Friday, December 4, 2009

Thimble of Knowledge

Dilbert.com

How do you hand out the "Thimble of Knowledge"?

People in Information Security run into this scenario all of the time. How do you translate your "mountain of facts" into something that accurately assesses and conveys the proper amount of information to your client, boss, or manager?

A few years ago I took some Incident Response training at CERT. The training culminated with a mock presentation of your team's findings to a C-level executive. You had 10 minutes to present your findings and provide recommendations. The instructors acted as the C-level executive and were tough, gruff, experienced, and sharp (in this part of the exercise; outside of it they were very personable and approachable). The instructors played the part to a T and had years of experience in incident response and presentations in the scenario.

Here are some guidelines that I kept in mind for that presentation and when trying to present technical information or recommendations to less technical people:
  • Stick to the facts - don't exaggerate or use flowery adjectives.
  • Know the difference between possibility and probability.
  • Reevaluate your "first draft" - can your points be refined or distilled down to more accurate statements? One method I use when trying to reevaluate is by applying some root cause analysis with the 5 Whys. It's not a direct translation but the process works for me.
  • Be prepared - Be prepared to support your claims with additional material, whether in your mind or on paper.
  • Keep It Simple, not Stupid - Don't assume that because the audience members are not information security experts, their mental capacity is below average.

How do you hand out the "Thimble of Knowledge"?

Thursday, December 3, 2009

The most important skill today is...

The most important skill today is... teaching.

While I was pontificating on the substance of this whole effort, I realized that the information sources that I get the most out of are the ones that teach me something or show me a novel way of accomplishing a task. That is what I want to accomplish with this blog. I want to document my perspective, thought process, and methods for other people to evaluate.


"Teaching" link via: http://uxmagazine.com/strategy/less-is-better

Tuesday, December 1, 2009

Is this thing on?

It's been almost 5 years since I posted to my old blog on Blogger. I was prompted to get back in the game after a friend asked me a question along the lines of "Why the hell aren't you out there in the community?". I couldn't come up with any good answers, so here I am.