As organizations prepare for the remainder of 2020, cybersecurity leaders can use this opportunity to review their communication style and improve how they share key messages across the organization. Taking time to refine business communication can help those in security and technical leadership roles heighten the effectiveness of their messaging and ensure alignment with organizational priorities.

At a time when we’re limited in how we can interact, choosing the right medium and shaping the right message are key to delivering on security’s function: to enable and protect value creation. Communicating upward to the C-suite and the board, for example, is about demonstrating how cybersecurity brings value to the business. As such, security teams should redouble their efforts to align the mission and value of their department with shared business goals.

Set Your Sails

How cybersecurity leaders craft their messages can either help propel the organization through the winds of change or leave it stranded in the middle of an ocean. Crafting an effective message can be challenging in the best of circumstances, but answering some important questions can help you deliver a persuasive pitch.

What is the goal of the message? Why am I reaching out? Spending a few minutes to review one’s purpose in sending a message can help make the difference between a rant and a directive, a complaint and a warning.

What does success look like? Asking this simple question can help identify elements that may be missing from an important message, such as the intended result of this exchange or how you will measure whether the goal behind the message was achieved down the road.

There’s No Sailing Without a MAST

Without a solid “MAST,” there can be no venturing out, even into the bluest ocean. If the message is the sail that propels the organization forward, the MAST is there to help translate and support that propulsive force into a forward motion for the organization. Here’s a breakdown of the acronym.


Cybersecurity leaders can benefit greatly from considering whether they are choosing the right medium for their message and whether they are adapting the message to that medium well. Too many important messages are ignored because they are delivered as a poorly crafted or poorly narrated set of slides. In some cases, a series of messages delivered through more than one medium might need to be coordinated to achieve the desired effect. For example, a point raised in an introductory email might be followed by a more detailed plan-of-action report and brought home by a digestible presentation.


The best leaders acknowledge the importance of having allies throughout the organization. While you may have crafted the perfect message over a great medium, your communications might not land if you don’t have the support of key allies.

Who can you turn to ahead of time for feedback on this message? Try to seek out technical peers and organizational influencers whose interests are aligned with yours and who understand your target audience.


While the medium influences the message, the meeting space in which the message is delivered can also have a strong effect on how it is perceived. Is your message set to be delivered in person, in a meeting, over the phone, over email, during an interactive one-on-one session or in a large meeting?


As the saying goes, strike while the iron is hot. The timing of when your message is delivered can make or break your request. The most in-tune leaders ask themselves when is the best time to deliver their messaging. Some ideas may not be well received after some bad financial news or a reorg announcement, while other ideas may be key to securing people and assets during times of transition.

Align With Organizational Winds

Even with a great sail and a solid mast, your sailboat would just sit idle without another key element: the wind. As important as it is for cybersecurity leaders to craft a good message, get feedback, and determine the best time, space and medium to deliver it, organizational headwind is one of the most important considerations to take into account.

Because the purpose of security is to support value creation and value protection, security leaders must invest time, energy and influence into staying in-tune with organizational winds. To determine the extent that security efforts are aligned with organizational priorities, it’s important for the chief information security officer (CISO) to have their finger on the pulse of the business and to know and support the direction it has chosen.

Are there any recent high-level business updates or reports that provide critical insights to that end? Who are the cybersecurity leader’s key allies at your organization, and do they provide a good view into the business horizon of the organization as a whole?

While technologies and threats continue to evolve, security leaders must keep their eye on what the business needs to survive and thrive. Smooth sailing requires careful alignment and communication of the value that the security function brings to the entire organization.

More from CISO

Bringing threat intelligence and adversary insights to the forefront: X-Force Research Hub

3 min read - Today defenders are dealing with both a threat landscape that’s constantly changing and attacks that have stood the test of time. Innovation and best practices co-exist in the criminal world, and one mustn’t distract us from the other. IBM X-Force is continuously observing new attack vectors and novel malware in the wild, as adversaries seek to evade detection innovations. But we also know that tried and true tactics — from phishing and exploiting known vulnerabilities to using compromised credentials and…

What’s new in the 2023 Cost of a Data Breach report

3 min read - Data breach costs continue to grow, according to new research, reaching a record-high global average of $4.45 million, representing a 15% increase over three years. Costs in the healthcare industry continued to top the charts, as the most expensive industry for the 13th year in a row. Yet as breach costs continue to climb, the research points to new opportunities for containing breach costs. The research, conducted independently by Ponemon Institute and analyzed and published by IBM Security, constitutes the…

Cyber leaders: Stop being your own worst career enemy. Here’s how.

24 min read - Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content. We’ve been beating the cyber talent shortage drum for a while now, and with good reason. The vacancy numbers are staggering, with some in the industry reporting as many as 3.5 million unfilled positions as of April 2023 and projecting the disparity between supply and demand will remain until 2025. Perhaps one of the best (and arguably only) ways we can realistically bridge this gap is to…

Poor communication during a data breach can cost you — Here’s how to avoid it

5 min read - No one needs to tell you that data breaches are costly. That data has been quantified and the numbers are staggering. In fact, the IBM Security Cost of a Data Breach estimates that the average cost of a data breach in 2022 was $4.35 million, with 83% of organizations experiencing one or more security incidents. But what’s talked about less often (and we think should be talked about more) is how communication — both good and bad — factors into…