Presentation of the SEIS Report to Top Management

Objective: To present the State of Enterprise Information Security report to top-level management. This presentation is a milestone in the process of incorporating security to the organisation's business culture.

The SEIS report as documented evidence of the technical and general collection of information seeks a twofold objective: on one hand, to summarise the technical and organisational state of information security in the company in a concise and clear document. This documentation can be used as reference material in proposals for future projects -probably after hiding confidential information.

On the other hand, and even more important, the report serves as a reference (specially the executive summary) to top management to support their decisions about decreasing risk and therefore increasing the value of the organisation.

On this note, a presentation to top management transmits the key messages from the report in clear business and financial risks terms, avoiding technical terms where possible, for the audience to understand the significance of the messages.

The presentation may use the following structure:

  • Brief introduction about information security.
  • Description and rationale of the work undertaken
  • Current state of the organization
  • Examples of findings, problems and/or existing vulnerabilities
  • Recommendations
  • Immediate actions required
  • Conclusions
  • Round of questions

The level of risk taken by the organization needs to be emphasised in both the initial part of the presentation (current state) and the final one (conclusions). For instance, clear and concise statements like the following can be used: "The level of risk is High and unacceptable in an organization of this size and visibility" or "The organisational structure needs to improve and there is an insufficient level of technical and organizational measures".

The length of the presentation depends on the size of the organization, the nature of the information to be presented and other factors, such as availability of management staff, etc. In any case, it is recommended to take between 1 and 2 hours. At the end of the presentation, some time is set aside for a round of questions, or to elaborate some aspects of the presentation in more detail at the audience's request.

The presentation should result in approval of the SEIS report by top management and their support and explicit commitment to the continuation of the project, that is, the development of the IASAP (Information Assurance and Security Action Plan) document.