A Guide to Articulating Risk: Speaking the Language of the Stakeholder

The role of the modern CISO today is just as much about managing technical solutions as it is about communicating risk to key decision-making stakeholders. In their daily roles, most C-suite executives and board members are too heads-down on their own priorities to think about their worst-case scenario—a cyberattack that derails operations. As a result, cybersecurity funding and strategy often fall by the wayside. But cybersecurity risk is becoming an increasingly important aspect of C-suite roles beyond CISOs and CIOs. In fact, Gartner forecasts that by 2026, 50% of C-level executives will have performance requirements related to risk built into their employment contracts. However, driving home the message that cybersecurity risk is business risk to multiple stakeholders, each with their own priorities, is easier said than done.

When advocating for ample cybersecurity resources and buy-in, CISOs and security advocates need to speak in plain language targeted to the diverse areas of the business. The key is identifying commonalities among stakeholders and articulating risk in terms that resonate with their priorities. For example, envision what keeps each executive up at night. What are their teams working each day to accomplish? On a scale of one to 10, with 10 being the worst thing that could happen to this company, what’s their 10? Armed with this information, security advocates can then identify common goals, provide real-world examples, and translate the technical aspects of IT security into relevant business terms. 

Every corner of the business has a natural overlap with cybersecurity efforts. Below, we’ll focus on the overlap in finance, marketing, revenue operations and legal, and how to articulate cybersecurity risk to each organizational leader.

Chief Financial Officer

The CFO is concerned with maintaining the financial health of the organization: tracking cash flow, financial planning and generally overseeing all financial activities. Cyberattacks pose a direct threat to that financial health, with the average cost of a successful breach up 80% since 2021.

Financial loss is a top consequence of cyberattacks, and discussions often center around costs related to customer notification, credit monitoring, legal judgements and regulatory penalties. However, Deloitte also pointed out seven tangible and intangible hidden costs associated with a successful cyberattack, including insurance premium increases, increased cost to raise debt, operational disruption and destruction, lost value of customer relationships, lost value of contract revenue, devaluation of trade name and the loss of intellectual property. 

Translation: CFOs see the world in dollar signs, profit and loss. When advocating for security budget, frame the argument in these terms. Best-of-breed email and collaboration security, comprehensive API partnerships and employee awareness training are necessary measures to mitigate significant financial loss down the line.  

Chief Marketing Officer 

Brand spoofing attacks are on the rise. A recent market report from YouMail found that more than three out of four (78%) U.S. respondents have been targeted by a brand impersonation attack—that’s well over 200 million Americans. What’s worse: one in seven respondents fell victim to a successful attack.

Strangely enough, the teams tasked with creating the brand are often siloed from the teams tasked with protecting that brand. Marketing teams spend their time and resources carefully crafting and fine-tuning a brand and, more importantly, establishing trust with consumers. Yet one malicious email could irreparably tarnish a brand’s reputation and consumer confidence.

Mimecast’s Brand Trust report showed that 61% of consumers would lose trust in their favorite brand if that brand disclosed personal information to a spoofed version of its website. Why? The YouMail survey found that more than half of consumers blame the brands for spoofing attacks, not just the cybercriminals. 

Translation: The CMO is focused on preserving the health of the brand. It just so happens that cybersecurity solutions are, too. When articulating the importance of cybersecurity to marketing leadership, focus on the potential impact on brand reputation, providing real-world examples of the detrimental consequences of brand spoofing. This will help frame the argument for brand protection measures such as auditing web and domain real estate and implementing DMARC.

Chief Revenue Officer

Because revenue operations (RevOps) and marketing are closely related within a business, any disruption to brand trust has down-funnel effects on the sales organization, translating directly into revenue loss. The YouMail report found that roughly half (47%) of consumers said they are less likely to accept calls or texts from brands that have suffered imposter calls, making it harder and more costly for brands to contact their prospects and customers. To compound the problem, over half (57%) of respondents would stop spending money with their favorite brand if they fell victim to a phishing attack.

Translation: CROs want to keep all revenue operations across sales, marketing and customer service up and running and profitable. Remind RevOps leaders that a cyberattack can create a significant hurdle for sales and customer success representatives in reaching prospects and current customers. 

General Counsel 

There are several legal consequences for companies that suffer a cyberattack, including fines and regulatory sanctions, government audits, lengthy regulatory investigations and even criminal liability. Organizations risk litigation from customers, partners and even employees in the event of a breach. Public companies have an even bigger target on their backs; in the U.S., there have been several class action lawsuits filed by shareholders after inadequate security protocols and successful cyberattacks resulted in a drop in stock price.

Cybersecurity events also send legal teams into overdrive trying to anticipate and prepare for legal ramifications and manage any negative impact on the organization. In the U.S., companies must be in contact with their state’s attorney general and regulatory bodies such as the SEC, FTC and FCC to ensure timely disclosure of a cyberattack. An organization must also be able to demonstrate to regulators that it follows the highest level of compliance and has an effective response plan in place.  

Translation: A general counsel’s primary goals are twofold: 1) Don’t get sued and 2) don’t get fined. Strong cybersecurity measures can help mitigate the possibility of both. Investing in preventative measures will help save teams from the legal headache of responding to a breach. 

Tips for Stronger Communication and Accountability 

Articulating risk is no easy task and requires security advocates to be able to speak in many different tongues. The first step is understanding the priorities of each department and finding common goals. The next step is communication. Below are five tips for effective advocacy: 

  1. Make explicit connections between cybersecurity risk and business outcomes and how investing in best-of-breed solutions will play a part.
  2. Focus on why cyberattacks happen versus how they happen on a technical level (e.g., a lack of threat sharing across tools or a lack of organizational cybersecurity awareness).
  3. Talk like a human being and avoid technical jargon while articulating short- and long-term risks.
  4. Be able to quantify cybersecurity risk beyond crises. Don’t perpetuate the idea that urgency is required to prioritize cybersecurity—it should be prioritized every day, not just in the wake of a breach. 
  5. Once buy-in from key stakeholders is secured, document and execute on that commitment, including it as a key metric in quarterly meetings with the C-suite or the board.

Cybersecurity risk will increasingly demand the C-suite’s focus, and the safety of an organization depends on the extent to which it allocates funding and resources toward effective security measures. Advocating for cybersecurity is more important now than ever, meaning the ability to articulate risk to diverse lines of business is a critical skill. When a business can successfully cultivate executive buy-in and a cybersecurity team-sport mentality, all corners of the organization are empowered to work protected while mitigating negative consequences.

Gar O'Hara

Garrett O’Hara is the Senior Director, Sales Engineering at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organizations understand and manage their cyber resilience strategies.