CPTC - Better Board Presentations
One of the culminating events of CPTC involves a presentation to the board, along with a team's penetration test report. The following is some quick advice to help teams get as many points as possible during this phase. Remember, these are very fast presentations, of 10 minutes, where each team member must speak. First, focus on your audience. Try to get a sense for the people your speaking to. If you're speaking to a senior executive audience then you will want to keep it high level. Focus on the overall risk, trying to summarize the risk to the business and the board. The board is often interested in actionable steps, or programs they can put in place to remediate the presented risk. That said, you really need to know your customer to focus on the biggest risks specific to them. As my friend Alex Levinson once said, "You need to find the heart of the business and drive a stake through it". That said, remember to keep it professional. Your team should dress appropriately for your audience. Your presentation should be polished and well practiced, such that your transitions seem smooth and natural. Finally, remember time management is critical. If you're practicing your presentation it can help to time yourself with a stopwatch or even record your practice sessions. Personally, I like to give big conclusions up front, so I don't lose the audience's interest before getting to my point. I also like to include throw away slides and a conclusion slide to reiterate my major points at the end. Throwaway slides also help me anticipate questions or topics I may want to expand on if there is extra time. The following are the top three performing team's final presentations. I've embedded them below with some specific notes on each presentation:
Up first is RIT's presentation, the winning team this year. To start, I really like how RIT laid out the structure of their presentation and what they would be walking us through, this intro laid out expectations very well. I really appreciate how they addressed the initial pentest and how the environment improved through remediation, before going into the retest results. I think highlighting the NERC-CIP compliance issues is important and this team covered the topic tactfully by suggesting a deeper compliance audit. Ultimately, I think this team nailed the risk and impact to the business in plain terms. Similarly, I think this group had good remediation suggestions, such as focusing on patching, authentication, and access controls.
Next is Stanford, the second place team this year. I really liked the theme and feel of this presentation; it felt the most corporate of the presentations we saw. I was very impressed with the level of care this team showed, considering they wrote their own monitoring software to make sure they didn't adversely effect systems. This level of attention to the customer's needs definitely set them apart from other teams. I do think this team went a bit overboard in terms of compliance recommendations. That said, I really liked their conclusion, specifically how they highlighted strategic opportunities for NGPEW to move towards. In concert, I thought their specific technical remediations were high quality and worthwhile. For both this presentation and the previous presentation, I would suggest leaving more time for questions, a general rule of thumb is 80/20 in terms of presentation time to discussion time. The next presentation does a good job leaving time for and subsequently fielding questions.
Finally we have Cal Poly Pomona, who took third place this year. Their professionalism was excellent. The entire team dressed business professional and used matching Zoom backgrounds, that also matched with their presentation. This team was very effective at explaining issues at the appropriate executive level. That said, I think this team spent a lot of time explaining their methodology, risk approach, and things the client has done well, which wasn't the most valuable way to spend the time with the board. That said, I think this team did well with explaining the issues, their impact, and the remediation to the client, but I think more of the time could have been spent on the remaining issues. Breaking each of the issues down with slide per major finding or remediation could be a way to make the individual points clearer.