Speak Their Language: Making Cybersecurity Communication Land with Business Stakeholders
If your message doesn’t land, it doesn’t matter how technically accurate it is.
Cybersecurity professionals often speak in a dialect few outside our circle understand. We throw around CVEs, TTPs, and zero-days as if they were universal concepts. But executives and stakeholders think in different terms: uptime, risk exposure, shareholder value, reputation, and compliance.
That disconnect is why security gets sidelined. The solution? We need to speak their language.
Dale Carnegie: Talk in Terms of the Other Person’s Interests
Dale Carnegie, the grandfather of business communication, wrote in How to Win Friends and Influence People that to win someone over, you must "talk in terms of the other person’s interests." This deceptively simple principle is foundational to all effective communication. Carnegie wasn’t talking about cybersecurity, but his advice applies directly: the best technical advice in the world won’t matter if it doesn’t resonate with the person making the decision.
For cybersecurity, that means understanding and addressing the business context of your stakeholders. If a CEO is focused on quarterly earnings, show how the risk of downtime or data loss could threaten those earnings. If the legal team is preparing for a compliance audit, explain how your controls support that effort. This isn’t simplification. It’s translation. And it’s essential.
Eckhart Mehler: Risk Framing and the Language of Capital
Eckhart Mehler, a security advisor and business communicator, puts it bluntly: "Security gets rejected not because people don’t care about risk, but because we fail to frame that risk in the language they care about."
In his essay, "Risk Framing for Executives," Mehler outlines a method for aligning cybersecurity messaging with CFO priorities. Rather than discussing vulnerabilities, security teams should focus on capital impact: EBITDA, WACC, and enterprise value. This method moves security out of the realm of technical minutiae and into the strategic language used by executives to inform their decision-making.
For example, rather than saying "this vulnerability has a CVSS score of 9.8," Mehler would advise framing it as "this exposure could lead to a breach that triggers legal penalties and erodes customer trust, reducing projected revenue by 5% this quarter." That’s a message a CFO will act on.
Academic Research: Clarity, Quantification, and Scenario Framing
A 2025 research study by Bodenberger and Thommes titled "Words or Numbers? How Framing Uncertainties Affects Risk Assessment and Decision‑Making" found that business leaders respond more decisively when cyber risks are framed using quantified, monetary terms rather than vague descriptions. For example, presenting a risk as "a 30% chance of a $2 million loss" was significantly more actionable than describing the risk as "high likelihood of severe consequences."
This aligns with additional research from the University of Oxford’s Journal of Cybersecurity, which examined scenario-based cyber risk workshops for executives. The findings were clear: when cybersecurity concerns are presented in the context of operational, legal, and reputational consequences, executive understanding and engagement improve dramatically. In other words, if you want your leadership to pay attention, discuss the business impact, not firewalls and patch levels.
FAIR and NIST IR 8286: Aligning Security with Enterprise Risk
For those seeking established frameworks to guide this translation, the FAIR (Factor Analysis of Information Risk) model provides a blueprint. FAIR breaks down cyber risk into probability and impact, allowing teams to calculate risk in financial terms. This makes it easier for CISOs and risk officers to engage the board in familiar formats—such as expected loss, ROI, and opportunity cost.
NIST IR 8286 goes further by recommending that organizations integrate cybersecurity risk into enterprise risk management processes. This includes aligning security reporting with frameworks like COSO, using language and formats already familiar to business units. If you’re still reporting your risks in a siloed Excel sheet with technical jargon, you’re likely getting ignored.
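As an added illustration, not code from the article or from any FAIR tooling, the Python below runs a FAIR-style Monte Carlo over one constructed loss scenario (loss event frequency and a lognormal single-event loss magnitude; the scenario name and all numbers are assumptions) and renders the result in the quantified "X% chance of a $Y loss" form the article recommends.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class FairScenario:
    """Constructed FAIR-style inputs for one loss scenario (illustrative values, not from the article)."""
    name: str
    loss_event_frequency: float   # expected loss events per year (FAIR's LEF)
    magnitude_median: float       # median single-event loss in dollars
    magnitude_sigma: float        # lognormal spread of the single-event loss

def poisson_sample(rng, lam):
    """Knuth's algorithm: number of loss events in one simulated year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(scn, trials=20000, seed=7):
    """Monte Carlo over `trials` simulated years; returns summary statistics in dollars."""
    rng = random.Random(seed)
    mu = math.log(scn.magnitude_median)
    yearly = []
    for _ in range(trials):
        events = poisson_sample(rng, scn.loss_event_frequency)
        yearly.append(sum(rng.lognormvariate(mu, scn.magnitude_sigma) for _ in range(events)))
    yearly.sort()
    return {
        "expected_annual_loss": sum(yearly) / trials,
        "p_any_loss": sum(1 for y in yearly if y > 0) / trials,
        "loss_1_in_10_years": yearly[int(0.90 * trials)],   # 90th percentile of annual loss
    }

def analytic_expected_loss(scn):
    """Closed form for a sanity check: LEF * E[lognormal magnitude]."""
    return scn.loss_event_frequency * scn.magnitude_median * math.exp(scn.magnitude_sigma ** 2 / 2)

def executive_framing(scn, stats):
    """Render the numbers in the monetary, probabilistic wording the article argues for."""
    return (f"{scn.name}: about {stats['p_any_loss']:.0%} chance of at least one loss event this year; "
            f"expected annual loss ${stats['expected_annual_loss']:,.0f}; "
            f"a 1-in-10-year bad year exceeds ${stats['loss_1_in_10_years']:,.0f}.")

if __name__ == "__main__":
    # Hypothetical scenario: 0.3 events/year, median event loss $500k, sigma 0.8
    scenario = FairScenario("Ransomware on order processing", 0.3, 500_000, 0.8)
    print(executive_framing(scenario, simulate_annual_loss(scenario)))
```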
Sally Susman: Communications as a Business-Critical Function
Sally Susman, Pfizer’s Chief of Corporate Affairs, played a key role in leading the company’s public communications during the COVID-19 vaccine rollout. In recent interviews, she emphasizes that effective communication is not a soft skill—it's a core business competency. Her point: the ability to tell a clear, credible, and compelling story to the public or leadership can make or break a company’s success.
While Susman doesn’t speak directly to cybersecurity, her lessons apply perfectly. Cyber leaders must stop viewing communication as secondary to technical skills. The ability to explain security risks in a narrative that resonates with decision-makers is now a required part of the job. As Susman says, "You can have the facts, but if you can’t convey them clearly, they won’t matter."
Theresa Payton: Making Cybersecurity Understandable
Theresa Payton, former White House CIO and a leading voice in cybersecurity media, focuses her work on making complex technical topics understandable to leaders and the public. In her public speaking and consulting, she consistently models the kind of storytelling that connects cyber threats to strategic risks.
She advocates for explaining cybersecurity in terms that reflect business values, emphasizing the importance of protecting customer trust, maintaining service availability, and preserving brand reputation. Her approach reflects the broader trend: cybersecurity professionals who want influence must become translators and storytellers, not just technologists.
Amy Gallo: Audience-Centered Communication
Amy Gallo, a contributing editor at Harvard Business Review and an expert on workplace dynamics, speaks frequently about tailoring communication to your audience. In her book Getting Along, she outlines techniques for making your message resonate even when you're in conflict or dealing with skeptics.
For security professionals, her advice is gold: don’t try to win by being the smartest person in the room. Win by connecting your message to what your audience already values. That might be avoiding public embarrassment, hitting quarterly goals, or staying compliant with new regulations. The key is not what matters to you, but what matters to them.
Cybersecurity is a business function. And like every business function, its success depends on communication.
We need to stop trying to impress people with our knowledge and start trying to help people with our insight. Speak their language. Align with their priorities. Translate your expertise.
Because if your message doesn’t land, your strategy won’t either.
Very insightful to read this from your technical perspective, Josh Mason 🍄. It really resonates with me how similar this is to interpreting between languages: a professional interpreter doesn’t just translate words, but the intent and relevance — so the message actually lands and drives the intended response in the target context. Do you also see this kind of functional translation as a skill cybersecurity professionals should be trained in – almost like “interpreters” between tech and business?
Penetration Tester
2mo
Well obviously you'd have to convert binary into ascii something like b'101010'.to_ascii_digit() should have em communicating in no time. Glad I could help.
Thanks for sharing, Josh
🔥Lighting the Path to Cybersecurity Excellence. International Keynote Speaker 🗣 | Author 📖 | CyberSecurity🛡 | CISO | OSINT 🔍 | Privacy 🤫
2mo
This would have been a great cover for your book by the way ;) I understood everything that was wrong with just this image!
Cybersecurity Can Make You Win In The Market | Let's talk about it
2mo
https://mason-sc.com/book