Effective Strategies for Talking About Security Risks with Business Leaders

Storytelling helps CISOs bridge the gap between tech expertise and business objectives to boost company security.

Riaz Lakhani, CISO

September 23, 2024

5 Min Read
Cyber risk discussions with execs
jittawit21/Shutterstock

Difficult conversations are inevitable, whether in personal relationships, professional settings or everyday interactions. They're especially important when it comes to discussing cyber risks with an executive team.

In today's ever-expanding and evolving digital landscape, cybersecurity is a critical business concern, no longer just an IT issue. However, business leaders often struggle to understand or consider cyber risks a serious threat. Just over a third (35%) of the small businesses surveyed for a recent Barracuda study say that senior managers don't see cyberattacks as a significant risk.

This lack of understanding isn't necessarily due to poor management but to faulty communication between the nontechnical executive team and the more technologically advanced IT team, mainly the chief information security officer (CISO).

CISOs Play a Pivotal Role in Communicating Cyber Risk

While security is the responsibility of all organization leaders, CISOs play a pivotal role in bridging the gap between technical security measures and business objectives. The challenge often comes down to how CISOs communicate.

As a CISO, you've likely experienced situations where another executive discusses their function in highly specialized terms, making it difficult to follow. For instance, imagine a CFO delving into technical accounting or financial models. When the content is too specific, it can lead to frustration and make it hard to leave the meeting with actionable items. Similarly, the use of excessive technical jargon like "ZTNA," "ransomware" and "DMARC" will turn people off as they don't care about things they don't understand, or tune out when it's too complex.

Related:The Gately Report: Lookout Threat Research Helps Partners Tackle Mobile Cyber Crime

When preparing to discuss cyber risk, it's important to observe how other executives in your organization communicate. For example, take note of how a CFO makes complex topics relevant and apply similar tactics when explaining security-related technical issues.

According to Cybersecurity Ventures, the global cost of cybercrime is expected to reach $10.5 trillion by 2025, making the cybersecurity conversation paramount in the C-suite and boardroom. Yet, according to research from Diligent Institute, less than 9% of an average board has technical expertise.

Storytelling an Effective Strategy as Threats Evolve

So, how do CISOs effectively communicate cyber risks and the growing threat landscape? Storytelling.

Effective storytelling serves three core purposes: enlightening audiences, shaping choices and transforming actions. When crafted skillfully, these stories become potent communication tools. Other benefits of effective storytelling include:

  1. Simplifying complex information. Cybersecurity concepts can be highly technical and challenging for nonexperts to grasp. Storytelling simplifies these ideas by framing them in relatable and understandable narratives. By using analogies, real-world examples and scenarios, CISOs can make complex information more accessible and engaging.

  2. Engaging and captivating audiences. Stories naturally capture attention and keep audiences engaged. Unlike dry, data-heavy presentations, a well-told story can evoke emotions, create suspense and maintain interest. This engagement ensures that the audience remains attentive and retains shared information.

  3. Highlighting the human element. Cybersecurity is often perceived as purely technical, but at its core, it involves human behavior and decisions. Storytelling illustrates how cyber threats affect real people and businesses to humanize the topic and make it more relatable.

  4. Enhancing memory and recall. Research shows that stories are easier to remember than isolated facts or statistics. By embedding key cybersecurity messages within a narrative, CISOs can enhance the likelihood that their audience will remember and recall the information later.

  5. Driving behavior change. One of the primary goals of cybersecurity communication is to encourage behavior change, such as adopting stronger passwords, following security protocols or recognizing phishing attempts. Stories can be persuasive tools for motivating such changes.

As a CISO, if you are just starting to introduce security within your organization and are uncertain about where to begin, sharing a recent popular incident through storytelling is an excellent starting point. Your story should highlight the sequence of events, entry points for the attackers, methods used to bypass security measures and key takeaways from the incident.

Most companies will publish a security postmortem. Consider using that technical write-up to build a fun, engaging story to share. Then, connect this story to your security team's efforts to address similar risks and explain how these risks could impact your business, and what the company and its leaders can do to support the security team's mission in addressing these risks.

The Time, Place and Strategy Make All the Difference

Like every difficult conversation, CISOs must pick the right time, place and strategy to discuss cyber risks with the executive team and staff. Instead of waiting for the opportunity to arise, CISOs should proactively engage with individuals at all levels of the organization to influence them and ensure an understanding of security policies and incident response.

These conversations could come in the form of monthly or quarterly meetings with senior stakeholders to maintain the cadence and consistency of the conversations, discuss how the threat landscape is evolving and review their part of the business through a cybersecurity lens. They could also be casual watercooler chats with staff members, which not only help to educate and inform employees but also build vital internal relationships that can affect online behaviors.

In addition to talking, CISOs must also listen to and learn about key stakeholders to tailor conversations around their interests and concerns. Consider creating a monthly security newsletter written in an engaging manner. This will help people stay informed about security in an enjoyable way. At Barracuda, for example, I send out a security newsletter called CISO Monthly to the leadership team. It receives a lot of positive feedback, which helps to drive engagement and dialog with company leaders.

If you're talking to the board, you'll need to know the people around that table. What are their interests, and how can you communicate in a way that resonates with them and gets their attention? Use visualization techniques and find a "cyber ally" on the board who will back you and help reinforce your ideas and the information you share.

In the increasingly complex cybersecurity landscape, effective communication is vital to fostering understanding, awareness and action. Storytelling is a powerful tool that can transform complicated, technical information into engaging, relatable and memorable narratives. It allows CISOs to bridge the gap between technical expertise and broad audience understanding, enhancing the effectiveness of their communication and the security posture of their organizations.

Read more about:

EMEAVARs/SIsMSPs

About the Author

Riaz Lakhani

CISO, Barracuda

Riaz Lakhani is chief information security officer at Barracuda, where he is responsible for setting the strategy, managing implementation and driving Barracuda's information security program.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like