Cybersecurity Professionals Need to Think Like Business Leaders

When CISOs, CIOs, and other cyber leaders approach the board, they often run into a familiar problem: the C-suite doesn’t speak their language.
I’ve seen security teams identify a legitimate vulnerability but not receive the budget, resources, and attention needed to mitigate it. Not because the problem wasn’t real, but because the team couldn’t clearly explain the issue to business decision-makers. You know how this story ends: the company jumped into firefighting mode once operations were eventually (inevitably) disrupted.
There was a time when identifying and fixing risk was pretty much the extent of the job. These days, it’s table stakes. Businesses expect cybersecurity professionals to serve less as technical protectors of systems and more as business-facing protectors of revenue. That takes a blend of leadership posture, business fluency, and executive communication skills.
Mastering those skills is how we get executive leadership to understand what’s at stake. It’s how we guide them toward proactive cybersecurity decisions that are best for the business, until one day, we find ourselves in the decision-making seat.
A Three-Step Framework for Executive Communication
Cybersecurity professionals often walk into the room thinking we’re the headline. Not to minimize us too much, but what we really are is an input to a decision about mitigating or eliminating risk. Executive leadership teams have limited bandwidth. When we lead with jargon, it shouldn’t surprise us that we don’t get the budget, resources, and support we need.
Here’s a practical framework I teach cybersecurity professionals — and use in my own conversations with executive teams:
1. Frame the issue around business outcomes
When you need money or resources to fix a problem, lead with business outcomes. As technical people, we love to explain how the sausage is made. Executives don’t have the time or patience for that.
Walking in with guns blazing, saying, “I need a million dollars for these tools to fix these vulnerabilities in these systems you’ve never heard of,” won’t get you far. On the other hand, this phrasing will grab an executive’s attention: “I understand that 80% of our revenue comes from transaction processing fees. I know we have customer concentration among our top five customers. If we don’t fix this issue, we are at risk of losing one of those top five customers, which would have a 20% impact on revenue.”
2. Provide two options
Next comes presenting options to fix the issue. I like to keep it to two — “Here’s Option A, Here’s Option B” — because people get overwhelmed by too many choices. If you’re anything like me, your instinct is to be hyper-accurate and detailed. I’ve learned to fight that urge.
Executives want the high-level picture: the cost, yes, but also the effort required, the trade-offs, and the impact on operations. They care about friction. They want to know whether an option will slow business and interfere with velocity goals.
3. Make a recommendation
This step is easiest to miss. Executives pay us for our expertise, and they want to know what we think. I always make a clear recommendation, explain my reasoning, and stand behind it. “Here’s the blue pill. Here’s the red pill. I recommend the red pill, and here’s why.” Clarity and confidence build trust with decision-makers.
When you don’t get an immediate “yes”...
Sometimes, we don’t get a “yes.” Or a “no.” We get that squishy in-between answer. “Oh, that sounds like a 2027 problem.”
When that happens, tie the issue back to the risk that executive leadership is ultimately accountable for. “If we don’t make a decision now, here’s the risk that you’re accepting.” If the tradeoff violates the company’s established risk tolerance, say so.
Following up after the initial conversation is often part of the process. Keep coming back to the risk, though not in a salesy way. Nobody wants to be the person lobbing emails in with “Thoughts? Following up. Checking in.” There’s a difference between that and saying, “I’m making sure you understand this is still at risk. We still have this revenue at risk. This contract with our largest client is still at risk. This is the risk we’ve accepted because a decision hasn’t been made yet.”
The Temperature Check
It takes practice to hone leadership posture, business fluency, and executive communication skills. We’re introverts, most of us tech nerds. In the workshops I lead, we practice through role-playing. Making your case against a mock CFO or board helps build the muscle memory to frame issues and have conversations with executives that actually move the needle.
A couple of signs you’re on the right track:
You’re thinking holistically. Your mindset has shifted away from “all about security and compliance.” You accept that your company or client doesn’t want to spend a dollar more than necessary on security. You identify the risks that matter most to the business, and rather than merely flagging problems, you enable decisions.
You’ve earned a seat at the table. Leaders call you for advice: “Hey, we’re getting ready to go into this new market. We want to take on this new client. We want to acquire this company. We want to get your input.” They invite you to the table because they see you as a trusted advisor who adds value and drives business outcomes.
The Gap Is Yours to Fill
When I first started teaching other cybersecurity professionals, I was surprised to find that many of the folks in the room — mid-level managers and directors — had never received any leadership training. Not once. The good news is that leadership skills are learnable.
Technical chops can get cybersecurity professionals far, but it’s leadership skills that take us to the next level. They make us more effective in our current roles and, over time, pave the way for us to become the ones making the big decisions.
