Effectively Communicating Cyber Risk With Business Leaders

Forbes Technology Council

SVP, Cyber Risk Evangelist at Black Kite.

Esteemed journalist Sydney J. Harris once said, “The two words 'information' and 'communication' are often used interchangeably, but they signify quite different things. Information is giving out; communication is getting through.” To excel as communicators, we need to be able to “get through” to our audience.

In the cyber risk realm, security and risk management leaders often miss the mark when it comes to communicating with their business counterparts. Because technical understanding doesn’t easily translate to communication, they struggle to connect the dots with business stakeholders—causing a significant disconnect.

Cyber and risk leaders must craft their communication to resonate with a business audience. Although technical jargon like “ransomware,” “patching,” “zero-day,” “third-party breach” and “bot” might not capture their audience’s interest right away, linking these topics to how they impact the bottom line or customers can make business leaders more receptive. Technical messages from cyber and risk leaders can be delivered clearly, concisely and effectively by adhering to the following best practices.

Understand the risk appetite of the audience.

Risk appetite refers to the extent of risk an organization is prepared to tolerate in pursuit of its strategic goals. Recognizing that operating without any risk is unrealistic, organizations engage in a delicate balance between accepting certain risks and mitigating others whenever possible. Often categorized as high, low or risk-neutral, risk appetite guides decision-making and resource allocation to align with organizational objectives. A company with a high risk appetite may be looking to make large acquisitions (i.e., high risk, high reward), while such an objective may not be in the cards for companies that are low or risk-neutral.

Before presenting to business leaders, security and risk teams must understand their organization's risk appetite to effectively communicate updates and offer actionable recommendations. Does leadership already have a defined risk appetite? What stakeholders are involved in the decision under consideration? Collaborating with the relevant parties to determine risk appetite will help define the terminology and taxonomy and link security risk appetite with enterprise objectives, helping ensure alignment right from the start. Understanding risk appetite can help bridge the divide between a technical team and the organization's business leaders, fostering stronger connections between risk management and overall business objectives.

Become an effective storyteller.

Effective storytelling aims to achieve three primary objectives: informing and educating, influencing decisions and altering behaviors. When executed correctly, storytelling can powerfully convey your objectives to get key points across and connect with an audience. Practice is paramount in refining storytelling skills. Consistent rehearsal enhances presentation delivery.

One way that cyber and risk professionals can enhance their storytelling skills is by crafting concise one-pagers to streamline messaging that helps prevent tangents and ensures directness in presentations. It’s also helpful to develop easy-to-articulate analogies that will resonate with your audience. For example, when speaking about the impact of third-party breaches, you could say, “A third-party breach operates much like a virus coursing through a school. It begins with an initial carrier, who unwittingly passes it on to others. Subsequently, these newly infected individuals become carriers who can spread the virus, creating a cascade of compromise across the community.” This helps put potentially unfamiliar ideas in terms the audience can relate to, giving them a better chance to resonate with your message.

Include qualitative elements.

Although quantitative evidence holds significance, there are also qualitative drivers that motivate decision-making. Customer impact, company image and market trust are all crucial points to consider when communicating with non-cyber stakeholders. They need to know how technology purchases, security posture and other major decisions can affect these areas. Consider using scenario planning to pinpoint trends and effectively demonstrate the consequences of both actions and decisions not to act. This approach helps clarify the audience's motivations and preferences.

Keep in mind, however, that these points can be emotionally charged. When discussing sensitive topics, it's beneficial to road-test the approach with a smaller group to ensure that it's likely to be well received by the larger group. Appealing to emotions can make for more compelling discussions, but tread carefully, and try to avoid over-indexing on fear, uncertainty and doubt.

Master speaking on a business level.

Cyber and risk professionals can effectively communicate with non-technical leaders by tailoring their approach to frame information in terms that align with business priorities. Framing topics in terms this audience understands will inevitably spark action within the leadership team.

Several helpful tactics to master business-level conversations include:

• Piloting Your Messaging: Before crafting your presentation, it's a good idea to engage with a relevant industry expert to test your messaging. This enables you to gauge likely audience reactions, identify resonant themes and refine your key points for maximum impact.

• Presenting Mindfully: When presenting to business leaders, don’t assume they're familiar with your technical references. Pause periodically during your presentation to check if the information is clear and useful to them, and encourage questions to ensure clarity and engagement. Also, ensure that you have credible sources to back up what you're presenting, and provide credible third-party validation to your messaging.

• Enrolling In Free Business Classes: Many organizations provide complimentary business training opportunities that leaders can leverage. Harvard University, Coursera and edX offer courses that cyber and risk leaders can take to enhance their business communication skills and learn what the C-suite really cares about.

Bridging the gap between technical roles and business leaders is often a challenge. Although security and risk teams hold crucial data about an organization’s risk levels, it’s important that they convey this data in a way business leaders understand so they can prioritize and take action immediately when necessary. Understanding the business’ risk appetite, taking steps to become an effective storyteller, remembering to incorporate qualitative elements and learning how to speak business leaders’ language will help ensure effective, open communication for greater business success.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.

