A Successful Security Strategy Is All About Relationships. Here’s How to Build Them.
Security efforts are not limited to security teams. High impact strategies need to engage everyone from employees to the board of execs, DevOps teams and IT. Learn how how to become not just an effective partner but a trusted advisor across an organization.
Your Legacy Phishing Solution Isn’t Enough to Protect Your Organization
CISO Josh Yavor explains why legacy phishing solutions aren't effective in preventing successful attacks, and what you can do about it.
9 Things I’ve Learned Writing Phishing Emails
Ethical hacker, Craig Hays, explains why copywriting, timing, and context are all essential "ingredients" in crafting a phishing attack.
Employee Burnout Will Probably Cause Your Next Data Breach
Understanding how stress impacts cybersecurity behaviors could significantly reduce the chances of people’s mistakes compromising company’s security.
Stateful Machine Learning is Our Best (And Only) Bet
Traditional machine learning methods that are used to detect threats at the machine layer aren’t equipped to account for the complexities of human relationships and behaviors across businesses over time. There is no concept of “state” — the additional variable that makes human-layer security problems so complex.
How Easy Is It to Phish?
You don't have to be tech savvy to become a "hacker". This blog outlines how to create a phishing campaign, and was designed to help security leaders protect their organizations.

Explore Human Layer Security.

Learn About Our Mission
Subscribe to our newsletter
Explore Me
Read More
Podcast Security Culture

Communication is One of The Biggest Cybersecurity Challenges to Overcome

Dr. Eric Cole

Illustrations by Pete Gamlen

Dr. Eric Cole,  former CIA hacker, and an industry-recognized expert with over 20 years of hands-on experience, shared why it’s communication, not cyber threats, that’s the industry’s biggest challenge to overcome. 

Listen to the full podcast here, or read on for Dr. Eric Cole’s top three takeaways.


The biggest problem in cybersecurity today is the lack of communication.

The biggest problem today in cybersecurity is that there is no communication between the technical folks and the executives. Most executives believe that if they spend enough money and hire enough cybersecurity people then their businesses will be secure, but it’s not that simple. Even with world-class technical people, poor communication can prove a significant barrier. A CISO can identify risks and tell business executives where they believe money needs to be spent, but if they’re not communicating in business terms, executives are not going to listen.

This communication barrier is why we see companies spending a lot of money and resources on cybersecurity without securing the basic core areas, and the problem lies with how people view the role of the CISO. Generally people think that the CISO is a technical position and will hire accordingly, but this is a misconception. Someone can be a world-class technical person, but that does not automatically make them a good CISO. A CISO is a strategic thinker that can communicate technical components using business language so that the executives can make the correct decision. To me, that’s the broken piece in many organizations.


Cybersecurity risks need to be communicated in business terms, and without emotion.

In cybersecurity, we deal with risk – the probability of loss. We don’t know what is going to happen, and we need to communicate using language that reflects this

The problem is that world-class security engineers naturally use language that they’re comfortable with, which is technical and not business-led. Further to this, cybersecurity people are brilliant and methodical, so they form conclusions and then believe wholeheartedly that they are correct. So when cybersecurity people talk to executives they often approach the conversation as though they would a debate, making it emotional and one-sided. This is why the idea that I highlight when training CISOs and security folks is that data should drive decisions, not emotions.

So, how can we improve communication between security employees and business executives? To help executives understand a security risk, four things need to be presented:

  1. What could happen
  2. The likelihood that it will happen
  3. The cost if it happens
  4. The cost to secure against it happening

Then ask them if they would like to take the suggested security measures. The key here is that the answer shouldn’t matter to the CISO or security engineer. They have communicated the problem in simple terms, made executives aware of it and given them the data – they have done their job and the rest is in the executives’ hands.



Risk should be priced and communicated using quantitative bands

Risk is notoriously difficult to put a price tag on – even insurers struggle to do so! In my opinion there is no point trying to describe things exactly. The problem is, executives don’t tend to respond to qualitative descriptions either – describing something as ‘high risk’ or ‘bad’ just isn’t tangible to them.

The solution is to communicate in general bands, where the information is inexact but quantitative. For example, instead of describing a security risk as ‘high risk’ and the outcome as ‘bad’, the risk can be described as being 80-100% likely, with a possible cost of £5 million to £10 million. This is not a perfect science, but it bridges the gap, and presents executives with something in business terms that is actionable.


For more from Dr. Eric Cole and his take on communication in cybersecurity, listen to our Tessian Podcast episode, here.