Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

How NOT to break the news.

Disclaimer:  I’m not a CIO, but I played one today. 

I was asked to roleplay one for an incident response training class in which the teams had been working all week investigating an “incident” and now had to present their findings and recommendations to the “CIO.”  They were all working from the same scenario, but didn’t all get the same information if they didn’t figure out which questions to ask. 

Needless to say, their views of the incident, as well as their perspectives and descriptions, were all over the map.  Some students had an excellent grasp of senior management (i.e. business) concerns; others were completely focused down in the technical trees and had no clue there was even a forest.  Some had very clear recommendations laid out:  immediate, short-term and long-term, with time and cost estimates for each; others basically just threw out the problem and then sat there, awaiting further instructions.

Based on my own experiences reporting to C?Os, I had fun picking at the weak parts of each presentation.  I was told that I could be as tough as I wanted to be, and it was very interesting to see the reactions.  Some presenters floundered; one got so obnoxious and defensive that he certainly would have been shown out of the boardroom (if not the building) before the meeting was over.

In no particular order, here are some bits of feedback that occurred to me as we did the exercise:

1.  Describe the problem at a high level and move on.  Don’t get all technical unless the CIO asks for it; you’re not presenting a SANS paper and you’re not trying to impress your peers, so can the jargon and the 133t sp3ak.
 
2.  Be clear on what information you have, how confident you are of your figures and be ready to explain what it would take for you to narrow in more precisely.

3.  Be ready to explain why it appears this has been going on for months and yet this is the first time your boss is hearing about it.

4.  Do NOT bring a problem like this to your boss’s boss or your boss’s peers before your boss knows about it.  That either shows a political tone deafness so severe that you should never be let out of the computer room, or an open intent to sabotage your boss.  Either way, it’s a career-limiting move to say the least.

5.  Don’t forget to mention crucial details that your boss really needs to know, like, “Oh, by the way, our machines are attacking our competitor’s.  And no, we’re not sure we’ve stopped it yet.”

6.  Don’t try to throw your IT colleagues under the bus when the CIO asks how this was allowed to happen.  Your boss is trying to keep all his direct reports playing nicely together, and doesn’t appreciate a troublemaker.

7.  Bring real solutions to the table, even if they involve other groups over which you have no control.  It’s your boss’s job to make things happen if he agrees that they need to be done.  Don’t just shrug and say, “We’re not allowed to do that.  We just make policy.”  There are few things more useless in IT than a pure “policy maker.”

8.  Be ready to do back-of-the-envelope risk analyses and more cost estimates, because these are the two things your boss is going to ask about a LOT as you go through options.  This entails understanding your network, your resources, and your business functions, so study up beforehand.

9.  When you don’t have a ready answer for something, at LEAST give an estimate on when you will be able to get the answer. 

10.  And finally, show yourself as someone who is ready to do whatever it takes to deal with the problem.  Don’t just lay it down like a turd in front of your boss and expect praise.

When bad things happen in security, that’s when you need your people skills the most.  How you handle a crisis will demonstrate to your boss very clearly whether you’re a net asset or a liability.

Posted by shrdlu on Friday, October 31, 2008

Comments

United States on 10/31 at 02:36 PM:

Good advice! I try to be conscious about a lot of them. I’ve seen people who lay down problems with no options or plans. I’m not the boss and even I find that annoying. It’s like someone who wants to point out all your shortcomings but offer nothing of use.

#9: Not sure where I picked it up, but while I sometimes will say, “I don’t know,” I always try to follow that up with something along the lines of, “I’ll find out by x.” My own personal experience has told me that being honest about not knowing is better than trying to sound cute when avoiding the question. Just admit it and find out later.

#4: Sometimes issues are discovered with someone else nearby, but I try to always make sure my boss hears anything from me as soon as possible. It’s politically suicidal to let my boss be blindsided in the hallway or a meeting. It also wastes time as people get lathered up and he has to spend time triaging misinformation.

#6: You also want to trust and have trust from your colleagues. Throwing anyone under the bus destroys that, almost immediately.

I would make some exceptions, but really only to my direct boss, not higher. If the mistake is mine, I’ll fess up as soon as I know the mistake is mine. I’ll let him decide if my name should be brought up to his own boss. If I get asked twice about whose fault it is, I’ll try to answer as diplomatically as possible without trying to be a finger-pointer or a roadblock.

Chris Hayes United States on 11/03  at  01:21 PM:

For “sensitive” situations, ensure that your work is covered under attorney-client privilege and/or attorney work product. It is important that the recipient of the news - whether verbal or written - understands the sensitivity of the matter as well as his/her responsibility in protecting such information. It is also important that the lawyer you are working with extend the privilege to the person you share it with. Maybe this is not applicable in the government sector, but in the private sector this is a big deal, especially when it entails consumers or investigations with legal ramifications.

Good post!

shrdlu United States on 11/03  at  03:00 PM:

Excellent point, Chris—thanks!
(It’s also very important in the public sector, when you have to worry about protecting things from public information act requests.)
