Getting Executive Buy-In Is Critical
If You Expect Your Clients to Take Action on Assessment Findings
Only about 15% of the risk assessments, from audience poles I conducted, are being acted on! Yet, over 95% of them show urgent issues, according to security experts I am in touch with. There’s a major disconnect.
The Right Language Matters
One key reason I’ve observed, is the language being used to write the assessment reports. Not only are the reports too long to attract executive readers. Even if they did want to wade through the 50 page document, it would be like you or I wading through a technical journal to find out what to do about cancer risks. Chances are we would comprehend about 5% of it, giving up after the first few pages.
If you’ve worked in a large corporation, you know there’s a disconnect between IT and executive management. Don’t expect everyone to sit down to review your paper. In the small business the security expert doesn’t exist, and the small business owner is already running at top speed, trying to grow the business, manage cash flow, and build customer experience before their competition does. They don’t have time to sift through mounds of jargon.
Grabbing Their Attention Early
But the other issue is one of desire and priority. Does the business owner or executive see your report as urgent – must read now? If you have not involved them in the findings, chances are they don’t see it as urgent. If they have an IT group, they’ll delegate it. If they don’t it will sit on their desk (especially if you waved your fee – a common practice in the small business market).
All of this changes when you start your assessment at the Asset Owner level. (See my book, The House & the Cloud, Page 195). Starting with those who have liability, with the goal of discovering their most important data as it relates to their business growth and profitability, is the best way to get them interested before you complete the assessment.
Find out what digital assets are most important to protect and why. Then look at who would want them. And based on how things are set up and who creates and uses this data, discover how unauthorized users might gain access. When you’re done, tie your findings to business issues. Leave out the technical jargon. And bring your report to the that executive with a short presentation on what it means to their business.
If your conversion rates on this process don’t go up to about 60% something is wrong. Consider reading through chapter 13 of The House & the Cloud – 2nd Edition, for ideas on how to convince your audience that this is important.
© 2016, David Stelzl