Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

Sep 2, 2017

NBlog September 2 - InfoSec 101 elevator pitch, part 1 of 3

The elevator pitch is an awareness format we developed specifically for busy senior executives and other senior managers. 

Its main aim is to tell them just enough so they know what the awareness topic concerns. We'd like to intrigue them, prompting them to ask questions and seek more information, ideally influencing their decisions and actions as they go about their business in a more secure fashion.

The 'elevator pitch' name and button panel image allude to the idea of condensing a complex subject down to a short statement that could literally be expressed during a short elevator ride. We don't actually envisage someone standing there in the elevator car reading out a prepared script to the captive audience, so much as being primed and ready to respond off-the-cuff to an informal opener from an exec along the lines of "So, how are things with you?".

We limit ourselves to about 100 words per topic. As you'll see from the example above, that works out to just 3 paragraphs or so, of 2 or 3 sentences each. It takes a surprising amount of effort to put things across so succinctly: the real art is in figuring out what's appropriate to leave out, and how to express the essentials in a way likely to resonate with senior managers.

Imagine being a fisherman selecting some juicy morsel to bait the hook. Ideally the pitch needs to catch the target's eye, intriguing them and sparking their imagination so they gulp it down ... but being realistic, very few execs are going to have the time and interest to drop everything and focus on information security, at least not on the strength of a snatched conversation in the elevator or a casual corridor chat.  

Let's look at the InfoSec 101 elevator pitch in more detail, breaking it down a paragraph at a time:

Information is a valuable but vulnerable business asset that requires protection against risks. Responding to the risks through suitable controls involves all those who create, use and handle information. Yes, that's everyone.

Those first few words are crucial, explicitly positioning information risk and security as a business issue. The whole pitch, in fact, is prioritized such that, if our audience is distracted or busy and cuts it short, they have already had the most important information. If they get nothing else, "Information is a valuable but vulnerable business asset" is a fundamental awareness message. Whereas we'd like them to swallow the bait, we'd settle for a nibble.

The next two sentences emphasize that information risk is a concern for everybody in the organization (meaning the execs, managers, staff and others such as contractors and consultants, temps and interns - and in fact various outsiders such as our ISPs and CSPs, business partners, accountants, legal and tax advisers, authorities and more: as I said, writing an elevator pitch is largely about what to leave out without materially affecting the message).

Given that Information Security 101 is an introductory module, the first paragraph cuts directly to the chase. I'll pick this up again tomorrow, exploring the second paragraph.