Dejan Kosutic Don’t expect your management to understand on their own why ISO 27001 is good for their company – you have to work very hard to convince them. Essentially, you need to have two elements to be successful in that process: (1) prepare a list of business benefits that are really applicable to your company, and (2) communicate those benefits in a manner that is understandable to your executives.
I have covered the topic of business benefits in this article: Four key benefits of ISO 27001 implementation, and in the article you’re reading I’ll write about the best ways to communicate them.
Unfortunately, one presentation to your top management is not going to be enough, no matter how nice your PowerPoint presentation looks. The truth is, much more is needed than a simple presentation, and it will take time for your management to understand all the key points.
Here are a few techniques you can use for presenting your case in a more effective way:
Elevator speech
Chances are you’ll achieve much more in informal occasions than in formal meetings – e.g., when you accidentally stumble into your CEO in a cafeteria, in an elevator, or similar. If you are not prepared for such an occasion, you’ll probably get confused – therefore, you have to prepare a so-called elevator speech, a 30- to 60-second speech where you vividly present your case. When you rehearse it well, you will sound confident and convincing. For example, my elevator speech (as a consultant trying to sell my services) is: The investment in ISO 27001 will pay off if you prevent only one medium-sized incident, not to mention large incidents.
Find an ally
You need to find people who are close to your CEO and who would naturally be interested in what you are doing – for example, your Chief Financial Officer might see information security as a way to decrease the financial risk to the company, so she may choose to support your effort; the Chief Compliance Officer could see your project as a way to relieve him of part of the workload, while the marketing guys might see this as an additional key selling point. In any case, do your homework and research who would be interested in information security benefits.
These people will not only give you additional insight into how information security will help the company, they will also make it easier to get to the top management agenda more quickly.
30-20-10 rule for presentations
When you do make your PowerPoint presentation, forget about all those fancy statistics you’ve found, and hundreds of slides you prepared. Instead, go for the 30-20-10 rule: use fonts size 30, maximum 20 minutes, up to 10 slides. And focus on benefits – this is the main message you need to deliver.
And try to be short – your presentation should last a maximum of 10 minutes, plus 10 minutes for questions and answers. Here you’ll find a free PowerPoint presentation Project proposal for ISO 27001 implementation which includes all the elements that need to be presented to your top management.
Be careful with words
Remember, your target group is managers who don’t understand or don’t like your geeky expressions. For example:
| Instead of: | Use this: |
| Backup, fire-suppression systems (and other safeguards) | Prevention (We will prevent…) |
| Cost | Investment (By investing in …, we will save xyz dollars…) |
| Probability | Risk (We will decrease the risk of…) |
| Incident | Damage (We will decrease the damage by implementing…) |
| Disaster | Loss/downtime (We will lose xyz dollars; our expected downtime will last…) |
This way, your executives will perceive you as someone who understands the business perspective of information security – in other words, you will build your credibility in their eyes.
Prepare for the long run
And here comes the bad news – to be successful, you need all the qualities of a good salesman: you need to be patient, persistent, and persuasive. I know that you probably didn’t want to become one, but this is what successful CISOs do.
After a while, you will surely start to notice some progress – maybe not in the first couple of days or even couple of months, but don’t let that discourage you.
This article is an excerpt from the book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own. Click here 
