I was recently asked to observe and give feedback to a security leader who was delivering an update to a group of staff. The content was brief, a few slides about some changes and projects going on in the security space (what security is doing) and a slide on actions needed to keep the organisation secure (what the audience could be doing). The group of 100 or so staff sat politely and listened for the 8-10 minutes allotted to the security topic. The security leader did a great job of delivering the key security messages and updating the audience with the why, what and how of the security activities. After which another leader took the stage, shifting the minds of the audience to another topic.
This is not uncommon for a department meeting to welcome a variety of leaders from across the business to be wheeled in for their time in the spotlight and then wheeled out again.
What struck me was that the content delivered by the General Manager (GM) in this example was the introductory message and the project detail that pertained to his department. What could have been a welcome change, was for the GM to deliver the security update. Don’t panic - This does not make the security leader redundant – they will always be needed to execute on the security strategy, brief the executive and the Board, lead the security team and so on. However, having a non-security executive deliver security content every now and then can achieve the following:
1. It forces that executive to be across the security program and relevant updates.
2. It shows that the executive presenting is committed to security, and it resonate more as the messages are relevant to the target audience.
3. Despite being a little uncomfortable at first, it would start to stitch security into the fabric of the business.
4. When they are briefed, the non-security leader will ask questions which will help the security team understand the knowledge/awareness gaps.
5. It’s something different. It will encourage discussion, questions and probably generate a few laughs as the leader makes their way through the content.
I believe it’s still important for the security leader to be present. Their face needs to be known and it is a show of support to the presenter (and for the security leader to be across how and to what response the security information is delivered). If you’re a security leader reading this, consider the impact of your messages when coming from a Director or General Manager. And if you’re not a security leader, next time the security team ask if they can provide your staff with an update, for something different why not offer to deliver the presentation on their behalf?