Privacy careers can be made or broken in the boardroom. While some CPOs are finding success in getting the board of directors on board with privacy, others are missing the mark. So what is it that separates the best from the rest when it comes to privacy presentations? PwC's Ken Mortensen, CIPP/G, CIPP/US, CIPM, provided a room full of eager privacy professionals with the following 10 tips for success, complete with Spinal Tap references, while speaking at Privacy. Security. Risk. 2015 in Las Vegas, NV.
1. Know Your Audience
“Gather intelligence,” Mortensen said. Find out all you can about each member of the board—who they are, their backgrounds, their role on the board, their knowledge of privacy and security issues, etc.—and get to know them outside of the boardroom. Knowing your audience allows you to build a better strategy of how to address them and rally them to your side.
2. Know Your Story
“In order to communicate, you need to tell a story,” Mortensen said. In developing your story, ask yourself, who are the protagonists and antagonists? Create contrast between the good and bad, describing and distinguishing between them. Build the story with the events leading to “the incident,” i.e., the climax of the story, but do not end with a conclusion; rather, end with a resolution.
3. Know Your Metrics
“How do you measure success in your program?” asked Mortensen. Get to know your “key-risk-indicators”—that is, “the things that drive a business objective” but don’t become too attached to them throughout your presentation. “These are the (signs) you watch as you’re driving down the street—(but) the board’s not interested in that; boards are interested in risks.” Metrics are obtained when we ask ourselves the question, “How successful are we in addressing our key risk indicators?”
4. Be Graphic(al)
“Using some sort of graphic to make sure you’re getting your point across does make a difference,” Mortensen said. Beyond using graphics, Mortensen added that a CPO should also, in a sense, be graphic. “What did it mean when I had an employee put PHI in the external dumpster?” Mortensen asked, recalling his own experience as a former CPO. “What did it mean to the people whose information it was?”
5. What Are the Takeaways?
“I hate giving status reports,” said Mortensen. “That’s a waste of my time. I want to tell you a story.” Mortensen challenged the audience to think about the one to three things that drive the presentation and that you want the board to take away from it. “What do you expect the board to do?”
6. Why Should They Care?
“Make it exciting.” Mortensen quipped that in a three-hour meeting where lunch is being served, you want someone to speak up and tell everyone, “Hold off on the Cobb salad. I really want to hear what (the CPO) has to say.” Help the board understand how privacy concerns are ingrained in every aspect of the organization and its objectives.
7. What Should They Do?
“There are organizations who do not exist today because they failed to incorporate privacy into their DNA.” Mortensen encouraged the audience to remind themselves about what the board actually does—that is, “a board of directors serves as the fiduciary of the shareholders; they represent the owners of the company and their job is to keep the management in line.” The board should want to make privacy inherent in every aspect of the organization to best protect the owners’ investments.
8. How Does the Program Address Risk?
“What’s your strategy?” Mortensen asked. Ask yourself how the resolution we talk about is addressing risk. Mortensen explained that the program should not only address the privacy risks but also the business risks, particularly since the two are intertwined in many cases.
9. How Does the Program Support the Business Objectives?
Mortensen told of his own time as a CPO and his goals of changing the organization’s approach to privacy and security “from being cost-centered to being profit-centered.” In other words, you should be able to demonstrate that you can go from privacy and security being viewed as an impediment, to something that actively supports the business objectives.
10. Where Is the Program Going?
“What’s your vision for privacy, for security? How does that parlay into addressing the risks and meeting the business objectives?”
But Mortensen was not done there—yes, he took it to an 11. “Because just like Spinal Tap, every privacy program needs to be able to get that little extra.”
11. Tell Them What You Need from Them
“Never walk out of a meeting without telling (the board) what you need.” Mortensen addressed the intimidation and resistance that some privacy professionals feel in front of the board, suggesting instead an attitude of “Hi, I’m from the privacy program. I’m here to help.” In the end, whether it’s “money, people, resources (or) their attention ... ask for it.”