
11.2 Before the Workshop: Prepare to Meet with Senior Management

You need to prepare thoroughly for your meeting with senior managers. This task is more difficult than it appears. Since most senior managers have a limited amount of time to spend on efforts such as this, you need to be able to set the context for the managers and get input from them in a span of an hour or two. You must help them understand which assets are critical to the organization, why they are critical, and how they are at risk. You also need to help managers understand what the organization is currently doing well to protect its critical assets and where its protection measures are missing or inadequate. Finally, you need to present solutions that you developed to improve how the organization is protecting its critical assets. In this activity you prepare for your meeting with your organization's senior managers by deciding how you will present the issues identified during the evaluation and the solutions that you developed to address those issues.

Prepare a Presentation for Senior Managers

Your presentation will likely be broken into the following two themes: (1) background risk information and (2) proposed solutions. Table 11-3 shows key elements that you should consider including in the presentation.

Remember to consider the requirements of your audience (the organization's senior managers) before you create your presentation, as well as the time constraints involved. Tailor your presentation to the needs of your managers and make sure that it is consistent with any requirements or conventions in your organization. You might consider providing senior managers with a summary of the evaluation results in advance. Each organization and each set of senior managers are different, so there are no universal rules, but Table 11-3 provides some guidelines and ideas for you to consider. When preparing to meet with senior managers, you need to rely upon your experience in the organization and use your best judgment. Appendix A presents a sample final report from our case example.

Now that you have created a presentation for your organization's senior managers, you are ready to meet with them. The next section looks at the process 8B workshop.

Table 11-3. Key Elements of Presentation to Senior Managers
| Presentation Theme | Information | Description |
|---|---|---|
| Background risk information | Asset information | Asset information includes a summary of all of the assets that were identified during the evaluation and those that were identified as important by each workshop group from processes 1 to 3. |
| | Critical assets and the rationale for their selection | This information indicates which of the assets you believe to be most critical to the organization. You also need to include your rationale for designating these assets as critical. |
| | Security practices and organizational vulnerabilities | This part of the presentation summarizes the results of the security practices surveys and follow-up discussions. This information conveys what the organization is doing well in addition to which practices are missing or inadequate. |
| | Risk profile for each critical asset | The risk profile for each critical asset includes the threats to that critical asset, potential impact on the organization (narrative descriptions and qualitative impact values), key infrastructure components, and a summary of the vulnerabilities that were discovered. |
| Solutions | Protection strategy | The protection strategy highlights the long-term initiatives you propose to improve the organization's security posture. |
| | Risk mitigation plan for each critical asset | These plans illustrate proposed actions that are intended to reduce the risks to critical assets. |
| | Action list | The action list is a set of proposed action items that need to be addressed in the near term. |
