How Should CISOs Talk to the Business

Defense in Depth
How Should CISOs Talk to the Business

Most CISOs can talk tech inside and out. But when they have to communicate that to the business, the conversation doesn't flow nearly as smoothly. Why is translating cyber to the business still a struggle?

Check out this post by Binoy Koonammavu of Secusy AI for the discussion that is the basis of our conversation on this week’s episode co-hosted by David Spark, the producer of CISO Series, and Edward Contreras, senior EVP and CISO, Frost Bank. Joining them is best-selling cybersecurity author Peter Gregory. His upcoming study guide on AI governance can be pre-ordered here.

Listen to the full episode here.

Speaking the language of leadership

For CISOs to secure the resources and support they need, cybersecurity must be framed in terms that resonate with business priorities. "CISOs must translate tech into business value to win leadership support. The biggest hurdle is framing cybersecurity as a strategic asset, not a tech cost and linking risks in terms of revenue, reputation, or compliance impacts," said Chetan Jain of Deloitte India. Kuriyachan Joseph of Beinex reinforced this point, noting that "CISOs or similar infosec roles should articulate risk in business language rather than technical language to get management buy-in. The management doesn't look at technical jargon, they instead will focus on only business risk, which will end up in financial loss, reputation damage, or customer loss."

Beyond translation: the trust factor

Speaking the right language is only part of the equation. Jerich Beason, CISO at WM, used an analogy to make his point: "The only time I give someone my money without knowing what they are talking about is my mechanic, and I've been with him long enough to trust him. Why would anybody think a CFO, COO, or CEO would be any different? Leaders don't open their wallets for things they don't understand. It's on us to find a way to ensure they understand." Tom Le, CISO at Gap, pushed the thinking even further, arguing that communication alone isn't sufficient. "Even CISOs with good communication skills, the ability to translate technology and risk into business decision making and outcomes, still need one more capability: influence."

Making risk tangible

The most effective CISOs understand that abstract security concepts won't drive action. "Risk isn't real until it's tied to revenue," noted James Braunstein of Apii. Prabh Nair of Azpirantz Technologies described his own evolution in the role, explaining that "success as a CISO is about bridging worlds: shaping the technical reality into a narrative that resonates with leadership priorities. My experience taught me fast that 'tech talk' alone won't move the board. The turning point was learning to translate security risks into the language of business value and impact."

When translation isn't enough

Even perfect communication doesn't guarantee investment when business priorities diverge from security needs. Richard Kim, CISO at Queens District Attorney's Office, offered a sobering reality check: "Sometimes it's just not a priority for the business. No matter what excuse people in our field will say. If the business understands the risk and liability and it is clearly communicated, but does not think it a priority or worth it over another business priority, then no matter how well the CISO 'translates', it won't be a priority." A CISO should accept that. It's a business decision at that point. Kim provided a concrete example of the calculation some businesses make, weighing a $100 million security investment against a $100 million sales and marketing investment with a projected $300 million ROI, deciding they can absorb potential $10 million breach fines and temporary reputation damage.

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Thanks to our podcast sponsor, ThreatLocker

Join CISO Series Podcast live at ThreatLocker's Zero Trust World 2026, March 4-6th, 2026 in Orlando, FL. Use coupon code ZTWCISOSERIES26 to get $200 off your ticket.

Subscribe
Subscribe to Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.

Reddit ‘Ask Me Anything’ – December 2025

Our monthly AMA on r/cybersecurity on Reddit has begun! Our topic is "I'm a security professional who transitioned our security program from compliance-driven to risk-based. Ask Me Anything."

For this edition, we’ve assembled a panel of CISOs and security professionals to talk about a transformation many organizations struggle with: moving from a compliance-driven security program to a risk-based one. They’ll be here all week to share how they made that shift, what worked, what failed, and how to align security with real business risk — not just checklists and audits.

Please ask questions for our participants here.

This month’s participants are:

  • David Cross, (u/MrPKI), CISO, Atlassian

  • Kendra Cooley, (u/infoseccouple_Kendra), senior director of information security and IT, Doppel

  • Simon Goldsmith, (u/keepabluehead), CISO, OVO

  • Tony Martin-Vegue, (u/xargsplease), executive fellow, Cyentia Institute

Thanks to all of our participants for contributing!

LIVE!
Cyber Security Headlines - Department of Know

Our LIVE stream of The Department of Know happens every Monday at 4 PM ET / 1 PM PT with CISO Series producer Richard Stroffolino, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ll be having at work all week long.

Monday’s episode featured Andy Ellis, principal, Duha, and Johna Till Johnson, CEO and founder, Nemertes. Missed it? Watch the replay on YouTube and catch up on what’s shaping the week in security.

Join us again next week, and every Monday.

Thanks to our Cyber Security Headlines sponsor, Adaptive Security

Super Cyber Fridays!
Join us in 2026 for Super Cyber Friday!

That’s it for Super Cyber Friday in 2025! You can find all previous video episodes here.

Join us again in 2026 for our weekly live streams and post-show networking groups! Visit this link to register for future sessions. And be sure to import the CISO Series calendar into your planner to be reminded about all of our live streaming events.

Cyber chatter from around the web...
Jump in on these conversations

“What are the top 5 controls to mitigate ransomware?” (More here)

“I need help understanding something that I commonly face in cyber security.” (More here)

“How do you break out of being ‘pigeonholed’ when your company has a team for everything?” (More here)

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.