CSY399 Week 11 Capstone

Cybersecurity Capstone

Mental Model

"Executives don't need to understand how SQL injection works. They need to understand that customer data is at risk, what it will cost to fix, and what happens if they don't." — Security Leadership Principle

Technical excellence means nothing if you can't communicate its importance to decision-makers. This week focuses on translating your comprehensive technical findings into compelling executive presentations that drive action and secure resources for security improvements.

Learning Outcomes

By the end of this week, you will be able to:

  • LO1: Translate technical security findings into business-relevant language
  • LO2: Design effective executive presentations that drive decision-making
  • LO3: Quantify security risk in terms meaningful to business leadership
  • LO4: Anticipate and address executive concerns and objections
  • LO5: Deliver confident, credible presentations to non-technical audiences

Introduction: The Executive Presentation

You've completed a comprehensive security assessment and documented everything in a detailed technical report. Now comes a critical moment: presenting findings to NovaTech's leadership team including the CEO, CFO, and board members.

This presentation will determine whether your recommendations receive funding, whether security becomes a priority, and whether the identified risks are actually addressed. Your technical skills got you here; your communication skills will determine the outcome.

NovaTech Leadership Team

Role | Primary Concerns | Key Questions
CEO (Sarah Chen) | Business growth, customer trust, competitive position | "How does this affect our customers and market position?"
CFO (Michael Torres) | Budget, ROI, financial risk | "What will this cost and what's the cost of not doing it?"
CTO (Jennifer Park) | Technical debt, development velocity, architecture | "How does this fit with our roadmap?"
CISO (Marcus Webb) | Security posture, compliance, risk management | "How do we prioritize and resource this?"
Board Members | Fiduciary duty, liability, governance | "What's our exposure and are we doing enough?"

1. Understanding Executive Audiences

Executives think differently than technical teams. Understanding their perspective is essential for effective communication.

Executive Mindset

┌─────────────────────────────────────────────────────────────────┐
│           TECHNICAL vs. EXECUTIVE PERSPECTIVE                   │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  TECHNICAL TEAM THINKS:           EXECUTIVE THINKS:             │
│  ──────────────────────           ─────────────────             │
│  "This is a critical vuln"        "What's the business impact?" │
│  "CVSS score is 9.8"              "How much could this cost us?"│
│  "We need to patch Log4j"         "What resources do you need?" │
│  "The code has SQLi"              "Are our customers at risk?"  │
│  "We should implement WAF"        "What's the ROI?"             │
│  "This violates CIS benchmarks"   "Will this affect our audit?" │
│                                                                 │
│  SPEAKS IN:                       SPEAKS IN:                    │
│  • CVEs and CVSS                  • Revenue and costs           │
│  • Technical vulnerabilities      • Customer impact             │
│  • Security frameworks            • Competitive position        │
│  • Tools and technologies         • Risk and liability          │
│  • Implementation details         • Strategic priorities        │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
            

What Executives Care About

1. Business Continuity

Can we keep operating? Will this disrupt our business?

2. Financial Impact

What does this cost us? What's the ROI of fixing it?

3. Customer Trust

How does this affect our customers and their confidence in us?

4. Regulatory Compliance

Are we meeting our legal and contractual obligations?

5. Strategic Alignment

Does this fit with where we're going as a company?

Common Executive Questions

Be prepared to answer these questions confidently:

Question | What They Really Want to Know
"How bad is it?" | Give me the bottom line—should I be worried?
"Could this actually happen to us?" | Is this theoretical or a real threat?
"What's this going to cost?" | What resources do you need and what's the alternative cost?
"How do we compare to others?" | Are we worse than our peers/competitors?
"What should we do first?" | If we can only do one thing, what is it?
"How long will this take?" | When will we be "secure" (or at least better)?
"Why didn't we catch this before?" | Is there a systemic problem with our security program?

2. Translating Technical to Business

The core skill of executive communication is translation—converting technical findings into business language without losing accuracy.

Translation Framework

┌─────────────────────────────────────────────────────────────────┐
│              TECHNICAL TO BUSINESS TRANSLATION                  │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  TECHNICAL FINDING                                              │
│       │                                                         │
│       ▼                                                         │
│  ┌─────────────────────────────────────────────────────────┐   │
│  │ 1. WHAT could happen? (Attack scenario)                 │   │
│  └─────────────────────────────────────────────────────────┘   │
│       │                                                         │
│       ▼                                                         │
│  ┌─────────────────────────────────────────────────────────┐   │
│  │ 2. WHO is affected? (Customers, operations, partners)   │   │
│  └─────────────────────────────────────────────────────────┘   │
│       │                                                         │
│       ▼                                                         │
│  ┌─────────────────────────────────────────────────────────┐   │
│  │ 3. WHAT'S THE COST? (Financial, reputation, regulatory) │   │
│  └─────────────────────────────────────────────────────────┘   │
│       │                                                         │
│       ▼                                                         │
│  BUSINESS IMPACT STATEMENT                                      │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
            

Translation Examples

SQL Injection Vulnerability

Technical:

"The /api/customers/search endpoint is vulnerable to SQL injection (CWE-89) due to improper input validation. CVSS 9.8."

Business:

"Attackers could steal our entire customer database—50,000 records including names, emails, and workflow data. This would trigger GDPR breach notification within 72 hours and could result in fines up to €10M. We'd also need to notify affected customers, likely resulting in significant customer churn and media coverage."

Public S3 Bucket

Technical:

"S3 bucket 'novatech-customer-uploads' has public read access enabled with no authentication required."

Business:

"Customer files uploaded to WorkflowPro are currently accessible to anyone on the internet without logging in. A security researcher or journalist could discover this at any time. Several recent high-profile breaches (Capital One, Twitch) started with similar misconfigurations."

Missing MFA

Technical:

"IAM credential report shows 5 users with console access lack MFA. This violates CIS AWS Benchmark 1.10."

Business:

"If any of these five employees' passwords are compromised through phishing or a data breach elsewhere, attackers get direct access to our AWS infrastructure—no second factor required. This is the same attack vector used in several recent high-profile breaches. It's also a common audit finding that could impact our SOC 2 certification."

Language Dos and Don'ts

Instead of... | Say...
"Critical CVSS 9.8 vulnerability" | "Attackers could take complete control of this system"
"SQL injection in the API" | "Customer database could be stolen"
"Missing security headers" | "Defense against common web attacks is incomplete"
"Violated CIS benchmark" | "Below industry standard security practices"
"Need to implement WAF" | "Add a security layer to protect customer-facing applications"
"RCE on Jenkins" | "Attackers could compromise our software build process"

3. Quantifying Security Risk

Numbers speak to executives. Quantifying risk in financial terms makes security investments comparable to other business decisions.

Risk Quantification Approaches

Industry Benchmarks

Reference industry studies on breach costs:

  • IBM/Ponemon Cost of Data Breach Report: Average breach cost $4.45M (2023)
  • Cost per compromised record: $165 average
  • Costs run higher in healthcare and financial services

For NovaTech: 50,000 customer records × $165 = $8.25M potential exposure

Regulatory Penalties

Reference specific regulatory frameworks:

  • GDPR: Up to €20M or 4% of global annual revenue
  • CCPA: $2,500-$7,500 per intentional violation
  • PCI-DSS: $5,000-$100,000 per month of non-compliance

Business Impact Calculation

Estimate specific business impacts:

Scenario: Customer database breach via SQL injection

Direct Costs:
  Incident response: $150,000
  Legal/regulatory: $200,000
  Customer notification: $50,000
  Credit monitoring: $500,000
  Forensics: $100,000
  Subtotal: $1,000,000

Indirect Costs:
  Customer churn (5% of $10M ARR): $500,000
  Sales cycle impact: $300,000
  Brand/reputation: $500,000
  Subtotal: $1,300,000

TOTAL ESTIMATED IMPACT: $2,300,000
                    

Comparison to Remediation Cost

Show the ROI of security investment:

Risk Exposure: $2,300,000 potential loss
Remediation Cost: $150,000 (3 engineering sprints)
Risk Reduction: ~90% (eliminates SQL injection vector)

ROI Calculation:
  Risk mitigated: $2,070,000 (90% of $2.3M)
  Investment: $150,000
  ROI: 1,280% (($2.07M - $150K) / $150K)

For every $1 invested in remediation, we protect $13.80 in potential loss.
                    

Presenting Financial Risk

NovaTech Risk Summary

Risk Category | Potential Impact | Remediation Cost | Risk Reduction
Customer Data Breach | $2.3M - $8.25M | $150K | 90%
Supply Chain Compromise | $5M+ (enterprise customers) | $50K | 95%
SOC 2 Audit Failure | $1M+ (lost deals) | $100K | 80%
Total | $8.3M - $14.25M | $300K |

A Note on Quantification

Risk quantification involves estimation and assumptions. Be transparent about your methodology and acknowledge uncertainty. It's better to present a range ("$2M-$8M") than false precision ("$4,237,891"). Executives understand estimates; they distrust false certainty.
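
The calculations in this section, carried through as an added Python example (not part of the original course material): it recomputes the scenario total, the per-record benchmark, the ROI and the risk summary totals from the NovaTech figures above, then rounds them into ranges suitable for a slide. The function names and the two-significant-figure rounding rule are assumptions made for this illustration.

```python
"""Risk quantification worksheet built on the NovaTech figures in this section."""
from dataclasses import dataclass

# Scenario: customer database breach via SQL injection (values from the page).
DIRECT_COSTS = {
    "incident_response": 150_000,
    "legal_regulatory": 200_000,
    "customer_notification": 50_000,
    "credit_monitoring": 500_000,
    "forensics": 100_000,
}
INDIRECT_COSTS = {
    "customer_churn": 500_000,  # 5% of $10M ARR
    "sales_cycle_impact": 300_000,
    "brand_reputation": 500_000,
}


@dataclass(frozen=True)
class Risk:
    name: str
    impact_low: int
    impact_high: int
    remediation_cost: int
    reduction_pct: int


# Rows of the NovaTech Risk Summary table. "$5M+" and "$1M+" are open-ended
# on the page, so low and high are both set to the stated floor.
RISKS = [
    Risk("Customer Data Breach", 2_300_000, 8_250_000, 150_000, 90),
    Risk("Supply Chain Compromise", 5_000_000, 5_000_000, 50_000, 95),
    Risk("SOC 2 Audit Failure", 1_000_000, 1_000_000, 100_000, 80),
]


def scenario_total(direct, indirect):
    """Bottom-up estimate: sum of direct and indirect cost components."""
    return sum(direct.values()) + sum(indirect.values())


def benchmark_exposure(records, cost_per_record):
    """Top-down estimate: record count times an industry per-record cost."""
    return records * cost_per_record


def roi(exposure, reduction_pct, cost):
    """Risk mitigated, net ROI in percent, and dollars protected per dollar spent."""
    mitigated = exposure * reduction_pct // 100
    return {
        "mitigated": mitigated,
        "net_roi_pct": (mitigated - cost) * 100 / cost,
        "protected_per_dollar": mitigated / cost,
    }


def portfolio(risks):
    """Totals across all risks plus the gross exposure-to-investment ratio range."""
    low = sum(r.impact_low for r in risks)
    high = sum(r.impact_high for r in risks)
    cost = sum(r.remediation_cost for r in risks)
    return {
        "low": low,
        "high": high,
        "cost": cost,
        # Integer round-half-up so the result does not depend on float rounding.
        "ratio_low": (low + cost // 2) // cost,
        "ratio_high": (high + cost // 2) // cost,
    }


def exec_money(amount, sig=2):
    """Round to `sig` significant figures and format as $K / $M (no false precision)."""
    amount = int(amount)
    if amount <= 0:
        return "$0"
    factor = 10 ** max(len(str(amount)) - sig, 0)
    rounded = (amount + factor // 2) // factor * factor
    if rounded >= 1_000_000:
        return f"${rounded / 1_000_000:g}M"
    if rounded >= 1_000:
        return f"${rounded / 1_000:g}K"
    return f"${rounded}"


def exec_range(low, high):
    """Present an estimate as a range; collapse it when both ends round the same."""
    lo, hi = exec_money(low), exec_money(high)
    return lo if lo == hi else f"{lo}-{hi}"


if __name__ == "__main__":
    bottom_up = scenario_total(DIRECT_COSTS, INDIRECT_COSTS)
    top_down = benchmark_exposure(50_000, 165)
    print("Breach exposure:", exec_range(bottom_up, top_down))
    print("SQLi remediation:", roi(bottom_up, 90, 150_000))
    for r in RISKS:
        print(f"{r.name}: {exec_range(r.impact_low, r.impact_high)} "
              f"for {exec_money(r.remediation_cost)} ({r.reduction_pct}% reduction)")
    p = portfolio(RISKS)
    print(f"Total: {exec_range(p['low'], p['high'])} for {exec_money(p['cost'])}, "
          f"about {p['ratio_low']}:1 to {p['ratio_high']}:1")
```

Run against the page's inputs, the gross exposure-to-investment ratio comes out as a range, and the deck's rounded 40:1 headline falls inside it.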

4. Designing the Executive Presentation

An executive presentation is not a condensed version of your technical report. It's a focused narrative designed to inform decisions.

Presentation Structure

┌─────────────────────────────────────────────────────────────────┐
│           EXECUTIVE PRESENTATION STRUCTURE                      │
│                    (15-20 minutes)                              │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  1. OPENING (1-2 slides, 2 minutes)                            │
│     • Thank you / engagement context                           │
│     • One-sentence bottom line                                 │
│                                                                 │
│  2. OVERALL ASSESSMENT (1-2 slides, 3 minutes)                 │
│     • Security posture rating                                  │
│     • Key metrics (findings by severity)                       │
│     • Comparison to industry/expectations                      │
│                                                                 │
│  3. KEY RISKS (2-3 slides, 5 minutes)                          │
│     • Top 3-5 business risks                                   │
│     • Business impact for each                                 │
│     • Visual representation                                    │
│                                                                 │
│  4. RECOMMENDATIONS (2-3 slides, 5 minutes)                    │
│     • Prioritized action plan                                  │
│     • Resource requirements                                    │
│     • Timeline                                                 │
│                                                                 │
│  5. DECISION POINTS (1 slide, 2 minutes)                       │
│     • What we need from you                                    │
│     • Options if applicable                                    │
│                                                                 │
│  6. Q&A (5-10 minutes)                                         │
│     • Prepared for common questions                            │
│     • Backup slides ready                                      │
│                                                                 │
│  TOTAL: 10-12 slides + backup slides                           │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
            

Slide Design Principles

One Message Per Slide

Each slide should communicate a single key point. If you need to say "and also..." you probably need another slide.

Headlines Tell the Story

Slide titles should be complete sentences that convey the key message. Someone reading only the titles should understand the narrative.

❌ Poor: "Findings Summary"
✓ Good: "Three Critical Vulnerabilities Require Immediate Attention"

Visuals Over Text

Use charts, diagrams, and images instead of bullet points where possible. A risk matrix is more impactful than a list of findings.

Minimal Text

If you must use text, keep it brief. The slide supports what you're saying; it shouldn't be a script.

  • Maximum 5-6 lines per slide
  • Maximum 6-8 words per line
  • Font size readable from back of room (24pt+)

Sample Slide Content

Slide 1: Title/Opening

NovaTech Solutions Security Assessment

SecureFirst Consulting | January 2025

Assessment Period: January 6-24, 2025

Slide 2: Bottom Line Up Front

Overall Assessment: HIGH RISK

Critical vulnerabilities could allow attackers to access customer data and compromise software deployments. Immediate action required on three findings; strategic investment needed to mature security posture.

Slide 3: Findings Overview

28 Findings Identified Across All Assessment Areas

[Horizontal bar chart showing:]

  • Critical: 3
  • High: 5
  • Medium: 8
  • Low: 12

"Critical and High findings require action within 2 weeks"

Slide 4: Top Business Risk #1

Customer Data at Risk of Theft

What: SQL injection vulnerability in WorkflowPro

Impact: 50,000 customer records could be stolen

Cost: $2.3M-$8.25M in breach costs, GDPR fines, lost business

Fix: $150K investment, 2-week timeline

Slide 7: Recommended Investment

$300K Investment Reduces $14M+ Risk Exposure

Phase 1 (Immediate) | $50K | 2 weeks
Phase 2 (Urgent) | $100K | 4 weeks
Phase 3 (Strategic) | $150K | 3 months

ROI: 40:1 risk reduction to investment ratio

Slide 10: Decision Points

We Need Your Decision On:

  1. Approve immediate remediation — $50K for critical fixes this week
  2. Authorize Phase 2 resources — 2 FTE developers for 4 weeks
  3. Commit to strategic roadmap — Architecture improvements in Q2

5. Handling Questions and Objections

The Q&A portion often determines whether your recommendations are approved. Prepare for likely questions and potential pushback.

Common Questions and Responses

"How does this compare to other companies?"

Response approach:

  • Reference industry benchmarks if available
  • Be honest if you don't have comparative data
  • Focus on NovaTech's specific risk profile

Sample response: "Based on industry reports, the types of vulnerabilities we found are common in fast-growing SaaS companies. What matters most is that these specific issues, in your specific environment, create real risk to your customers and business. The good news is they're all fixable with reasonable investment."

"Why didn't our own security team find this?"

Response approach:

  • Don't criticize the internal team
  • Highlight value of external perspective
  • Note resource/focus constraints

Sample response: "External assessments provide fresh perspective and dedicated focus that internal teams, juggling daily operations, often can't replicate. This is exactly why companies engage external assessors—not because internal teams aren't capable, but because they're busy keeping things running. Many of these findings require specialized testing that's outside normal operations."

"Can't we just accept this risk?"

Response approach:

  • Explain risk acceptance formally
  • Outline implications (compliance, liability)
  • Note what formal acceptance requires

Sample response: "Formal risk acceptance is an option for some findings, but for Critical and High items, it requires documented justification, executive sign-off, and compensating controls. For the SQL injection specifically, accepting this risk would mean documenting that we're aware customer data could be stolen and choosing not to fix it—which creates significant liability exposure for the company and potentially individual officers."

"What happens if we don't do anything?"

Response approach:

  • Be direct but not alarmist
  • Reference concrete scenarios
  • Note increasing likelihood over time

Sample response: "The vulnerabilities we found are the same types being actively exploited across the industry. The Log4Shell vulnerability on Jenkins, for example, is being scanned for by automated tools continuously. It's not a question of if these vulnerabilities could be exploited, but when. The longer they exist, the more likely discovery becomes. A breach would cost significantly more than the remediation investment we're recommending."

"Can we do this cheaper?"

Response approach:

  • Offer tiered options if possible
  • Explain what's essential vs. nice-to-have
  • Note implications of reduced investment

Sample response: "The $300K covers comprehensive remediation. If budget is constrained, here's what I'd recommend: $50K covers the three critical items—that's non-negotiable for protecting customer data. The remaining investment can be spread over time, but each delay maintains that portion of the risk. What's your risk tolerance for the high-severity items?"

Handling Difficult Situations

When Asked to Soften Findings

"Can you downgrade that critical to a high? We don't want to alarm the board."

Response: "I understand the concern about board reaction, but severity ratings are based on objective criteria—potential impact and likelihood. Downgrading would misrepresent the risk and could create liability issues. What I can do is help frame the presentation to show both the seriousness and the clear path to remediation."

When Findings Are Challenged

"I don't think that's really exploitable in our environment."

Response: "I appreciate the skepticism—it's healthy. The finding includes proof-of-concept evidence showing exactly how we exploited it. I'm happy to walk through the technical details with your team after this meeting. If after review you believe the environmental context changes the risk, we can discuss adjusting the contextual rating."

When Blamed for Finding Problems

"We didn't have these problems before you showed up."

Response: "These vulnerabilities existed before our assessment—we just made them visible. The goal of this engagement was to find issues before attackers do, and that's exactly what we've done. Finding them is the first step to fixing them. Organizations that don't look for vulnerabilities still have them; they just don't know about them."

6. Presentation Delivery

How you deliver the presentation matters as much as the content. Confidence, credibility, and professionalism all affect how your message is received.

Delivery Techniques

Start Strong

  • Thank the audience for their time
  • State the bottom line immediately
  • Don't apologize or hedge upfront
❌ Weak: "So, um, we found some things that you might want to look at, I guess..."
✓ Strong: "Thank you for your time today. Based on our assessment, NovaTech faces significant but addressable security risks. I'll walk you through what we found and what we recommend."

Maintain Confidence

  • Speak with authority about your findings
  • It's okay to say "I don't know" to questions outside scope
  • Avoid undermining your credibility with excessive qualifiers
❌ Weak: "I think maybe this could possibly be a problem, perhaps..."
✓ Confident: "This is a critical vulnerability. We exploited it successfully in our testing, and it poses real risk to customer data."

Read the Room

  • Watch for confusion and clarify
  • Notice engagement/disengagement
  • Adjust pace based on reactions
  • Don't rush through important points

Handle Interruptions Professionally

  • Answer brief questions in the moment
  • Defer complex questions to Q&A
  • Never get defensive
  • Thank people for questions

End with Action

  • Clearly state what you need from them
  • Offer to answer questions
  • Provide clear next steps

Sample close: "To summarize: three critical vulnerabilities need immediate attention, and we've outlined a clear path forward. We're asking for approval of the $50K immediate remediation budget today. What questions can I answer?"

Virtual Presentation Tips

7. Follow-Up and Ongoing Communication

The presentation isn't the end—it's often the beginning of an ongoing conversation about security investment and progress.

Post-Presentation Actions

Immediate (Same Day)

  • Send thank-you email
  • Provide digital copy of presentation
  • Answer any questions that were deferred
  • Confirm next steps and action items

Short-Term (Within 1 Week)

  • Deliver final technical report
  • Schedule technical walkthrough with implementation teams
  • Clarify any questions on remediation guidance

Ongoing

  • Available for questions during remediation
  • Retest/verify critical findings when remediated
  • Periodic check-ins on progress if engagement includes

Follow-Up Email Template

Subject: NovaTech Security Assessment - Presentation Follow-Up

Dear Sarah, Michael, Jennifer, and Marcus,

Thank you for your time today reviewing the security assessment findings. 
As discussed, here are the key points and next steps:

KEY FINDINGS:
- 3 Critical, 5 High severity findings requiring priority attention
- Estimated risk exposure: $8-14M; recommended investment: $300K
- ROI: Approximately 40:1 risk reduction to investment ratio

ACTION ITEMS:
1. [Owner: Marcus] Approve immediate remediation budget ($50K) - Target: Friday
2. [Owner: Jennifer] Assign development resources for SQL injection fix - Target: Monday
3. [Owner: SecureFirst] Deliver final technical report - Target: Tomorrow

ATTACHED:
- Executive presentation (PDF)
- Technical report will follow tomorrow

I'm available to answer any questions or provide additional detail on 
specific findings. Would it be helpful to schedule a technical deep-dive 
with the development team this week?

Best regards,
[Your Name]
SecureFirst Consulting
                

Self-Check Questions

Test your understanding of executive communication:

Question 1

Translate this technical finding for an executive audience: "CVE-2021-44228 (Log4Shell) was identified on jenkins.novatech-solutions.com running Log4j 2.14.1, allowing unauthenticated RCE via JNDI injection."

Executive translation:

"Our software build system has a critical vulnerability that attackers could use to take complete control of the server. This is the same vulnerability that made headlines in December 2021 and is being actively exploited worldwide. If compromised, attackers could inject malicious code into software we deploy to customers, creating supply chain risk for our enterprise clients. Additionally, we found AWS credentials on this server that could provide access to our cloud infrastructure."

Key elements:

  • What it means (not technical details)
  • Real-world context (headlines, active exploitation)
  • Business impact (customers, supply chain)
  • Cascading risk (AWS credentials)

Question 2

The CFO asks: "We have a lot of other priorities right now. Can this wait until next quarter?" How do you respond?

Sample response:

"I understand you're balancing competing priorities. Let me help put this in context: the critical vulnerabilities we found are being actively scanned for by attackers—it's not a theoretical risk. Each week we wait increases the likelihood of discovery and exploitation.

If a breach occurs, you're looking at $2-8 million in direct costs, plus the operational disruption of incident response during what sounds like an already busy time.

What I'd recommend: the critical items—$50K investment, 2-week effort— should not wait. The strategic improvements can be phased into next quarter if needed. But leaving the critical vulnerabilities unaddressed is essentially accepting a very real chance of a breach that would cost 50-100x more than fixing them."

Question 3

How would you present a finding that your assessment couldn't fully exploit due to scope limitations, but you believe is serious?

Approach:

  1. Be honest about what you tested and didn't test
  2. Explain what you did find and why it concerns you
  3. Reference similar vulnerabilities that were exploited elsewhere
  4. Recommend further investigation if warranted

Sample presentation:

"We identified what appears to be a server-side request forgery vulnerability in the document preview feature. Our scope didn't include exploitation that could affect production data, so we stopped at confirming the vulnerability exists.

However, this type of vulnerability is the same class that enabled the Capital One breach—attackers used SSRF to access AWS metadata and steal credentials. Given your similar AWS architecture, we recommend either expanded testing to confirm the full impact, or immediate remediation of the underlying issue."

Question 4

A board member asks: "What's the probability we'll actually be attacked?" How do you answer without being alarmist or dismissive?

Sample response:

"That's the right question to ask. While I can't give you an exact percentage, here's what I can tell you:

The vulnerabilities we found—especially Log4Shell—are being scanned for by automated tools across the internet continuously. We know this because we see the scan traffic in security telemetry industry-wide. It's not a matter of whether attackers are looking; they already are.

For the SQL injection, the application is internet-facing and the attack requires no special access. Any attacker targeting SaaS companies would test for this.

Industry data shows that 83% of organizations experienced more than one data breach last year. Companies with these specific vulnerability types are significantly more likely to be compromised.

I can't tell you it will happen tomorrow or next month, but I can tell you the conditions for it to happen exist today."

Question 5

You're presenting to executives when the CISO interrupts to explain a technical detail that contradicts something you said. How do you handle this?

Approach:

  • Stay calm and professional
  • Don't get defensive or dismissive
  • Acknowledge their point
  • Clarify or correct if appropriate
  • Offer to discuss details offline

Sample response:

"Thank you for that clarification, Marcus. You're right that [acknowledge their point if valid]. Based on our testing, we observed [state what you found with evidence]. There may be additional context I'm missing about your environment.

I'd suggest we compare notes after this meeting to reconcile the details. For the purpose of this discussion, the key point is [refocus on business impact]. Does that make sense?"

Key points:

  • Don't argue in front of executives
  • Acknowledge without fully conceding if you believe you're correct
  • Refocus on what matters to the executive audience
  • Resolve technical disputes privately

Question 6

Create a one-slide "bottom line up front" summary for NovaTech's assessment that an executive could understand in 30 seconds.

Sample slide content:

Security Assessment: Immediate Action Required

BOTTOM LINE: Critical vulnerabilities put customer data at risk. $300K investment addresses $14M+ exposure.

🔴 3 Critical | Customer database, CI/CD pipeline, cloud storage at risk
💰 $8-14M | Potential impact from breach (regulatory + business)
✅ $300K | Recommended investment to address all findings
⏰ 2 weeks | Critical items need immediate remediation

DECISION NEEDED: Approve $50K immediate budget today

Lab: Executive Presentation Development

Objective

Create and deliver a professional executive presentation of the NovaTech security assessment findings, demonstrating the ability to communicate technical security concepts to business leadership.

Deliverables

Time Estimate

5-6 hours

Lab Tasks

Part 1: Audience Analysis (LO1)

  1. Review NovaTech leadership team profiles
  2. Identify key concerns for each stakeholder
  3. Determine primary decision-makers
  4. Note potential objections or concerns

Part 2: Message Development (LO1, LO3)

  1. Translate top findings into business language
  2. Quantify risk using appropriate methods
  3. Develop ROI narrative for remediation investment
  4. Create clear call-to-action

Part 3: Presentation Design (LO2)

  1. Create slide deck following executive structure:
    • Title slide
    • Bottom line / overall assessment
    • Findings summary (visual)
    • Top 3 business risks (1 slide each)
    • Recommendations and investment
    • Timeline / roadmap
    • Decision points
  2. Apply slide design best practices
  3. Create supporting visuals (charts, diagrams)
  4. Add backup slides for detailed questions

Part 4: Q&A Preparation (LO4)

  1. List 10 likely executive questions
  2. Prepare responses for each
  3. Identify potential objections
  4. Develop responses to difficult scenarios

Part 5: Presentation Practice (LO5)

  1. Write speaker notes for each slide
  2. Practice delivery multiple times
  3. Time your presentation (target: 15-20 minutes)
  4. Refine based on practice

Part 6: Recording and Review

  1. Record your presentation delivery
  2. Review recording for:
    • Clarity of message
    • Confident delivery
    • Appropriate pacing
    • Professional presence
  3. Note areas for improvement
  4. Re-record if needed

Self-Assessment Checklist

Message Quality

  • ☐ Technical findings translated to business language
  • ☐ Risk quantified in meaningful terms
  • ☐ Clear ROI narrative presented
  • ☐ Specific decision asks included

Presentation Design

  • ☐ One message per slide
  • ☐ Headlines tell the story
  • ☐ Visuals over text
  • ☐ Professional formatting
  • ☐ Appropriate length (10-12 slides)

Delivery Quality

  • ☐ Confident, professional presence
  • ☐ Clear and audible speech
  • ☐ Appropriate pacing (15-20 minutes)
  • ☐ Strong opening and close

Q&A Preparation

  • ☐ 10+ questions anticipated
  • ☐ Responses prepared and professional
  • ☐ Difficult scenarios addressed
  • ☐ Backup slides ready

Portfolio Integration

Save your executive communication deliverables:

🎯 Hands-On Capstone Activities

Week 11 capstone activities - Executive Communication

🎯 Executive Communication Lab

Deliverable: Professional capstone component ready for portfolio
Time estimate: 4-8 hours

💡 Capstone Strategy: This work becomes your portfolio—make it job-interview ready.

Resources

Required

How to Present Security Findings to Executives

SANS guidance on translating technical security findings for business audiences and securing executive buy-in.

SANS White Papers (search: executive communication), 45 minutes

Required

IBM Cost of a Data Breach Report

Industry benchmark data on breach costs useful for quantifying risk in executive presentations.

IBM Data Breach Report, 30 minutes (executive summary)

Optional

Presentation Zen

Classic book on presentation design principles. Helpful for creating visually effective slides.

Presentation Zen, 2 hours (if new to presentation design)

Weekly Reflection

Prompt

Reflect on the challenge of translating technical security findings into business language. What was most difficult about this translation? What strategies did you develop for explaining complex technical concepts to non-technical audiences?

Consider how executive communication skills fit into a security professional's career. Why is the ability to communicate with leadership as important as technical skills? How might strong communication skills differentiate you in the security field?

Target length: 250-350 words

Week 11 Quiz

Test your understanding of the weekly concepts.

Format: 10 multiple-choice questions. Passing score: 70%. Time: Untimed.
