How to Talk to Stakeholders About Cybersecurity

By Fortra's Digital Defense

Productive cybersecurity conversations are more critical than ever as vulnerabilities continue to grow every year. Support from business leaders, including the board and C-suite, is essential to building organizational awareness and cultivating cross-divisional partnerships. Unfortunately, communicating about cybersecurity can be a challenge for many IT professionals. Sometimes stakeholders lack familiarity with the current threat landscape or the technical understanding required for productive discussions.

It is essential to bridge these gaps with productive conversations based on terms and reporting that everyone can understand. After all, the only way businesses can protect themselves from cyber attacks is if the entire organization shares responsibility for cyber risk management.

Partnering within the Organization 

Many CISOs and IT professionals come from a technical or engineering background. However, in addition to architecture and infrastructure expertise, they must also demonstrate the soft skills necessary to build a risk-aware organizational culture and foster strong partnerships throughout the company. 

Developing firmwide partnerships is critical to understanding the interconnected role that risk plays in an organization. The CISO must be a champion of good security practices while also recognizing the potential impact of those practices on the whole business. 

Much of this boils down to communication and the ability to have productive security conversations that propel the business and its security program in the right direction. 

Simpler, More Productive Security Conversations 

Successful security conversations start with a shared understanding of the landscape, the potential risk and costs of cyberattacks on your organization, and proactive strategies for mitigation. CISOs can position themselves for a productive discussion by following three key steps: 

  • Lead with the risk: Make sure your audience understands your current threat landscape and what exactly is at stake if security measures are not taken.
  • Speak the same language: Find terminology and rating systems that everyone can understand, establishing clear benchmarks and the ability to easily report progress.
  • Communicate what’s relevant: Some of your audiences will want the details; others will not. Be sure you can easily tailor your cybersecurity reporting.

CISOs and other IT professionals can employ these steps to develop the shared understanding needed to have security conversations that resonate. 

Initiating Productive Dialogue

Today, CISOs are being asked not only to report, but also to proactively assess the environment and look around corners at upcoming risks. Effective CISOs contribute an understanding of the interconnection between business and risk so they can help their organizations protect vital operations and take advantage of strategic opportunities. Here we will outline three key steps that can help CISOs and other IT professionals start those conversations. 

1. Lead with the Risk 

As a first step, demonstrate your commitment to protecting and fostering the success of the business. Show you understand the strategic business goals of the organization, how they intersect with security, and how cyber risk could potentially impact those goals. Emphasize why proactive measures are important and how the business is at risk if you don’t implement them. 

We all know that once a network vulnerability is exploited, the damage is done. Remind stakeholders that a proactive approach to cybersecurity is less expensive, given the potential costs of breaches, both financial and non-monetary. The average breach costs businesses $8 million in the US and $3.9 million globally. Drive home the point that upfront investment not only protects the firm and its assets, but also maximizes the returns from other investments such as digital transformation or cloud migration programs. Good business and effective cybersecurity go hand in hand. Reiterate your awareness that IT and security systems should work cohesively with other parts of the business and not hinder progress.

Demonstrating what is at risk requires tools that effectively identify and assess vulnerabilities and threats, and report them in a straightforward way. Be sure you are using the right solutions so you can pull this information together quickly and painlessly.

2. Communicate in the Same Language 

Conversations are easier when you’re speaking the same language. Part of building a risk-aware organization is agreeing on a language that everyone understands. Communicating in the same language helps your organization build a shared perspective on cyber and other risks so that you can make effective decisions and investments. 

When discussing network vulnerabilities, threats, and their associated risks, there are many technical terms and a wealth of data that can create confusion. It’s important to find reporting metrics that speak a language everyone can understand and tools that can help you communicate. 

For example, Frontline Vulnerability Manager offers a simple and intuitive metric called Security GPA that is based on the academic grading system of letters (A, B, C, D, F) and numeric values. It provides an easily understood and consistent way to communicate cybersecurity risk and show remediation progress to board members, the C-suite, clients, or the public. Learn more about Security GPA in this video snippet:
3. Report What Is Relevant 

When discussing security, IT professionals must know their audience. While some stakeholders may want a high-level threat and vulnerability assessment, others may demand a more detailed risk profile. Whether reporting to the board, the C-suite, or other stakeholders, adapt your presentation and add context for the audience so they have the relevant information they need to take action. 

To assist with this, Frontline Vulnerability Manager communicates information on your security posture, risk rating, and remediation actions with two versions of reporting: an Executive Summary report and a Detailed report.

The Executive Summary provides a high-level overview of an organization’s security posture, without overwhelming the audience with too much data. The Detailed report provides comprehensive information about your organization’s scan results, analysis, and relevant benchmarks, as well as in-depth information about network vulnerabilities. Watch this brief video snippet for examples:
Building Organizational Awareness 

According to BCG, managerial resistance is a leading reason why 70% of digital transformation efforts fail to achieve their investment objectives. With the more dangerous threat environment and rising costs of attacks and breaches, IT professionals must take the lead on security conversations and build a culture of awareness from the top down. 

A cyber-secure organization maintains a proactive posture and firmwide responsibility for identifying and managing cyber risks. The rapid evolution of technology means attack surfaces and attack vectors are constantly changing, making effective cybersecurity a moving target. As a result, everyone must do their part and contribute to organizational security. It’s imperative that organizations maintain an ongoing dialogue and sustain the conversation with a regular cadence as the threat environment evolves.

Start Simplifying Your Security Conversations 

Building a culture of awareness requires commitment and intention from your company’s top executives and managers. To maintain a robust security posture, company leaders must be committed to the cause and willing to adapt. This all starts with the sharing of information and productive conversations around cybersecurity.

The Digital Defense team is here to track the ever-changing security landscape and help you simplify security conversations across your organization to keep them useful, actionable, and ongoing. We offer not only the solutions you need, but also the support that makes it easy and simple for any organization to reduce its risks and build maximum network security.

Ready to Learn More? Contact us to schedule a personalized demo to see how Frontline Vulnerability Manager can help you more easily and effectively identify and manage risks.