The role of the information security professional, be it at the chief information security officer (CISO) level or at the security analyst level, continues to undergo rapid and significant transformations. For years, security leaders have asked — no, begged — for a seat at the executive table. As an increasing number of organizations feature cyber risk reporting to the executive layers, security professionals at all levels must adapt to this new audience by developing an appropriate set of professional skills.

The fastest way to lose the attention of executives is to start talking in computer or security jargon. Most of us have likely experienced this, either because we were the ones communicating in such a manner or because we witnessed our own colleagues or bosses do so. How do we avoid confusing or frustrating the executives in our audience?

The Audience Matters

Security professionals and CISOs who have risen through technical ranks are very good at talking tech. And as long as they are talking to other techies, such use of jargon is not only tolerated, but expected. Yet if one spends just a few minutes eavesdropping on the conversations that executives have amongst themselves, one quickly realizes that the language used is casual, conversational and, in a word, understandable.

For the security professional, this new audience may appear to be conversing in a foreign language. You might hear them complain, “What do you mean I can’t talk about VPNs or IDS or SIEM?” The foreign language metaphor is a simple yet powerful representation of the difference in culture, expectations, vocabulary and grammar that one might experience. Much like with learning to speak in a foreign language, the first few days, weeks or months are difficult as one trains their brains to translate concepts and messages into this new way of conversing.

The Message and Its Framing Matters

One of the key benefits of the increased conversations around cyber risks (i.e., how much risk do we have, and is that something we are comfortable with?) as opposed to information security (i.e., are we secure?) is the need for and the opportunity to have significant — yet sometimes very thorny — discussions about cyber risks with the various stakeholders. The way the message is framed is essential to either continuing such conversations or shutting the door on them. For example, the U.K. government was able to generate an extra £1.9 million, or about $3 million, in additional tax revenue in just 23 days by including two sentences using minority framing to make a point with late taxpayers: “Nine out of 10 people in the U.K. pay their tax on time. You are currently in the very small minority of people who have not paid us yet.”

For example, when reporting risk metrics, one can document the current versus previous quarter’s numbers by using a simple yet clear visual representation, such as the radar chart in the example below:

Key Questions to Improve Your Professional Skills

  • Are you communicating concepts and issues in the language of your executives? If not, immerse yourself in their world by surrounding yourself with some of the same resources and sources of information (The Wall Street Journal, Harvard Business Review, company reports, financial reports, etc.).
  • Is your message adapted to the audience, both in terms of granularity — reporting at a level of detail appropriate for the audience — and in terms of presentation?
  • Is your message framed in such a way as to engender conversations around information risks as opposed to giving a closed-ended and likely wrong view of the organization’s security posture?
  • Do you have access to a mentor — internal or external — who can provide you with feedback about how effective your presentations and communications to business executives are?

Other Resources for the Information Security Professional

To learn more about the art of making strong arguments, I suggest you read “Rhetoric, Logic, & Argumentation: A Guide for Student Writers” by Magedah E. Shabo.

To learn more about positioning yourself and your communications towards your clients, whether internal or external, I suggest you read “The Trusted Advisor” by David H. Maister, Robert Galford and Charles W. Green.

More from CISO

Poor Communication During a Data Breach Can Cost You — Here’s How to Avoid It

5 min read - No one needs to tell you that data breaches are costly. That data has been quantified and the numbers are staggering. In fact, the IBM Security Cost of a Data Breach estimates that the average cost of a data breach in 2022 was $4.35 million, with 83% of organizations experiencing one or more security incidents. But what’s talked about less often (and we think should be talked about more) is how communication — both good and bad — factors into…

5 min read

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

2 min read

Do You Really Need a CISO?

2 min read - Cybersecurity has never been more challenging or vital. Every organization needs strong leadership on cybersecurity policy, procurement and execution — such as a CISO, or chief information security officer. A CISO is a senior executive in charge of an organization’s information, cyber and technology security. CISOs need a complete understanding of cybersecurity as well as the business, the board, the C-suite and how to speak in the language of senior leadership. It’s a changing role in a changing world. But…

2 min read

What “Beginner” Skills do Security Leaders Need to Refresh?

4 min read - The chief information security officer (CISO) was once a highly technical role primarily focused on security. But now, the role is evolving. Modern security leaders must work across divisions to secure technology and help meet business objectives. To stay relevant, the CISO must have a broad range of skills to maintain adequate security and collaborate with teams of varying technical expertise. Learning is essential to simply keep pace in security. In a CISO Series podcast, Skillsoft CISO Okey Obudulu recently said,…

4 min read