talking to a different audience, to people who don’t share the same interests and the same language that we do in our profession. We complain that “they” don’t understand security, but how many of us are actually trying to reach out and educate them in their language? Not as many as there probably should be.
