Chapter 2: CISO Communications

How to talk like a CISO and sell a problem twice

Effective communication is a vital skill for CISOs and vCISOs, often proving to be one of the most challenging aspects for MSPs and MSSPs transitioning to offering vCISO services. Unlike IT roles that primarily interact with company staff on technical issues, vCISOs must communicate extensively with key stakeholders and executive management. 

This involves conveying complex cybersecurity issues in a manner that is understandable to non-technical audiences, such as executives and board members.

Why communication is crucial

1. You’re speaking to non-technical stakeholders

Executives and board members often lack technical expertise but are responsible for making critical decisions about the company’s security posture. CISOs must simplify technical information to help them understand the risks and necessary actions.

2. You need to sell twice

One of the most critical aspects of a CISO’s role is the need to sell not just once, but twice—first to define and explain the problem, and then to advocate for the solution. This process goes beyond technical expertise; it requires a deep understanding of business risk, the ability to convey the seriousness of cybersecurity threats, and the communication skills to gain buy-in from non-technical stakeholders.

Selling the problem


Before any solution can be implemented, a CISO must first articulate the problem in a way that resonates with business leaders. This involves translating complex technical risks into business language that highlights the potential impact on revenue, operations, reputation, or compliance. For example, rather than simply stating that a vulnerability exists, a CISO must explain how it could disrupt business operations or lead to financial penalties. The goal is to make stakeholders fully understand why the issue matters and what is at stake if it’s not addressed.

Selling the solution

In both phases, the CISO’s role is as much about influencing and persuading as it is about providing technical guidance. Success hinges on the ability to craft compelling narratives that link cybersecurity measures to business outcomes, ensuring that both the problem and the solution are clearly understood and supported at the highest levels of the organization.

3. You need to tailor your communication to different stakeholders

One of the most challenging tasks is tailoring your communication style to different audiences. 

  1. Determine Stakeholders’ Style and Needs: During onboarding, it’s crucial to understand both the organization and the communication preferences of its executives. Determine what information they need and how they prefer to receive it. 
  2. Adapt Your Approach: Executives often aren’t aware of their knowledge gaps, so asking “What do you want to know about security?” isn’t effective. Instead, focus on using the language that resonates with them and convey essential security information effectively.

For example, you can have fact-focused executives who prefer straightforward, factual information without speculation, while competitive-focused executives will seek industry-specific data and comparisons, such as sector-specific breach statistics. 

Some common executives you’ll be speaking to include:

  • Chief Financial Officer (CFO): Financially and insurance motivated.
  • Chief Executive Officer (CEO): Focus on business services, longevity, and revenue protection.
  • Chief Information Officer (CIO): Address the impact on the team, performance, visibility, and technical details.
  • Human Resources (HR): Emphasize employee and customer privacy concerns.

For example, CFOs hate talking about averages. Avoid using blanket average statements such as “the average cost of a breach is X.” Instead, provide specific data, like “the going rate for a credit card on the dark web is X” or “the average cost of a health record ranges from $5 to $5K, depending on the data’s value.” 

Then provide calculations specific to the business: if credit cards are valued at $10 each and the business has 5,000 cards, the data’s value on the dark web ranges from $100,000 to $500,000. This approach uses averages to support precise calculations, offering meaningful insights specific to the organization.

In boardroom settings, you’ll need to communicate to every person simultaneously, touching on each individual’s concerns. Tailoring your message to each executive’s priorities ensures you address all their interests effectively.

10 best practices for CISO communication

1. Always focus on business impact

Clients may be reluctant to accept the need for cybersecurity (more on this in Lesson 3), so it’s critical that you tie security measures directly to business objectives and goals. 

Ensure you have a thorough understanding of your client’s revenue streams. Recognize which products or services are the lifeblood of the client’s business and always communicate how security measures will protect these revenue streams. For instance, if your client manufactures a widget for the Department of Defense (DoD), discuss the new security requirements necessary to protect this specific product and comply with regulations.

Always ask: What does this mean for my clients’ business?

2. Simplify complex technical concepts

Translate technical security information into business language. Focus on the impact of security issues on business operations, financial performance, and regulatory compliance rather than technical details.

Don’t | Do
Don’t use acronyms | Do use simple, straightforward language
Don’t use any technical jargon | Do use full terms and spell out abbreviations for clarity
Don’t (IT language): “We’ve seen 50,000 attacks at the firewall, but we’ve got rules to block them and we’re looking at the logs to see if there are any more anomalies.” | Do (CISO language): “We’ve prevented 50,000 external attacks on our organization thanks to our robust security posture. We’re monitoring these activities closely to identify and analyze any trends in how we’re getting attacked.”

3. Ensure you have a common vocabulary

It’s crucial that everyone has a shared understanding of risk. If they don’t see the risk the way you do, it will be difficult to secure buy-in for your plans. Moreover, it’s essential to establish a common vocabulary.

Example

When you describe something as a “critical risk,” does that imply a billion-dollar impact or a million-dollar one? Does it suggest an imminent failure? What does “critical risk” mean in your context? Is it a low-impact event that happens once every 10 years?

4. Use analogies

Relate cybersecurity concepts to familiar business scenarios to help non-technical stakeholders grasp the issues. 

Example

To emphasize the importance of maintaining sensitive data hygiene, consider using an analogy that resonates with stakeholders: Imagine your clients’ organizational data as a cluttered space, much like the homes featured in shows such as Buried Alive or Hoarders. If you needed to locate a specific credit card number or medical record, it would be nearly impossible to know whether the data is even present, let alone where to find it. In contrast, an attacker can methodically sift through the disorganized data, increasing their chances of uncovering valuable information. This disordered approach to data management inadvertently gives attackers a significant advantage. If your organization’s data is similarly disorganized, you likely have little awareness of what sensitive information exists or where it is located, making it impossible to protect effectively. Proper organization of your data is essential to ensure its security.

5. Be concise

Executive time is valuable; get to the point quickly and focus on the most critical information.

Example

Place clear action items at the beginning of any email to C-suite executives: “Decision needed on x because of y,” then give details below.

C-suites will only read the first 3 sentences. If those three sentences aren’t compelling enough, they won’t read the rest of the email. 

7. Use visual aids

Use simple charts and graphs that help executives understand the impact. These could include trend lines, progress over time, achieved results, etc. 

8. Communicate regularly

Provide regular updates on the security posture, incidents, and improvements. Consistent communication helps keep security top-of-mind for executives and demonstrates the value of the vCISO’s work.

9. Engage with stakeholders

Identify the stakeholders for different business areas and understand their specific communication needs. This includes not only the C-suite and board members (which we mentioned above) but also directors, third parties, and clients. 

For instance, if your client is a manufacturer within a larger supply chain, you need to communicate with the larger organization about security updates and data handling practices. Even third-party stakeholders may require communication.

Stakeholder mapping will also determine the frequency of communication, ensuring that everyone receives timely and relevant updates.

10. Prepare for questions

Anticipate potential questions from stakeholders and be prepared with clear, concise answers. 

Here are some examples:

  • Leadership: How does security align with the company strategy? How is security contributing to company objectives? Are we secure, what is our risk, and what does it mean for us? If they see something in the news: How does this apply to us? Are we at risk for this? Are we secure?
  • CFO: What are the financial aspects of security? What is the cost? What is the expected spend over 1, 3, and 5 years?
  • HR: How does security affect employee privacy?
  • Legal counsel: What are our legal requirements? Are we compliant? What is our incident response plan? Who is going to handle the communication in case of an incident?

Chapter 2 Key Takeaways

  • Effective communication with non-technical stakeholders: CISOs must be skilled in translating complex cybersecurity issues into language that is accessible to non-technical stakeholders, such as executives and board members. This requires focusing on the business impact of security measures rather than delving into technical specifics.
  • Tailoring communication styles: Understanding the communication preferences of different stakeholders is crucial. Each executive, whether it’s the CFO, CEO, or CIO, has specific concerns and information needs. CISOs should customize their communication to address these diverse interests, ensuring that all relevant aspects of security are covered.
  • Using business language and analogies: To effectively convey the importance of cybersecurity, CISOs should avoid technical jargon and instead use business-friendly language and analogies. This helps make abstract or technical concepts more relatable and easier to understand for stakeholders unfamiliar with cybersecurity.
  • Consistent and concise communication: Given the limited time executives have, CISOs need to be concise and direct. Placing clear action items at the beginning of communications and using visual aids like charts can help capture attention and convey critical information quickly.
  • Regular engagement and preparedness: Continuous communication with stakeholders about the organization’s security posture, incidents, and improvements is essential. Set clear expectations from the beginning regarding the frequency of your communications and report submissions. CISOs should also anticipate potential questions and be ready with clear, concise answers that align security efforts with the company’s strategic objectives.